MWR InfoSecurity Security Advisory. IBM WebSphere MQ - rridecompress Remote Denial of Service Vulnerability. 4th March 2010

Similar documents
MWR InfoSecurity Security Advisory. IBM WebSphere MQ - rrilookupget Remote Denial of Service Vulnerability. 4th March 2010

12 th January MWR InfoSecurity Security Advisory. WebSphere MQ xcsgetmem Heap Overflow Vulnerability. Contents

MWR InfoSecurity Security Advisory. IBM Lotus Domino Accept- Language Stack Overflow. 20 th May Contents

MWR InfoSecurity Security Advisory. IBM Lotus Domino icalendar Address Stack Buffer Overflow Vulnerability. 14 th September 2010

MWR InfoSecurity Security Advisory. Intersystems Caché CSP (Caché Server Pages) Stack Overflow. 17 th December 2009

MWR InfoSecurity Security Advisory. Sophos RMS / TAO Component DoS Vulnerability. 16 th January Contents

Brave New 64-Bit World. An MWR InfoSecurity Whitepaper. 2 nd June Page 1 of 12 MWR InfoSecurity Brave New 64-Bit World

MWR InfoSecurity Security Advisory. Oracle Enterprise Manager SQL Injection Advisory. 1 st February 2010

MWR InfoSecurity Advisory. 26 th April Elastic Path Administrative. Quit. Session Hijacking through Embedded XSS

MWR InfoSecurity Security Advisory. DotNetNuke Cross Site Request Forgery Vulnerability Contents

SA31675 / CVE

MWR InfoSecurity Security Advisory. Mozilla Firefox 64-Bit SetTextInternal () Heap Buffer Overflow. 23 rd June 2010

MWR InfoSecurity Security Advisory. Linux USB Device Driver - Buffer Overflow. 29 th October Contents

Microsoft Office Protected-View Out-Of- Bound Array Access

Analysis of MS Multiple Excel Vulnerabilities

Abysssec Research. 1) Advisory information. 2) Vulnerability Information. Class 1- Stack overflow. Impact

SA28083 / CVE

SA33901 / CVE

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

MQ Jumping... Or, move to the front of the queue, pass go and collect 200

SA30285 / CVE

Autodesk AutoCAD DWG-AC1021 Heap Corruption

Exploits and gdb. Tutorial 5

Abysssec Research. 1) Advisory information. 2) Vulnerable version. : Microsoft Excel SxView Record Parsing Memory Corruption

CVE EXPLOIT USING 108 BYTES AND DOWNLOADING A FILE WITH YOUR UNLIMITED CODE BY VALTHEK

Buffer Overflows Defending against arbitrary code insertion and execution

16.317: Microprocessor Systems Design I Fall 2015

Microsoft Office Protected-View Out-Of- Bound Array Access

SYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14

EECE.3170: Microprocessor Systems Design I Summer 2017 Homework 4 Solution

RBS EverFocus Electronics Corp EPlusOcx ActiveX Control Multiple Stack Buffer Overflows of 10

Islamic University Gaza Engineering Faculty Department of Computer Engineering ECOM 2125: Assembly Language LAB. Lab # 10. Advanced Procedures

Abysssec Research. 1) Advisory information. 2) Not vulnerable version

16.317: Microprocessor Systems Design I Fall 2014

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Program Exploitation Intro

SOEN228, Winter Revision 1.2 Date: October 25,

Is stack overflow still a problem?

Practical Malware Analysis

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

EECE.3170: Microprocessor Systems Design I Summer 2017

Buffer-Overflow Attacks on the Stack

How to perform the DDoS Testing of Web Applications

Secure coding practices

Assembly Language: Function Calls

Product Security Briefing

Università Ca Foscari Venezia

Documentation for exploit entitled nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit

About unchecked management SMM & UEFI. Vulnerability. Patch. Conclusion. Bruno Pujos. July 16, Bruno Pujos

Assembly Language: Function Calls" Goals of this Lecture"

Abysssec Research. 1) Advisory information. 2) Vulnerable version

Secure C Coding...yeah right. Andrew Zonenberg Alex Radocea

The Geometry of Innocent Flesh on the Bone

Summary: Direct Code Generation

Assembly Language: Function Calls" Goals of this Lecture"

My other computer is YOURS!

OpenBSD Remote Exploit

Assembly Language: Function Calls. Goals of this Lecture. Function Call Problems

POMP: Postmortem Program Analysis with Hardware-Enhanced Post-Crash Artifacts

IBM Integration Bus v9.0 System Administration: Course Content By Yuvaraj C Panneerselvam

Core GraphicsMemory Corruption CVE PDF Indexed colorspace buffer overflow

Buffer-Overflow Attacks on the Stack

Security Research Advisory IBM WebSphere Portal Cross-Site Scripting Vulnerability

SA30228 / CVE

Function Call Convention

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

Basic Pentium Instructions. October 18

COSEINC WINDOWS ADVISORY #3

CNIT 127: Exploit Development. Ch 3: Shellcode. Updated

Syscall Proxying. Simulating Remote Execution. Maximiliano Cáceres.

CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS

com_apple_avebridge::submi tdata NULL Dereference

Identifying and Analyzing Pointer Misuses for Sophisticated Memory-corruption Exploit Diagnosis

Microsoft Office CTaskSymbol Use- After-Free Vulnerability

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 21: Generating Pentium Code 10 March 08

Computer Systems Lecture 9

RBS Rockwell Automation FactoryTalk Services Platform RNADiagnostics Module Missing Size Field Validation Remote Denial of Service.

White Paper SOFTWARE TECHNIQUES FOR MANAGING SPECULATION ON AMD PROCESSORS

Digital Forensics Lecture 3 - Reverse Engineering

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Comparison Of File Infection On The Windows And Linux lclee_vx / F-13 Labs, lychan25/f-13 Labs

CanSecWest 2011, March Understanding and Exploiting Flash ActionScript Vulnerabilities -- Haifei Li, Sr. Security Researcher

Apology of 0days. Nicolás Waisman

POA Bridge. Security Assessment. Cris Neckar SECUREWARE.IO

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

Release Notes for Epilog for Windows Release Notes for Epilog for Windows v1.7

Data Exfiltration Techniques

Lecture 08 Control-flow Hijacking Defenses

com_apple_avebridge::query Completion Invalid Read

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

CS61 Section Solutions 3

Uncovering SAP vulnerabilities: Reversing and breaking the Diag protocol

Low Level Programming Lecture 2. International Faculty of Engineerig, Technical University of Łódź

Basic Concepts in Intrusion Detection

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

/ 28 HLL assembly Q4: Conditional instructions / 40 TOTAL SCORE / 100 EXTRA CREDIT / 10

Requirements for IT Infrastructure

Islamic University Gaza Engineering Faculty Department of Computer Engineering ECOM 2125: Assembly Language LAB. Lab # 7. Procedures and the Stack

CS 499 Lab 3: Disassembly of slammer.bin I. PURPOSE

Transcription:

MWR InfoSecurity Security Advisory IBM WebSphere MQ - rridecompress Remote Denial of Service Vulnerability 4th March 2010 2010-03-04 Page 1 of 9

Contents Contents 1 Detailed Vulnerability Description... 4 1.1 Introduction... 4 1.2 Technical Background... 5 1.3 Exploit Information... 6 1.4 Dependencies... 7 2 Recommendations... 8 2010-03-04 Page 2 of 9

rridecompress Remote Denial of Service rridecompress Remote Denial of Service Package Name: IBM WebSphere MQ Date: 2010-01-15 Affected Versions: WebSphere 7.0.0.2 on Windows are confirmed to be vulnerable. Other versions and platforms may also be affected by this issue. CVE Reference Author Severity Local/Remote Vulnerability Class Vendor URL Vendor Response Exploit Details Included CVE-2009-3159 A. Plaskett High Risk Remote Denial of service http://www-306.ibm.com/software/integration/wmq/ A patch is available from the following URL: http://www-01.ibm.com/support/docview.wss?uid=swg24024153 Yes (although no exploit code is provided). Proof of concept code is available on request. Overview: The WebSphere MQ service can be used to transfer messages between systems and applications. A vulnerability was identified with the packet handling routines which would allow a malicious attacker to cause a denial of service condition. Impact: This vulnerability could be exploited to prevent or disrupt legitimate users from accessing a Queue Manager. It is also possible that the MQ service could be forced to produce large memory dumps potentially disclosing sensitive information or resource exhaustion. Cause: The vulnerability is caused by an integer underflow in the function rridecompress which could allow an attacker to pass a large value to a memmove function size parameter. Interim Workaround: The use of SSL for authentication would mitigate this risk and restrict exploitation to those users in possession of a valid SSL client certificate. It is not expected that a security exit could prevent exploitation of this vulnerability, although only a limited number of exits have been tested at this point. Solution: The vendor supplied patches should be installed to resolve this issue. Links to the updated software can be found at the following location: http://www-01.ibm.com/support/docview.wss?uid= 2010-03-04 Page 3 of 9

Detailed Vulnerability Description 1 Detailed Vulnerability Description 1.1 Introduction WebSphere MQ is an Enterprise level application that can be used to provide a unified platform for messaging within an organisation. IBM describes their technology as follows: WebSphere MQ provides an award-winning messaging backbone for deploying your enterprise service bus (ESB) today as the connectivity layer of a service-orientated architecture (SOA). Source: http://www-306.ibm.com/software/integration/wmq/ Communication with MQ services can be achieved in a number of ways and the technology requires a feature rich API and extensions in order to integrate with an Enterprise environment. The main component of a WebSphere MQ instance is the Queue Manager. This is a process that manages the message queues and provides interfaces (known as channels) to the applications wishing to communicate with them. By default, a Queue Manager will listen on a network interface for incoming connections and process the data accordingly. A Queue Manager will accept any type of MQ data and begin processing it before determining whether the packet is authorised or has been received at the correct point within the application s state machine. The result of this fact is that a large amount of MQ code is exposed to unauthenticated users. Consequently, any vulnerability in the code used to parse the data after it has been passed from the network socket can potentially be exploited by an attacker. After receiving data from the network socket the MQ application will process and parse the data in various ways. The exact nature of this parsing is not within the scope of this document; however, it is important to note that a large amount of this activity occurs before a connection to the Queue Manager is fully established. Once the parsing has been completed MQ will check whether the state machine is setup such that the packet belongs to a session that has been correctly established with the Queue Manager at the application level. 2010-03-04 Page 4 of 9

Detailed Vulnerability Description 1.2 Technical Background An integer underflow vulnerability was identified within the function rridecompress which could lead to a large value being passed as the size parameter to the memmove operation. This size would be larger than expected by the application and would result in an access attempt to unmapped memory, thus causing the process amqrmppa to be terminated. The following code is taken from the rridecompress function and illustrates that the ESI register is populated with a value obtained from the packet..text:4e8e5ba6 and byte ptr [ebx+0bh], 0FBh.text:4E8E5BAA mov esi, [esp+80h+var_60] The ESI register is loaded with the segment size of the packet from the TSHM section of the packet. This value will later be used in further operations before being passed to a call to the memmove function. The processing continues as illustrated here:.text:4e8e5bae xor eax, eax.text:4e8e5bb0 cmp byte ptr [ebx+9], 4.text:4E8E5BB4 mov ecx, esi.text:4e8e5bb6 setz al.text:4e8e5bb9 lea eax, ds:2ch[eax*4] The EAX register is initially zeroed by the XOR operation. The segment type value read from the TSHM section of the packet (EBX+9) is then used to compare against the constant value 4. The ECX register is then loaded with the size of the packet from the ESI register (after it has been converted from a TSHM segment to a TSH segment). The register state resulting from this operation is such that the AL register is then not set. This results in the constant value 0x2C being loaded into the EAX register by the LEA instruction..text:4e8e5bc0 sub ecx, eax.text:4e8e5bc2 add ebx, eax.text:4e8e5bc4 sub ecx, 4.text:4E8E5BC7 push ecx ; size_t.text:4e8e5bc8 lea edx, [ebx+4].text:4e8e5bcb push edx ; void *.text:4e8e5bcc push ebx ; void *.text:4e8e5bcd call ds: imp memmove The value held in EAX (constant size 0x2C) is then subtracted from the attacker controlled ECX register (previously populated by a value derived from the TSH segment size). If the attacker controlled ECX register is less than 0x2C then an integer underflow occurs which results in a large number. The value is then decreased even further when the subsequent sub instruction occurs. The ECX value is then passed to the memmove call which causes a trap (Access Violation) to occur because it attempts to read beyond the extent of the memory that is mapped. This results in a denial of service of the amqrmppa process as it is terminated at this point. 2010-03-04 Page 5 of 9

Detailed Vulnerability Description 1.3 Exploit Information To exploit this vulnerability a packet must be crafted which triggers a call to the rridecompress function. The following MQ trace output shows the call stack for reaching this function. 00003143 16:40:59.966764 1524.3 RSESS:000001 -----{ cciprocessuserdata 00003144 16:40:59.966774 1524.3 RSESS:000001 ------{ cciprocessasyncrcv 00003145 16:40:59.966784 1524.3 RSESS:000001 -------{ rriserverasyncrcv 00003146 16:40:59.966793 1524.3 RSESS:000001 --------{ ccxgetuserdata 00003147 16:40:59.966803 1524.3 RSESS:000001 --------} ccxgetuserdata (rc=ok) 00003148 16:40:59.967073 1524.3 RSESS:000001 --------{ rridecompress 00003149 16:40:59.967103 1524.3 RSESS:000001 Just removing CSH for SegmentType : 0x5 0000314A 16:40:59.967712 1524.3 RSESS:000001 ---------{ xcsffst 0000314B 16:40:59.967737 1524.3 RSESS:000001!! - ErrorCode :- 20006119 Numeric Insert1 :- 00000000 (0) Numeric Insert2 :- 00000000 (0) 0000314C 16:40:59.967748 1524.3 RSESS:000001!! - Access Violation at address 01AFD000 when reading A malicious status packet (0x5 segment type) can be constructed which will be handled by the rridecompress function. The following fields are those which can be set in the packet to trigger the rridecompress function in an unexpected manner. All other data should be set according to the format of a valid Status packet. Field Name TSHM segment length TSHM unknown field 1 TSHM segment type TSHM Reserved flag Value 0x2D (Becomes 0x25 after conversion) 0x01 0x05 0x14 By sending the above packet it was possible to cause an underflow to occur in the following code:.text:4e8e5bc0 sub ecx, eax ; eax = 0x2C 0x25-0x2C = 0xfffffff.text:4E8E5BC2 add ebx, eax.text:4e8e5bc4 sub ecx, 4 ; ecx = 0xfffffff9-4 = ecx = 0xfffffff5.text:4E8E5BC7 push ecx ; size_t ecx = 0xfffffff.text:4E8E5BC8 lea edx, [ebx+4].text:4e8e5bcb push edx ; void *.text:4e8e5bcc push ebx ; void *.text:4e8e5bcd call ds: imp memmove It is expected that this issue is not further exploitable because of the size of the buffer which is allocated (as this is much larger than the size an attacker could reliably control and overflow). However, because of the inherently dangerous nature of memory corruption vulnerabilities and the fact that the only mitigating control 2010-03-04 Page 6 of 9

Detailed Vulnerability Description available in this instance is the use of SSL, it is recommended that this issue should be addressed in an appropriate manner. 1.4 Dependencies Initial testing indicated that it would be possible to prevent this specific, vulnerable code path being executed by the use of a security exit. However, the security exit tested amqrspin.dll was prone to another issue which would cause an earlier access violation to happen which would also cause the process amqrmppa to terminate. Consequently, this issue is rated as high risk as an unauthorised attacker could cause the amqrmppa process to terminate regardless of whether a security exit had been implemented or not. The use of SSL for authentication would mitigate this risk and restrict exploitation to those users in possession of a valid SSL client certificate. 2010-03-04 Page 7 of 9

Recommendations 2 Recommendations It is recommended that all users install the appropriate security patches released by the vendor in response to this issue. Links to the updated software can be found at the following location: http://www-01.ibm.com/support/docview.wss?uid=swg24024153 2010-03-04 Page 8 of 9

Error! No MWR text of InfoSecurity specified style in document. St. Clement House 1-3 Alencon Link Basingstoke, RG21 7SB Tel: +44 (0)1256 300920 Fax: +44 (0)1256 844083 mwrinfosecurity.com 2010-03-04 Page 9 of 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback