Date: Wed, 2 Jun 2010 08:46:12 +0200 From: Sebastian Krahmer <krahmer@...e.de> To: oss-security@...ts.openwall.com Subject: Re: SFCB vulnerabilities FYI, there have been plenty of other bugs inside sblim-sfcb, including format string vulns in mlogf(). Dunno when they fixed that upstream, but our sblim did that in 2008. Unfortunally they seem to re-introduce these bugs in other sblims like sblim-gather. Did you look at that too? Sebastian On Tue, Jun 01, 2010 at 10:21:55PM +0200, Nicolas Grégoire wrote: > Le mardi 01 juin 2010 à 13:52 -0400, Josh Bressers a écrit : > > Please use CVE-2010-2054 > > Thanks. > My advisory is attached to this mail. > > Regards, > Nicolas Grégoire / Agarri > > SFCB "Content-Length" heap overflow > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > [=] Product overview > > SBLIM SFCB is an Open Source implementation of a WBEM CIM broker. WBEM is a set of technologies aimed to monitor and administer (larges) pools of computing ressources, applications, hardware. It's used by computers management tools like HP Systems Insight Manager, VMware vSphere or IBM Director. SFCB usually listens on TCP ports 5988 (HTTP) or 5989 (HTTPS) and is used in many Linux distributions and some VMware / Dell products. > > [=] Vulnerabilities > > * CVE-2010-1937 (SFCB bug #3001896) : pre-auth remote heap overflow using a forged Content-Length header > > When parsing a HTTP request, SFCB will use any positive Content-Length value to allocate a buffer. Then, memcpy tries to copy the user-provided POST data in this buffer. By sending a small value in the Content-Length header and more data in the POST body, it's possible to overflow the previously allocated heap buffer. > > Vulnerable versions : up to 1.3.7 > > * CVE-2010-2054 (SFCB bug #3001915) : pre-auth remote integer overflow using a forged Content-Length header > > If the configuration option "httpMaxContentLength" is explicitly set to 0, SFCB will only check that the Content-Length value is positive and lower than UINT_MAX and then use it (adding 8) to allocate a buffer. Then, memcpy tries to copy the user-provided POST data in this buffer. By sending a value between UINT_MAX-7 and UINT_MAX-1, it is possible to overflow a buffer of size 1 to 7. > > Vulnerable versions : from 1.3.4 to 1.3.7 > > [=] Note about VMware products > > VMware ESXi 3.5, ESXi 4 and ESX 4 are running by default a modified version of SFCB (v1.3.3 in ESX 4). However they were tested as non vulnerable : > - CVE-2010-1937 has been silently patched in WMware products > - CVE-2010-2054 doesn't affect versions lower than 1.3.4 > > [=] Mitigating factors > > None : > - SSL authentication could mitigate this bug but isn't used by SFCB > - the bug is triggered before any HTTP-layer credential checks > - POST and M-POST are default methods used by WBEM > > [=] Vectors > > These vulnerabilities can be triggered by default on port TCP/5988 (HTTTP) or TCP/5989 (HTTPS), using POST or M-POST requests. > > [=] Solution > > Upgrade to version 1.3.8 > > [=] Links > > SBLIM SFCB : > http://sourceforge.net/apps/mediawiki/sblim/index.php?title=Sfcb > WBEM : > http://en.wikipedia.org/wiki/Web-Based_Enterprise_Management > > CVE-2010-1937 : > http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1937 > CVE-2010-2054 : > http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2054 > > SFCB bug #3001896 : > http://sourceforge.net/tracker/?func=detail&aid=3001896&group_id=128809&atid=712784 > SFCB bug #3001915 : > http://sourceforge.net/tracker/?func=detail&aid=3001915&group_id=128809&atid=712784 > > Regards, > Nicolas Grégoire / Agarri -- ~ ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer@...e.de - SuSE Security Team ~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.