ASG-Sentry Network Manager 多个缓冲区溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1114737 漏洞类型 缓冲区溢出
发布时间 2008-03-10 更新时间 2008-09-05
CVE编号 CVE-2008-1320 CNNVD-ID CNNVD-200803-215
漏洞平台 Multiple CVSS评分 10.0
|漏洞来源
https://www.exploit-db.com/exploits/5229
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200803-215
|漏洞详情
ASG-SentryNetworkManager存在缓冲区溢出。远程攻击者通过(1)一个长的请求到达TCP端口6162上的FxIAList,或者(2)通过一个具有长的社区字符串的SNMP请求到达UDP端口6161上的FxAgent,以造成一个拒绝服务(崩溃)。
|漏洞EXP
#######################################################################

                             Luigi Auriemma

Application:  ASG-Sentry
              http://www.asg-sentry.com
Versions:     <= 7.0.0
Platforms:    Windows and Unix
Bugs:         A] arbitrary files deleting
              B] heap-overflow in FxAgent
              C] termination of FxIAList
              D] buffer-overflow in FxIAList
Exploitation: remote
Date:         10 Mar 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


>From vendor's website:
"The ASG-Sentry family of products is a suite of tools strategically
engineered to control, monitor, manage, and enhance your network.
Sentry's tools provide you with full visibility to your network from
any Web browser. Sentry also allows you to fully instrument your
company's applications, CPUs, disk space, memory, files, Windows and
UNIX platforms, and more."


#######################################################################

=======
2) Bugs
=======

---------------------------
A] arbitrary files deleting
---------------------------

The fcheck.exe (File Check Utility) CGI available in ASG is used for
handling some index files which contain a list of filenames and
checksums.

The -b option of this utility allows the creation of these index files
and is possible to specify both the name of the output file and,
optionally, the folder which will be scanned recursively for finding
and reading the various files to add to the list.

The first vulnerability is in the possibility for an external attacker
to use this CGI for overwriting existent files with no data (specifying
a new folder which will be created by the same program) or with the
list of filenames described before.
Naturally is possible to specify both files on the local disks or on
network shares.

The second effect instead is the possibility of occupying CPU and disk
for the scanning of any file in the disk simply specyfing, for example,
c:\ as folder.


---------------------------
B] heap-overflow in FxAgent
---------------------------

The FxAgent process running on UDP port 6161 is used for handling the
various SNMP requests.
A community field longer than 64 bytes can be used by an attacker to
exploit a heap-overflow.


--------------------------
C] termination of FxIAList
--------------------------

FxIAList is a service which runs on the TCP port 6162 and is used for
the logging operations which include the commands "exit", "trace on"
"verbose", "trace off" and the name of the log file to create
(xxxx.xx.xx) and its content.
The main problem is that the server doesn't require authentication so
anyone can send the "exit" command and the service will just terminate.


------------------------------
D] buffer-overflow in FxIAList
------------------------------

The same service described before is affected also by a stack based
buffer-overflow which happens during the copying of the data we want
to write to the log file (max 1023 bytes) in a buffer of only 500.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/asgulo.zip
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/5229.zip (2008-asgulo.zip)

A]
  http://SERVER:6161/snmx-cgi/fcheck.exe?-b+..\../..\boot.ini
  http://SERVER:6161/snmx-cgi/fcheck.exe?-b+c:\windows\win.ini
  http://SERVER:6161/snmx-cgi/fcheck.exe?-b+c:\file.txt+c:\
  http://SERVER:6161/snmx-cgi/fcheck.exe?-b+\host\document.txt
    this link for the network share is correct because Apache converts
    any backslash to double so that one becomes \\host\\document.txt

B]
  nc SERVER 6161 -v -v -u < asgulo_fxagent.txt

C]
  nc SERVER 6162 -v -v -w 1 < asgulo-ialist1.txt

D]
  nc SERVER 6162 -v -v -w 1 < asgulo-ialist2.txt


#######################################################################

======
4) Fix
======


No fix


#######################################################################

# milw0rm.com [2008-03-10]
|参考资料

来源:XF
名称:asgsentry-fxialist-bo(41086)
链接:http://xforce.iss.net/xforce/xfdb/41086
来源:XF
名称:asgsentry-fxagent-bo(41082)
链接:http://xforce.iss.net/xforce/xfdb/41082
来源:BID
名称:28188
链接:http://www.securityfocus.com/bid/28188
来源:BUGTRAQ
名称:20080310MultiplevulnerabilitiesinASG-Sentry7.0.0
链接:http://www.securityfocus.com/archive/1/archive/1/489359/100/0/threaded
来源:MILW0RM
名称:5229
链接:http://www.milw0rm.com/exploits/5229
来源:VUPEN
名称:ADV-2008-0839
链接:http://www.frsirt.com/english/advisories/2008/0839/references
来源:SECUNIA
名称:29289
链接:http://secunia.com/advisories/29289
来源:MISC
链接:http://aluigi.altervista.org/adv/asgulo-adv.txt
来源:SREASON
名称:3737
链接:http://securityreason.com/securityalert/3737