Fujitsu Systemcast Wizard Lite PXE Request Remote Overflow Vulnerability

Vulnerability ID: 1183936
Vulnerability type: Buffer overflow
Published: 2009-01-19
Updated: 2009-02-17
CVE: CVE-2009-0270
CNNVD ID: CNNVD-200901-337
Platform: N/A
CVSS score: 10.0
|Vulnerability sources
https://www.securityfocus.com/bid/33342
https://cxsecurity.com/issue/WLB-2009010207
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200901-337
|Vulnerability details
SystemcastWizard Lite is support software for setting up Fujitsu PRIMEQUEST server systems. Its PXEService service listens for PXE protocol requests. Inbound packets are copied into a fixed 0x400-byte buffer, but the length argument passed to recvfrom() is 0x5DC. A remote attacker who sends a specially crafted UDP packet longer than 0x400 bytes can therefore trigger the overflow and execute arbitrary code.
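The following C program is an added illustration for this page; it is not code from PXEService, Fujitsu, or the Wintercore advisory. It models the flaw described above: a fixed 0x400-byte buffer that recvfrom() is allowed to fill with 0x5DC bytes. A stand-in for recvfrom() (fake_recvfrom, an assumption of this example) copies a constructed datagram so the program runs without a socket, and a guard region sized to the excess 0x1DC bytes stands in for whatever follows the buffer in memory, so the overwrite is measured inside one object instead of corrupting the running process. The fixed variant derives the length from the buffer itself, so an oversized datagram is truncated rather than written out of bounds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes from the advisory's disassembly: the fixed buffer at byte_414970
 * holds 0x400 bytes, yet recvfrom() is told it may write 0x5DC. */
#define PXE_BUF_SIZE   0x400u
#define FLAWED_LEN_ARG 0x5DCu
#define GUARD_FILL     0xAAu
#define MAX_DGRAM      0x800u   /* largest constructed datagram built here */

/* Offline stand-in for recvfrom() (an assumption of this example, not part
 * of PXEService): writes up to `len` bytes of the pending datagram into
 * `dst`, as the socket layer would, and returns how many bytes it wrote. */
static size_t fake_recvfrom(uint8_t *dst, size_t len,
                            const uint8_t *dgram, size_t dgram_len)
{
    size_t n = dgram_len < len ? dgram_len : len;
    memcpy(dst, dgram, n);
    return n;
}

/* Model of the vulnerable layout: the 0x400-byte receive buffer followed by
 * whatever the linker placed after it.  The guard is exactly as large as the
 * excess length argument (0x1DC bytes), so every byte the flawed call can
 * write past the buffer lands inside this one object and the demonstration
 * stays memory-safe. */
struct vuln_layout {
    uint8_t buf[PXE_BUF_SIZE];
    uint8_t guard[FLAWED_LEN_ARG - PXE_BUF_SIZE];
};

/* Receive a constructed datagram of `dgram_len` 'A' bytes the way PXEService
 * does (len = 0x5DC) and report how many guard bytes were overwritten. */
size_t guard_bytes_clobbered(size_t dgram_len)
{
    struct vuln_layout st;
    uint8_t dgram[MAX_DGRAM];
    size_t i, clobbered = 0;

    if (dgram_len > sizeof dgram)
        dgram_len = sizeof dgram;
    memset(&st, GUARD_FILL, sizeof st);
    memset(dgram, 'A', dgram_len);

    /* [FLAW] the length is a constant unrelated to the destination size */
    fake_recvfrom((uint8_t *)&st, FLAWED_LEN_ARG, dgram, dgram_len);

    for (i = 0; i < sizeof st.guard; i++)
        if (st.guard[i] != GUARD_FILL)
            clobbered++;
    return clobbered;
}

/* Hardened receive: the length handed to recvfrom() is derived from the
 * destination buffer, so the worst an oversized datagram can do is get
 * truncated.  Returns the number of bytes now in rx->buf. */
struct pxe_rx {
    uint8_t buf[PXE_BUF_SIZE];
    size_t  len;
};

size_t pxe_receive_fixed(struct pxe_rx *rx,
                         const uint8_t *dgram, size_t dgram_len)
{
    rx->len = fake_recvfrom(rx->buf, sizeof rx->buf, dgram, dgram_len);
    return rx->len;
}

/* Same constructed datagram through the fixed path; returns bytes kept. */
size_t fixed_receive_keeps(size_t dgram_len)
{
    struct pxe_rx rx;
    uint8_t dgram[MAX_DGRAM];

    if (dgram_len > sizeof dgram)
        dgram_len = sizeof dgram;
    memset(dgram, 'A', dgram_len);
    return pxe_receive_fixed(&rx, dgram, dgram_len);
}

int main(void)
{
    size_t sizes[] = { 0x400, 0x500, 0x700 };
    size_t i;

    for (i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("datagram of 0x%zx bytes: flawed call clobbers %zu bytes past "
               "the buffer, fixed call keeps %zu bytes\n",
               sizes[i], guard_bytes_clobbered(sizes[i]),
               fixed_receive_keeps(sizes[i]));
    return 0;
}
```

Two caveats for a real fix beyond the length argument: on Windows a datagram larger than len makes recvfrom() fail with WSAEMSGSIZE while still delivering the bytes that fit, and on Linux the excess is silently dropped unless MSG_TRUNC is used, so the service must also treat a truncated request as malformed rather than parse it as if it were complete.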
|Exploit

[ Wintercore Research:: Advisory W01-0109 ]

html version: http://www.wintercore.com/advisories/advisory_W010109.html

1. Background

"SystemcastWizard Lite is support software for the setup of the
PRIMEQUEST system"

2. Non-technical description

PXEService.exe is prone to a remote buffer overflow due to improper
bounds checking when handling PXE requests.

A remote unauthenticated malicious attacker can take advantage of this
flaw to execute arbitrary code by sending a specially crafted UDP packet.

3. Technical Description

PXEService listens for PXE protocol requests. Incoming packets are copied
into a fixed buffer of 0x400 bytes. However, the argument passed to
"recvfrom()" as len is 0x5DC, therefore if an attacker is able to send a
specially crafted UDP packet which exceeds that fixed length (0x400), an
overflow condition will occur. With enough crafting, an attacker can
take advantage of this flaw to execute arbitrary code on affected systems.

V4.0L11
MD5: 0C18CC97F02844445C805BB0986D6A4E

Module: PXEService.exe (32-bit)                             Overflow

.text:00402789 push eax ; fromlen
.text:0040278A lea ecx, [esp+20h+from]
.text:0040278E push ecx ; from
.text:0040278F push 0 ; flags
.text:00402791 push 5DCh ; len [FLAW]
.text:00402796 push offset byte_414970 ; fixed buffer 0x400
.text:0040279B push edx ; s
.text:0040279C mov [esp+34h+fromlen], 10h
.text:004027A4 call recvfrom ; BUFFER OVERFLOW

4. Exploiting it.

The exploit is trivial.

5. References

http://www.fujitsu.com/global/services/computing/server/primequest/products/os/windows-server-2008-2.html
Advisory (English)

http://www.fujitsu.com/global/services/computing/server/primequest/downloads/
Patch

http://primeserver.fujitsu.com/primequest/products/os/windows2008.html
(Japanese)

http://primeserver.fujitsu.com/primequest/download/?from=relatedlinks
Patch (Japanese)

6. Products Affected

SystemcastWizard Lite <= 2.0

7. Credits

Vulnerability discovered and researched by Ruben Santamarta, Wintercore.

8. Disclosure Timeline

05/26/2008	- Vendor Contacted
05/29/2008	- Vendor Acknowledged.
01/16/2009	- Coordinated disclosure

--

Wintercore
C/ Isla de Salvora, 180.
28400 Collado Villalba.
Spain
Phone: +(34) 91 849 98 89
www.wintercore.com
|Affected products
Fujitsu Systemcast Wizard Lite 2.0a
Fujitsu Systemcast Wizard Lite 2.0
Fujitsu Systemcast Wizard Lite 1.9
Fujitsu Systemcast Wizard Lite 1.8a
Fujitsu Systemcast Wizard Lite 1.8
|References

Source: www.fujitsu.com
Link: http://www.fujitsu.com/global/services/computing/server/primequest/products/os/windows-server-2008-2.html
Source: MISC
Link: http://www.wintercore.com/advisories/advisory_W010109.html
Source: BID
Name: 33342
Link: http://www.securityfocus.com/bid/33342
Source: BUGTRAQ
Name: 20090119 [Wintercore Research] Fujitsu Systemcast Wizard Lite PXEService Remote Buffer Overflow.
Link: http://www.securityfocus.com/archive/1/archive/1/500172/100/0/threaded
Source: VUPEN
Name: ADV-2009-0176
Link: http://www.frsirt.com/english/advisories/2009/0176
Source: SECUNIA
Name: 33594
Link: http://secunia.com/advisories/33594
Source: OSVDB
Name: 51486
Link: http://osvdb.org/51486