Juniper Installer Service Stack Buffer Overflow Vulnerability I. BACKGROUND Juniper Installer Service is a client side component, which allows users with limited privileges to maintain client side components necessary for use with Juniper IVE OS network appliances. For more information see the vendor's website at the following link. http://kb.juniper.net/KB9084 II. DESCRIPTION Remote exploitation of a buffer overflow vulnerability in Juniper Networks Inc.'s Juniper Installer Service, as included in several Juniper client side applications, could allow an attacker to execute arbitrary code with SYSTEM privileges. The Juniper Installer Service utilizes a named pipe for component installation management commands. Specifically, the commands DSSETUPSERVICE_CMD_INSTALLFILE, DSSETUPSERVICE_CMD_UNINSTALL, DSSETUPSERVICE_CMD_PING, and DSSETUPSERVICE_CMD_REGISTER are recognized by the Installer Service. The DSSETUPSERVICE_CMD_UNINSTALL command handles user supplied data incorrectly, which leads to a stack-based buffer overflow. III. ANALYSIS Exploitation of this vulnerability allows an attacker to execute arbitrary code on the targeted machine with SYSTEM privileges. An attacker would need to have access to the named pipe (\\Device\\LanmanRedirector\\%SERVERNAME%\\pipe\\NeoterisSetupService) created by the Juniper Installer Service. The attacker would need to craft a malformed DSSETUP_CMD_UNINSTALL command, which contains an overly large string to trigger the buffer overflow. The service automatically restarts when the service crashes. This gives an attacker many chances to attempt to exploit this issue. IV. DETECTION The Juniper Installer Service (dsInstallerService.dll) as included with Juniper's Odyssey Access Client version 4.72.11421.0 was tested and found to be vulnerable. Previous versions may also be vulnerable. It is important to note that Juniper supports several products, which include the Juniper Installer Service. These products may also be vulnerable to this issue. V. WORKAROUND iDefense recommends disabling the Juniper Unified Network Service. This workaround may impact component management on the client side. VI. VENDOR RESPONSE Hewlett-Packard Development Co. LP (HP) has released a patch which addresses this issue. Information about vendor updates can be found by clicking on the URLs shown. This information is only available to Juniper customers with a valid login. https://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlert Number=PSN-2009-10-540&viewMode=view VII. CVE INFORMATION A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet. VIII. DISCLOSURE TIMELINE 10/28/2008 - Initial Contact 10/29/2008 - PoC Sent 12/03/2009 - Public disclosure IX. CREDIT This vulnerability was reported to iDefense by Ruben Santamarta. Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php Free tools, research and upcoming events http://labs.idefense.com/ X. LEGAL NOTICES Copyright © 2010 iDefense, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customer service for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.