Fujitsu SystemcastWizard Lite PXEService Remote Buffer Overflow.

2009.01.28
Credit: wintercore
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

[ Wintercore Research:: Advisory W01-0109 ]
html version: http://www.wintercore.com/advisories/advisory_W010109.html

1. Background

"SystemcastWizard Lite is support software for the setup of the PRIMEQUEST system"

2. Non-technical description

PXEService.exe is prone to a remote buffer overflow due to improper bounds checking when handling PXE requests. A remote, unauthenticated attacker can take advantage of this flaw to execute arbitrary code by sending a specially crafted UDP packet.

3. Technical description

PXEService listens for PXE protocol requests. Incoming packets are copied into a fixed buffer of 0x400 bytes. However, the len argument passed to "recvfrom()" is 0x5DC, so if an attacker sends a specially crafted UDP packet longer than the fixed buffer (0x400 bytes), an overflow condition will occur. With enough crafting, an attacker can take advantage of this flaw to execute arbitrary code on affected systems.

V4.0L11
MD5: 0C18CC97F02844445C805BB0986D6A4E
Module: PXEService.exe (32-bit)

Overflow

    .text:00402789 push eax                 ; fromlen
    .text:0040278A lea ecx, [esp+20h+from]
    .text:0040278E push ecx                 ; from
    .text:0040278F push 0                   ; flags
    .text:00402791 push 5DCh                ; len [FLAW]
    .text:00402796 push offset byte_414970  ; fixed buffer 0x400
    .text:0040279B push edx                 ; s
    .text:0040279C mov [esp+34h+fromlen], 10h
    .text:004027A4 call recvfrom            ; BUFFER OVERFLOW

4. Exploiting it

The exploit is trivial.

5. References

http://www.fujitsu.com/global/services/computing/server/primequest/products/os/windows-server-2008-2.html - Advisory (English)
http://www.fujitsu.com/global/services/computing/server/primequest/downloads/ - Patch
http://primeserver.fujitsu.com/primequest/products/os/windows2008.html - (Japanese)
http://primeserver.fujitsu.com/primequest/download/?from=relatedlinks - Patch (Japanese)

6. Products Affected

SystemcastWizard Lite <= 2.0

7. Credits

Vulnerability discovered and researched by Ruben Santamarta, Wintercore.

8. Disclosure Timeline

05/26/2008 - Vendor Contacted
05/29/2008 - Vendor Acknowledged
01/16/2009 - Coordinated disclosure

--
Wintercore
C/ Isla de Salvora, 180. 28400 Collado Villalba. Spain
Phone: +(34) 91 849 98 89
www.wintercore.com
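The flaw in section 3 is a length argument that does not match the buffer it describes. The following C model, added here and not taken from PXEService.exe or from the advisory, reproduces that mismatch with a stand-in for recvfrom() and a constructed datagram: the struct layout, the guard region and the mock_recvfrom() helper are assumptions, while the 0x400 buffer size and the 0x5DC length come from the advisory. It shows how many bytes past the buffer a 0x5DC-byte datagram lands with the flawed length, and that passing sizeof(buf) instead contains it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PXE_BUF_SIZE   0x400   /* fixed buffer size named in the advisory */
#define FLAWED_LEN_ARG 0x5DC   /* len argument the advisory reports at recvfrom */

/* Assumed model of the handler's memory: the fixed buffer followed by a guard
 * region standing in for whatever really follows it in the process image. */
struct rx_frame {
    uint8_t buf[PXE_BUF_SIZE];
    uint8_t guard[0x200];
};

/* Stand-in for recvfrom(): like the real call it copies up to `len` bytes of
 * the datagram and has no knowledge of how large dst actually is. */
static size_t mock_recvfrom(void *dst, size_t len, const uint8_t *pkt, size_t pktlen)
{
    size_t n = pktlen < len ? pktlen : len;
    memcpy(dst, pkt, n);
    return n;
}

/* Receive a constructed datagram of pktlen bytes with the given len argument
 * and return how many guard bytes were overwritten (0 means the bound held). */
static size_t guard_bytes_clobbered(size_t len_arg, size_t pktlen)
{
    static uint8_t pkt[0x1000];
    struct rx_frame f;
    size_t i, clobbered = 0;

    memset(pkt, 0x41, sizeof pkt);   /* constructed filler payload */
    memset(&f, 0, sizeof f);
    /* &f is the address of f.buf; copying into the whole struct keeps the
     * overrun inside one object so the model itself stays well-defined. */
    mock_recvfrom(&f, len_arg, pkt, pktlen);
    for (i = 0; i < sizeof f.guard; i++)
        clobbered += f.guard[i] != 0;
    return clobbered;
}

int main(void)
{
    printf("flawed   len=0x%X, 0x5DC-byte datagram: %zu bytes past buffer\n",
           FLAWED_LEN_ARG, guard_bytes_clobbered(FLAWED_LEN_ARG, 0x5DC));
    printf("hardened len=sizeof buf, same datagram: %zu bytes past buffer\n",
           guard_bytes_clobbered(PXE_BUF_SIZE, 0x5DC));
    return 0;
}
```

The fix the model illustrates is the one-line change of passing the receiving buffer's real size as len; any datagram longer than that is then truncated rather than written past the buffer.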

References:

http://www.fujitsu.com/global/services/computing/server/primequest/products/os/windows-server-2008-2.html
http://www.wintercore.com/advisories/advisory_W010109.html

