Juniper Installer Service Stack Buffer Overflow Vulnerability
I. BACKGROUND
Juniper Installer Service is a client-side component that allows users with limited privileges to install and maintain the client-side components needed to connect to Juniper IVE OS network appliances. For more information, see the vendor's website at the following link.
http://kb.juniper.net/KB9084
II. DESCRIPTION
Remote exploitation of a buffer overflow vulnerability in Juniper Networks Inc.'s Juniper Installer Service, as included in several Juniper client side applications, could allow an attacker to execute arbitrary code with SYSTEM privileges.
The Juniper Installer Service uses a named pipe to receive component installation management commands. Specifically, the commands DSSETUPSERVICE_CMD_INSTALLFILE, DSSETUPSERVICE_CMD_UNINSTALL, DSSETUPSERVICE_CMD_PING, and DSSETUPSERVICE_CMD_REGISTER are recognized by the Installer Service. The handler for the DSSETUPSERVICE_CMD_UNINSTALL command copies user-supplied data into a fixed-size stack buffer without checking its length, which leads to a stack-based buffer overflow.
III. ANALYSIS
Exploitation of this vulnerability allows an attacker to execute arbitrary code on the targeted machine with SYSTEM privileges. An attacker would need to have access to the named pipe (\\Device\\LanmanRedirector\\%SERVERNAME%\\pipe\\NeoterisSetupService) created by the Juniper Installer Service. The attacker would then send a malformed DSSETUPSERVICE_CMD_UNINSTALL command containing an overly long string to trigger the buffer overflow. The service restarts automatically after a crash, so a failed attempt does not deny the attacker further tries; this gives an attacker many chances to exploit the issue.
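The following is an added example written for this page, not code from the advisory or from Juniper's dsInstallerService.dll. It reconstructs the class of bug described above, a named-pipe command handler that copies a client-controlled string into a fixed-size stack buffer, and places it beside a hardened handler that enforces the bound. The wire framing (a 32-bit command id, a 32-bit payload length, then the payload), the numeric values of the DSSETUPSERVICE_CMD_* constants and the 64-byte buffer size are all assumptions for the example; the real service's message format is not documented on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Command names come from the advisory; the numeric values are assumed
 * for this example and are not the service's real encoding. */
enum {
    DSSETUPSERVICE_CMD_INSTALLFILE = 1,
    DSSETUPSERVICE_CMD_UNINSTALL   = 2,
    DSSETUPSERVICE_CMD_PING        = 3,
    DSSETUPSERVICE_CMD_REGISTER    = 4
};

/* Assumed pipe message framing: u32 command id, u32 payload length
 * (both little-endian), then the payload bytes. */
#define HDR_LEN  8
/* Size of the fixed stack buffer the handler copies the name into. */
#define NAME_BUF 64

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Vulnerable pattern: trusts the client's string and copies it into a
 * 64-byte stack buffer with no length check. An UNINSTALL payload longer
 * than NAME_BUF overwrites the saved frame. Shown for contrast only;
 * never feed it untrusted input. */
static int uninstall_vulnerable(const uint8_t *msg, size_t msglen) {
    char name[NAME_BUF];
    if (msglen < HDR_LEN || rd32(msg) != DSSETUPSERVICE_CMD_UNINSTALL)
        return -1;
    strcpy(name, (const char *)msg + HDR_LEN); /* bug: unbounded copy */
    printf("uninstalling %s\n", name);
    return 0;
}

/* Hardened handler: validates framing, checks the declared length
 * against both the received message and the destination buffer, and
 * rejects rather than truncates. Returns 0 on success, -1 if the
 * message is malformed, -2 if the payload is too long for the buffer. */
static int uninstall_hardened(const uint8_t *msg, size_t msglen,
                              char *out, size_t outsz) {
    if (msglen < HDR_LEN) return -1;
    if (rd32(msg) != DSSETUPSERVICE_CMD_UNINSTALL) return -1;
    uint32_t len = rd32(msg + 4);
    if (len > msglen - HDR_LEN) return -1;  /* length exceeds message */
    if (len >= outsz) return -2;            /* no room for the NUL */
    if (memchr(msg + HDR_LEN, '\0', len) != NULL) return -1; /* embedded NUL */
    memcpy(out, msg + HDR_LEN, len);
    out[len] = '\0';
    return 0;
}

/* Builds a constructed message (command, length, payload, trailing NUL)
 * into buf. Returns the message length, or 0 if buf is too small. */
static size_t build_msg(uint8_t *buf, size_t bufsz, uint32_t cmd,
                        const char *payload) {
    size_t plen = strlen(payload);
    if (bufsz < HDR_LEN + plen + 1) return 0;
    wr32(buf, cmd);
    wr32(buf + 4, (uint32_t)plen);
    memcpy(buf + HDR_LEN, payload, plen + 1);
    return HDR_LEN + plen;
}

/* Runs the hardened handler on a constructed message and returns its
 * result code, so the behaviour on short and oversized names is checkable. */
int run_hardened_case(uint32_t cmd, const char *payload) {
    uint8_t buf[512];
    char out[NAME_BUF];
    size_t n = build_msg(buf, sizeof buf, cmd, payload);
    if (n == 0) return -3;
    return uninstall_hardened(buf, n, out, sizeof out);
}

/* Returns 1 if the hardened handler copied the payload intact. */
int hardened_name_matches(const char *payload) {
    uint8_t buf[512];
    char out[NAME_BUF];
    size_t n = build_msg(buf, sizeof buf, DSSETUPSERVICE_CMD_UNINSTALL, payload);
    if (n == 0 || uninstall_hardened(buf, n, out, sizeof out) != 0) return 0;
    return strcmp(out, payload) == 0;
}

int main(void) {
    char big[200];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    /* Only the hardened path is exercised with the long name. */
    printf("short name: %d\n", run_hardened_case(DSSETUPSERVICE_CMD_UNINSTALL, "JuniperSetupClient"));
    printf("199-byte name: %d\n", run_hardened_case(DSSETUPSERVICE_CMD_UNINSTALL, big));
    uint8_t buf[64];
    size_t n = build_msg(buf, sizeof buf, DSSETUPSERVICE_CMD_UNINSTALL, "short");
    return uninstall_vulnerable(buf, n);
}
```

The point of contrast is that the hardened handler checks the declared length twice, once against what was actually received (so a lying header cannot make it read past the message) and once against the destination buffer (so it refuses the oversized string instead of overflowing); a service that crashes and auto-restarts, as this one does, would otherwise give the client unlimited retries.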
IV. DETECTION
The Juniper Installer Service (dsInstallerService.dll) as included with Juniper's Odyssey Access Client version 4.72.11421.0 was tested and found to be vulnerable. Previous versions may also be vulnerable. Note that Juniper ships the Installer Service with several products; those products may also be affected by this issue.
V. WORKAROUND
iDefense recommends disabling the Juniper Unified Network Service. This workaround may impact component management on the client side.
VI. VENDOR RESPONSE
Juniper Networks Inc. has released a patch which addresses this issue. Information about vendor updates can be found at the URL shown below. This information is only available to Juniper customers with a valid login.
https://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2009-10-540&viewMode=view
VII. CVE INFORMATION
A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.
VIII. DISCLOSURE TIMELINE
10/28/2008 - Initial Contact
10/29/2008 - PoC Sent
12/03/2009 - Public disclosure
IX. CREDIT
This vulnerability was reported to iDefense by Ruben Santamarta.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2010 iDefense, Inc.
Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customer service for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.