SBLIM SFCBs up to 1.3.7 pre-auth remote integer and heap overflow

2010-06-03 / 2010-06-04
Credit: Agarri
Risk: High
Local: No
Remote: Yes
CVE: CVE-2010-1937 | CVE-2010-2054
CWE: CWE-119
CWE-189

[=] Product overview SBLIM SFCB is an Open Source implementation of a WBEM CIM broker. WBEM is a set of technologies aimed to monitor and administer (larges) pools of computing ressources, applications, hardware. It's used by computers management tools like HP Systems Insight Manager, VMware vSphere or IBM Director. SFCB usually listens on TCP ports 5988 (HTTP) or 5989 (HTTPS) and is used in many Linux distributions and some VMware / Dell products. [=] Vulnerabilities * CVE-2010-1937 (SFCB bug #3001896) : pre-auth remote heap overflow using a forged Content-Length header When parsing a HTTP request, SFCB will use any positive Content-Length value to allocate a buffer. Then, memcpy tries to copy the user-provided POST data in this buffer. By sending a small value in the Content-Length header and more data in the POST body, it's possible to overflow the previously allocated heap buffer. Vulnerable versions : up to 1.3.7 * CVE-2010-2054 (SFCB bug #3001915) : pre-auth remote integer overflow using a forged Content-Length header If the configuration option "httpMaxContentLength" is explicitly set to 0, SFCB will only check that the Content-Length value is positive and lower than UINT_MAX and use it (adding 8) to allocate a buffer. Then, memcpy tries to copy the user-provided POST data in this buffer. By sending a value between UINT_MAX-7 and UINT_MAX-1, it is possible to overflow a buffer of size 1 to 7. Vulnerable versions : from 1.3.4 to 1.3.7 [=] Note about VMware products VMware ESXi 3.5, ESXi 4 and ESX 4 are running by default a modified version of SFCB (v1.3.3 in ESX 4). However they were tested as non vulnerable : - CVE-2010-1937 has been silently patched in WMware products - CVE-2010-2054 doesn't affect versions lower than 1.3.4 [=] Mitigating factors None : - SSL authentication isn't used by SFCB - bugs are triggered before any HTTP-layer credential check - POST and M-POST are default methods used by WBEM [=] Vectors These vulnerabilities can be triggered by default on port TCP/5988 (HTTTP) or TCP/5989 (HTTPS), using POST or M-POST requests. [=] Solution Upgrade to version 1.3.8 [=] Links SBLIM SFCB : http://sourceforge.net/apps/mediawiki/sblim/index.php?title=Sfcb WBEM : http://en.wikipedia.org/wiki/Web-Based_Enterprise_Management CVE-2010-1937 : http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1937 CVE-2010-2054 : http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2054 SFCB bug #3001896 : http://sourceforge.net/tracker/?func=detail&aid=3001896&group_id=128809&atid=712784 SFCB bug #3001915 : http://sourceforge.net/tracker/?func=detail&aid=3001915&group_id=128809&atid=712784 Regards, Nicolas Grgoire / Agarri

References:

http://www.vupen.com/english/advisories/2010/1312
http://sourceforge.net/tracker/index.php?func=detail&aid=3001915&group_id=128809&atid=712784
http://secunia.com/advisories/40018
http://sblim.cvs.sourceforge.net/viewvc/sblim/sfcb/httpAdapter.c?r1=1.85&r2=1.86
http://marc.info/?l=bugtraq&m=127549079109192&w=2


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top