sblim-sfcb: lookupProviders() null pointer dereference

2015.08.21
Credit: Kurt Seifried
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

So the reporter specifically asked us to handle disclosure just now, so here you go:

Qinghao Tang of QIHU 360 reports:

The function lookupProviders() in sblim-sfcb of version 1.3.4 and 1.3.18 has a null dereference vulnerability; a remote attacker can cause a denial of service (sblim-sfcb crash) via a crafted packet without "className" info.

Let's see how this issue happened; the code below is from ./sblim-sfcb-1.3.18/providerMgr.c:

    static UtilList *lookupProviders(long type, char *className, char *nameSpace, CMPIStatus *st)
    {
        UtilList *lst;
        UtilHashTable **ht=provHt(type,1);
        char *id;
        int rc;

        _SFCB_ENTER(TRACE_PROVIDERMGR, "lookupProviders");

        //here, className should be checked
        id=(char*)malloc(strlen(nameSpace)+strlen(className)+8);
        strcpy(id,nameSpace);
        strcat(id,"|");
        ...
    }

Red Hat BZ: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5185

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
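A defensive version of the id-building step in the excerpt above, as an added example that is not sblim-sfcb's code or its actual fix. The function name `build_provider_id`, the `id_status` codes and the `nameSpace|className` key format are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical status codes for this example (not sfcb's CMPIStatus values). */
enum id_status { ID_OK = 0, ID_MISSING_FIELD = 1, ID_NO_MEMORY = 2 };

/*
 * Build the "nameSpace|className" lookup key (assumed format).
 * Unlike the excerpt above, both inputs are validated before strlen()
 * touches them, so a request that omits className yields an error
 * status instead of a NULL dereference that crashes the daemon.
 * Caller frees the returned buffer.
 */
static char *build_provider_id(const char *nameSpace, const char *className,
                               enum id_status *st)
{
    size_t len;
    char *id;

    if (nameSpace == NULL || className == NULL) {
        *st = ID_MISSING_FIELD;
        return NULL;
    }
    len = strlen(nameSpace) + 1 + strlen(className) + 1; /* '|' and NUL */
    id = malloc(len);
    if (id == NULL) {          /* the excerpt also uses malloc() unchecked */
        *st = ID_NO_MEMORY;
        return NULL;
    }
    snprintf(id, len, "%s|%s", nameSpace, className);
    *st = ID_OK;
    return id;
}

int main(void)
{
    enum id_status st;
    /* Constructed inputs: a complete request, then one without className. */
    char *ok = build_provider_id("root/cimv2", "CIM_ComputerSystem", &st);
    printf("complete request:  status=%d id=%s\n", st, ok ? ok : "(none)");
    free(ok);
    char *bad = build_provider_id("root/cimv2", NULL, &st);
    printf("missing className: status=%d id=%s\n", st, bad ? bad : "(none)");
    free(bad);
    return 0;
}
```

The caller is expected to map `ID_MISSING_FIELD` to a protocol-level error response for the request rather than continuing the provider lookup.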

References:

http://seclists.org/oss-sec/2015/q3/414

