sblim-sfcb: lookupProviders() null pointer dereference

2015.08.21
Credit: Kurt Seifried
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

So the reporter specifically asked us to handle disclosure just now, so here you go:

Qinghao Tang of QIHU 360 reports:

The function lookupProviders() in sblim-sfcb versions 1.3.4 and 1.3.18 has a null dereference vulnerability; a remote attacker can cause a denial of service (sblim-sfcb crash) via a crafted packet without "className" info.

Let's see how this issue happened. The code below is from ./sblim-sfcb-1.3.18/providerMgr.c:

    static UtilList *lookupProviders(long type, char *className, char *nameSpace, CMPIStatus *st)
    {
        UtilList *lst;
        UtilHashTable **ht = provHt(type, 1);
        char *id;
        int rc;

        _SFCB_ENTER(TRACE_PROVIDERMGR, "lookupProviders");

        // here, className should be checked
        id = (char *) malloc(strlen(nameSpace) + strlen(className) + 8);
        strcpy(id, nameSpace);
        strcat(id, "|");
        ...
    }

Red Hat BZ: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5185

--
-- Kurt Seifried -- Red Hat -- Product Security -- Cloud
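A defensive version of the ID construction from the excerpt above, as an added example that is not sblim-sfcb's code or its actual fix. The helper name make_provider_id, the status codes, and the assumption that the elided remainder of the function appends className after the "|" separator are all illustrative.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical status codes for this example (not sfcb's CMPIStatus values). */
enum id_status { ID_OK = 0, ID_ERR_INVALID_PARAM = 1, ID_ERR_NO_MEMORY = 2 };

/*
 * Build "<nameSpace>|<className>" on the heap; the caller frees the result.
 * Returns NULL and sets *st instead of dereferencing a missing field.
 */
char *make_provider_id(const char *nameSpace, const char *className,
                       enum id_status *st)
{
    size_t ns_len, cn_len, total;
    char *id;

    /* The check missing in the excerpt: strlen(NULL) is undefined
     * behaviour and in practice crashes the process. */
    if (nameSpace == NULL || className == NULL) {
        if (st) *st = ID_ERR_INVALID_PARAM;
        return NULL;
    }
    ns_len = strlen(nameSpace);
    cn_len = strlen(className);

    /* Guard the size arithmetic: separator + terminating NUL = 2 bytes. */
    if (cn_len > SIZE_MAX - 2 || ns_len > SIZE_MAX - 2 - cn_len) {
        if (st) *st = ID_ERR_INVALID_PARAM;
        return NULL;
    }
    total = ns_len + cn_len + 2;

    id = malloc(total);
    if (id == NULL) {
        if (st) *st = ID_ERR_NO_MEMORY;
        return NULL;
    }

    /* Bounded formatting replaces the strcpy/strcat chain. */
    snprintf(id, total, "%s|%s", nameSpace, className);
    if (st) *st = ID_OK;
    return id;
}
```

A caller would turn the invalid-parameter status into an error response to the client rather than continuing with a NULL id.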

References:

http://seclists.org/oss-sec/2015/q3/414


Copyright 2024, cxsecurity.com