Cisco ASA WebVPN CIFS Handling Buffer Overflows

2017-02-18 / 2017-02-19
Credit: ochang
Risk: High
Local: No
Remote: Yes
CWE: CWE-119

CVSS Base Score: 8/10
Impact Subscore: 8.5/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Complete

Cisco ASA: Buffer overflows in WebVPN cifs handling CVE-2017-3807 The WebVPN http server exposes a way of accessing files from CIFS with a url hook of the form: <a href="https://portal/+webvpn+/CIFS_R/share_server/share_name/file" title="" class="" rel="nofollow">https://portal/+webvpn+/CIFS_R/share_server/share_name/file</a>. When someone logged into the portal navigates to such an address, the http_cifs_process_path function parses the request URI and creates 2 C strings in a http_cifs_context struct: http_cifs_context: +0x160 char* file_dir +0x168 char* file_name These strings are copied in various places, but is done incorrectly. For example, in ewaURLHookCifs, there is the following pseudocode: filename_copy_buf = calloc(1LL, 336LL); net_handle[10] = filename_copy_buf; if ( filename_copy_buf ) { src_len = _wrap_strlen(filename_from_request); if ( filename_from_request[src_len - 1] == ('|') ) { // wrong length (src length) strncpy((char *)filename_copy_buf, filename_from_request, src_len - 1); } In this case, a fixed size buf (|filename_copy_buf|) is allocated. Later, strncpy is called to copy to it, but the length passed is the length of the src string, which can be larger than 366 bytes. This leads to heap overflow. There appear to be various other places where the copying is done in an unsafe way: http_cifs_context_to_name, which is called from ewaFile{Read,Write,Get}Cifs, and ewaFilePost, uses strcat to copy the file path and file name to a fixed size (stack) buffer. http_cifs_pre_fopen, which has a similar issue with passing the length of the src buffer to strncpy. Possibly http_add_query_str_from_context. There are probably others that I missed. Note that triggering this bug requires logging in to the WebVPN portal first, but the cifs share does not need to exist. Repro: Login to WebVPN portal, navigate to: <a href="https://portal/+webvpn+/CIFS_R/server/name/" title="" class="" rel="nofollow">https://portal/+webvpn+/CIFS_R/server/name/</a> followed by 500 'A's. ("server" and "name" may be passed verbatim) *** Error in `lina': malloc(): memory corruption: 0x00007fa40c53f570 *** ======= Backtrace: ========= /lib64/[0x7fa4139fc74f] /lib64/[0x7fa413a063ee] /lib64/[0x7fa413a09e99] /lib64/[0x7fa413a0b5a0] lina(+0x321976a)[0x7fa41a2b276a] lina(mem_mh_calloc+0x123)[0x7fa41a2b4c83] lina(resMgrCalloc+0x100)[0x7fa419659410] lina(calloc+0x94)[0x7fa419589a34] lina(ewsFileSetupFilesystemDoc+0x28)[0x7fa41826a608] lina(ewsServeFindDocument+0x142)[0x7fa418278192] lina(ewsServeStart+0x114)[0x7fa4182784a4] lina(ewsParse+0x19a0)[0x7fa418272cc0] lina(ewsRun+0x9c)[0x7fa41826955c] lina(emweb_th+0x6ab)[0x7fa418286aeb] lina(+0xde58ab)[0x7fa417e7e8ab] This was tested on 9.6(2) This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public. Found by: ochang

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018,


Back to Top