SEC Consult Vulnerability Lab Security Advisory < 20171016-0 >
=======================================================================
title: Multiple vulnerabilities
product: Micro Focus VisiBroker C++
vulnerable version: 8.5 SP2
fixed version: 8.5 SP4 HF3
CVE number: CVE-2017-9281, CVE-2017-9282, CVE-2017-9283
impact: High
homepage: https://www.microfocus.com/products/corba/visibroker/
found: 2017-04
by: W. Ettlinger (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"VisiBroker(TM) is a comprehensive CORBA environment for developing, deploying,
and managing distributed applications. Built on open industry standards and a
high-performance architecture, VisiBroker is especially suited to low-latency,
complex, data-oriented, transaction-intensive, mission-critical environments.
Using VisiBroker(R), organizations can develop, connect, and deploy complex
distributed applications that have to meet very high performance and reliability
standards. With more than 30 million licenses in use, VisiBroker is the world's
most widely deployed CORBA Object Request Broker (ORB) infrastructure."
URL: https://www.microfocus.com/products/corba/visibroker/
Business recommendation:
------------------------
During a superficial fuzzing test, SEC Consult found several memory corruption
vulnerabilities that allow denial of service attacks or potentially arbitrary
code execution. Although the fuzzing test only had a very limited coverage,
several vulnerabilities have been identified. Assuming the code quality is
homogenous, it is possible that other parts of the application exhibit similar
issues.
SEC Consult did not attempt to fully evaluate the potential impact of the
identified vulnerabilities.
SEC Consult recommends decommissioning any VisiBroker C++ component that
communicates with untrusted entities until a full security audit has been
performed. Moreover, SEC Consult recommends restricting network access to all
CORBA services that utilize the VisiBroker C++ environment.
Vulnerability overview/description:
-----------------------------------
1) Integer Overflow / Out of Bounds Read (Denial of Service) [CVE-2017-9281]
By specifying a large value for a length field, an integer overflow occurs.
As a result, the application reads memory until a non-mapped memory region
is reached. This causes the application to encounter a segmentation fault.
2) Integer Overflow (Heap Overwrite) [CVE-2017-9282]
By specifying a manipulated value for a length field an attacker can cause an
integer overflow. This causes the application to allocate too little memory.
When the application attempts to write to this memory buffer, heap memory is
overwritten leading to denial of service or potentially arbitrary code
execution.
3) Out of Bounds Read [CVE-2017-9283]
By specifying a manipulated value for a length field, an attacker can cause
the application to read past an allocated memory region.
4) Use after Free
SEC Consult found that the application under certain circumstances tries to
access a memory region that has been deallocated before.
It is unclear whether Micro Focus fixed the root cause of this behaviour. As
the vendor was unable to reproduce the vulnerability in the current version,
Micro Focus believes that the vulnerability was fixed with a previous update.
Since SEC Consult is unsure whether Micro Focus found the root cause of the
vulnerability, we refrain from releasing proof of concept code.
Proof of concept:
-----------------
A service implementing the following IDL was used to identify the
vulnerabilities listed here:
    module Bank {
        interface Account {
            float balance(in string test);
        };
        interface AccountManager {
            Account open(in string name);
        };
    };
The implemented service was based on the Visibroker example project
"bank_agent".
1) Integer Overflow / Out of Bounds Read (Denial of Service)
The method
    CORBA_MarshalOutBuffer *__cdecl CORBA_MarshalOutBuffer::put(
        CORBA_MarshalOutBuffer *this,
        const char *src,
        unsigned int size)
is used to copy/append a char[] into a buffer. If the size of the data that is
stored in the buffer plus the size of the char[] to be appended exceeds the
allocated size, the method reallocates the buffer. By choosing the
size of the char[] as e.g. 0xffffffff (on 32 bit systems) an integer overflow
can be caused. The method then continues without allocating additional memory.
However, the application then expects that the source buffer contains 0xffffffff
bytes of memory. Since this would exceed the available process memory on 32 bit
systems, the application's attempt to copy data to the destination buffer fails
with an out of bounds read.
The following binary request demonstrates this issue for the IDL above:
47494f5001020000000000860000000203000000000000000000002b00504d430000000400000010
2f62616e6b5f6167656e745f706f610000ffffff42616e6b4d616e6167657200000000056f70656e
0000000000000002000000010000000c000000000001000100010109564953060000000500070801
83000000000000000000000e4a61636b20422e20517569636b00
2) Integer Overflow (Heap Overwrite)
The method
    int __cdecl CORBA::string_alloc(unsigned int size)
is used to allocate buffers for strings. Since it allocates size + 1 bytes of
heap memory, specifying 0xffffffff causes an integer overflow leading to the
allocation of 0 bytes. This causes heap memory to be overwritten.
SEC Consult was able to use the following request to cause corruption of heap
structures:
47494f5001020000000000860000000203000000000000000000002b00504d430000000400000010
2f62616e6b5f6167656e745f706f61000000000b42616e6b4d616e6167657200000000056f70656e
0000000000000002000000010000000c000000000001000100010109564953060000000500070801
8300000000000000ffffffff4a61636b20422e20517569636b00
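The two integer overflows described in 1) and 2), shown next to overflow-safe
forms. This is an added example, not VisiBroker code and not part of the
original advisory; the outbuf struct and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a marshal buffer; not VisiBroker's real layout. */
typedef struct { char *data; uint32_t used, cap; } outbuf;

/* Issue 1 pattern: used + size wraps modulo 2^32, so the "needs more room"
 * test is false for a huge size and no reallocation takes place. */
int needs_grow_wrapping(const outbuf *b, uint32_t size) {
    return (uint32_t)(b->used + size) > b->cap;
}

/* Checked append: test the sum for representability before forming it.
 * The caller must still guarantee that src really holds size bytes. */
int outbuf_put(outbuf *b, const char *src, uint32_t size) {
    if (size == 0) return 0;
    if (size > UINT32_MAX - b->used) return -1;   /* used + size would wrap */
    uint32_t need = b->used + size;
    if (need > b->cap) {
        char *p = realloc(b->data, need);
        if (p == NULL) return -1;
        b->data = p; b->cap = need;
    }
    memcpy(b->data + b->used, src, size);
    b->used = need;
    return 0;
}

/* Issue 2 pattern: size + 1 in 32 bits turns 0xffffffff into 0. */
uint32_t alloc_size_wrapping(uint32_t size) { return size + 1u; }

/* Checked string allocation: refuse a length that leaves no room for NUL. */
char *string_alloc_checked(uint32_t size) {
    if (size == UINT32_MAX) return NULL;
    char *p = malloc((size_t)size + 1);   /* size + 1 can no longer wrap */
    if (p != NULL) p[0] = '\0';
    return p;
}

int main(void) {
    outbuf b = { malloc(16), 8, 16 };
    printf("wrapping check grows? %d\n", needs_grow_wrapping(&b, 0xffffffffu));
    printf("checked put: %d\n", outbuf_put(&b, "x", 0xffffffffu));
    free(b.data);
    return 0;
}
```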
3) Out of Bounds Read
The constructor
    int __cdecl VISServiceId::VISServiceId(
        VISServiceId *this,
        CORBA_MarshalInBuffer *a2,
        unsigned __int32 a3,
        unsigned __int8 *a4)
parses the GIOP key address. The VisiBroker key address consists of two strings.
Before each string, a long (32 bit) value specifies the length of the
string. To calculate the offset of the second string, the size of the first
string is used. If this value is chosen so that the offset of the second string
is outside of the GIOP message, an out of bounds read occurs.
The following binary request demonstrates this issue for the IDL above:
47494f5001020000000000860000000203000000000000000000002b00504d430000000480000000
2f62616e6b5f6167656e745f706f61000000000b42616e6b4d616e6167657200000000056f70656e
0000000000000002000000010000000c000000000001000100010109564953060000000500070801
83000000000000000000000e4a61636b20422e20517569636b00
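A bounds-checked parser for a key made of two length-prefixed strings, the
structure described in 3). This is an added example, not VisiBroker code and
not part of the original advisory; it assumes big-endian lengths and no
alignment padding, and lp_str, read_lp_str and parse_key are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One length-prefixed string inside the received message (no copy is made). */
typedef struct { const uint8_t *ptr; uint32_t len; } lp_str;

/* Read a big-endian 32-bit length and the bytes it covers, starting at *off.
 * Each step is compared against what is left in the buffer by subtraction,
 * so no sum of untrusted values is formed before it is known to fit. */
static int read_lp_str(const uint8_t *buf, size_t buflen, size_t *off, lp_str *out) {
    if (*off > buflen || buflen - *off < 4) return -1;  /* no room for the length */
    const uint8_t *p = buf + *off;
    uint32_t len = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                   ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    size_t body = *off + 4;
    if (len > buflen - body) return -1;                 /* string leaves the message */
    out->ptr = buf + body;
    out->len = len;
    *off = body + len;                                  /* now known <= buflen */
    return 0;
}

/* Parse a key made of two consecutive length-prefixed strings. The offset of
 * the second string is only used after the first length has been validated. */
int parse_key(const uint8_t *buf, size_t buflen, lp_str *first, lp_str *second) {
    size_t off = 0;
    if (read_lp_str(buf, buflen, &off, first) != 0) return -1;
    return read_lp_str(buf, buflen, &off, second);
}

/* Constructed sample keys, not taken from the advisory's requests. */
const uint8_t KEY_OK[]  = { 0,0,0,5, '/','p','o','a',0, 0,0,0,4, 'O','b','j',0 };
const uint8_t KEY_BAD[] = { 0x80,0,0,0, '/','p','o','a',0, 0,0,0,4, 'O','b','j',0 };

int main(void) {
    lp_str a, b;
    printf("well-formed key: %d\n", parse_key(KEY_OK, sizeof KEY_OK, &a, &b));
    printf("oversized first length: %d\n", parse_key(KEY_BAD, sizeof KEY_BAD, &a, &b));
    return 0;
}
```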
4) Use after Free / Denial of Service
Micro Focus did not clearly state that the root cause of the vulnerability has
been fixed. As a precaution we refrain from releasing proof of concept code.
Vulnerable / tested versions:
-----------------------------
At least VisiBroker C++ 8.5 SP2 has been found to be vulnerable. According to
the vendor, versions of VisiBroker 8.5 prior to SP4 HF3 are vulnerable to
issues #1 - #3.
Vendor contact timeline:
------------------------
2017-05-03: Contacting vendor through security@microfocus.com, attaching
            encrypted security advisory
2017-05-03: Vendor: will inform us about the timeframe once the findings
            have been reproduced
2017-05-26: Vendor: were able to reproduce first 3 issues; requested
            further information for vulnerability #4
2017-05-30: Providing further information for vulnerability #4
2017-06-21: Requesting status update
2017-06-28: Vendor: First three issues have been fixed by the development team,
            "They have reproduced the fourth and are working on it now."
2017-06-30: Vendor: Patch will be available in a few weeks
2017-07-28: Requesting status update
2017-08-02: Vendor: There is no fixed release date for the patch yet
2017-08-28: Vendor: Initial test run found an issue that has been fixed
2017-09-15: Requesting status update
2017-09-15: Vendor: "The patches were just released on the 12th and 13th"
2017-09-18: Asking for further information about CVEs, affected versions
2017-09-21: Vendor: Issue #4 has not been fixed since the team was unable to
            reproduce it (the vendor stated that the issue has been reproduced,
            see 2017-06-26). "They [the team] believe it was already fixed by
            an earlier modification."
2017-09-27: Requesting clarification for issue #4
2017-09-27: Vendor: The team initially thought they had reproduced the issue;
            this was an unrelated issue that was fixed as well.
2017-10-16: Public release of the advisory
Solution:
---------
Upgrade to version 8.5 Service Pack 4 Hotfix 3. The release notes with
information on how to obtain this hotfix can be obtained here:
https://community.microfocus.com/microfocus/corba/visibroker_-_world_class_middleware/w/knowledge_base/29171/visibroker-8-5-service-pack-4-hotfix-3-security-fixes
Workaround:
-----------
None
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF W. Ettlinger / @2017