Re: SFCB vulnerabilities

[Sebastian Krahmer <krahmer () suse de>]

FYI, there have been plenty of other bugs inside sblim-sfcb, including
format string vulns in mlogf(). Dunno when they fixed that upstream,
but our sblim did that in 2008.
Unfortunally they seem to re-introduce these bugs in other sblims
like sblim-gather. Did you look at that too?

Sebastian


On Tue, Jun 01, 2010 at 10:21:55PM +0200, Nicolas Grégoire wrote:
> Le mardi 01 juin 2010 à 13:52 -0400, Josh Bressers a écrit :
> > Please use CVE-2010-2054
>
> Thanks.
> My advisory is attached to this mail.
>
> Regards,
> Nicolas Grégoire / Agarri

>       SFCB "Content-Length" heap overflow
>       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> [=] Product overview
>
> SBLIM SFCB is an Open Source implementation of a WBEM CIM broker. WBEM is a set of technologies aimed to monitor and 
> administer (larges) pools of computing ressources, applications, hardware. It's used by computers management tools 
> like HP Systems Insight Manager, VMware vSphere or IBM Director. SFCB usually listens on TCP ports 5988 (HTTP) or 
> 5989 (HTTPS) and is used in many Linux distributions and some VMware / Dell products.
>
> [=] Vulnerabilities
>
> * CVE-2010-1937 (SFCB bug #3001896) : pre-auth remote heap overflow using a forged Content-Length header
>
> When parsing a HTTP request, SFCB will use any positive Content-Length value to allocate a buffer. Then, memcpy tries 
> to copy the user-provided POST data in this buffer. By sending a small value in the Content-Length header and more 
> data in the POST body, it's possible to overflow the previously allocated heap buffer.
>
> Vulnerable versions : up to 1.3.7
>
> * CVE-2010-2054 (SFCB bug #3001915) : pre-auth remote integer overflow using a forged Content-Length header
>
> If the configuration option "httpMaxContentLength" is explicitly set to 0, SFCB will only check that the 
> Content-Length value is positive and lower than UINT_MAX and then use it (adding 8) to allocate a buffer. Then, 
> memcpy tries to copy the user-provided POST data in this buffer. By sending a value between UINT_MAX-7 and 
> UINT_MAX-1, it is possible to overflow a buffer of size 1 to 7.
>
> Vulnerable versions : from 1.3.4 to 1.3.7
>
> [=] Note about VMware products
>
> VMware ESXi 3.5, ESXi 4 and ESX 4 are running by default a modified version of SFCB (v1.3.3 in ESX 4). However they 
> were tested as non vulnerable :
> - CVE-2010-1937 has been silently patched in WMware products
> - CVE-2010-2054 doesn't affect versions lower than 1.3.4
>  
> [=] Mitigating factors
>
> None :
> - SSL authentication could mitigate this bug but isn't used by SFCB
> - the bug is triggered before any HTTP-layer credential checks
> - POST and M-POST are default methods used by WBEM
>
> [=] Vectors
>
> These vulnerabilities can be triggered by default on port TCP/5988 (HTTTP) or TCP/5989 (HTTPS), using POST or M-POST 
> requests.
>
> [=] Solution
>
> Upgrade to version 1.3.8
>
> [=] Links
>
> SBLIM SFCB :
> http://sourceforge.net/apps/mediawiki/sblim/index.php?title=Sfcb
> WBEM :
> http://en.wikipedia.org/wiki/Web-Based_Enterprise_Management
>
> CVE-2010-1937 :
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1937
> CVE-2010-2054 :
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2054
>
> SFCB bug #3001896 :
> http://sourceforge.net/tracker/?func=detail&aid=3001896&group_id=128809&atid=712784
> SFCB bug #3001915 :
> http://sourceforge.net/tracker/?func=detail&aid=3001915&group_id=128809&atid=712784 
>
> Regards,
> Nicolas Grégoire / Agarri


-- 
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer () suse de - SuSE Security Team
~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)