SEC Consult Vulnerability Lab Security Advisory < 20150519-0 >
=======================================================================
title: Kernel Stack Buffer Overflow
product: KCodes NetUSB
vulnerable version: see Vulnerable / tested versions
fixed version: see Solution
CVE number: CVE-2015-3036, VU#177092
impact: Critical
homepage: www.kcodes.com
found: 2015-02-23
by: Stefan Viehböck (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Berlin - Frankfurt/Main - Montreal - Singapore
Vienna (HQ) - Vilnius - Zurich
=======================================================================
Vendor description:
-------------------
"The world's premier technology provider of mobile printing, audio and
video communication, file sharing, and USB applications for iPhones,
iPads, smart phones and tablets (Android and Windows), MacBooks, and
Ultrabooks."
Source: www.kcodes.com
Vulnerability overview/description:
-----------------------------------
NetUSB suffers from a remotely exploitable kernel stack buffer overflow.
Because of insufficient input validation, an overly long computer name can be
used to overflow the "computer name" kernel stack buffer. This results in
memory corruption which can be turned into arbitrary remote code execution.
Furthermore, a more detailed summary of this advisory has been published at our
blog: blog.sec-consult.com
Proof of concept:
-----------------
Below is an excerpt from the vulnerable run_init_sbus() function (pseudo code):
int computername_len;
char computername_buf[64];
// connection initiation, handshake
len = ks_recv(sock, &computername_len, 4, 0);
// ...
len = ks_recv(sock, computername_buf, computername_len, 0); // boom!
A proof of concept "netusb_bof.py" has been developed which exploits the
vulnerability. The PoC DoS exploit will not be published as many vendors
did not patch the vulnerability yet.
Example use that results in denial-of-service (kernel memory corruption that
results in a device reboot):
./netusb_bof.py 192.168.1.1 20005 500
Vulnerable / tested versions:
-----------------------------
The vulnerability has been verified to exist in most recent firmware versions
of the following devives:
TP-Link TL-WDR4300 V1
TP-Link WR1043ND v2
NETGEAR WNDR4500
Furthermore we've identified NetUSB in the most recent firmware version of the
following products (list is not necessarily complete!):
D-Link DIR-615 C
NETGEAR AC1450
NETGEAR CENTRIA (WNDR4700/4720)
NETGEAR D6100
NETGEAR D6200
NETGEAR D6300
NETGEAR D6400
NETGEAR DC112A
NETGEAR DC112A (Zain)
NETGEAR DGND4000
NETGEAR EX6200
NETGEAR EX7000
NETGEAR JNR3000
NETGEAR JNR3210
NETGEAR JR6150
NETGEAR LG6100D
NETGEAR PR2000
NETGEAR R6050
NETGEAR R6100
NETGEAR R6200
NETGEAR R6200v2
NETGEAR R6220
NETGEAR R6250
NETGEAR R6300v1
NETGEAR R6300v2
NETGEAR R6700
NETGEAR R7000
NETGEAR R7500
NETGEAR R7900
NETGEAR R8000
NETGEAR WN3500RP
NETGEAR WNDR3700v5
NETGEAR WNDR4300
NETGEAR WNDR4300v2
NETGEAR WNDR4500
NETGEAR WNDR4500v2
NETGEAR WNDR4500v3
NETGEAR XAU2511
NETGEAR XAUB2511
TP-LINK Archer C2 V1.0 (Fix planned before 2015/05/22)
TP-LINK Archer C20 V1.0 (Not affected)
TP-LINK Archer C20i V1.0 (Fix planned before 2015/05/25)
TP-LINK Archer C5 V1.2 (Fix planned before 2015/05/22)
TP-LINK Archer C5 V2.0 (Fix planned before 2015/05/30)
TP-LINK Archer C7 V1.0 (Fix planned before 2015/05/30)
TP-LINK Archer C7 V2.0 (Fix already released)
TP-LINK Archer C8 V1.0 (Fix planned before 2015/05/30)
TP-LINK Archer C9 V1.0 (Fix planned before 2015/05/22)
TP-LINK Archer D2 V1.0 (Fix planned before 2015/05/22)
TP-LINK Archer D5 V1.0 (Fix planned before 2015/05/25)
TP-LINK Archer D7 V1.0 (Fix planned before 2015/05/25)
TP-LINK Archer D7B V1.0 (Fix planned before 2015/05/31)
TP-LINK Archer D9 V1.0 (Fix planned before 2015/05/25)
TP-LINK Archer VR200v V1.0 (Fix already released)
TP-LINK TD-VG3511 V1.0 (End-Of-Life)
TP-LINK TD-VG3631 V1.0 (Fix planned before 2015/05/30)
TP-LINK TD-VG3631 V1.0 (Fix planned before 2015/05/31)
TP-LINK TD-W1042ND V1.0 (End-Of-Life)
TP-LINK TD-W1043ND V1.0 (End-Of-Life)
TP-LINK TD-W8968 V1.0 (Fix planned before 2015/05/30)
TP-LINK TD-W8968 V2.0 (Fix planned before 2015/05/30)
TP-LINK TD-W8968 V3.0 (Fix planned before 2015/05/25)
TP-LINK TD-W8970 V1.0 (Fix planned before 2015/05/30)
TP-LINK TD-W8970 V3.0 (Fix already released)
TP-LINK TD-W8970B V1.0 (Fix planned before 2015/05/30)
TP-LINK TD-W8980 V3.0 (Fix planned before 2015/05/25)
TP-LINK TD-W8980B V1.0 (Fix planned before 2015/05/30)
TP-LINK TD-W9980 V1.0 (Fix already released)
TP-LINK TD-W9980B V1.0 (Fix planned before 2015/05/30)
TP-LINK TD-WDR4900 V1.0 (End-Of-Life)
TP-LINK TL-WR1043ND V2.0 (Fix planned before 2015/05/30)
TP-LINK TL-WR1043ND V3.0 (Fix planned before 2015/05/30)
TP-LINK TL-WR1045ND V2.0 (Fix planned before 2015/05/30)
TP-LINK TL-WR3500 V1.0 (Fix planned before 2015/05/22)
TP-LINK TL-WR3600 V1.0 (Fix planned before 2015/05/22)
TP-LINK TL-WR4300 V1.0 (Fix planned before 2015/05/22)
TP-LINK TL-WR842ND V2.0 (Fix planned before 2015/05/30)
TP-LINK TL-WR842ND V1.0 (End-Of-Life)
TP-LINK TX-VG1530(GPON) V1.0 (Fix planned before 2015/05/31)
Trendnet TE100-MFP1 (v1.0R)
Trendnet TEW-632BRP (A1.0R)
Trendnet TEW-632BRP (A1.1R/A1.2R)
Trendnet TEW-632BRP (A1.1R/A1.2R/A1.3R)
Trendnet TEW-634GRU (v1.0R)
Trendnet TEW-652BRP (V1.0R)
Trendnet TEW-673GRU (v1.0R)
Trendnet TEW-811DRU (v1.0R)
Trendnet TEW-812DRU (v1.0R)
Trendnet TEW-812DRU (v2.xR)
Trendnet TEW-813DRU (v1.0R)
Trendnet TEW-818DRU (v1.0R)
Trendnet TEW-823DRU (v1.0R)
Trendnet TEW-MFP1 (v1.0R)
Zyxel NBG-419N v2
Zyxel NBG4615 v2
Zyxel NBG5615
Zyxel NBG5715
Based on information embedded in KCodes drivers we believe the following
vendors are affected:
Allnet
Ambir Technology
AMIT
Asante
Atlantis
Corega
Digitus
D-Link
EDIMAX
Encore Electronics
Engenius
Etop
Hardlink
Hawking
IOGEAR
LevelOne
Longshine
NETGEAR
PCI
PROLiNK
Sitecom
Taifa
TP-LINK
TRENDnet
Western Digital
ZyXEL
Vendor contact timeline:
------------------------
2015-02-28: Contacting vendor through support@kcodes.com
2015-03-04: No response, contacting various KCodes addresses found on the web.
2015-03-05: Vendor responds, requests more information.
2015-03-05: Providing advisory and proof of concept exploit.
2015-03-16: No response, requesting status update.
2015-03-16: Vendor responds, asks about fix verification(?)
2015-03-16: Requesting clarification about fixing status and information about
next steps. Proposing conference call dates.
2015-03-19: No response, informing that notification of CERT/CC and selected
vendors will start shortly. Requesting clarification about fixing
status and information about next steps again.
2015-03-19: Vendor responds, confirms conference call date (2015-03-25). No
further information provided.
2015-03-19: Providing advisory and proof of concept exploit to TP-LINK and
NETGEAR.
2015-03-25: Vendor cancels conference call on short notice (sudden week-long
business trip).
2015-03-26: Asking for support of CERT/CC regarding vendor coordination.
2015-03 - 2015-05: Coordination between CERT & vendors, NETGEAR and TP-LINK
2015-05-13: Notifying German CERT-Bund and Austrian CERT.at
2015-05-19: Coordinated release of security advisory
Solution:
---------
TP-LINK has started releasing fixed firmware. The status of affected products
can be found in the affected product list above.
For additional information also see CERT/CC vulnerability notice:
www.kb.cert.org/vuls/id/177092
Workaround:
-----------
Sometimes NetUSB can be disabled via the web interface, but at least on NETGEAR
devices this does not mitigate the vulnerability. NETGEAR told us, that there is
no workaround available, the TCP port can't be firewalled nor is there a way to
disable the service on their devices.
Advisory URL:
-------------
www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application www.sec-consult.com/career/
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices www.sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: www.sec-consult.com
Blog: blog.sec-consult.com
Twitter: twitter.com/sec_consult
EOF Stefan Viehböck / @2015