Kernel Stack Buffer Overflow in KCodes NetUSB

SEC Consult Vulnerability Lab Security Advisory < 20150519-0 >

=======================================================================

title: Kernel Stack Buffer Overflow

product: KCodes NetUSB

vulnerable version: see Vulnerable / tested versions

fixed version: see Solution

CVE number: CVE-2015-3036, VU#177092

impact: Critical

homepage: www.kcodes.com

found: 2015-02-23

by: Stefan Viehböck (Office Vienna)

SEC Consult Vulnerability Lab

An integrated part of SEC Consult

Berlin - Frankfurt/Main - Montreal - Singapore

Vienna (HQ) - Vilnius - Zurich

www.sec-consult.com

=======================================================================

Vendor description:

-------------------

"The world's premier technology provider of mobile printing, audio and video communication, file sharing, and USB applications for iPhones, iPads, smart phones and tablets (Android and Windows), MacBooks, and Ultrabooks."

Source: www.kcodes.com

 

Vulnerability overview/description:

-----------------------------------

NetUSB suffers from a remotely exploitable kernel stack buffer overflow. Because of insufficient input validation, an overly long computer name can be used to overflow the "computer name" kernel stack buffer. This results in memory corruption which can be turned into arbitrary remote code execution.

Furthermore, a more detailed summary of this advisory has been published at our blog: blog.sec-consult.com

 

Proof of concept:

-----------------

Below is an excerpt from the vulnerable run_init_sbus() function (pseudo code):

int computername_len;
int len;
char computername_buf[64];                       // fixed-size buffer on the kernel stack
// connection initiation, handshake
len = ks_recv(sock, &computername_len, 4, 0);    // length field is supplied by the peer
// ...
// no check that computername_len fits into computername_buf
len = ks_recv(sock, computername_buf, computername_len, 0); // boom!
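The same handshake read with the bounds check the excerpt lacks, as an added example that is not KCodes code: the socket and ks_recv() are replaced by a constructed in-memory stream (stream_t / stream_recv are hypothetical names) so the code runs offline, and the two demo functions feed it a well-formed name and an oversized declared length.

```c
/* Added example (not KCodes code): the NetUSB "computer name" handshake read
 * with the bounds check that run_init_sbus() lacks. ks_recv() is replaced by a
 * constructed in-memory stream so the code runs offline. */
#include <stdint.h>
#include <string.h>

#define COMPUTERNAME_MAX 64   /* size of computername_buf on the kernel stack */

/* Constructed stand-in for the socket: a byte stream with a read cursor. */
typedef struct { const uint8_t *data; size_t len, pos; } stream_t;

/* Hypothetical ks_recv() replacement: copies up to n bytes, returns the count. */
static size_t stream_recv(stream_t *s, void *dst, size_t n) {
    size_t avail = s->len - s->pos;
    if (n > avail) n = avail;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Hardened handshake: read the 4-byte length, reject anything that does not
 * fit the buffer (with room for a terminator), then read exactly that much.
 * Returns the accepted name length, or -1 if the peer's length is rejected. */
int read_computername_checked(stream_t *s, char out[COMPUTERNAME_MAX]) {
    uint32_t computername_len;
    if (stream_recv(s, &computername_len, 4) != 4) return -1;
    /* The missing check: the peer controls computername_len entirely. */
    if (computername_len >= COMPUTERNAME_MAX) return -1;
    if (stream_recv(s, out, computername_len) != computername_len) return -1;
    out[computername_len] = '\0';
    return (int)computername_len;
}

/* Constructed handshake whose declared length matches a 6-byte name. */
int demo_benign(void) {
    uint8_t msg[4 + 6]; char name[COMPUTERNAME_MAX];
    uint32_t n = 6; memcpy(msg, &n, 4); memcpy(msg + 4, "router", 6);
    stream_t s = { msg, sizeof msg, 0 };
    return read_computername_checked(&s, name);   /* 6 */
}

/* Constructed handshake declaring 500 bytes: rejected before any copy, where
 * the unchecked code would overrun the 64-byte stack buffer. */
int demo_oversized(void) {
    uint8_t msg[4 + 500]; char name[COMPUTERNAME_MAX];
    uint32_t n = 500; memcpy(msg, &n, 4); memset(msg + 4, 'x', 500);
    stream_t s = { msg, sizeof msg, 0 };
    return read_computername_checked(&s, name);   /* -1 */
}
```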

A proof of concept "netusb_bof.py" has been developed which exploits the vulnerability. The PoC DoS exploit will not be published as many vendors did not patch the vulnerability yet.

Example use that results in denial-of-service (kernel memory corruption that results in a device reboot):

./netusb_bof.py 192.168.1.1 20005 500

 

Vulnerable / tested versions:

-----------------------------

The vulnerability has been verified to exist in the most recent firmware versions of the following devices:

TP-Link TL-WDR4300 V1

TP-Link WR1043ND v2

NETGEAR WNDR4500

Furthermore, we have identified NetUSB in the most recent firmware version of the following products (list is not necessarily complete!):

D-Link DIR-615 C

NETGEAR AC1450

NETGEAR CENTRIA (WNDR4700/4720)

NETGEAR D6100

NETGEAR D6200

NETGEAR D6300

NETGEAR D6400

NETGEAR DC112A

NETGEAR DC112A (Zain)

NETGEAR DGND4000

NETGEAR EX6200

NETGEAR EX7000

NETGEAR JNR3000

NETGEAR JNR3210

NETGEAR JR6150

NETGEAR LG6100D

NETGEAR PR2000

NETGEAR R6050

NETGEAR R6100

NETGEAR R6200

NETGEAR R6200v2

NETGEAR R6220

NETGEAR R6250

NETGEAR R6300v1

NETGEAR R6300v2

NETGEAR R6700

NETGEAR R7000

NETGEAR R7500

NETGEAR R7900

NETGEAR R8000

NETGEAR WN3500RP

NETGEAR WNDR3700v5

NETGEAR WNDR4300

NETGEAR WNDR4300v2

NETGEAR WNDR4500

NETGEAR WNDR4500v2

NETGEAR WNDR4500v3

NETGEAR XAU2511

NETGEAR XAUB2511

TP-LINK Archer C2 V1.0 (Fix planned before 2015/05/22)

TP-LINK Archer C20 V1.0 (Not affected)

TP-LINK Archer C20i V1.0 (Fix planned before 2015/05/25)

TP-LINK Archer C5 V1.2 (Fix planned before 2015/05/22)

TP-LINK Archer C5 V2.0 (Fix planned before 2015/05/30)

TP-LINK Archer C7 V1.0 (Fix planned before 2015/05/30)

TP-LINK Archer C7 V2.0 (Fix already released)

TP-LINK Archer C8 V1.0 (Fix planned before 2015/05/30)

TP-LINK Archer C9 V1.0 (Fix planned before 2015/05/22)

TP-LINK Archer D2 V1.0 (Fix planned before 2015/05/22)

TP-LINK Archer D5 V1.0 (Fix planned before 2015/05/25)

TP-LINK Archer D7 V1.0 (Fix planned before 2015/05/25)

TP-LINK Archer D7B V1.0 (Fix planned before 2015/05/31)

TP-LINK Archer D9 V1.0 (Fix planned before 2015/05/25)

TP-LINK Archer VR200v V1.0 (Fix already released)

TP-LINK TD-VG3511 V1.0 (End-Of-Life)

TP-LINK TD-VG3631 V1.0 (Fix planned before 2015/05/30)

TP-LINK TD-VG3631 V1.0 (Fix planned before 2015/05/31)

TP-LINK TD-W1042ND V1.0 (End-Of-Life)

TP-LINK TD-W1043ND V1.0 (End-Of-Life)

TP-LINK TD-W8968 V1.0 (Fix planned before 2015/05/30)

TP-LINK TD-W8968 V2.0 (Fix planned before 2015/05/30)

TP-LINK TD-W8968 V3.0 (Fix planned before 2015/05/25)

TP-LINK TD-W8970 V1.0 (Fix planned before 2015/05/30)

TP-LINK TD-W8970 V3.0 (Fix already released)

TP-LINK TD-W8970B V1.0 (Fix planned before 2015/05/30)

TP-LINK TD-W8980 V3.0 (Fix planned before 2015/05/25)

TP-LINK TD-W8980B V1.0 (Fix planned before 2015/05/30)

TP-LINK TD-W9980 V1.0 (Fix already released)

TP-LINK TD-W9980B V1.0 (Fix planned before 2015/05/30)

TP-LINK TD-WDR4900 V1.0 (End-Of-Life)

TP-LINK TL-WR1043ND V2.0 (Fix planned before 2015/05/30)

TP-LINK TL-WR1043ND V3.0 (Fix planned before 2015/05/30)

TP-LINK TL-WR1045ND V2.0 (Fix planned before 2015/05/30)

TP-LINK TL-WR3500 V1.0 (Fix planned before 2015/05/22)

TP-LINK TL-WR3600 V1.0 (Fix planned before 2015/05/22)

TP-LINK TL-WR4300 V1.0 (Fix planned before 2015/05/22)

TP-LINK TL-WR842ND V2.0 (Fix planned before 2015/05/30)

TP-LINK TL-WR842ND V1.0 (End-Of-Life)

TP-LINK TX-VG1530(GPON) V1.0 (Fix planned before 2015/05/31)

Trendnet TE100-MFP1 (v1.0R)

Trendnet TEW-632BRP (A1.0R)

Trendnet TEW-632BRP (A1.1R/A1.2R)

Trendnet TEW-632BRP (A1.1R/A1.2R/A1.3R)

Trendnet TEW-634GRU (v1.0R)

Trendnet TEW-652BRP (V1.0R)

Trendnet TEW-673GRU (v1.0R)

Trendnet TEW-811DRU (v1.0R)

Trendnet TEW-812DRU (v1.0R)

Trendnet TEW-812DRU (v2.xR)

Trendnet TEW-813DRU (v1.0R)

Trendnet TEW-818DRU (v1.0R)

Trendnet TEW-823DRU (v1.0R)

Trendnet TEW-MFP1 (v1.0R)

Zyxel NBG-419N v2

Zyxel NBG4615 v2

Zyxel NBG5615

Zyxel NBG5715

 

Based on information embedded in KCodes drivers we believe the following vendors are affected:

Allnet

Ambir Technology

AMIT

Asante

Atlantis

Corega

Digitus

D-Link

EDIMAX

Encore Electronics

Engenius

Etop

Hardlink

Hawking

IOGEAR

LevelOne

Longshine

NETGEAR

PCI

PROLiNK

Sitecom

Taifa

TP-LINK

TRENDnet

Western Digital

ZyXEL

 

Vendor contact timeline:

------------------------

2015-02-28: Contacting vendor through support@kcodes.com

2015-03-04: No response, contacting various KCodes addresses found on the web.

2015-03-05: Vendor responds, requests more information.

2015-03-05: Providing advisory and proof of concept exploit.

2015-03-16: No response, requesting status update.

2015-03-16: Vendor responds, asks about fix verification(?)

2015-03-16: Requesting clarification about fixing status and information about next steps. Proposing conference call dates.

2015-03-19: No response, informing that notification of CERT/CC and selected vendors will start shortly. Requesting clarification about fixing status and information about next steps again.

2015-03-19: Vendor responds, confirms conference call date (2015-03-25). No further information provided.

2015-03-19: Providing advisory and proof of concept exploit to TP-LINK and NETGEAR.

2015-03-25: Vendor cancels conference call on short notice (sudden week-long business trip).

2015-03-26: Asking for support of CERT/CC regarding vendor coordination.

2015-03 - 2015-05: Coordination between CERT & vendors, NETGEAR and TP-LINK

2015-05-13: Notifying German CERT-Bund and Austrian CERT.at

2015-05-19: Coordinated release of security advisory

 

Solution:

---------

TP-LINK has started releasing fixed firmware. The status of affected products can be found in the affected product list above.

For additional information also see CERT/CC vulnerability notice:

www.kb.cert.org/vuls/id/177092

 

Workaround:

-----------

Sometimes NetUSB can be disabled via the web interface, but at least on NETGEAR devices this does not mitigate the vulnerability. NETGEAR told us that there is no workaround available: the TCP port can't be firewalled, nor is there a way to disable the service on their devices.

 

Advisory URL:

-------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult

Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab

The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendations about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Interested in working with the experts of SEC Consult?

Send us your application: www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?

Contact our local offices: www.sec-consult.com/en/About/Contact.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

EOF Stefan Viehböck / @2015