SSD安全公告-QNAP QTS未经认证的远程代码执行漏洞

Credit to Author: SSD / Maor Schwartz| Date: Mon, 18 Dec 2017 08:04:57 +0000

漏洞概要 以下安全公告描述了QNAP QTS的一个内存损坏漏洞,成功利用该漏洞会造成QNAP QTS 4.3.x和4.2.x版本(包括4.3.3.0299)未经验证的远程代码执行。 威联通科技(QNAP Systems, Inc)专注于为企业,中小型企业,SOHO和家庭用户提供文件共享,虚拟化,存储管理和监控应用的网络解决方案。 QNAP QTS是标准的智能NAS操作系统,支持所有文件共享,存储,备份,虚拟化和多媒体QNAP设备。 漏洞提交者 一位安全研究者TRUEL IT(@truel_it)向 Beyond Security 的 SSD 报告了该漏洞 厂商响应 QNAP已被告知该漏洞,并回复:“我们已经确认这个问题与最近的另一份报告相同,并已经发布了CVE-2017-17033。 尽管这份报告是重复的,但我们仍然会在即将发布的安全公告中对两位报送者表示感谢。 同时,在即将发布的QTS 4.2.6和4.3.3版本中将修复该漏洞。” CVE: CVE-2017-17033 漏洞详细信息 由于缺乏适当的边界检查,可以通过特制的HTTP请求溢出堆栈缓冲区并劫持控制流以实现任意代码执行。 authLogin.cgi负责显示来自Web界面的系统信息,并且包含在用户提供的输入进行无限制的sprintf调用中。 authLogin.cgi二进制文件,位于QTS文件系统的/home/httpd/cgibin/目录中,可通过请求端点/cgi-bin/sysinfoReq.cgi进行访问。 该二进制文件是QTS的一部分,并充当几个功能的包装器。 易受攻击的调用位于handle_qpkg()(0x1C680)函数中,该函数由handle_sysInfoReq()(0x1D398)调用,以显示当前系统信息(型号名称,固件版本,ecc)。 [crayon-5a383ee2c6288334669193/] 通过向sysinfoReq.cgi发送一个HTTP请求,handle_sysInfoReq()(0x1D398)函数被触发,并且根据提供的参数,可以处理不同的进程步骤。 [crayon-5a383ee2c628f233726429/] 如果提供了qpkg HTTP参数,则调用handle_qpkg()(0x1C680)函数。 [crayon-5a383ee2c6292299287155/] handle_qpkg()函数不会验证用户提供的lang HTTP参数值。 正如上面的代码路径所示,未经身份验证的攻击者可以为所述参数提供任意大小的值,然后通过sprintf()函数调用将其连接到静态大小(堆栈)缓冲区上的现有字符串。 漏洞证明 通过发送以下POST请求,我们将使堆栈溢出并用XXXX覆盖qpkg_all_info缓冲区的值,并用YYYY覆盖handle_qpkg()参数返回地址的值,从而造成崩溃。 [crayon-5a383ee2c6295336007302/] 产生以下崩溃: [crayon-5a383ee2c629a114636077/]

Read more

SSD Advisory – Huawei P8 wkupccpu debugfs Kernel Buffer Overflow

Credit to Author: SSD / Maor Schwartz| Date: Sun, 17 Dec 2017 07:24:49 +0000

Vulnerability Summary The following advisory describes a buffer overflow found in Huawei P8 Lite ALE-21 HI621sft, operating system versions EMUI 3.1 – wkupccpu debugfs driver. Huawei Technologies Co. Ltd. is “a multinational networking and telecommunications equipment and services company, it is the largest telecommunications equipment manufacturer in the world and the second largest smartphone manufacturer … Continue reading SSD Advisory – Huawei P8 wkupccpu debugfs Kernel Buffer Overflow

Read more

SSD Advisory – QNAP QTS Unauthenticated Remote Code Execution

Credit to Author: SSD / Maor Schwartz| Date: Mon, 11 Dec 2017 10:16:42 +0000

Vulnerability Summary The following advisory describes a memory corruption vulnerability that can lead to an unauthenticated remote code execution in QNAP QTS versions 4.3.x and 4.2.x, including the 4.3.3.0299. QNAP Systems, Inc. is “a Taiwanese corporation that specializes in providing networked solutions for file sharing, virtualization, storage management and surveillance applications to address corporate, SMB, … Continue reading SSD Advisory – QNAP QTS Unauthenticated Remote Code Execution

Read more

SSD Advisory – Dasan Unauthenticated Remote Code Execution

Credit to Author: SSD / Maor Schwartz| Date: Wed, 06 Dec 2017 06:42:29 +0000

Vulnerability Summary The following advisory describes a buffer overflow that leads to remote code execution found in Dasan Networks GPON ONT WiFi Router H640X versions 12.02-01121 / 2.77p1-1124 / 3.03p2-1146 Dasan Networks GPON ONT WiFi Router “is indoor type ONT dedicated for FTTH (Fibre to the Home) or FTTP (Fiber to the Premises) deployments. That … Continue reading SSD Advisory – Dasan Unauthenticated Remote Code Execution

Read more

SSD Advisory – Iceni Infix Multiple Crashes

Credit to Author: SSD / Maor Schwartz| Date: Tue, 13 Jun 2017 11:18:28 +0000

Crashes Summary An independent security researcher has reported 36 different crashes in Iceni Infix. We decided to publish 1 sample out of the 36 crashes – if you want to get the remaining 35 crashes, please contact us via email ssd [at] beyondsecurity (dot) com. “Infix PDF Editor and Infix PDF Editor Pro is popular … Continue reading SSD Advisory – Iceni Infix Multiple Crashes

Read more

SSD Advisory – HPE Intelligent Management Center (iMC) Code Execution

Credit to Author: SSD / Maor Schwartz| Date: Fri, 02 Jun 2017 07:59:35 +0000

Vulnerability Summary The following advisory describes a Stack Buffer Overflow vulnerability found in HPE Intelligent Management Center version v7.2 (E0403P10) Enterprise, this vulnerability leads to an exploitable remote code execution. HPE Intelligent Management Center (iMC) delivers comprehensive management across campus core and data center networks. iMC converts meaningless network data to actionable information to keep … Continue reading SSD Advisory – HPE Intelligent Management Center (iMC) Code Execution

Read more

SSD Advisory – Bitdefender Code Signing organizationName Buffer Overflow

Credit to Author: SSD / Maor Schwartz| Date: Thu, 18 May 2017 05:34:17 +0000

Vulnerability Summary The following advisory describes a Buffer Overflow vulnerability found in Bitdefender Engine PE. Bitdefender provides the Bitdefender “antimalware” engine for integration with other security vendors products. The engine is used in Bitdefender’s own products, for example in Bitdefender Internet Security 2017 and below. The antimalware engine is the core of the product, among … Continue reading SSD Advisory – Bitdefender Code Signing organizationName Buffer Overflow

Read more

SSD Advisory – Linksys PPPoE Multiple Vulnerabilities

Credit to Author: Maor Schwartz| Date: Wed, 19 Apr 2017 13:52:33 +0000

Vulnerabilities Summary The following advisory describes two (2) vulnerabilities found in Linksys EA, XAC and AC series devices. The vulnerabilities has been found in the way the Linksys devices (EA, XAC and AC series) handle the Point-to-point protocol over Ethernet (PPPoE) Discovery (PPPoED) process allowing an unprivileged active attacker on the same network segment (layer2) … Continue reading SSD Advisory – Linksys PPPoE Multiple Vulnerabilities

Read more