[ Docs | Tools | Advisories | Full-Disclosure ]
HP Radia Notify Daemon: Multiple Buffer Overflow Vulnerabilities John Cartwright <johnc@grok.org.uk> 1st June 2005 Introduction ------------ Hewlett-Packard's (formerly Novadigm) Radia contains a component known as the Radia Notify Daemon. This RADEXECD component is a small server process that listens for commands via a TCP socket and executes them on behalf of an administrator or other Radia process. A total of three remotely-exploitable overflows have been found in various versions of this software. Overview -------- The 'nvd_exec' function contains two remotely-exploitable stack-based overflows in version 3.1.2.0. The vulnerability occurs when a crafted command is sent to a RADEXECD process with parameters of a greater length than the buffer used to store them via an unbounded strcpy operation. In a typical configuration this vulnerability may be exploited remotely by an unauthenticated attacker to gain the privileges of the RADEXECD component, observed to be NT_AUTHORITY\SYSTEM during testing. In addition, the earlier version of 3.1.0.0 has a similar flaw involving a malformed file extension. This bug was reported via development contacts to Novadigm (pre-HP) approximately 12 months ago but the status and availability of the fix was unknown at the time of writing. Analysis -------- The nvd_exec (as labelled in disassembly from embedded 'comments') function is designed as a wrapper to the Windows CreateProcess API call. Upon validation of its arguments, nvd_exec creates the relevant StartupInfo structures, executes the target process, and waits for it to terminate. This function accepts five parameters, beginning with the application name to execute and its parameters. Although generic restrictions on string lengths exist in the protocol definition (see below), there is no specific check for an overly-long parameter string at this stage in execution. A stack-based parameter buffer of approximately 512 characters is used to store this information during parsing, which can be overrun by one of two unbounded strcpy calls inside nvd_exec: .text:00406193 mov ecx, [ebp+arg_params] ; attacker-supplied .text:00406196 push ecx ; char * .text:00406197 lea edx [ebp+parambuf] ; actually 516 chars .text:0040619D push edx ; char * .text:0040619E call _strcpy ; overflow here The second instance has the same bug: .text:004061AE mov ecx, [ebp+arg_params] ; attacker-supplied .text:004061B1 push ecx ; char * .text:004061B2 lea edx, [ebp+parambuf] ; actually 516 chars .text:004061B8 push edx ; char * .text:004061B9 call _strcpy ; overflow here Due to the positioning of the stack variables it is possible to overwrite the return address of the function by overflowing the buffer: FFFFFDF0 parambuf db 516 dup(?) ; buffer to overflow FFFFFFF4 rc dd ; FFFFFFFC pBuf dd ; 00000000 s db 4 dup(?) ; saved stack ptr 00000004 r db 4 dup(?) ; return address 00000008 arg_app dd ? ; application name 00000008 arg_params dd ? ; parameter information By default, nvd_exec can be accessed by unauthenticated users by crafting an appropriate request and submitting it to the RADEXECD port. The older version of this software is vulnerable to a sprintf-based overflow caused by poor error handling logic: in this instance it is the extension of the command variable which causes the problem: .text:00405B46 cmp [ebp+ext_ptr], 0 ; have we found the '.' ? .text:00405B4D jz short loc_405B9F ; no extension (safe) .text:00405B4F mov edx, [ebp+ext_ptr] ; .text:00405B55 push edx ; char * .text:00405B56 call _strlen ; calc extension length .text:00405B5B add esp, 4 ; .text:00405B5E cmp eax, 4 ; should be 4 eg '.foo' .text:00405B61 jz short local_405B9F ; OK, continue .text:00405B63 mov eax, [ebp+arg_app] ; the *complete* argument .text:00405B66 push eax ; .text:00405B67 push offset aFileExtMsg ; "File extension ... %s" .text:00405B6C lea ecx, [ebp+buffer] ; fixed size buffer .text:00405B72 push ecx ; .text:00405B73 call _sprintf ; overflow here Therefore supplying a string of the form ".AAAAAAAAAAAAAA..." is sufficient to overflow this fixed-size buffer. Exploitation ------------ Exploitation requires that the following steps be followed: 1) Attacker connects to RADEXECD port on target host 2) Attacker sends crafted remote execution request 3) Target host connects back to callback port on attacker 4) Target overflows buffer and executes shellcode In order to craft a remote execution request, the protocol must be analysed. RADEXECD employs a text-based protocol with requests taking the form of: <callback port>\0<username>\0<password>\0<command>\0 (where \0 is a NULL delimiter/terminator). <callback port> is an attacker-supplied port which must be ready to accept incoming connections. Testing has not revealed the purpose of this port, and no data has been observed to travel over the connection once established. Therefore from an exploitation point of view, it is sufficient to place a netcat listener or similar on this port. <username> and <password> are only checked if the corresponding global configuration has specifically enabled security. Therefore in a typical setup the strings 'user' and 'pass' are sufficient for exploitation purposes. <command> is a NULL-terminated ASCII string that contains the actual command to be executed, with parameters. In order to exploit this particular vulnerability, the command itself is not important, but we use this part of the buffer to hold our return address and shellcode. This must contain a '.' character to denote the extension portion of the parameter. So, in summary, a crafted request of this form is sufficient to exploit this vulnerability: <callback port>\0<username>\0<password>\0 "LIST " . (0x90 x <offset>) . <ret_addr> . "." . <shellcode> Shellcode cannot include NULLs, dots, newlines, path components, etc. In the test environment, <offset> was found to be 532 bytes for the strcpy-based overflow and 454 bytes for the sprintf-based one. When successfully overflowed, esp points to the extension component, so <ret_addr> should be the address of a 'jmp esp' or 'call esp' instruction. In a test XPSP1 environment, address 0x77E2EF63 was used ('call esp' from ADVAPI32.DLL.) Workaround ---------- Disabling RADEXECD is impractical as it is essentially a core component of the Radia suite. Access control lists on network devices should be used to filter access to the configured RADEXECD port to mitigate this attack vector until a patch is available. Timeline -------- 3rd May 2005 - Vulnerabilities disclosed to Hewlett Packard. - HP confirm and log as 'SSRT5962 Radia Notify Daemon buffer overflows' 17th May 2005 - HP reports that patches are under development. 1st June 2005 - Co-ordinated release. Notes ----- Versions under test (from .exe version resource) were RADEXECD.EXE 3.1.2.0 (strcpy-based overflow) and 3.1.0.0 (sprintf-based overflow) This advisory will be archived at http://www.grok.org.uk/advisories/radexecd.html