Related vulnerability
Title:
Buffer error vulnerability in multiple Cisco products
(CVE-2019-1663)
Description: Cisco RV110W Wireless-N VPN Firewall and related models are enterprise-class routers from Cisco Systems (USA). The web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, RV130W Wireless-N Multifunction VPN Router and RV215W Wireless-N VPN Router contains a buffer error vulnerability caused by the program failing to validate user-submitted data properly. A remote attacker can exploit it by sending a malicious HTTP request to execute arbitrary code on the underlying operating system.
Introduction
# Binary Analysis of CVE-2019-1663
**Author:** [Corentin Wolff](https://github.com/WolffCorentin)
---
## Origin of the Vulnerability
### Source of the Vulnerability
The vulnerability originates from the function at address `0x0002BF64`, which misuses `strcpy` and is therefore prone to buffer overflow. For clarity, this function has been renamed to `Login`. Below is its decompiled signature (decompiler-generated parameter names):
```c
/* Decompiled signature; the body is elided here and shown in part below. */
undefined4 Login(char *param_1, char *param_2, char *param_3, int param_4) { ... }
```
In this snippet, `strcpy` is called on user-controlled data without any length check, which causes the buffer overflow:
```c
if (param_4 == 0) {
    /* Only fields that do not start with "enc=" reach the copies below */
    iVar2 = strncmp(acStack_fa, "enc=", 4);
    if (iVar2 != 0) {
        strcpy(acStack_15e, acStack_fa);   /* unbounded copy into a fixed stack buffer */
        strcpy(acStack_1c2, param_2);      /* unbounded copy of the password field */
        goto LAB_0002c264;
    }
}
```
### Username Identification
This part of the code logs a failed login and reveals which parameter holds the username:
```c
if (iVar2 != 0) {
    /* Failed login is logged with the submitted username */
    syslog(6, "Web management login failed, user=%s\n", param_1);
}
```
The parameter `param_1` is therefore identified as the username field.
### Password Verification
Similarly, `param_2` corresponds to the password, while `param_3` is identified as `httpd_user`.
### Login Flags
The `login_flag` variable represents the connection states:
```c
0 → Login error
1 → Admin login successful
2 → Admin login denied due to an existing session
3 → Admin login forcing logout
```
# Type of Vulnerability
### Buffer Overflow and strcpy
The vulnerability is a buffer overflow caused by improper use of the `strcpy` function.
#### How strcpy Fails
The `strcpy` function copies until it reaches the source string's terminating NUL and never checks the source length against the destination buffer's capacity.
When the source is longer than the destination, the adjacent memory regions (here, neighbouring stack data) are overwritten.
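To make the missing check concrete, here is an added example (not code from the original analysis or from the Cisco firmware) that mirrors the shape of the vulnerable branch, the `"enc="` prefix test followed by copies of the username and password into fixed-size stack buffers, but validates the length before every copy instead of calling `strcpy`. The buffer size `FIELD_MAX` is an assumption, since the page does not give the real sizes of `acStack_15e` and `acStack_1c2`, and `copy_field`, `validate_login_fields` and `field_at_length_accepted` are hypothetical names introduced for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the stack buffers receiving the login fields;
 * the real firmware's buffer sizes are not stated on the page. */
#define FIELD_MAX 100

/* Bounded replacement for the unchecked strcpy: refuses any source
 * that would not fit (including its NUL) rather than overflowing or
 * silently truncating. Returns 0 on success, -1 on rejection.
 * dst is always left NUL-terminated. */
static int copy_field(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;

    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;

    /* Measure src without ever reading more than dst_size bytes */
    while (n < dst_size && src[n] != '\0')
        n++;

    if (n == dst_size) {      /* src has >= dst_size chars: would overflow */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);  /* n + 1 <= dst_size, includes the NUL */
    return 0;
}

/* Hardened version of the vulnerable branch. Returns 1 when both
 * fields are accepted into their buffers, 0 when either is rejected. */
int validate_login_fields(const char *user, const char *pwd)
{
    char user_buf[FIELD_MAX];
    char pwd_buf[FIELD_MAX];

    /* Prefix test retained from the original control flow */
    if (user == NULL || pwd == NULL || strncmp(user, "enc=", 4) == 0)
        return 0;

    if (copy_field(user_buf, sizeof user_buf, user) != 0)
        return 0;
    if (copy_field(pwd_buf, sizeof pwd_buf, pwd) != 0)
        return 0;

    /* Buffers are valid, NUL-terminated strings here */
    return user_buf[0] != '\0' && pwd_buf[0] != '\0';
}

/* Helper for probing the boundary: builds a constructed password of
 * exactly len 'A' characters (len < 256) and reports whether it is
 * accepted. The longest accepted field is FIELD_MAX - 1 characters. */
int field_at_length_accepted(size_t len)
{
    char pwd[256];

    if (len >= sizeof pwd)
        return 0;
    memset(pwd, 'A', len);
    pwd[len] = '\0';
    return validate_login_fields("cisco", pwd);
}

int main(void)
{
    printf("normal login fields accepted: %d\n",
           validate_login_fields("cisco", "secret"));        /* 1 */
    printf("99-char password accepted:    %d\n",
           field_at_length_accepted(FIELD_MAX - 1));          /* 1 */
    printf("100-char password accepted:   %d\n",
           field_at_length_accepted(FIELD_MAX));              /* 0 */
    printf("199-char password accepted:   %d\n",
           field_at_length_accepted(199));                    /* 0 */
    return 0;
}
```

The point of the boundary probe is that the oversized input which crashes the original code is simply rejected here; nothing is written past either buffer, and the caller can log the rejection the same way the firmware already logs a failed login.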
#### Exploitation Context
CVE-2019-1663 exploits this lack of input size validation in the affected Cisco router models.
### Steps of Exploitation
1. **No length check:** Unsanitized user input is passed to `strcpy`.
2. **Memory overflow:** Excess data overwrites critical memory regions.
3. **Arbitrary code execution:** Attackers inject and execute malicious code.
4. **Exploitation requirements:** Access to the router's web configuration server.
5. **Impact:** Privileged access, enabling network espionage, traffic redirection, malware installation, or backdoors.
# Remote Exploitation of the Vulnerability
1. **Conditions for Remote Exploitation.** Exploitation requires access to the router's web configuration server. If the server is not exposed to the WAN, exploitation is limited to LAN access.
2. **Attack Procedure.** Once access is obtained, the attacker intercepts and modifies a request, appending a malicious payload such as:
```
&enc=1&user=cisco&pwd=AAAA...AAAAZZZZ&sel_lang=EN
```
This triggers a segmentation fault. By determining the optimal buffer size, attackers can inject and execute malicious code.
# Bibliography
1. **MITRE CWE-120: Buffer Copy without Checking Size of Input**
[https://cwe.mitre.org/data/definitions/120.html](https://cwe.mitre.org/data/definitions/120.html)
2. **MITRE CWE-787: Out-of-bounds Write**
[https://cwe.mitre.org/data/definitions/787.html](https://cwe.mitre.org/data/definitions/787.html)
3. **OWASP Buffer Overflow Overview**
[https://owasp.org/www-community/vulnerabilities/Buffer_Overflow](https://owasp.org/www-community/vulnerabilities/Buffer_Overflow)
4. **"Buffer Overflow" on Microsoft Learn**
[https://learn.microsoft.com/en-us/cpp/security/security-best-practices-for-c-cpp](https://learn.microsoft.com/en-us/cpp/security/security-best-practices-for-c-cpp)
5. **CERT Secure Coding Standards - STR31-C**
[https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator](https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator)
6. **Exploiting CVE-2019-1663 - Write Up by Quentin Kaiser**
[https://quentinkaiser.be/exploitdev/2019/08/30/exploit-cve-2019-1663](https://quentinkaiser.be/exploitdev/2019/08/30/exploit-cve-2019-1663)
File snapshot
[4.0K] /data/pocs/b38cbc8a619f503e4b3fb2c9ef43417ac2b1c0b7
├── [272K] Analyse de binaire.pdf
└── [4.0K] README.md
0 directories, 2 files
Notes
1. It is recommended to access the material through the original source first.
2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.