Credit:
The information has been provided by Andres Lopez Luksenberg.
The original article can be found at: http://www.coresecurity.com/content/libsmi-smigetnode-buffer-overflow
Vulnerable Systems:
* LibSMI 0.4.8
Immune Systems:
* LibSMI 0.4.8 patched
The smiGetNode function returns a SmiNode struct given the name of an OID as a char * in either numeric (i.e. "1.3.6.1.2.1.4.17") or human readable format (i.e. "ipForwarding"). This function uses a static array of 128 elements of type unsigned int to hold the OID in numeric format:
...
SmiSubid oid[128];
...
Note that SmiSubid is a typedef of unsigned int.
This array is populated by a loop that calls strtok and then subsequently strtoul in the case that the OID supplied as a char * was in the form of subsequent numbers separated by a period.
...
if (isdigit((int)node2[0])) {
    for (oidlen = 0, p = strtok(node2, ". "); p;
         oidlen++, p = strtok(NULL, ". ")) {
        oid[oidlen] = strtoul(p, NULL, 0);
    }
}
...
That loop clearly writes past the bounds of oid when the string contained in node2 has more than 128 dots ("."). This constitutes a classical overflow that can likely be leveraged into arbitrary code execution reliably.
To verify whether the version of libsmi installed on a Unix based system is vulnerable, the code example (smisubtree) from man libsmi can be used. This program calls smiGetNode in the following way in line 17:
...
for((smiNode = smiGetNode(NULL, argv[1])) &&
...
The program crashes when called via the command line with an OID with more than 128 numeric tokens, like the OID output by the following Python script:
...
#!/usr/bin/python
# run ./smisubtree `./libsmicrash.py`
# prints 158 repetitions of "1.", i.e. well over the 128 sub-identifiers oid[] can hold
if __name__ == "__main__":
    s = ""
    for i in range(158):
        s = s + "1."
    print(s)
...
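To show what the missing check looks like, the following is an added example (not libsmi's code and not CORE's patch): a bounded version of the strtok/strtoul loop quoted above, plus a helper that feeds it the same "1."-repeated input libsmicrash.py prints. The names parse_numeric_oid and parse_repeated_ones are hypothetical.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define OID_MAX 128               /* same capacity as libsmi's SmiSubid oid[128] */
typedef unsigned int SmiSubid;

/* Hypothetical bounded replacement for the strtok/strtoul loop quoted from
 * smiGetNode (added example, not libsmi's actual patch). Parses a dotted
 * numeric OID such as "1.3.6.1.2.1.4.17" into oid[0..max-1] and returns the
 * number of sub-identifiers stored, or -1 when the input is not numeric or has
 * more than max components (the input that crashes libsmi 0.4.8). */
int parse_numeric_oid(const char *name, SmiSubid *oid, size_t max)
{
    size_t len, oidlen = 0;
    char *copy, *p;
    if (!name || !isdigit((unsigned char)name[0]))
        return -1;
    len = strlen(name);
    copy = malloc(len + 1);       /* strtok() writes into its argument */
    if (!copy)
        return -1;
    memcpy(copy, name, len + 1);
    for (p = strtok(copy, ". "); p; p = strtok(NULL, ". ")) {
        if (oidlen >= max) {      /* the bounds check the original loop lacks */
            free(copy);
            return -1;
        }
        oid[oidlen++] = (SmiSubid)strtoul(p, NULL, 0);
    }
    free(copy);
    return (int)oidlen;
}

/* Builds n repetitions of "1." (the string libsmicrash.py prints; constructed
 * input), parses it into a 128-entry array and returns the parser's result. */
int parse_repeated_ones(size_t n)
{
    SmiSubid oid[OID_MAX];
    char *s = malloc(2 * n + 1);
    int rc;
    if (!s)
        return -1;
    for (size_t i = 0; i < n; i++)
        memcpy(s + 2 * i, "1.", 2);
    s[2 * n] = '\0';
    rc = parse_numeric_oid(s, oid, OID_MAX);
    free(s);
    return rc;
}
```

With the check in place, the 158-token input is rejected with -1 instead of writing 30 entries past the array, while exactly 128 tokens still parse.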
CVE Information:
CVE-2010-2891
Disclosure Timeline:
2010-09-06: Vincent Bernat, the Debian Package Maintainer for libsmi, is contacted.
2010-10-20: Advisory CORE-2010-0819 is released.