Saturday, January 7, 2012

Vulnerable Weekends #7

Vulnerability Report #7: Iptools rcmd Denial of Service Vulnerability

Vulnerable Product: Iptools version 0.1.4 (the remote command server script, rcmd)


CVSS v2 Score:
Base Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE

Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Base Score: 5.0

Temporal Vector: E:POC/RL:W/RC:UR
Exploitability: PROOF-OF-CONCEPT
Remediation Level: WORKAROUND
Report Confidence: UNCORROBORATED
Temporal Score: 4.1

Iptools is a popular set of small TCP/IP utilities implemented as Perl scripts, including a minimalist web server, a Telnet-like remote command server (rcmd), a TFTP server and client, and an SNMP browser. The toolset has been reported to be vulnerable to a denial of service (DoS) condition in its remote command server script, rcmd.

The rcmd utility listens on TCP/23 and reads client requests one line at a time. A line containing "cd " is handled by taking everything after the match as the directory name, stripping a single trailing CRLF, and passing that string straight to Perl's chdir, whose EXPR argument is treated as a filename. No length, character or scope check is applied, so a remote client can supply a directory name of arbitrary length (or, for that matter, any path on the host). The only failure the script anticipates is chdir returning false, which it answers with "Invalid directory"; according to the report, a sufficiently long argument instead makes the directory change fail in a way the script does not trap, terminating the Perl interpreter abnormally and taking the command server down with it. Whether an over-long argument really crashes the interpreter, rather than simply making chdir return false with ENAMETOOLONG as it does on a typical Linux build of Perl, depends on the platform and Perl build, so the behaviour should be confirmed on the target before the DoS is relied upon. The following code snippet shows where the flaw is introduced in the rcmd script:

# rcmd prompts the client, then reads one request line at a time from the socket NS
print NS "$curdir> ";
while (<NS>) {
  print "Client request : ";
  CASE: {
      # "cd " is matched anywhere in the line; $' (postmatch) is everything after it.
      # Only one trailing CRLF is stripped; there is no length or character check.
      /cd / && do { $dir=$'; $dir=~s/\015\012//; print $dir if $debug;
                    chdir "$dir" || print NS "Invalid directory\015\012"  ; last CASE; };
      # Windows-style drive change such as "D:"; $2 holds the drive letter and colon
      /^(\b)*(.:)/ && do { $drive=$2; ; print "driver:[$drive]" if $debug;
                    chdir "$drive" || print NS "Invalid drive\015\012"  ; last CASE; };
      # ... further command handlers follow in the original script ...
  }
}
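
To check the reported behaviour on a given Perl build, and to see what a safe handler looks like, the following Perl script is an added example; it is not code from iptools or from the report's author. It reimplements the "cd " branch as shown above (cd_weak) beside a hardened version (cd_hardened) and feeds both a few constructed request lines, including a 100,000-byte directory name. The $BASE confinement directory, the $MAX_ARG cap of 255 bytes and the request lines themselves are assumptions made for this demonstration, not anything iptools does.

```perl
#!/usr/bin/perl
# Added example (not part of iptools): exercise the rcmd "cd " handler with
# hostile request lines and show a hardened alternative beside it.
use strict;
use warnings;
use Cwd qw(getcwd abs_path);
use File::Spec;

# Directory the server is allowed to roam under. Assumption for this example:
# wherever the script was started. rcmd itself applies no such restriction.
my $BASE    = abs_path(getcwd());
my $MAX_ARG = 255;   # assumed cap on one "cd" argument; choose for your platform

# 1. The rcmd logic as shown in the advisory: match "cd " anywhere in the line,
#    take the rest of the line, strip one CRLF, hand it straight to chdir.
sub cd_weak {
    my ($line) = @_;
    return "not a cd" unless $line =~ /cd /;
    my $dir = $';                     # postmatch: everything after "cd "
    $dir =~ s/\015\012//;
    return chdir($dir) ? "ok: " . getcwd() : "Invalid directory ($!)";
}

# 2. Hardened handler: anchored parse, length and character checks, resolve the
#    target and confine it under $BASE before chdir is ever called.
sub cd_hardened {
    my ($line) = @_;
    $line =~ s/\r?\n\z//;
    return "not a cd" unless $line =~ /\Acd[ \t]+(.+)\z/;
    my $arg = $1;
    return "rejected: argument too long"     if length($arg) > $MAX_ARG;
    return "rejected: control character/NUL" if $arg =~ /[\x00-\x1f\x7f]/;
    my $target = File::Spec->rel2abs($arg);  # relative paths resolve from cwd
    my $real   = abs_path($target);
    return "Invalid directory" unless defined $real && -d $real;
    return "rejected: outside $BASE"
        unless index($real, $BASE) == 0
            && (length($real) == length($BASE)
                || substr($real, length($BASE), 1) eq '/');
    return chdir($real) ? "ok: " . getcwd() : "Invalid directory ($!)";
}

# Constructed request lines standing in for what a client would send on TCP/23.
my @requests = (
    "cd .\015\012",                        # benign
    "cd /\015\012",                        # leaves $BASE; weak handler allows it
    "cd ../../../../..\015\012",           # traversal
    "cd " . ("A" x 100_000) . "\015\012",  # unbounded argument, the reported trigger
    "echo cd /tmp\015\012",                # "cd " matched mid-line by the weak regex
);

for my $req (@requests) {
    my $shown = length($req) > 40 ? substr($req, 0, 37) . "..." : $req;
    $shown =~ s/\015\012/\\r\\n/g;
    # eval so that a die inside chdir is reported instead of ending the interpreter
    my $weak = eval { cd_weak($req) }     // "DIED: $@";
    chdir $BASE;                           # reset between handlers
    my $hard = eval { cd_hardened($req) } // "DIED: $@";
    chdir $BASE;
    printf "%-42s weak: %-40s hardened: %s\n", $shown, $weak, $hard;
}
```

Run it with a stock Perl on the machine that hosts rcmd. On a typical Linux build the 100,000-byte argument makes chdir return false with "File name too long" (ENAMETOOLONG) and the eval never fires; if your platform instead terminates the interpreter or raises an exception, that is the condition the advisory describes, and the hardened handler's length check stops it before chdir is reached. The "echo cd /tmp" line shows why the unanchored /cd / match matters as well: the weak handler changes directory on a line that is not a cd command at all, while the anchored parse ignores it.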

No official confirmation or software update is currently available. Until a fix is released, users should avoid running the vulnerable utility. As a workaround, restrict access to the port rcmd listens on (TCP/23) with firewall rules that admit only trusted sources; note that this limits who can reach the service rather than removing the flaw.


Thanks for reading! I would appreciate it if you could leave your comments as well.