The discovered bug occurs due to improper handling of some of the HTTP request headers provided by the client. This could allow an attacker to remotely exploit GateManager to achieve remote code execution without any authentication required. If carried out successfully, such an attack could result in a complete security breach that grants full access to a customer’s internal network, along with the ability to decrypt all traffic that passes through the VPN.
wvu-r7 at July 31, 2020 3:50pm UTC reported:
The web functionality is implemented in the x86
Using the Claroty report and a hunch, I decided to test the
Content-Length header for negative values:
> The discovered bug occurs due to improper handling of some of the HTTP request headers provided by the client.
IMPROPER NEUTRALIZATION OF NULL BYTE OR NULL CHARACTER CWE-158
An attacker can send a negative value and overwrite arbitrary data.
/admin page, setting
Content-Length to a large negative value yielded a segfault in the
[30665.430945] gm_server: segfault at 56e35df1 ip 00000000566c0816 sp 00000000ffcb6bf0 error 6 in gm_server[565cf000+175000] [30665.430952] Code: e8 e8 ee f4 ff ff 89 c7 e9 61 fe ff ff 8d b4 26 00 00 00 00 8b 95 60 02 00 00 85 d2 0f 84 93 00 00 00 8b 85 68 02 00 00 31 ff <c6> 04 02 00 8b 45 14 83 f8 02 0f 84 34 fe ff ff 0f 82 84 02 00 00
Note that a watchdog restarts the process when it crashes.
For GateManager 8250 on Linux, the
gm_server binary has NX and PIE enabled. The embedded 4260 and 9250 models have only NX:
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE No RELRO No canary found NX enabled No PIE No RPATH No RUNPATH No Symbols No 0 22 gm_server.unpatched
Exploitability of the embedded models seems high, given that PIE isn’t enabled. NX and system ASLR can be bypassed with ROP.
Assessed Attacker Value: 5
Assessed Attacker Value: 3