WatchGuard FireBox Vclass/RSSA Login Format Strings

2002-09-27T00:00:00
ID OSVDB:4924
Type osvdb
Reporter Joao Gouveia(tharbad@kaotik.org)
Modified 2002-09-27T00:00:00

Description

Vulnerability Description

A remote format string vulnerability exists in WatchGuard RapidStream and Firebox products. The RapidStream and Firebox appliances fail to validate user-supplied input during the login process, resulting in a format string issue in the binary that handles authentication. With a specially crafted request, an attacker can cause the appliance to execute arbitrary code, resulting in a loss of integrity and/or availability.

Technical Description

The RapidStream login procedure works as follows:

  • A hacked OpenSSH binary receives the authentication parameters from the client. It performs no authentication itself, other than confirming that the username used is "rsadmin".

  • The password passed in the SSH login is sent as a parameter to the CLI wrapper (/bin/cli).

  • The CLI wrapper passes the parameters to the CLI binary, which proceeds with the authentication, by launching "/bin/.cli -p <password>".

The CLI binary suffers from a format strings vulnerability on the password parameter.
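
The bug class described above, as an added example that is not WatchGuard's code and is not taken from the advisory: a hypothetical handler for a "-p <password>" argument that formats the password once as the format string itself and once as data. All function names are assumptions, and the sample input is constructed and contains only the harmless "%%" directive.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for "-p <password>" handling; not the appliance's code. */
static const char *password_arg(int argc, char **argv)
{
    for (int i = 1; i + 1 < argc; i++)
        if (strcmp(argv[i], "-p") == 0)
            return argv[i + 1];
    return NULL;
}

/* Vulnerable pattern: the caller-controlled password IS the format string,
 * so any directive it contains is interpreted by the formatter. */
static int render_vulnerable(char *out, size_t n, const char *password)
{
    return snprintf(out, n, password);
}

/* Fixed pattern: constant format string, password passed as data only. */
static int render_fixed(char *out, size_t n, const char *password)
{
    return snprintf(out, n, "%s", password);
}

/* Returns 1 if the two renderings differ (the input was interpreted),
 * 0 if they match, -1 if no "-p" argument is present. */
static int input_was_interpreted(int argc, char **argv)
{
    char a[128], b[128];
    const char *pw = password_arg(argc, argv);
    if (pw == NULL)
        return -1;
    render_vulnerable(a, sizeof a, pw);
    render_fixed(b, sizeof b, pw);
    return strcmp(a, b) != 0;
}

int main(void)
{
    /* Constructed sample command lines. */
    char *plain[] = { ".cli", "-p", "hunter2", NULL };
    char *odd[]   = { ".cli", "-p", "100%%sure", NULL };
    printf("plain password interpreted: %d\n", input_was_interpreted(3, plain));
    printf("password with %%%% interpreted: %d\n", input_was_interpreted(3, odd));
    return 0;
}
```

Compilers flag the vulnerable call with -Wformat-security; building with -Werror=format-security turns that pattern into a build failure.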

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, Rapid Response Team has released RS-302-HotFix-31 for 3.02 SP2 and Hotfix 2 for 3.2 SP1a to address this vulnerability.

References:

  • Vendor URL: http://www.watchguard.com
  • Vendor Specific Solution URL: ftp://RSSA:RS_s0ftware@ftp.watchguard.com/RSSA_302/RSSA-302-HotFix-31/RS-302-HotFix-31-readme.txt
  • Vendor Specific Advisory URL
  • ISS X-Force ID: 10217
  • Generic Informational URL: http://watchguard.com/vars/rssa.asp
  • Generic Informational URL: http://archives.neohapsis.com/archives/bugtraq/2002-09/0335.html
  • CVE-2002-1519
  • Bugtraq ID: 5814