Cisco Ironport WSA telnetd Remote Code Execution Vulnerability

2014-10-24T00:00:00
ID 1337DAY-ID-22784
Type zdt
Reporter Glafkos Charalambous
Modified 2014-10-24T00:00:00

Description

The Cisco Ironport WSA virtual appliances are vulnerable to an old FreeBSD telnetd encryption Key ID buffer overflow which allows remote attackers to execute arbitrary code. Cisco WSA Virtual appliances have the vulnerable telnetd daemon enabled by default.

                                        
                                            Cisco Ironport WSA Telnetd Remote Code Execution Vulnerability
Vendor: Cisco
Product web page: http://www.cisco.com
Affected version: Cisco Ironport WSA - AsyncOS 8.0.5 for Web build 075
Date: 22/05/2014
Credits: Glafkos Charalambous
CVE: CVE-2011-4862
CVSS Score: 7.6
Impact: Unauthenticated Remote Code Execution with elevated privileges
Description: The Cisco Ironport WSA virtual appliances are vulnerable to an old FreeBSD telnetd encryption Key ID buffer overflow which allows remote attackers to execute arbitrary code (CVE-2011-4862).
Cisco WSA Virtual appliances have the vulnerable telnetd daemon enabled by default. 

diff --git a/ChangeLog b/ChangeLog
index dd381d1..f4e4457 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2011-12-25  Alfred M. Szmidt  <[email protected]>
+
+  * libtelnet/encrypt.c (encrypt_keyid): Make sure that LEN never is
+  greater than MAXKEYLEN.
+
 2011-12-22  Mats Erik Andersson <[email protected]>
 
   * libinetutils/setsig.c (setsig) [HAVE_SIGACTION]: Initialize
diff --git a/libtelnet/encrypt.c b/libtelnet/encrypt.c
index 06827d9..abfa6d4 100644
--- a/libtelnet/encrypt.c
+++ b/libtelnet/encrypt.c
@@ -796,6 +796,9 @@ encrypt_keyid (kp, keyid, len)
   int dir = kp->dir;
   register int ret = 0;
 
+  if (len > MAXKEYLEN)
+    len = MAXKEYLEN;
+
   if (!(ep = (*kp->getcrypt) (*kp->modep)))
     {
       if (len == 0)


Trying 192.168.0.160...
Connected to 192.168.0.160.
Escape character is '^]'.

[+] Exploiting 192.168.0.160, telnetd rulez!
[+] Target OS - FreeBSD 8.2 amd64
[*] Enjoy your shell
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
uname -a
FreeBSD ironport.example.com 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Fri Mar 14 10:49:50 PDT 2014     [email protected]:/usr/build/iproot/freebsd/mods/src/sys/amd64/compile/MESSAGING_GATEWAY.amd64  amd64

Disclosure Timeline
19-05-2014: Vendor Notification
20-05-2014: Vendor Response/Feedback
27-08-2014: Vendor Fix/Patch
22-10-2014: Public Disclosure

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862
http://www.freebsd.org/security/advisories/FreeBSD-SA-11:08.telnetd.asc
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120126-ironport

#  0day.today [2018-04-14]  #