Cisco ASA - WebVPN CIFS Handling Buffer Overflow Vulnerability

🗓️ 16 Feb 2017 00:00:00Reported by Google Security ResearchType

zdt🔗 0day.today👁 40 Views

Cisco ASA WebVPN CIFS Buffer Overflo

Reporter	Title	Published	Views	Family All 12
BDU FSTEC	The vulnerability of the Qualcomm GPU operating system for Linux, allowing a hacker to execute arbitrary code	23 Jun 201700:00	–	bdu_fstec
Circl	CVE-2017-3807	15 Feb 201700:00	–	circl
Cisco	Cisco ASA Clientless SSL VPN CIFS Heap Overflow Vulnerability	8 Feb 201716:00	–	cisco
Tenable Nessus	Cisco ASA Clientless SSL VPN Functionality CIFS RCE (cisco-sa-20170208-asa)	16 Feb 201700:00	–	nessus
CNVD	Cisco Adaptive Security Appliance Software Heap Buffer Overflow Vulnerability	17 Feb 201700:00	–	cnvd
CVE	CVE-2017-3807	9 Feb 201717:00	–	cve
Cvelist	CVE-2017-3807	9 Feb 201717:00	–	cvelist
NVD	CVE-2017-3807	9 Feb 201717:59	–	nvd
OpenVAS	Cisco ASA Clientless SSL VPN CIFS Heap Overflow Vulnerability (cisco-sa-20170208-asa)	9 Feb 201700:00	–	openvas
OSV	CVE-2017-3807	9 Feb 201717:59	–	osv

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=998
 
The WebVPN http server exposes a way of accessing files from CIFS with a url hook of the form: https://portal/+webvpn+/CIFS_R/share_server/share_name/file.
 
When someone logged into the portal navigates to such an address, the http_cifs_process_path function parses the request URI and creates 2 C strings in a http_cifs_context struct:
 
http_cifs_context:
  +0x160 char* file_dir
  +0x168 char* file_name
 
These strings are copied in various places, but is done incorrectly. For example, in ewaURLHookCifs, there is the following pseudocode:
 
   filename_copy_buf = calloc(1LL, 336LL);
   net_handle[10] = filename_copy_buf;
   if ( filename_copy_buf )
   {
     src_len = _wrap_strlen(filename_from_request);
     if ( filename_from_request[src_len - 1] == ('|') )
     {
       // wrong length (src length)
       strncpy((char *)filename_copy_buf, filename_from_request,
               src_len - 1);
     }
 
In this case, a fixed size buf (|filename_copy_buf|) is allocated. Later, strncpy is called to copy to it, but the length passed is the length of the src string, which can be larger than 366 bytes. This leads to heap overflow.
 
There appear to be various other places where the copying is done in an unsafe way:
 
http_cifs_context_to_name, which is called from ewaFile{Read,Write,Get}Cifs, and ewaFilePost, uses strcat to copy the file path and file name to a fixed size (stack) buffer.
 
http_cifs_pre_fopen, which has a similar issue with passing the length of the src buffer to strncpy. 
 
Possibly http_add_query_str_from_context. There are probably others that I missed.
 
Note that triggering this bug requires logging in to the WebVPN portal first, but the cifs share does not need to exist.
 
Repro:
 
Login to WebVPN portal, navigate to:
 
https://portal/+webvpn+/CIFS_R/server/name/ followed by 500 'A's.
 
("server" and "name" may be passed verbatim)
 
*** Error in `lina': malloc(): memory corruption: 0x00007fa40c53f570 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x3f0486e74f)[0x7fa4139fc74f]
/lib64/libc.so.6(+0x3f048783ee)[0x7fa413a063ee]
/lib64/libc.so.6(+0x3f0487be99)[0x7fa413a09e99]
/lib64/libc.so.6(__libc_malloc+0x60)[0x7fa413a0b5a0]
lina(+0x321976a)[0x7fa41a2b276a]
lina(mem_mh_calloc+0x123)[0x7fa41a2b4c83]
lina(resMgrCalloc+0x100)[0x7fa419659410]
lina(calloc+0x94)[0x7fa419589a34]
lina(ewsFileSetupFilesystemDoc+0x28)[0x7fa41826a608]
lina(ewsServeFindDocument+0x142)[0x7fa418278192]                                        
lina(ewsServeStart+0x114)[0x7fa4182784a4]                                               
lina(ewsParse+0x19a0)[0x7fa418272cc0]                                                   
lina(ewsRun+0x9c)[0x7fa41826955c]                                                       
lina(emweb_th+0x6ab)[0x7fa418286aeb]
lina(+0xde58ab)[0x7fa417e7e8ab]
 
This was tested on 9.6(2)

#  0day.today [2018-04-14]  #

16 Feb 2017 00:00Current

0.5Low risk

Vulners AI Score0.5

EPSS0.11446