Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

SFCB vulnerabilities
From: Nicolas Grégoire <nicolas.gregoire () agarri fr>
Date: Tue, 01 Jun 2010 22:12:16 +0200

[=] Product overview

SBLIM SFCB is an Open Source implementation of a WBEM CIM broker. WBEM
is a set of technologies aimed to monitor and administer (larges) pools
of computing ressources, applications, hardware. It's used by computers
management tools like HP Systems Insight Manager, VMware vSphere or IBM
Director. SFCB usually listens on TCP ports 5988 (HTTP) or 5989 (HTTPS)
and is used in many Linux distributions and some VMware / Dell products.

[=] Vulnerabilities

* CVE-2010-1937 (SFCB bug #3001896) : pre-auth remote heap overflow
using a forged Content-Length header

When parsing a HTTP request, SFCB will use any positive Content-Length
value to allocate a buffer. Then, memcpy tries to copy the user-provided
POST data in this buffer. By sending a small value in the Content-Length
header and more data in the POST body, it's possible to overflow the
previously allocated heap buffer.

Vulnerable versions : up to 1.3.7

* CVE-2010-2054 (SFCB bug #3001915) : pre-auth remote integer overflow
using a forged Content-Length header

If the configuration option "httpMaxContentLength" is explicitly set to
0, SFCB will only check that the Content-Length value is positive and
lower than UINT_MAX and use it (adding 8) to allocate a buffer. Then,
memcpy tries to copy the user-provided POST data in this buffer. By
sending a value between UINT_MAX-7 and UINT_MAX-1, it is possible to
overflow a buffer of size 1 to 7.

Vulnerable versions : from 1.3.4 to 1.3.7

[=] Note about VMware products

VMware ESXi 3.5, ESXi 4 and ESX 4 are running by default a modified
version of SFCB (v1.3.3 in ESX 4). However they were tested as non
vulnerable :
- CVE-2010-1937 has been silently patched in WMware products
- CVE-2010-2054 doesn't affect versions lower than 1.3.4
 
[=] Mitigating factors

None :
- SSL authentication isn't used by SFCB
- bugs are triggered before any HTTP-layer credential check
- POST and M-POST are default methods used by WBEM

[=] Vectors

These vulnerabilities can be triggered by default on port TCP/5988
(HTTTP) or TCP/5989 (HTTPS), using POST or M-POST requests.

[=] Solution

Upgrade to version 1.3.8

[=] Links

SBLIM SFCB :
http://sourceforge.net/apps/mediawiki/sblim/index.php?title=Sfcb
WBEM :
http://en.wikipedia.org/wiki/Web-Based_Enterprise_Management

CVE-2010-1937 : 
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1937
CVE-2010-2054 : 
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2054

SFCB bug #3001896 : 
http://sourceforge.net/tracker/?func=detail&aid=3001896&group_id=128809&atid=712784
SFCB bug #3001915 : 
http://sourceforge.net/tracker/?func=detail&aid=3001915&group_id=128809&atid=712784
 

Regards,
Nicolas Grégoire / Agarri

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • SFCB vulnerabilities Nicolas Grégoire (Jun 02)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault