eIQnetworks Enterprise Security Analyzer Monitoring Agent Buffer Overflow Vulnerabilities |
DESCRIPTION
These vulnerabilities allow remote attackers to execute arbitrary code on vulnerable installations of eIQnetworks Enterprise
Security Analyzer. Authentication is not required to exploit these vulnerabilities.
The first flaw specifically exists within the routines responsible for handling user-supplied data on TCP port 9999 within
Monitoring.exe. Upon connecting to this port the user is immediately prompted for a password. A custom string comparison
loop is used to validate the supplied password against the hard-coded value "eiq2esa?", where the question mark represents
any alpha-numeric character. Issuing the command "HELP" reveals a number of documented commands:
-------------------------------------------------------
Usage:
QUERYMONITOR: to fetch events for a particular monitor
QUERYMONITOR&&&timer
QUERYEVENTCOUNT or QEC: to get latest event counts
RESETEVENTCOUNT or REC: to reset event counts
REC&[ALL] or REC&dev1,dev2,
STATUS: Display the running status of all the threads
TRACE: TRACE&ip or hostname&. TRACE&OFF& will turn
off the trace
FLUSH: reset monitors as though the hour has changed
ALRT-OFF and ALRT-ON: toggle the life of alerts-thread.
RECV-OFF and RECV-ON: toggle the life of event-
collection thread.
EM-OFF and EM-ON toggle event manager
DMON-OFF and DMON-ON toggle device event monitoring
HMON-OFF and HMON-ON toggle host event monitoring
NFMON-OFF and NFMON-ON toggle netflow event monitoring
HPMON-OFF and HPMON-ON toggle host perf monitoring
X or EXIT: to close the session
-------------------------------------------------------
Supplying a long string to the TRACE command results in an overflow of the global variable at 0x004B1788. A neighboring
global variable, 116 bytes after the overflowed variable, contains a file output stream pointer that is written to every 30
seconds by a garbage collection thread. The log message can be influenced and therefore this is a valid exploit vector,
albeit complicated. A trivial exploit vector exists within the parsing of the actual command at the following equivalent API
call:
sscanf(socket_data,
"%[^&]&%[^&]&",
60_byte_stack_var,
global_var);
Because no explicit check is made for the exact command "TRACE", an attacker can abuse this call to sscanf by passing a long
suffix to the TRACE command that is free of the field terminating character, '&'. This vector is trivial to exploit.
The second flaw specifically exists within the routines responsible for handling user-supplied data on TCP port 10626 within
Monitoring.exe. The service will accept up to approximately 16K of data from unauthenticated clients which is later parsed,
in a similar fashion to above, in search of the delimiting character '&'. Various trivial vectors of exploitation exist, for
example, through the QUERYMONITOR command.
TippingPoint Advisory
|