Centennial Software XFERWAN Stack Overflow Vulnerability
TPTI-07-10: June 4th, 2007
TippingPoint™ IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 5231. For further product information on the TippingPoint IPS:
Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of software utilizing the Centennial Software XFERWAN component. Authentication is not required to exploit this vulnerability.
The specific flaw exists during the parsing of overly long requests to the XFERWAN component. When logging requests, user-supplied data is copied to the stack resulting in an exploitable buffer overflow condition. The following disassembly excerpt from the logging function demonstrates the issue:
004047A0 mov cl, Filename[eax]
004047A6 mov [esp+eax+890h+ExistingFileName], cl
004047AD inc eax
004047AE test cl, cl
004047B0 jnz short loc_4047A0
The copy loop above terminates only on a NUL byte; there is no check of the length of 'Filename' against the size of the stack buffer 'ExistingFileName'. This lack of sanity checking results in an exploitable stack-based buffer overflow that can lead to system compromise, with the attacker's code running under the context of the SYSTEM user.
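As an added illustration (not code from the advisory, TippingPoint or Centennial Software), the C program below places the unbounded byte-by-byte copy pattern seen in the disassembly next to a bounded replacement that refuses input which would not fit the destination. The buffer size, function names and sample request names are constructed for this example and are not taken from XFERWAN; the real frame layout (the 0x890-byte offset in the listing) is not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed size for the example; the real XFERWAN buffer size is not known here. */
#define FILENAME_BUF 64

/* Same shape as the loop in the disassembly: copy a byte, advance, stop only on NUL.
 * Nothing limits 'i' to the size of 'dst'. Kept here only for comparison; the
 * hardened path below is what log_request() uses. */
static void copy_unbounded(char *dst, const char *src)
{
    size_t i = 0;
    char c;
    do {
        c = src[i];
        dst[i] = c;
        i++;
    } while (c != '\0');
}

/* Bounded variant: the loop index is checked against dst_size on every byte.
 * Returns false (and leaves dst empty) when no terminator fits within dst_size,
 * so the caller can reject the request instead of silently truncating it. */
static bool copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t i;
    for (i = 0; i < dst_size; i++) {
        dst[i] = src[i];
        if (src[i] == '\0') {
            return true;
        }
    }
    dst[0] = '\0';
    return false;
}

/* Hypothetical logging routine standing in for the vulnerable function.
 * Returns 0 when the name was logged, -1 when it was rejected as too long. */
int log_request(const char *filename)
{
    char existing_file_name[FILENAME_BUF];

    if (!copy_bounded(existing_file_name, sizeof existing_file_name, filename)) {
        fprintf(stderr, "request rejected: filename longer than %u bytes\n",
                (unsigned)(FILENAME_BUF - 1));
        return -1;
    }
    printf("log: %s\n", existing_file_name);
    return 0;
}

/* Helper for exercising the boundary: logs a constructed name of n 'A' bytes. */
int log_request_n(size_t n)
{
    char name[256];

    if (n >= sizeof name) {
        n = sizeof name - 1;
    }
    memset(name, 'A', n);
    name[n] = '\0';
    return log_request(name);
}

int main(void)
{
    char small[FILENAME_BUF];

    copy_unbounded(small, "report.txt");   /* safe only because the input is short */
    printf("unbounded copy of short input: %s\n", small);

    log_request_n(10);    /* accepted: fits with terminator */
    log_request_n(63);    /* accepted: exactly fills the buffer */
    log_request_n(64);    /* rejected: no room for the terminator */
    log_request_n(200);   /* rejected: would have overflowed the stack buffer */
    return 0;
}
```

The check that matters is the comparison of the loop index against the destination size on every iteration; the unbounded loop has no such comparison, which is exactly what the advisory's listing shows.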
Centennial Software states: Centennial has rectified an issue in the XFERWAN component of Centennial Discovery which could be remotely exploited by malicious people to compromise a system. Customers can find instructions on how to identify whether they are susceptible to the vulnerability, and how to correct it if necessary, on the Centennial Customer Support website.
2007-03-07 - Vulnerability reported to vendor
2007-06-04 - Coordinated public release of advisory