TippingPoint Digital Vaccine Laboratories

Centennial Software XFERWAN Stack Overflow Vulnerability

TPTI-07-10: June 4th, 2007

CVE ID

Affected Vendors

Affected Products

TippingPoint™ IPS Customer Protection

TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 5231. For further product information on the TippingPoint IPS:

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of software utilizing the Centennial Software XFERWAN component. Authentication is not required to exploit this vulnerability.

The specific flaw exists during the parsing of overly long requests to the XFERWAN component. When logging requests, user-supplied data is copied to the stack resulting in an exploitable buffer overflow condition. The following disassembly excerpt from the logging function demonstrates the issue:

004047A0 mov cl, Filename[eax]                    ; load next byte of the user-supplied Filename
004047A6 mov [esp+eax+890h+ExistingFileName], cl  ; store it in a fixed-size stack buffer, no bound check
004047AD inc eax                                  ; advance the index
004047AE test cl, cl                              ; loop ends only on the NUL terminator
004047B0 jnz short loc_4047A0                     ; so the copy length is controlled entirely by the source

Because the size of 'Filename' is never checked against the destination buffer, the copy loop above is an unbounded strcpy-style copy onto the stack. The resulting stack-based buffer overflow can be leveraged for code execution, and therefore system compromise, in the context of the SYSTEM user.
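The disassembly shows a hand-rolled strcpy(): bytes are copied until the source NUL, with the stack frame size (890h) as the only implicit limit. The following C is an added illustration, not Centennial's code: it reproduces that loop beside a bounded copy and a logging routine that refuses over-long input before touching the stack buffer. The buffer size is taken from the frame offset in the disassembly; the function names, the 255-byte policy limit and the sample filenames are constructed for this example.

```c
/* Added example (not from the advisory or the vendor): the unbounded copy
 * pattern from the disassembly, and the bounded/validated form a logging
 * function handling network input should use instead. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF_SIZE 0x890   /* frame offset seen in the disassembly, used as buffer size here */

/* Length of src, scanning at most limit bytes (portable stand-in for strnlen). */
static size_t bounded_len(const char *src, size_t limit)
{
    size_t n = 0;
    while (n < limit && src[n] != '\0')
        n++;
    return n;
}

/* The vulnerable pattern: byte-for-byte copy that stops only at the source NUL.
 * This is the loop at 004047A0..004047B0. Safe only when src is already known
 * to fit in dst; on request data it is the overflow the advisory describes. */
static size_t copy_unbounded(char *dst, const char *src)
{
    size_t i = 0;
    do {
        dst[i] = src[i];            /* mov cl, Filename[eax]; mov [buf+eax], cl */
    } while (src[i++] != '\0');     /* inc eax; test cl, cl; jnz */
    return i - 1;                   /* bytes copied, excluding the terminator */
}

/* The hardened pattern: never writes past dst_size bytes and always
 * NUL-terminates. Returns 1 if the whole source fitted, 0 if it was truncated,
 * so the caller can treat truncation as an over-long request rather than
 * silently logging a clipped value. */
static int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = bounded_len(src, dst_size);
    if (n >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);
    return 1;
}

/* Hypothetical logging routine shaped like the one in the advisory: records a
 * request's filename field in a fixed stack buffer. The length check happens
 * before any copy, against a policy limit (max_allowed) that is smaller than
 * the buffer. Returns bytes logged, or -1 when the field is rejected. */
int log_request_filename(const char *filename, size_t max_allowed)
{
    char buf[LOG_BUF_SIZE];
    if (max_allowed >= sizeof buf)          /* policy must fit the buffer */
        max_allowed = sizeof buf - 1;
    if (bounded_len(filename, max_allowed + 1) > max_allowed)
        return -1;                          /* over-long: refuse, do not copy */
    if (!copy_bounded(buf, sizeof buf, filename))
        return -1;                          /* unreachable given the check above; kept as defence in depth */
    printf("request for file: %s\n", buf);
    return (int)strlen(buf);
}

/* Constructed check: a 4095-byte filename (well past 0x890) is refused. */
int demo_oversized_filename(void)
{
    static char big[4096];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return log_request_filename(big, 255);
}

/* Constructed check: copy_bounded clips "abcdef" into a 4-byte buffer to
 * "abc" and reports truncation. Returns 1 when both hold. */
int demo_bounded_truncation(void)
{
    char small[4];
    int fitted = copy_bounded(small, sizeof small, "abcdef");
    return fitted == 0 && strcmp(small, "abc") == 0;
}

/* Constructed check: the unbounded loop copies a short, in-bounds string. */
int demo_unbounded_short(void)
{
    char dst[16];
    return (int)copy_unbounded(dst, "abc") == 3 && strcmp(dst, "abc") == 0;
}

int main(void)
{
    printf("config.ini  -> %d\n", log_request_filename("config.ini", 255));
    printf("4095 x 'A'  -> %d\n", demo_oversized_filename());
    printf("truncation ok: %d, short copy ok: %d\n",
           demo_bounded_truncation(), demo_unbounded_short());
    return 0;
}
```

The practical point for a reviewer or a detection engineer is the shape of the check: the length of the untrusted field is compared against a policy limit before the copy, the copy itself is bounded by the destination size regardless, and truncation is surfaced as an error rather than hidden. A request whose filename field exceeds the policy limit is exactly what an IPS filter for this class of flaw keys on.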

Vendor Response

Centennial Software states: Centennial has rectified an issue in the XFERWAN component of Centennial Discovery which could be remotely exploited by malicious people to compromise a system. Customers can find instructions on how to identify if they are susceptible to the vulnerability and correct it, if necessary, on the Centennial Customer Support website.

Disclosure Timeline

    2007-03-07 - Vulnerability reported to vendor
    2007-06-04 - Coordinated public release of advisory

Credit

This vulnerability was discovered by: