(CVE-2019-13494) SNMPc Enterprise Edition 9 & 10 Stack Based Buffer Overflow

Background:

On the 27th May 2019 I discovered a number of stack-based buffer overflows in Castle Rock Computing’s SNMPc Enterprise Edition 9 & 10. Exploitation of these vulnerabilities allows an attacker to execute arbitrary code on the targeted system(s).

Castle Rock Computing’s (CRC) SNMPc Enterprise 10 “is a secure distributed Network Management System which delivers proactive real-time monitoring for your entire network infrastructure. Advanced product features and legendary ease of use have led to over 120,000 network managers trusting SNMPc to monitor their mission critical networks”. Further information about the company and product can be found at the following URL: https://www.castlerock.com/products/snmpc/

Vulnerable versions of CRC’s SNMPc Enterprise 9 & 10 software contain a number of stack-based buffer overflow conditions, where the overwritten buffer is allocated on the stack. An attacker may leverage this vulnerability to execute arbitrary code on the targeted system(s) under the context of the user.

Customers using CRC’s SNMPc Enterprise 9 or 10 software are strongly advised to address these vulnerabilities by upgrading to either SNMPc v10.0.9 or SNMPc v9.0.12.1 available from Castle Rock Computing’s website: https://www.castlerock.com/

Exploit difficulty:

An attacker must have low-privileged authenticated access to the local target system in order to exploit this vulnerability, or must be able to social engineer the user into accepting the malformed Map Objects text file.

An attacker who successfully exploits the stack-based buffer overflow vulnerabilities can execute arbitrary code on the target system with the same privilege rights and context of the user running the process.

Disclosure Timeline:

27 May 2019
– Stack-based buffer overflows discovered. Further testing commenced.

07 June 2019
– Emailed Castle Rock Computing (CRC) requesting an email address to disclose vulnerabilities.
– CRC created an incident number (CRC285149) and provided the requested details.

10 June 2019
– Vulnerability disclosed to CRC. 45 day disclosure time frame allocated (25 July 2019 public disclosure date).
– CRC acknowledged receipt of the disclosure email.

11 June 2019
– CRC engineers released a patch for the vulnerable binaries.
– Retested the patched binaries and confirmed with CRC that the stack-based buffer overflow vulnerabilities have been fixed.

12 June 2019
– CRC advised that software build 10.0.9 is scheduled for release around July 8th.

2 July 2019
– CRC advised that the patch date of July 8th is still planned.
– Mutual agreement that the CVE-ID will be requested by myself from Mitre once CRC confirm the date.

10 July 2019
– CRC advised that the patch is now available on their website.
– CVE-ID requested.

11 July 2019
– CVE-2019-13494 allocated by Mitre.
– Public disclosure of vulnerability.

Details:

Product: SNMPc Enterprise
Version: Latest version 9 & 10 and prior
Vendor: Castle Rock Computing
CVE-ID: CVE-2019-13494
CWE-ID: CWE-121 Stack-based Buffer Overflow

A number of program executables have been individually tested and can be successfully exploited by overwriting the stack buffer in the vulnerable version of CRC’s SNMPc Enterprise 10.

The nodeimp.exe executable is called when a user imports Map Objects from a text file within the SNMPc Management Console (SNMPc Management Console: File > Import > Map Objects From Text File). This executable is vulnerable to a stack-based buffer overflow when the imported map text file contains an overly large string in one of the variables within the file.

Example map text file:

The following executables are vulnerable to a stack-based buffer overflow via the command line when an overly large string is supplied to the address, user, or pass variable arguments:

grpadd.exe
grpnext.exe
mapattr.exe
mapfind.exe
mapnext.exe
rptadd.exe
rptattr.exe
rptnext.exe
snmpget.exe
snmpset.exe
snmptest.exe

Example:

The polldump.exe executable is vulnerable to a stack-based buffer overflow via the command line when an overly large string is supplied as the poller argument.
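To show the CWE-121 pattern behind the command-line cases above (an overly long address/user/pass or poller argument copied into a fixed stack buffer), here is an added illustration in C of the unchecked copy beside a bounded, fail-closed version. This is not SNMPc’s code or the original proof of concept; the function names, the 64-byte buffer size and the sample input are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical illustration of the CWE-121 pattern described above: a
 * command-line tool copies an "address"-style argument into a fixed-size
 * stack buffer. Not SNMPc's code; the names and sizes are assumptions. */
#define ADDR_MAX 64

/* Vulnerable pattern: unbounded strcpy into a stack buffer. Any argument of
 * ADDR_MAX bytes or more writes past addr[] and corrupts the stack frame.
 * Shown for contrast only; never pass untrusted input to it. */
int connect_unchecked(const char *address)
{
    char addr[ADDR_MAX];
    strcpy(addr, address);              /* no length check */
    return (int)strlen(addr);
}

/* Hardened pattern: confirm the argument fits before copying, fail closed. */
int connect_checked(const char *address)
{
    char addr[ADDR_MAX];
    const char *nul = memchr(address, '\0', ADDR_MAX);
    if (nul == NULL) {                  /* no terminator within the bound */
        fprintf(stderr, "address too long (max %d bytes)\n", ADDR_MAX - 1);
        return -1;
    }
    size_t len = (size_t)(nul - address);
    memcpy(addr, address, len + 1);     /* copy including the terminator */
    return (int)len;
}

/* Constructed oversized sample (200 'A's), the kind of argument that
 * triggers the overflow in the unchecked version. */
const char *oversized_sample(void)
{
    static char buf[201];
    memset(buf, 'A', 200);
    buf[200] = '\0';
    return buf;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <address>\n", argv[0]); return 2; }
    return connect_checked(argv[1]) < 0 ? 1 : 0;
}
```

The bounded version is the shape of fix a vendor patch for this class of bug takes: the length is established against the buffer size before any write, and oversized input is rejected rather than truncated silently.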

Example:

Proof of Concept:

The following proof-of-concept Python code will create the evil Map Objects Import file, which can then be imported into SNMPc to trigger the buffer overflow in the nodeimp.exe process and execute calc.exe as a PoC exploit.