Portcullis Security Advisory 06-058


Vulnerable System:

ImgSvr.


Vulnerability Title:

The ImgSvr is vulnerable to a stack overflow.


Vulnerability discovery and development:

Portcullis Security Testing Services.  Further research was then carried out by Tim Brown and 
Neil Kettle. 


Credit for Discovery:

Tim Brown and Neil Kettle of Portcullis Computer Security Ltd.


Affected systems:

All known versions of ImgSvr.


Details:

Following the Bugtraq posting "imgsvr dos exploit by n00b", which described a
remote Denial of Service against the Windows version of ImgSvr, research was carried
out which indicated that the Linux version was also vulnerable to the same attack,
although significantly more input was required.

Through further research, it was then identified that the same remote Denial of 
Service could also be caused by passing a large value to the template parameter as
follows:

GET /?template=<large value> HTTP/1.0

In both cases this led to ImgSvr failing within the internal Ada function
system__file_io__open.  Due to the way the Linux implementation of the GNU Ada
compiler works to protect against stack overflows, a secondary stack of $ebp,
$eip and $esp is maintained above the primary stack.  When our request causes
system__file_io__open to fail, an exception is caught by the exception handler,
which uses the values on the secondary stack in an attempt to handle the
exception gracefully.  However, because we have smashed through into the $ebp
and $eip values on the secondary stack, we can influence further code
execution.
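
The following detection helper is an added example and is not part of the Portcullis advisory or the ImgSvr/AWS code: it scans web-server access-log lines for query parameters (such as template) whose values are abnormally long, which is the request pattern described above. The log lines, the Common Log Format layout and the 512-byte threshold are all assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Length threshold is an assumption: the advisory says only that a "large value"
# in the template parameter triggers the failure, so tune this to real traffic.
MAX_PARAM_LEN = 512

# Matches the quoted request line inside a Common Log Format entry, e.g.
# ... "GET /?template=... HTTP/1.0" 500 0
_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')


def oversized_params(log_line, max_len=MAX_PARAM_LEN):
    """Return [(name, length), ...] for query parameters whose value exceeds max_len."""
    m = _REQUEST.search(log_line)
    if not m:
        return []  # not a parsable request line; nothing to judge
    query = urlsplit(m.group("target")).query
    return [(name, len(value))
            for name, value in parse_qsl(query, keep_blank_values=True)
            if len(value) > max_len]


def scan_log(lines, max_len=MAX_PARAM_LEN):
    """Return [(line_number, hits), ...] for lines carrying an oversized parameter."""
    findings = []
    for n, line in enumerate(lines, start=1):
        hits = oversized_params(line, max_len)
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample log lines (not taken from the advisory): one normal request,
# one with a 4000-byte template value, one unrelated image fetch.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Jan/2007:10:00:00 +0000] "GET /?template=default HTTP/1.0" 200 512',
    '10.0.0.9 - - [16/Jan/2007:10:00:07 +0000] "GET /?template=' + "A" * 4000 + ' HTTP/1.0" 500 0',
    '10.0.0.5 - - [16/Jan/2007:10:00:09 +0000] "GET /images/logo.jpg HTTP/1.0" 200 8192',
]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: oversized parameter(s) {hits}")
```

A 5xx status immediately following such a request, as in the second sample line, is the additional signal worth alerting on.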

Impact:

An attacker could cause a Denial of Service or execute arbitrary code.
In addition, it is believed that variants of this vulnerability may exist in
other products.  ImgSvr uses AWS, a generic web server implemented in Ada,
which is likely to have been used in other products.  Furthermore, the flaw
in the secondary stack implementation can be attributed to the GNU Ada compiler
and is not unique to ImgSvr.

Exploit:

The proof of concept exploit code is available.

Vendor Status:

Contacted frett27@userssourceforge.net and p.orbry@wanadoo.fr


e-mailed - 16th January 2007
e-mailed - 22nd January 2007
e-mailed - 14th February 2007
e-mailed - 15th March 2007

Copyright:

Copyright © Portcullis Computer Security Limited 2005, All rights reserved 
worldwide.

Permission is hereby granted for the electronic redistribution of this 
information. It is not to be edited or altered in any way without the express 
written consent of Portcullis Computer Security Limited.

Disclaimer:

The information herein contained may change without notice. Use of this 
information constitutes acceptance for use in an AS IS condition. There are 
NO warranties, implied or otherwise, with regard to this information or its 
use. Any use of this information is at the user's risk. In no event shall the 
author/distributor (Portcullis Computer Security Limited) be held liable for 
any damages whatsoever arising out of or in connection with the use or spread 
of this information.