I - TITLE

Security advisory: Buffer overflow in Areca CLI, version <= 1.72.250

II - SUMMARY

Description: Local buffer overflow vulnerability in Areca CLI allows for arbitrary code execution and eventually privilege escalation
Author: Sebastian Wolfgarten (sebastian at wolfgarten dot com), http://www.devtarget.org
Date: July 22nd, 2007
Severity: Medium
References: http://www.devtarget.org/areca-advisory-07-2007.txt

III - OVERVIEW

Areca-CLI (cli32) is a command line interface to query and alter the settings of Areca ARC-xxx SATA RAID controllers. More information about the product can be found online at http://www.areca.com.tw.

IV - DETAILS

The application "Areca CLI, version <= 1.72.250" (cli32) is prone to a classic buffer overflow vulnerability when a particularly long command-line argument is passed and the application copies that argument into a fixed-size buffer without checking its length. On a Debian 4.0 test system (kernel 2.6.20), for instance, an attacker is required to supply more than 520 characters to completely overwrite the EIP register and thus execute arbitrary code. Please note that besides Linux, other platforms (e.g. FreeBSD) might be affected as well (unchecked).

V - ANALYSIS

The severity of this vulnerability is probably "medium" as it can only be exploited locally and the file cli32 is not set suid root by default. However, when it is used in combination with software such as Nagios to locally or remotely monitor the status of a RAID controller, many people tend to assign suid root privileges to this file in order to be able to query the status of the controller via a web interface. Consequently, in such a situation this vulnerability will result in a privilege escalation enabling local users to gain root privileges.

VI - EXPLOIT CODE

An exploit for this vulnerability has been developed but will not be released to the general public at this time. However, developing an exploit for this vulnerability is trivial.
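To illustrate the defect class from section IV from the fixing side, the following is an added example (not Areca's code; cli32's real buffer size and argument handling are unknown and the 64-byte buffer is a constructed placeholder). It contrasts an unchecked argument copy with a bounded one that rejects over-long input instead of overflowing the stack buffer.

```c
#include <stdio.h>
#include <string.h>

#define ARG_BUF_SIZE 64   /* constructed: stand-in for a fixed-size argument buffer */

/* Unchecked copy: the pattern the advisory describes. The length of src is
 * never compared with the size of dst, so an over-long command-line argument
 * overwrites whatever follows the buffer on the stack. Kept only for contrast;
 * nothing in this file calls it. */
void copy_arg_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Bounded copy: returns 0 on success, -1 if src does not fit into dst
 * including the terminating NUL. It refuses rather than silently truncates,
 * so a rejected argument cannot be misparsed as a shorter one. */
int copy_arg_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    size_t len = 0;
    while (len < dst_size && src[len] != '\0')   /* never read past dst_size */
        len++;
    if (len == dst_size)                          /* no room for the NUL */
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Hardened argument handler: 0 if the argument was accepted, 1 if rejected. */
int handle_arg(const char *arg)
{
    char buf[ARG_BUF_SIZE];
    if (copy_arg_checked(buf, sizeof buf, arg) != 0) {
        fprintf(stderr, "argument too long (max %zu characters)\n",
                sizeof buf - 1);
        return 1;
    }
    /* parsing of buf would follow here */
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <argument>\n", argv[0]);
        return 2;
    }
    return handle_arg(argv[1]);
}
```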
VII - WORKAROUND/FIX

The vendor confirmed the vulnerability but failed to respond to several emails asking for a concrete timeline to fix the problem. Thus, to mitigate the vulnerability, one is advised to ensure the file "cli32" is not set suid root and to ask the vendor to develop and supply a patch in the near future.

VIII - DISCLOSURE TIMELINE

07. June 2007 - Notified {support,security,info}@areca.com.tw
08. June 2007 - Vulnerability confirmed
11. June 2007 - Response from vendor
16. June 2007 - Contact to vendor (several times), no reply
22. July 2007 - Public disclosure