SBLIM-SFCB Multiple Buffer Overflows

critical Nessus Plugin ID 46802

Synopsis

The application is affected by multiple buffer overflow vulnerabilities.

Description

The web server component of SBLIM-SFCB that is listening on the remote host contains multiple heap-based buffer overflows that can be triggered by sending an HTTP request with a specially crafted Content-Length header. Specifically:

- Heap corruption can occur when httpMaxContentLength in sfcb.cfg is set to 0 and the Content-Length of a request is 4294967290. In that case getPayload() will try to memcpy() into an incorrectly sized buffer, because the allocation size wraps around (8 is added to Content-Length in the malloc). Also, sfcb.cfg states that the default value for httpMaxContentLength is 0, which is untrue.

- httpAdapter contains a heap overflow that is caused by an HTTP request whose Content-Length value is smaller than the actual size of the payload. This bug can cause the HTTP process handling the request to crash. If the request is specially crafted, arbitrary code execution could occur.

Successful exploitation of these vulnerabilities may result in a server crash or execution of arbitrary code in the context of the server.
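The size arithmetic behind both issues, as an added C example that is not SBLIM-SFCB source code. It assumes the length is held in a 32-bit unsigned integer and that a limit of 0 means "no limit"; the function names and the PAD constant are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAD 8u /* the description says 8 is added to Content-Length in the malloc */

/* Unchecked size: with 32-bit unsigned arithmetic, 4294967290 + 8 wraps to 2. */
uint32_t unchecked_alloc_size(uint32_t content_length) {
    return content_length + PAD;
}

/* Checked size: 0 on success, -1 if the sum would wrap or the length
 * exceeds max_len. max_len == 0 is assumed to mean "no configured limit",
 * so the wrap check has to hold on its own. */
int checked_alloc_size(uint32_t content_length, uint32_t max_len, uint32_t *out) {
    if (content_length > UINT32_MAX - PAD)
        return -1;
    if (max_len != 0 && content_length > max_len)
        return -1;
    *out = content_length + PAD;
    return 0;
}

/* Copies the request body into a new buffer. The copy is bounded by the
 * declared Content-Length, so a body longer than declared cannot run past
 * the allocation. Returns NULL if the request is rejected. */
char *copy_payload(const char *body, size_t body_len, uint32_t content_length,
                   uint32_t max_len, size_t *copied) {
    uint32_t alloc;
    if (checked_alloc_size(content_length, max_len, &alloc) != 0)
        return NULL;
    char *buf = calloc(alloc, 1);
    if (buf == NULL)
        return NULL;
    size_t n = body_len < content_length ? body_len : content_length;
    memcpy(buf, body, n);
    *copied = n;
    return buf;
}

int main(void) {
    uint32_t out = 0;
    printf("unchecked size: %u\n", (unsigned)unchecked_alloc_size(4294967290u));
    printf("checked result: %d\n", checked_alloc_size(4294967290u, 0, &out));
    return 0;
}
```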

Solution

Upgrade to version 1.3.8

See Also

http://www.nessus.org/u?149a07e1

http://www.nessus.org/u?8729b62f

Plugin Details

Severity: Critical

ID: 46802

File Name: sblim_sfcb_1_3_8.nasl

Version: 1.8

Type: remote

Family: Web Servers

Published: 6/7/2010

Updated: 7/27/2018

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/25/2010

Vulnerability Publication Date: 5/14/2010

Reference Information

CVE: CVE-2010-1937, CVE-2010-2054

BID: 40475