Synopsis
1) Unauthenticated Remote Heap Buffer Overflow
A client negotiates a session key with DWRCS.exe by performing a Diffie-Hellman (DH) key exchange. The key exchange is carried out in a message with the following format:
struct MSG_000105b9 {
    le32 MsgType;                   // must be 0x000105b9
    byte unk[4];
    le32 status;                    // 0 - no error
    byte msg[4096];                 // error msg
    byte SrvDHPubKey[1024];
    le32 SrvDHPubKeyLen;
    le32 CltDHSharedSecretLen;      // length of client-computed DH shared secret
    le32 CltDHSharedSecretByteSum;  // client-computed sum of all bytes in the secret
    byte CltDHPubKey;
    le32 CltDHPubKeyLen;
    le32 SrvDHSharedSecretLen;      // length of server-computed DH shared secret
    le32 SrvDHSharedSecretByteSum;  // server-computed sum of all bytes in the secret
    byte RsaSignature[2048];        // client-generated signature of the shared secret with RSA_SHA512
    le32 RsaSignatureLen;
    byte RsaPubKey[2048];           // client's RSA public key in DER format
    le32 RsaPubKeyLen;
    ...
}
The server does not perform proper validation on CltDHPubKeyLen, RsaSignatureLen, and RsaPubKeyLen. An unauthenticated remote attacker can cause a heap buffer overflow by specifying a large RsaPubKeyLen:
.text:100034F3 mov     edi, [esp+343Ch+var_msg.RsaPubKeyLen] ; attacker-controlled
.text:100034FA push    edi                                   ; size_t
.text:100034FB lea     eax, [esp+3440h+var_msg.RsaPubKey]    ; attacker-controlled
.text:10003502 push    eax                                   ; void *
.text:10003503 lea     ecx, [esi+obj205c.RsaPubKey]          ; heap buffer overflow !!!
.text:10003509 push    ecx                                   ; void *
.text:1000350A call    _memcpy
WinDbg crash dump:
(a98.bd4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\dwrcs\DWRCRSS.dll -
eax=83354b0f ebx=00000000 ecx=1fffe920 edx=00000003 esi=0335a68c edi=01467000
eip=01e335fa esp=03352ac0 ebp=03352ac8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
DWRCRSS!PBE_InitKey+0x3f44a:
01e335fa f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:023> kb
 # ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 03352ac8 01df350f 01461484 03354b10 7fffffff DWRCRSS!PBE_InitKey+0x3f44a
*** ERROR: Module load completed but symbols could not be loaded for C:\Windows\dwrcs\DWRCS.EXE
01 03355f64 004d19c2 00ee1168 00000000 7ffae000 DWRCRSS+0x350f
02 0335f8b4 004cddd8 f5cba9f8 00000000 00ef6328 DWRCS+0xd19c2
03 0335fd78 004ceb49 00000000 f5cbabc4 00000000 DWRCS+0xcddd8
04 0335ff44 006a08dd 00f17388 f5cbabfc 00000000 DWRCS+0xceb49
05 0335ff7c 006a0985 00000000 0335ff94 76fcef3c DWRCS+0x2a08dd
06 0335ff88 76fcef3c 00ef6328 0335ffd4 77d83618 DWRCS+0x2a0985
07 0335ff94 77d83618 00ef6328 79793141 00000000 kernel32!BaseThreadInitThunk+0xe
08 0335ffd4 77d835eb 006a0903 00ef6328 00000000 ntdll!__RtlUserThreadStart+0x70
09 0335ffec 00000000 006a0903 00ef6328 00000000 ntdll!_RtlUserThreadStart+0x1b
2) Unauthenticated Remote Buffer Over-read (large client DH public key length)
An unauthenticated remote attacker can cause a buffer over-read by specifying a large CltDHPubKeyLen value (e.g., 0xffffff):
(694.630): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\dwrcs\DWRCRSS.dll -
eax=023cffff ebx=023c2a0c ecx=03390020 edx=00000000 esi=003fcfbf edi=0023bcd5
eip=01ff5aa0 esp=023c29b0 ebp=00000003 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
DWRCRSS!PBE_InitKey+0x118f0:
01ff5aa0 0fb64802        movzx   ecx,byte ptr [eax+2]       ds:0023:023d0001=??
0:021> kb
 # ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 023c29bc 02018df2 023c2a0c 023c3f00 00ffffff DWRCRSS!PBE_InitKey+0x118f0
01 00000000 00000000 00000000 00000000 00000000 DWRCRSS!PBE_InitKey+0x34c42
A MSG_000105b9 structure on the stack is used to store the message received from the client, so the CltDHPubKey is also on the stack. The CltDHPubKey is read for CltDHPubKeyLen bytes. This results in a read access violation if the range CltDHPubKey + CltDHPubKeyLen touches an inaccessible page. If the whole range is covered by accessible pages, no access violation occurs; in that case the server computes a wrong DH shared secret.
3) Unauthenticated Remote Buffer Over-read (large RSA signature length)
This is similar to 2) but with a large RsaSignatureLen in MSG_000105b9:
(fe4.ecc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\dwrcs\DWRCRSS.dll -
eax=0225ffff ebx=01f56294 ecx=04610020 edx=00000000 esi=003fd0c2 edi=0005a56b
eip=01d75aa0 esp=0225287c ebp=00000003 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
DWRCRSS!PBE_InitKey+0x118f0:
01d75aa0 0fb64802        movzx   ecx,byte ptr [eax+2]       ds:0023:02260001=??
0:009> kb
 # ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 02252888 01d9b677 01f56294 0225430c 00ffffff DWRCRSS!PBE_InitKey+0x118f0
01 0225289c 01d8909e 022528dc 0225430c 00ffffff DWRCRSS!PBE_InitKey+0x374c7
02 022528f0 01d89334 01d89379 035fe670 0225292c DWRCRSS!PBE_InitKey+0x24eee
03 00000000 00000000 00000000 00000000 00000000 DWRCRSS!PBE_InitKey+0x25184
A MSG_000105b9 structure on the stack is used to store the message received from the client, so the RsaSignature is also on the stack. The RsaSignature is read for RsaSignatureLen bytes. This results in a read access violation if the range RsaSignature + RsaSignatureLen touches an inaccessible page. If the whole range is covered by accessible pages, no access violation occurs; in that case the server will most likely be unable to verify the signature over the DH shared secret.
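All three findings share one root cause: a length field taken from the message (RsaPubKeyLen, CltDHPubKeyLen, RsaSignatureLen) is used to copy or read bytes without being compared against the fixed buffer that holds them. The following Python parser is an added illustration of the check the server is missing; it is not Tenable's or DameWare's code. It lays out MSG_000105b9 as described above, assumes the CltDHPubKey buffer is 1024 bytes (the advisory's layout does not state its size), and builds its test messages from constructed zero bytes rather than captured traffic.

```python
import struct

MSG_TYPE = 0x000105b9
CLT_DH_PUBKEY_SIZE = 1024  # ASSUMED: the advisory does not give this buffer's size

# Packed little-endian layout of MSG_000105b9 up to RsaPubKeyLen (the trailing
# fields marked "..." in the advisory are not modelled here).
LAYOUT = struct.Struct("<I4sI4096s1024sIII%dsIII2048sI2048sI" % CLT_DH_PUBKEY_SIZE)
NAMES = ["MsgType", "unk", "status", "msg", "SrvDHPubKey", "SrvDHPubKeyLen",
         "CltDHSharedSecretLen", "CltDHSharedSecretByteSum", "CltDHPubKey",
         "CltDHPubKeyLen", "SrvDHSharedSecretLen", "SrvDHSharedSecretByteSum",
         "RsaSignature", "RsaSignatureLen", "RsaPubKey", "RsaPubKeyLen"]

# Every client-supplied length and the fixed buffer it must fit inside.
BOUNDS = {"CltDHPubKeyLen": CLT_DH_PUBKEY_SIZE,
          "RsaSignatureLen": 2048,
          "RsaPubKeyLen": 2048}


def parse_key_exchange(data):
    """Parse a MSG_000105b9 and reject any length larger than its buffer.

    Returns (fields, None) when the message is acceptable, or (None, reason)
    when it must be dropped before any copy or read uses the length.
    """
    if len(data) < LAYOUT.size:
        return None, "short message"
    fields = dict(zip(NAMES, LAYOUT.unpack_from(data)))
    if fields["MsgType"] != MSG_TYPE:
        return None, "unexpected MsgType 0x%08x" % fields["MsgType"]
    for name, capacity in BOUNDS.items():
        if fields[name] > capacity:
            return None, "%s=%d exceeds %d-byte buffer" % (name, fields[name], capacity)
    return fields, None


def build_message(rsa_pubkey_len, clt_len=0, sig_len=0):
    """Constructed sample message: all buffers zero, only the lengths vary."""
    return LAYOUT.pack(MSG_TYPE, b"", 0, b"", b"", 0, 0, 0,
                       b"", clt_len, 0, 0,
                       b"", sig_len, b"", rsa_pubkey_len)
```

The bound for each field is simply the declared size of the buffer that backs it, which is the comparison the memcpy in finding 1 and the reads in findings 2 and 3 all skip.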
Other observations:
When negotiating a session key using Diffie-Hellman key exchange, DWRCRSS.dll (file version 12.1.0.34) uses a 128-bit DH prime (0xF51FFB3C6291865ECDA49C30712DB07B) and generator 3. The DH prime may be too small to be secure. In addition, that number doesn't seem to be a prime at all:
# openssl prime -hex F51FFB3C6291865ECDA49C30712DB07B
F51FFB3C6291865ECDA49C30712DB07B is not prime
Further, the sum of all bytes in the DH shared secret is transmitted in the clear during the DH exchange. These factors may allow an attacker with captured traffic to recover the DH shared secret.
The DH shared secret is used to derive an AES key using PBKDF2, and the AES key is used to encrypt a login message that can contain the user name, password and domain. Knowing the DH shared secret may allow the attacker to obtain user login credentials on the DWRCS.exe host.
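The parameter check below is an added example of how a reviewer can audit a DH group like the one reported above; it is not code from the advisory or from DameWare. It tests the modulus for primality (trial division, then Miller-Rabin), for the safe-prime property, and for size; the 2048-bit floor is an assumed policy value, since the advisory only says 128 bits is too small. Run against the DWRCRSS.dll modulus it reports both problems the advisory names, and additionally that the value is divisible by 3.

```python
import random

# DH group that the advisory reports DWRCRSS.dll 12.1.0.34 uses.
DWRCS_DH_P = 0xF51FFB3C6291865ECDA49C30712DB07B
DWRCS_DH_G = 3
MIN_DH_BITS = 2048  # ASSUMED audit floor; not a value from the advisory

SMALL_PRIMES = [p for p in range(2, 200) if all(p % q for q in range(2, p))]


def is_probable_prime(n, rounds=32):
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # this base is a witness that n is composite
    return True


def smallest_factor(n, limit=10000):
    """Smallest divisor of n below limit, or None; used only to explain a failure."""
    return next((f for f in range(2, limit) if n % f == 0), None)


def audit_dh_params(p, g, min_bits=MIN_DH_BITS):
    """Return the list of problems with a DH group; an empty list means it passes."""
    problems = []
    if p.bit_length() < min_bits:
        problems.append("modulus is %d bits, below %d" % (p.bit_length(), min_bits))
    if not is_probable_prime(p):
        f = smallest_factor(p)
        problems.append("modulus is composite" + (" (divisible by %d)" % f if f else ""))
    elif not is_probable_prime((p - 1) // 2):
        problems.append("modulus is not a safe prime")
    if not 1 < g < p - 1:
        problems.append("generator %d is out of range" % g)
    return problems
```

For a well-formed group (for instance a safe prime with a generator inside the valid range) the function returns an empty list.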
Solution
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]