Synopsis
CVE-2020-5778: Message 8 Unauthenticated Remote DoS
A flaw exists in ttmd.exe due to improper validation of user-supplied data when processing a type 8 message sent to default TCP RequestPort 10200.
An unauthenticated, remote attacker can exploit this issue, via a specially crafted message, to terminate ttmd.exe.
A type 8 message includes a 2-byte field indicating how many name-value pairs follow in the message. The attacker can place a very large value (e.g., 0xffff) in this field without supplying the corresponding pairs; the vulnerable code trusts the count and walks past the end of the received message, resulting in a memory access violation in ttmd.exe and subsequent process termination:
0:025> g
(4c4.7e0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=02c5c000 ebx=00000000 ecx=02c5c001 edx=00000002 esi=02c5c000 edi=124fee84
eip=00f83200 esp=124fed80 ebp=124fedd4 iopl=0         nv up ei ng nz na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010287
ttmd+0x213200:
00f83200 8a10            mov     dl,byte ptr [eax]          ds:002b:02c5c000=??
0:016> kb
 # ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 124fedd4 00e723b9 08c51964 0000f74f 02bbae14 ttmd+0x213200
01 124fef20 00e54664 00c51960 00000000 02a9dde8 ttmd+0x1023b9
02 124fef34 00e543e0 02a644f8 02c51960 00000412 ttmd+0xe4664
03 124fef58 00da9497 02a644f8 02a9dde8 00000000 ttmd+0xe43e0
04 124fef90 00d9cbd9 02c51960 00000000 0230b1c4 ttmd+0x39497
05 124ff340 00d8cc1b 02a9da28 00000012 00000000 ttmd+0x2cbd9
06 124ff544 00d9b180 023bebc8 02bbb4b0 7709e4c8 ttmd+0x1cc1b
07 124ff5a8 00d8fe73 02bbb4b0 ffffffff 124ff7c0 ttmd+0x2b180
08 124ff5b8 00d8b68a 02a9e898 7346c59c 7346c59c ttmd+0x1fe73
09 124ff7c0 7346c556 02bbb4bc 22cfdcd7 7346c59c ttmd+0x1b68a
0a 124ff7f8 7346c600 7346c59c 124ff818 74fd62c4 MSVCR100!_callthreadstartex+0x1b [f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c @ 314]
0b 124ff804 74fd62c4 01dc6998 74fd62a0 249a8e07 MSVCR100!_threadstartex+0x64 [f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c @ 292]
0c 124ff818 76ff1f69 01dc6998 2697d06e 00000000 KERNEL32!BaseThreadInitThunk+0x24
0d 124ff860 76ff1f34 ffffffff 77013626 00000000 ntdll!__RtlUserThreadStart+0x2f
0e 124ff870 00000000 7346c59c 01dc6998 00000000 ntdll!_RtlUserThreadStart+0x1b
0:016> lm vm ttmd
start    end        module name
00d70000 0109f000   ttmd       (no symbols)
    Loaded symbol image file: C:\tt\ttm\ttmd.exe
    Image path: C:\tt\ttm\ttmd.exe
    Image name: ttmd.exe
    Timestamp:        Wed Feb 26 10:12:05 2020 (5E56B4F5)
    CheckSum:         0032D397
    ImageSize:        0032F000
    File version:     7.1.28.3
    Product version:  7.1.28.3
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    Information from resource tables:
        CompanyName:      Trading Technologies International, Inc.
        ProductName:      Trading Technologies Messaging
        InternalName:     TTM Daemon
        OriginalFilename: ttmd.exe
        ProductVersion:   7.1.28.3
        FileVersion:      7.1.28.3
        FileDescription:  Trading Technologies Messaging Daemon
        LegalCopyright:   Copyright © 1998 - 2020 Trading Technologies International, Inc. All Rights Reserved.
        LegalTrademarks:  Trading Technologies Messaging is a trademark of Trading Technologies International, Inc. All Rights Reserved.
CVE-2020-5779: Message 4 Unauthenticated Remote DoS
The flaw is in how ttmd.exe handles an invalid parameter passed to strcpy_s() while processing a type 4 message sent to default TCP RequestPort 10200: a src string longer than the fixed-size destination buffer (the strcpy_s frame below shows a destination size of 0x80 bytes). strcpy_s() reports the oversized source to the CRT's invalid parameter handler, and the default handler terminates the process, as seen in the NtTerminateProcess frame that follows.
An unauthenticated, remote attacker can exploit this issue, via a specially crafted message, to terminate ttmd.exe:
0:018> g
Invalid Parameter Found
(150.10b4): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=73b88e6b edx=00000000 esi=00000001 edi=7342014e
eip=00f67839 esp=11bce9d4 ebp=11bcec80 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ttmd+0x1f7839:
00f67839 cc              int     3
0:018> kb
 # ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 11bcec80 7349af8a 00000000 00000000 00000000 ttmd+0x1f7839
01 11bcec98 734496e4 020e3a34 022d2234 11bcecdc MSVCR100!_invalid_parameter_noinfo+0xc [f:\dd\vctools\crt_bld\self_x86\crt\src\invarg.c @ 121]
02 11bceca8 00f81ffb 020e3a34 00000080 022d2234 MSVCR100!strcpy_s+0x24 [f:\dd\vctools\crt_bld\self_x86\crt\src\tcscpy_s.inl @ 18]
03 11bcecdc 00e3b74a 022d2234 020e3a30 020e3a34 ttmd+0x211ffb
04 11bcecf0 00e3c16c 022d2234 00000000 00000001 ttmd+0xcb74a
05 11bcede4 00e696db 11bcee00 11bcee18 11bcee0a ttmd+0xcc16c
06 11bcee10 00e72329 022d2234 0223dd24 0223dd40 ttmd+0xf96db
07 11bcef58 00e54664 002d2220 00000000 02120c48 ttmd+0x102329
08 11bcef6c 00e543e0 016cef70 022d2220 00000215 ttmd+0xe4664
09 11bcef90 00da9497 016cef70 02120c48 00000000 ttmd+0xe43e0
0a 11bcefc8 00d9cbd9 022d2220 00000000 0161b154 ttmd+0x39497
0b 11bcf378 00d8cc1b 02121128 00000015 00000000 ttmd+0x2cbd9
0c 11bcf57c 00d9b180 020e2660 0223e4c0 7709e4d0 ttmd+0x1cc1b
0d 11bcf5e0 00d8fe73 0223e4c0 ffffffff 11bcf7f8 ttmd+0x2b180
0e 11bcf5f0 00d8b68a 02121a58 7346c59c 7346c59c ttmd+0x1fe73
0f 11bcf7f8 7346c556 0223e4cc 83f31157 7346c59c ttmd+0x1b68a
10 11bcf830 7346c600 7346c59c 11bcf850 74fd62c4 MSVCR100!_callthreadstartex+0x1b [f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c @ 314]
11 11bcf83c 74fd62c4 015c6bc0 74fd62a0 85b874e1 MSVCR100!_threadstartex+0x64 [f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c @ 292]
12 11bcf850 76ff1f69 015c6bc0 87b52aa2 00000000 KERNEL32!BaseThreadInitThunk+0x24
13 11bcf898 76ff1f34 ffffffff 77013640 00000000 ntdll!__RtlUserThreadStart+0x2f
14 11bcf8a8 00000000 7346c59c 015c6bc0 00000000 ntdll!_RtlUserThreadStart+0x1b
0:018> g
eax=00000000 ebx=7709f9a0 ecx=00000002 edx=00000000 esi=00000003 edi=00000000
eip=76ffefac esp=11bce874 ebp=11bce94c iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
ntdll!NtTerminateProcess+0xc:
76ffefac c20800          ret     8
0:018> g
       ^ No runnable debuggees error in 'g'
0:018> lm vm ttmd
start    end        module name
00d70000 0109f000   ttmd       (no symbols)
    Loaded symbol image file: C:\tt\ttm\ttmd.exe
    Image path: C:\tt\ttm\ttmd.exe
    Image name: ttmd.exe
    Timestamp:        Wed Feb 26 10:12:05 2020 (5E56B4F5)
    CheckSum:         0032D397
    ImageSize:        0032F000
    File version:     7.1.28.3
    Product version:  7.1.28.3
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    Information from resource tables:
        CompanyName:      Trading Technologies International, Inc.
        ProductName:      Trading Technologies Messaging
        InternalName:     TTM Daemon
        OriginalFilename: ttmd.exe
        ProductVersion:   7.1.28.3
        FileVersion:      7.1.28.3
        FileDescription:  Trading Technologies Messaging Daemon
        LegalCopyright:   Copyright © 1998 - 2020 Trading Technologies International, Inc. All Rights Reserved.
        LegalTrademarks:  Trading Technologies Messaging is a trademark of Trading Technologies International, Inc. All Rights Reserved.
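The following is an added example and is not code from this advisory or from Trading Technologies. It shows the two bug patterns described above, the trusted pair count of CVE-2020-5778 and the unchecked fixed-size string copy of CVE-2020-5779, beside a hardened handler that rejects such messages instead of crashing. The wire layout, the field names, the sample messages and the hypothetical parser are assumptions made for illustration; only the 0x80-byte destination size is taken from the strcpy_s frame in the trace, and TTM's real framing is not documented here.

```c
/* Assumed (hypothetical) little-endian layout, not TTM's real format:
 *   message : [u16 type][u16 payload_len][payload ...]
 *   type 8  : [u16 pair_count] then pair_count x ([u8 nlen][name][u8 vlen][value])
 *   type 4  : [u8 slen][string], copied into a 0x80-byte field            */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FIELD_SIZE 0x80   /* destination size seen as arg 2 of strcpy_s in the trace */

enum { MSG_OK = 0, MSG_TRUNCATED = -1, MSG_TOO_LONG = -2, MSG_BAD_TYPE = -3 };

/* A cursor makes every read check against the bytes that actually arrived. */
typedef struct { const uint8_t *p; size_t left; } cursor_t;

static int take_u8(cursor_t *c, uint8_t *out)
{
    if (c->left < 1) return MSG_TRUNCATED;
    *out = *c->p++; c->left--;
    return MSG_OK;
}
static int take_u16(cursor_t *c, uint16_t *out)
{
    if (c->left < 2) return MSG_TRUNCATED;
    *out = (uint16_t)(c->p[0] | (c->p[1] << 8)); c->p += 2; c->left -= 2;
    return MSG_OK;
}
static int take_bytes(cursor_t *c, size_t n, const uint8_t **out)
{
    if (c->left < n) return MSG_TRUNCATED;
    *out = c->p; c->p += n; c->left -= n;
    return MSG_OK;
}

/* CVE-2020-5778 pattern: the 2-byte count is trusted, so a count of 0xffff
 * walks far beyond the received bytes. Shown for contrast only; never call
 * this on untrusted input. */
unsigned parse_type8_unchecked(const uint8_t *payload)
{
    uint16_t count = (uint16_t)(payload[0] | (payload[1] << 8));
    const uint8_t *p = payload + 2;
    for (unsigned i = 0; i < count; i++) {   /* no check against payload length */
        p += 1 + p[0];                        /* skip name  */
        p += 1 + p[0];                        /* skip value */
    }
    return count;
}

/* Hardened: each field goes through the cursor, so a lying count fails with
 * MSG_TRUNCATED at the first byte that is not there. */
int parse_type8(const uint8_t *payload, size_t len, unsigned *pairs_out)
{
    cursor_t c = { payload, len };
    uint16_t count;
    if (take_u16(&c, &count)) return MSG_TRUNCATED;
    for (unsigned i = 0; i < count; i++) {
        uint8_t nlen, vlen;
        const uint8_t *name, *value;
        if (take_u8(&c, &nlen) || take_bytes(&c, nlen, &name) ||
            take_u8(&c, &vlen) || take_bytes(&c, vlen, &value))
            return MSG_TRUNCATED;
    }
    *pairs_out = count;
    return MSG_OK;
}

/* CVE-2020-5779 pattern: strcpy_s(field, FIELD_SIZE, src) with strlen(src) >=
 * FIELD_SIZE invokes the CRT invalid-parameter handler, whose default action
 * terminates the process. Checking the length first makes it a protocol error. */
int parse_type4(const uint8_t *payload, size_t len, char field[FIELD_SIZE])
{
    cursor_t c = { payload, len };
    uint8_t slen;
    const uint8_t *s;
    if (take_u8(&c, &slen) || take_bytes(&c, slen, &s)) return MSG_TRUNCATED;
    if (slen >= FIELD_SIZE) return MSG_TOO_LONG;   /* needs slen + 1 bytes incl. NUL */
    memcpy(field, s, slen);
    field[slen] = '\0';
    return MSG_OK;
}

int handle_message(const uint8_t *msg, size_t len)
{
    cursor_t c = { msg, len };
    uint16_t type, plen;
    unsigned pairs;
    char field[FIELD_SIZE];
    if (take_u16(&c, &type) || take_u16(&c, &plen)) return MSG_TRUNCATED;
    if (plen > c.left) return MSG_TRUNCATED;       /* header claims more than arrived */
    switch (type) {
    case 8:  return parse_type8(c.p, plen, &pairs);
    case 4:  return parse_type4(c.p, plen, field);
    default: return MSG_BAD_TYPE;
    }
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t GOOD8[] = { 8,0, 10,0, 2,0, 1,'a',1,'1', 1,'b',1,'2' };
static const uint8_t BAD8[]  = { 8,0, 2,0, 0xff,0xff };   /* claims 0xffff pairs, sends none */
static const uint8_t GOOD4[] = { 4,0, 4,0, 3,'a','b','c' };

/* Builds a type 4 message carrying an slen-byte string and returns the verdict. */
int check_type4_len(uint8_t slen)
{
    uint8_t buf[4 + 1 + 255];
    size_t plen = 1 + (size_t)slen;
    buf[0] = 4; buf[1] = 0;
    buf[2] = (uint8_t)(plen & 0xff); buf[3] = (uint8_t)(plen >> 8);
    buf[4] = slen;
    memset(buf + 5, 'A', slen);
    return handle_message(buf, 4 + plen);
}

int main(void)
{
    printf("type8 valid  : %d\n", handle_message(GOOD8, sizeof GOOD8));  /* 0  */
    printf("type8 0xffff : %d\n", handle_message(BAD8, sizeof BAD8));    /* -1 */
    printf("type4 valid  : %d\n", handle_message(GOOD4, sizeof GOOD4));  /* 0  */
    printf("type4 0x7f   : %d\n", check_type4_len(0x7f));                /* 0  */
    printf("type4 0x90   : %d\n", check_type4_len(0x90));                /* -2 */
    return 0;
}
```

On MSVC the same outcome could be masked by installing a non-terminating handler with _set_invalid_parameter_handler(), but that only hides the symptom; the fix is to check the source length against the destination size before the copy, and to bound every count-driven loop by the number of bytes actually received, as handle_message() does.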
Solution
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.