
Unauthenticated Stack Buffer Overflows in Ivanti Avalanche

Critical

Synopsis

A researcher at Tenable discovered multiple stack-based buffer overflows in Ivanti Avalanche WLAvalancheService.exe v6.4.0.0.

A message sent to WLAvalancheService.exe on TCP port 1777 has the following structure:

// be = big-endian
struct item
{
   be32 type;  // data type, valid: 1-9, 100-102 
   be32 NameSize;
   be32 ValueSize;
   byte name[NameSize];
   byte value[ValueSize];  // format depends on @type
                           // 3 - hex string
                           // 9 - list of decimal strings separated by ;
};

// header + payload
struct hp
{
   item hdr[];      // hdr as array of item(s)
   item payload[];  // payload as array of item(s)
   byte pad[];      // zero-padded to 16-byte boundary
};

struct preamble
{
   be32 MsgSize;     // size of hp + 16
   be32 HdrSize;     // size of hp.hdr
   be32 PayloadSize; // size of hp.payload
   be32 unk;
};

struct msg
{
   preamble pre;
   hp hdrpay;
};

Data type 3 stack-based buffer overflow

When processing an item of data type 3, WLAvalancheService.exe uses a fixed-size stack-based buffer to store the binary data converted from a hex string. An unauthenticated remote attacker can specify a long hex string to overflow the buffer. The following code snippet shows the vulnerability:

<...snip...>
.text:0042AA5E type_3:                  ; CODE XREF: item_parse+BB↑j
.text:0042AA5E                          ; DATA XREF: .text:jpt_42A95B↓o
.text:0042AA5E    mov     eax, [ebp+arg_pItem] ; jumptable 0042A95B case 3
.text:0042AA61    mov     ecx, [eax+ITEM_PREP.ItemValueSize] ; attacker-controlled size ->
.text:0042AA61                          ; stack overflow
.text:0042AA64    push    ecx
.text:0042AA65    mov     edx, [ebp+arg_pOut]
.text:0042AA68    add     edx, ITEM_TYPE_3.ItemValueConvertedToBinary ; fixed-sized stack buffer
.text:0042AA6E    push    edx
.text:0042AA6F    mov     eax, [ebp+arg_pItem]
.text:0042AA72    mov     ecx, [eax+ITEM_PREP.pbItemValue] ; attacker-controlled hex string
.text:0042AA75    push    ecx
.text:0042AA76    call    hexstr2bin    ; return BytesConverted
.text:0042AA7B    add     esp, 0Ch
.text:0042AA7E    mov     edx, [ebp+arg_pOut]
.text:0042AA81    mov     [edx+ITEM_TYPE_3.BytesConverted], eax
.text:0042AA87    jmp     loc_42B1DC
<...snip...>

Sample crash in WinDbg:

(3dc.598): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=04a70000 ebx=025d8d28 ecx=00000041 edx=00000041 esi=02764241 edi=04a6fb71
eip=0042b49e esp=04a6fa1c ebp=04a6fa38 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
WLAvalancheService+0x2b49e:
0042b49e 8810            mov     byte ptr [eax],dl          ds:002b:04a70000=??
0:040> kb
 # ChildEBP RetAddr      Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 04a6fa38 0042aa7b     02764241 04a70000 00002000 WLAvalancheService+0x2b49e
01 04a6fb1c 0042b54e     0240eb2c 04a6fb68 00000000 WLAvalancheService+0x2aa7b
02 04a6fe88 41414141     41414141 41414141 41414141 WLAvalancheService+0x2b54e
03 04a6fe8c 41414141     41414141 41414141 41414141 0x41414141
04 04a6fe90 41414141     41414141 41414141 41414141 0x41414141
05 04a6fe94 41414141     41414141 41414141 41414141 0x41414141
06 04a6fe98 41414141     41414141 41414141 41414141 0x41414141
07 04a6fe9c 41414141     41414141 41414141 41414141 0x41414141
<...snip...>

Data type 9 stack-based buffer overflow

When processing an item of data type 9, WLAvalancheService.exe copies user-supplied data into a fixed-size stack-based buffer and then converts the data to an integer using atol(). An unauthenticated remote attacker can specify a long type 9 item to overflow the buffer. The following code snippet shows the vulnerability:

<...snip...>
.text:0042AC5F type_9:                  ; CODE XREF: item_parse+BB↑j
.text:0042AC5F                          ; DATA XREF: .text:jpt_42A95B↓o
.text:0042AC5F    mov     eax, [ebp+arg_pOut] ; jumptable 0042A95B case 9
.text:0042AC62    mov     [eax+ITEM_TYPE_9.nTokens], 0
.text:0042AC6C    mov     ecx, [ebp+arg_pOut]
.text:0042AC6F    add     ecx, ITEM_TYPE_9.TokenArray
.text:0042AC75    mov     edx, [ebp+arg_pOut]
.text:0042AC78    mov     [edx+ITEM_TYPE_9.pTokens], ecx ; ptr to TokenArray
.text:0042AC7E    mov     [ebp+pbNext], 0
.text:0042AC85    mov     eax, [ebp+arg_pItem]
.text:0042AC88    mov     ecx, [eax+ITEM_PREP.pbItemValue]
.text:0042AC8B    mov     [ebp+pbCur], ecx
.text:0042AC8E
.text:0042AC8E loop_42AC8E:             ; CODE XREF: item_parse:loc_42AD3B↓j
.text:0042AC8E    mov     edx, [ebp+arg_pItem]
.text:0042AC91    mov     eax, [edx+ITEM_PREP.pbItemValue]
.text:0042AC94    mov     ecx, [ebp+arg_pItem]
.text:0042AC97    add     eax, [ecx+ITEM_PREP.ItemValueSize] ; attacker-controlled size
.text:0042AC97                          ; -> stack overflow
.text:0042AC9A    cmp     [ebp+pbCur], eax
.text:0042AC9D    jnb     loc_42AD40
.text:0042ACA3    mov     edx, [ebp+arg_pItem]
.text:0042ACA6    mov     eax, [edx+ITEM_PREP.pbItemValue]
.text:0042ACA9    mov     ecx, [ebp+arg_pItem]
.text:0042ACAC    add     eax, [ecx+ITEM_PREP.ItemValueSize]
.text:0042ACAF    push    eax
.text:0042ACB0    lea     edx, [ebp+pbNext]
.text:0042ACB3    push    edx
.text:0042ACB4    lea     eax, [ebp+pbCur]
.text:0042ACB7    push    eax
.text:0042ACB8    call    GetNextToken  ; - get next token separated by ;                          
.text:0042ACB8                          ; - return token size
.text:0042ACBD    add     esp, 0Ch
.text:0042ACC0    mov     [ebp+TokenSize], eax
.text:0042ACC3    mov     ecx, [ebp+TokenSize] ; attacker-controlled size
.text:0042ACC3                          ; -> stack overflow
.text:0042ACC6    mov     esi, [ebp+pbCur]
.text:0042ACC9    lea     edi, [ebp+stackbuf128] ; fixed-size stack buf
.text:0042ACCF    mov     edx, ecx
.text:0042ACD1    shr     ecx, 2
.text:0042ACD4    rep movsd
.text:0042ACD6    mov     ecx, edx
.text:0042ACD8    and     ecx, 3
.text:0042ACDB    rep movsb
.text:0042ACDD    mov     eax, [ebp+TokenSize]
.text:0042ACE0    mov     [ebp+eax+stackbuf128], 0
.text:0042ACE8    lea     ecx, [ebp+stackbuf128]
.text:0042ACEE    push    ecx
.text:0042ACEF    call    _atol
<...snip...>

Sample crash in WinDbg:

(954.2338): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00002000 ebx=025d9c98 ecx=000006a2 edx=00002000 esi=0277fb19 edi=04a70000
eip=0042acd4 esp=04a6fa4c ebp=04a6fb1c iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
WLAvalancheService+0x2acd4:
0042acd4 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:038> kb
 # ChildEBP RetAddr      Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 04a6fb1c 31343134     31343134 31343134 31343134 WLAvalancheService+0x2acd4
01 04a6fb20 31343134     31343134 31343134 31343134 0x31343134
02 04a6fb24 31343134     31343134 31343134 31343134 0x31343134
03 04a6fb28 31343134     31343134 31343134 31343134 0x31343134
04 04a6fb2c 31343134     31343134 31343134 31343134 0x31343134
05 04a6fb30 31343134     31343134 31343134 31343134 0x31343134
<...snip...>
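As an added example (not code from the advisory or from Ivanti), the following Python parser implements the message layout described above, bounds-checks the preamble and item sizes, and flags type 3 and type 9 items whose values would overrun the fixed stack buffers named in the two disassembly listings. The 128-byte type 9 limit is inferred from the variable name stackbuf128; the type 3 buffer size is not stated on the page, so TYPE3_MAX_BIN is an assumed placeholder, and build_msg is a constructed test helper.

```python
import struct

# Type 9 tokens are copied into stackbuf128 (128 bytes, inferred from the name);
# the type 3 binary buffer size is not given on the page, so this is a placeholder.
TYPE9_TOKEN_MAX = 128
TYPE3_MAX_BIN = 0x1000  # assumption, tune to the real buffer size

def parse_items(buf, off, end):
    """Parse consecutive items (type, NameSize, ValueSize, name, value) in buf[off:end]."""
    items = []
    while off + 12 <= end:
        typ, nsz, vsz = struct.unpack_from(">III", buf, off)
        off += 12
        if off + nsz + vsz > end:  # sizes must stay inside the enclosing region
            raise ValueError("item sizes exceed enclosing region")
        name, value = buf[off:off + nsz], buf[off + nsz:off + nsz + vsz]
        off += nsz + vsz
        items.append((typ, name, value))
    return items

def parse_msg(data):
    """Parse preamble (MsgSize, HdrSize, PayloadSize, unk) then hdr and payload items."""
    if len(data) < 16:
        raise ValueError("short preamble")
    _msg_size, hdr_size, payload_size, _unk = struct.unpack_from(">IIII", data, 0)
    if 16 + hdr_size + payload_size > len(data):
        raise ValueError("preamble sizes exceed message length")
    hdr = parse_items(data, 16, 16 + hdr_size)
    payload = parse_items(data, 16 + hdr_size, 16 + hdr_size + payload_size)
    return hdr, payload

def find_oversized(items):
    """Return (type, size) for items whose value would overrun the fixed stack buffer."""
    findings = []
    for typ, _name, value in items:
        if typ == 3 and len(value) // 2 > TYPE3_MAX_BIN:  # two hex chars -> one byte
            findings.append((3, len(value)))
        elif typ == 9:
            longest = max((len(t) for t in value.split(b";")), default=0)
            if longest >= TYPE9_TOKEN_MAX:  # the NUL write lands at stackbuf128[TokenSize]
                findings.append((9, longest))
    return findings

def build_msg(hdr_items, payload_items):
    """Constructed helper: serialize items into the on-wire layout for testing."""
    def enc(items):
        return b"".join(struct.pack(">III", t, len(n), len(v)) + n + v for t, n, v in items)
    h, p = enc(hdr_items), enc(payload_items)
    pad = (-(len(h) + len(p))) % 16
    return struct.pack(">IIII", len(h) + len(p) + pad + 16, len(h), len(p), 0) + h + p + b"\0" * pad
```

Run against captures of TCP port 1777 traffic, a non-empty result from find_oversized on either item list is a signal worth alerting on until hosts are upgraded.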

Solution

Ivanti has addressed these issues in Avalanche 6.4.1.

Disclosure Timeline

4 April 2023 - Issue reported
12 April 2023 - Tenable requests confirmation that report was received
12 April 2023 - Ivanti confirms the issue is being reviewed
13 April 2023 - Ivanti requests proof of concept script
13 April 2023 - Tenable notes the PoC must have been removed from the initial report, sends PoC
19 April 2023 - Ivanti confirms the issue and indicates they are working on a fix
22 June 2023 - Ivanti notes that a fix may not be ready by the end of the 90 day window
28 June 2023 - Tenable extends disclosure window
20 July 2023 - Ivanti informs Tenable a fix will be available on August 1st, and has assigned CVE-2023-32560
14 August 2023 - Initial advisory released

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

CVE ID: CVE-2023-32560
Tenable Advisory ID: TRA-2023-27
CVSSv3 Base / Temporal Score: 9.8
CVSSv3 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products: Ivanti Avalanche
Risk Factor: Critical

Advisory Timeline

14 August 2023 - Initial advisory released