Tag: buffer-overflow

ADVISORIES | March 6, 2020

pppd Vulnerable to Buffer Overflow Due to a Flaw in EAP Packet Processing (CVE-2020-8597)

By Ilja van Sprundel

Due to a flaw in the Extensible Authentication Protocol (EAP) packet processing in the Point-to-Point Protocol Daemon (pppd), an unauthenticated remote attacker may be able to cause a stack buffer overflow, which may allow arbitrary code execution on the target system.

This vulnerability is due to an error in validating the size of the input before copying the supplied data into memory. As the validation of the data size is incorrect, arbitrary data can be copied into memory and cause memory corruption possibly leading to the execution of unwanted code.

ADVISORIES | October 24, 2019

Buffer Overflow, Cross-Site Scripting / Request Forgery, URI Injection, Insecure SSH Key Exchange in Antaira LMX-0800AG

By Alexander Bolshev & Tao Sauvage

(eight advisories in document) Antaira’s firmware version 3.0 for the LMX-0800AG switch (among other supported devices) is affected by a memory corruption vulnerability when processing cookies. An unauthenticated attacker could leverage the vulnerability to take full control over the switch.

It is also affected by a memory corruption vulnerability when processing ioIndex GET parameter values. An attacker with valid credentials for the web interface could leverage the vulnerability to take full control of the switch.

Antaira’s firmware version 3.0 for the LMX-0800AG switch (among other supported devices) is affected by a reflected cross-site scripting (XSS) vulnerability when accessing non-existent paths. An attacker could trick an operator into opening a booby-trapped link and exfiltrate the operator’s credentials or perform actions without the operator’s consent.

It is also affected by multiple cross-site request forgery (CSRF) vulnerabilities. An attacker could trick an operator to visit a malicious page that will perform actions on behalf of the victim without the victim’s knowledge or consent. The attacker could for instance change the settings of the switch or create a rogue user with admin privileges.

Antaira’s firmware version 3.0 for the LMX-0800AG switch (among other supported devices) is insecurely parsing the System Property field from incoming Link Layer Discovery Protocol (LLDP) packets. An attacker in an adjacent network could send malicious LLDP packets that will inject arbitrary clickable links on the web interface’s LLDP neighbors page, which could lead to different social engineering ruses.

It is also supporting weak SSH key exchange methods and ciphers. An attacker could leverage these weaknesses to potentially decrypt traffic or place a rogue computer between the device and the operator.

Antaira’s firmware version 3.0 for the LMX-0800AG switch (among other supported devices) is insecurely storing passwords on the device. The passwords are stored base64-encoded, which can be trivially decoded by an attacker with access to the configuration.

Antaira’s firmware version 3.0 for the LMX-0800AG switch (among other supported devices) discloses sensitive information (e.g. stack traces) in the serial console. An attacker with physical access to the device could leverage the information to help discover and develop exploits.