AnywhereUSB/5 1.80.00 Drivers Integer Overflow

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: AnywhereUSB/5 1.80.00 Drivers Integer Overflow
From: SecuriTeam Assisted Disclosure <STAD@xxxxxxxxxxxxxx>
Date: Mon, 4 Sep 2006 14:08:26 +0300
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: SecuriTeam
User-agent: KMail/1.9.3

AnywhereUSB/5 1.80.00 Drivers Integer Overflow

Risk: low.
This advisory can be found here:
http://www.safend.com/advisories/digi_anywhereusb5_intoverflow.txt

I. BACKGROUND

AnywhereUSB/5 provides five USB ports, which deliver the same Plug and Play 
user experience as onboard USB ports.
 
Software drivers are loaded onto a host PC or server, enabling remote devices 
to communicate with the host, without changing existing application software. 
Peripheral devices can be centrally managed and monitored from a remote 
server or PC via an IP address.

        http://www.digi.com/products/usb/anywhereusb.jsp

II. DESCRIPTION

This low-risk vulnerability in AnywhereUSB/5 1.80.00 allows an attacker to 
forge an AnywhereUSB server, so that if a client connects to it, it can be 
hit with a denial of service attack.

This integer overflow in version 1.80.00 of AnywhereUSB/5 drivers package 
distributed for Windows NT 4.0/2000/XP and 2003. could allow attackers to 
Bugcheck (BSOD) currently connected clients on demand, or any new client upon 
connection.

The problem exists within the parsing of USB string descriptors.
A malformed string descriptor that in its header specifies a size of 1 byte, 
will cause a memory copy loop to go behind allocated memory range.

This will result in a Bugcheck (BSOD) within the client computer driver.

III. ANALYSIS

Successful exploitation allows an attacker to crash the client computer and 
cause a Bugcheck (BSOD) on demand.

Exploitation is possible in two ways: by sending a specially crafted string 
descriptor to the client or by attaching a maliciously crafted USB device to 
the hub.

IV. DETECTION

Safend has confirmed that AnywhereUSB/5 drivers version 1.80.00 is vulnerable.
It is suspected that earlier versions of AnywhereUSB/5 may also vulnerable.

V. WORKAROUND

Avoid plugging unknown USB devices into an AnywhereUSB/5 hub.

Apply strict firewalls rules, to prevent clients from connecting to a 
malicious AnywhereUSB/5 server, which could in turn send the malformed string 
descriptor to the client via TCP/IP.

VI. VENDOR RESPONSE

SecuriTeam was asked to assist the researchers with contacting Digi 
International.

Reported to vendor: 24th of July, 2006.
Vendor response: 25th of July, 2006.

Vendor's official response:
"The AnywhereUSB product is used with commercial USB peripheral devices on 
dedicated point to point IP connections, almost always on non-public local 
area networks. The likelihood of any such USB device producing a USB 
descriptor corrupted in precisely this way is extremely unlikely. This error 
will be corrected in a future driver release."

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-4459 to this issue. 

VIII. CREDIT

This vulnerability was discovered by Itzik Kotler, Safend.

IX. About SecuriTeam's Assisted Disclosure

Many researchers do not have the time, energy or inclination to deal with 
reporting a vulnerability to vendors.

SecuriTeam is here to help. If you want us to handle the logistics of 
contacting and following up with the vendor, making sure the problem is 
fixed, contact: STAD@xxxxxxxxxxxxxxx

Our end goal is Full Disclosure, preferably in coordination with the vendor, 
without exposing the researcher to unnecessary risk. We do not believe in 
hiding or selling vulnerabilities. Never had, never will.

All credit will be properly attributed. If asked we can act as proxies, 
keeping your privacy and anonymity.

X. LEGAL NOTICES

Disclaimer: The information in the advisory is believed to be accurate at the 
time of publishing based on currently available information. Use of the 
information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the author 
nor the publisher accepts any liability for any direct, indirect, or 
consequential loss or damage arising from use of, or reliance on, this 
information.

---

Safend is a leading provider of innovative endpoint security solutions that 
protect against corporate data leakage and penetration via physical and 
wireless ports. For more information, visit http://www.safend.com/.

Prev by Date: SoftBB 0.1 Remote PHP Code Execution Exploit
Next by Date: Re: TinyWebGallery v1.5 ( image ) Remote Include Vulnerability
Previous by thread: SoftBB 0.1 Remote PHP Code Execution Exploit
Next by thread: [SECURITY] [DSA 1167-1] New apache packages fix several vulnerabilities
Index(es):
- Date
- Thread