Buffer overflow in Areca CLI, version <= 1.72.250
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I - TITLE
Security advisory: Buffer overflow in Areca CLI, version <= 1.72.250
II - SUMMARY
Description: Local buffer overflow vulnerability in Areca CLI allows for
arbitrary code execution and eventually privilege escalation
Author: Sebastian Wolfgarten (sebastian at wolfgarten dot com),
http://www.devtarget.org
Date: July 22nd, 2007
Severity: Medium
References: http://www.devtarget.org/areca-advisory-07-2007.txt
III - OVERVIEW
Areca-CLI (cli32) is a command line interface to query and alter the
settings of Areca ARC-xxx SATA RAID controllers. More information about
the product can be found online at http://www.areca.com.tw.
IV - DETAILS
The application "Areca CLI, version <= 1.72.250" (cli32) is prone to a
classic buffer overflow vulnerability when a particularly long
command-line argument is passed and the application attempts to copy
that argument into a fixed-size buffer. On a Debian 4.0 test system
(kernel 2.6.20), for instance, an attacker is required to supply more
than 520 characters to completely overwrite the EIP register and thus
execute arbitrary code. Please note that besides Linux, other platforms
(e.g. FreeBSD) might be affected as well (unchecked).
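The copy pattern described above, shown as an added illustration that is not cli32's code: the unchecked strcpy of a command-line argument into a fixed stack buffer next to a length-checked copy that rejects arguments which do not fit. The 512-byte buffer size, the function names and the constructed test arguments are assumptions for this example; the advisory only states that more than 520 characters were needed to reach EIP on its test system.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stdio.h>
#include <string.h>

/* Illustrative buffer size (an assumption for this example, not cli32's
 * real size). The advisory reports that more than 520 bytes of argument
 * reached the saved return address on its test system, which is what a
 * buffer of roughly this size followed by saved EBP/EIP would give. */
#define ARG_BUF_SIZE 512

/* The vulnerable pattern the advisory describes: argv[] is copied into a
 * fixed-size stack buffer with no length check, so an argument longer
 * than the buffer overwrites the saved frame pointer and return address.
 * Kept here only for comparison; this example never calls it. */
static void copy_arg_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);            /* no bound: classic stack overflow */
}

/* Hardened form: refuse any argument that does not fit, including its
 * terminating NUL. Returns 0 on success, -1 if the argument is rejected. */
static int copy_arg_checked(char *dst, size_t dstsz, const char *src)
{
    size_t n = strnlen(src, dstsz);  /* never scans past dstsz bytes */
    if (n >= dstsz)                  /* no room left for the NUL */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Helper for exercising the checked copy: builds a constructed argument
 * of `len` 'A' characters and returns the copier's result. */
int try_arg_of_length(size_t len)
{
    static char arg[4096];
    char buf[ARG_BUF_SIZE];
    if (len >= sizeof arg)
        return -1;
    memset(arg, 'A', len);
    arg[len] = '\0';
    return copy_arg_checked(buf, sizeof buf, arg);
}

int main(int argc, char **argv)
{
    char buf[ARG_BUF_SIZE];
    (void)copy_arg_unchecked;   /* referenced only to silence -Wunused */
    if (argc < 2) {
        fprintf(stderr, "usage: %s <argument>\n", argv[0]);
        return 2;
    }
    if (copy_arg_checked(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "argument too long (limit %d bytes)\n",
                ARG_BUF_SIZE - 1);
        return 1;
    }
    printf("accepted %zu-byte argument\n", strlen(buf));
    return 0;
}
```

The checked variant is the behaviour a patched cli32 would need: the length test happens before any byte is written, and strnlen bounds the scan so an unterminated input cannot be read past the destination size either.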
V - ANALYSIS
The severity of this vulnerability is probably "medium" as it can only
be exploited locally and the file cli32 is not set suid root by default.
However, when it is used in combination with software such as Nagios to
locally or remotely monitor the status of a RAID controller, many people
tend to assign suid root privileges to this file in order to be able to
query the status of the controller via a web interface. Consequently, in
such a situation this vulnerability will result in a privilege
escalation enabling local users to gain root privileges.
VI - EXPLOIT CODE
An exploit for this vulnerability has been developed but will not be
released to the general public at this time. However, developing an
exploit for this vulnerability is trivial.
VII - WORKAROUND/FIX
The vendor confirmed the vulnerability but failed to respond to several
emails asking for a concrete timeline to fix the problem. Thus, to
mitigate the vulnerability, one is advised to ensure the file "cli32" is
not set suid root and to ask the vendor to develop and supply a patch in
the near future.
VIII - DISCLOSURE TIMELINE
07. June 2007 - Notified {support,security,info}@areca.com.tw
08. June 2007 - Vulnerability confirmed
11. June 2007 - Response from vendor
16. June 2007 - Contact to vendor (several times), no reply
22. July 2007 - Public disclosure
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGo1TKd8QFWG1Rza8RAq0WAKCHv9ngp+wDJHkkoq6UqOkvsoL5QgCfRe0t
Tk/lQgb5LKiSpAP4lGfcXrg=
=S6Um
-----END PGP SIGNATURE-----