How (Not) to Patch Command Injection Bugs

Presented at BSides Austin 2018, March 8, 2018, 3:30 p.m. (60 minutes)

In 2014 ZDI received a report of a command injection vulnerability in Dell's Sonicwall GMS Virtual Appliance. Normally this type of analysis is relatively simple. However, this analysis took a windy path from the JSP web interface through two XMLRPC sockets, to a binary, which delegated to shell scripts, which sourced yet another shell script that actually parsed attacker-supplied input. All this, just to make simple host modifications. Presumably, the code complexity drove the developers to patch this bug at the webapp level, instead of closer to the root cause. The resultant patch was immediately bypassed and the subsequent patch was also flawed. A few months later, other researchers reported an additional attack vector involving direct communication with one of the XMLRPC sockets to trigger the same underlying vulnerability outlined in the very first ZDI report. Ultimately, it appears the soft chewy center remains, but the crunchy outer shell has been significantly hardened, and thus, the hunt continues. This talk will detail the various patch attempts, how they failed or succeeded, and how they were analyzed, bypassed, and exploited with a Metasploit module we are releasing. We'll also discuss the much more comprehensive defense measures currently implemented by the developers.

Presenters:

• Michael Flanders
  Michael Flanders is a Vulnerability Intelligence Intern at Trend Micro's Zero Day Initiative. His focus includes analyzing and performing root-cause analysis on zero-day vulnerabilities submitted to the world's largest vendor-agnostic bug bounty program by researchers from around the world. He is also a sophomore at The University of Texas where he is studying Electrical and Computer Engineering.
• Joshua Smith
  Kernelsmith is a senior security researcher and the "FuzzOps" Manager at Trend Micro's Zero Day Initiative. When he's not herding cats or managing infrastructure, they let him think he's still analyzing vulnerabilities submitted to the program. He was a pentester in the United States Air Force and a computer security engineer at Johns Hopkins University Applied Physics Laboratory (JHUAPL). He holds a BS in Aeronautical Engineering and an MA in Management of Information Systems as well as a CISSP and RHCSA. Kernelsmith has spoken at DefCon and DerbyCon among others and was previously an external Metasploit developer.

Links:

• https://bsidesaustin2018.sched.com/event/DuGQ/how-not-to-patch-command-injection-bugs

Similar Presentations:

• DerbyCon 7.0 Legacy (2017) / VMware Escapology: How to Houdini The Hypervisor
• ToorCon San Diego 17 (2015) / LNKing the Past to the Present - The Curious Case of CVE-2010-2568 and CVE-2015-0096
• GrrCON 2015 / Can you patch a cloud?