Note: This article was originally written by Kyriakos Economou (@kyREcon) for Nettitude labs.
Nettitude have discovered three vulnerabilities in Carbon Black; CVE-2016-9570, CVE-2016-9568 and CVE-2016-9569. Two of these have been patched at the time of writing.
CVE-2016-9570
- Module: cb.exe (SRC-149)
- Version: 5.1.1.60603
- Bug Type: Read-Out-Of-Bounds
- Impact: DoS
- Prerequisites: Hijack NetMon Pipe
- Severity: Medium
- Status: Remediated
Note: The following technical details are taken from the x86 build of the Carbon Black Sensor module. Variable sizes might change in x64 build.
Overview
The Carbon Black sensor receives data through the “\\.\pipe\netmon” named pipe and selects the appropriate handler based on a number that goes from 0 to 9.
If we send number ‘4’ as a command type then the DWORD store at offset (Buffer_Base + 0x7B) it will be interpreted as size for memory allocation. If we indicate 0x41414141 as size, the final size requested will be (size + 0x50). The driver has already checked if supplied size value is zero or a negative number, thus 0x80000000 and greater, so there are no integer overflows in this case.
014FC09B PUSH ECX ;HeapSize = 0x41414150 014FC09C PUSH 0;Flags = 0 014FC09E PUSH EAX ;hHeap 014FC09F CALL DWORD PTR DS:[<&KERNEL32.HeapAlloc>]
If the allocation succeeds, the driver will copy (size – 1) bytes to that buffer without validating the size of the buffer that keeps the input data, which will cause the Carbon Black Sensor to crash through an invalid pointer dereference. A memory access violation on read in this case.
Recommendation
Perform additional validation checks over the input that is processed through the named pipe.
CVE-2016-9568
- Module: cbstream.sys (SRC-148)
- Version: 5.1.1.60603
- Bug Type: Design Security Issue
- Impact: Perform unauthorized actions
- Prerequisites: Hijack NetMon Pipe
- Severity: Medium
- Status: Unfixed
Overview
This issue has not yet been fixed by Carbon Black, so Nettitude have opted to release only the limited details above for now.
CVE-2016-9569
- Module: cbstream.sys (SRC-147)
- Version: 5.1.1.60603
- IOCTL: 0x62430028
- Bug Type: Read-Out-Of-Bounds
- Impact: DoS
- Prerequisites: Admin Privileges
- Severity: Low
- Status: Remediated
Note: The following technical details are taken from the x86 build of the driver module. Variable sizes might change in x64 build.
Overview
When supplying the aforementioned IOCTL code, the driver will interpret the second DWORD (4 bytes) as a counter and the third DWORD as a value to search for in an allocated buffer.
The issue is that if the supplied counter is too big, then while parsing a memory allocation trying to find a match for the supplied value (3rd DWORD) it will eventually reach an address that doesn’t belong to an allocated memory page (read-out-of-bounds) resulting into an invalid pointer dereference which will lead to system crash, aka BSoD.
WinDBG – Crash Sample
ECX: counter limit provided through user input via IOCTL
eax=88128000 ebx=00000001 ecx=41414141 edx=00000008 esi=0064c33c edi=8078f6fc eip=a06dc366 esp=8078f4e0 ebp=8078f4e4 iopl=0 cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010283 cbstream+0x3366: a06dc366 8b10 mov edx,dword ptr [eax] ds:0023:88128000=???????? <- Invalid pointer dereference
Recommendation
Validate that ‘counter’ parameter doesn’t exceed a specific value. If that value is not ‘known’ then perform boundary checks against the buffer by validating the address to read from before that happens.