TippingPoint Zero Day Initiative
 

(0Day) Wavelink Emulation ConnectPro TermProxy WLTermProxyService.exe HTTP Request Headers Remote Code Execution Vulnerability

ZDI-15-246: May 27th, 2015

CVE ID

CVSS Score

Affected Vendors

Affected Products

Vulnerability Details


This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Wavelink Emulation ConnectPro TermProxy. User interaction is not required to exploit this vulnerability.

The specific flaw exists in the parsing of HTTP requests in WLTermProxyService.exe, which listens by default on port 4428. When parsing large HTTP headers, the application overflows a heap buffer due to an unsafe memory block copy operation. An attacker could leverage this to execute arbitrary code in the context of SYSTEM.

Vendor Response

Wavelink states:


This vulnerability is being disclosed publicly without a patch in accordance with the ZDI vulnerability disclosure policy on lack of vendor response.

~2/20/2015 - ZDI called Wavelink customer service and a recorded message indicated these products are supported by another entity
02/20/2015 - ZDI reached out to multiple security contacts at that entity looking for a contact and familiarity with the product but received a negative reply
The finder reached out to ZDI to say that there was some indication another entity was supporting these products.
04/09/2015 - ZDI reached out to security contacts at the 3rd party looking for a contact and familiarity with the product but received no reply
04/15/2015 - ZDI reached out to security contacts at the 3rd party looking for a contact and familiarity with the product but received no reply
05/20/2015 - ZDI reached out to security@wavelink.com, secure@wavelink.com and support@wavelink.com but received only an automated reply
05/20/2015 - ZDI again reached out to security contacts at the 3rd party looking for a contact and familiarity with the product but received no reply
The finder has also made attempts at contact with the vendor/owner regarding these vulnerability reports, but has made no meaningful contact.

-- Mitigation:
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles.
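
One way to apply this restriction with the built-in Windows Firewall cmdlets, shown as an added example that is not part of the advisory. It assumes the service is on its default port and reached over TCP; the client addresses and the rule name are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the advisory. Assumptions: default port, TCP (the service
# speaks HTTP), placeholder client addresses, hypothetical rule name.
$Port         = 4428
$TrustedHosts = @('192.0.2.10', '192.0.2.11')          # placeholder client addresses
$RuleName     = 'TermProxy 4428 - trusted hosts only'  # hypothetical rule name
$ServiceExe   = 'WLTermProxyService.exe'

# 1. The restriction only holds if the firewall is on and unmatched inbound traffic is dropped.
Get-NetFirewallProfile -PolicyStore ActiveStore | ForEach-Object {
    if ($_.Enabled -ne 'True' -or $_.DefaultInboundAction -eq 'Allow') {
        Write-Warning "Profile $($_.Name): firewall disabled or default inbound action is Allow."
    }
}

# 2. List other enabled inbound allow rules that could still expose the listener:
#    rules naming the port, or any-port rules that are unscoped or scoped to the service binary.
#    Port ranges are not expanded here; review those by hand.
$exposing = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -ne $RuleName } |
    Where-Object {
        $pf  = $_ | Get-NetFirewallPortFilter
        $app = ($_ | Get-NetFirewallApplicationFilter).Program
        ($pf.Protocol -in 'TCP', 'Any') -and (
            ($pf.LocalPort -contains "$Port") -or
            ($pf.LocalPort -contains 'Any' -and ($app -eq 'Any' -or $app -like "*\$ServiceExe"))
        )
    }
$exposing | Select-Object DisplayName, Profile | Format-Table -AutoSize

# 3. Create (or update) the single allow rule scoped to the trusted hosts.
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $TrustedHosts
} else {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $Port -RemoteAddress $TrustedHosts -Profile Any | Out-Null
}

# 4. Preview disabling the broader rules; drop -WhatIf once the list has been reviewed.
if ($exposing) { $exposing | Disable-NetFirewallRule -WhatIf }

# 5. Confirm the effective remote-address scope of the new rule.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter |
    Format-List RemoteAddress
```

The example narrows the allow rules instead of adding a block rule for the port, because in Windows Firewall an explicit block rule takes precedence over allow rules and would also cut off the trusted hosts.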


Disclosure Timeline

    2015-02-20 - Case submitted to the ZDI
    2015-05-27 - Public release of advisory

Credit

This vulnerability was discovered by:
    Andrea Micalizzi (rgod)