Advisory Details

May 27th, 2015

(0Day) Wavelink Emulation License Server LicenseServer.exe HTTP Request Headers Remote Code Execution Vulnerability

ZDI-15-245
ZDI-CAN-2721

CVE ID CVE-2015-4059
CVSS SCORE 10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)
AFFECTED VENDORS Wavelink
AFFECTED PRODUCTS Terminal Emulation
VULNERABILITY DETAILS


This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Wavelink Emulation License Server. User interaction is not required to exploit this vulnerability.

The specific flaw exists in the parsing of HTTP requests in LicenseServer.exe listening by default on port 4420. When parsing large HTTP headers, the application will overflow a heap buffer due to an unsafe memory block copy operation. An attacker could leverage this to execute arbitrary code in the context of SYSTEM.

ADDITIONAL DETAILS


This vulnerability is being disclosed publicly without a patch in accordance with the ZDI vulnerability disclosure policy on lack of vendor response.

~2/20/2015 - ZDI called Wavelink customer service and a recorded message indicated these products are supported by another entity
02/20/2015 - ZDI reached out to multiple security contacts at that entity looking for a contact and familiarity with the product but received a negative reply
The finder reached out to ZDI to say that there was some indication another entity was supporting these products.
04/09/2015 - ZDI reached out to security contacts at the 3rd party looking for a contact and familiarity with the product but received no reply
04/15/2015 - ZDI reached out to security contacts at the 3rd party looking for a contact and familiarity with the product but received no reply
05/20/2015 - ZDI reached out to security@wavelink.com, secure@wavelink.com and support@wavelink.com but received only an automated reply
05/20/2015 - ZDI again reached out to security contacts at the 3rd party looking for a contact and familiarity with the product but received a no reply
The finder has also made attempts at contact with the vendor/owner regarding these vulnerability reports, but has made no meaningful contact.

-- Mitigation:
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles.

-- Vendor Patch:
The vulnerability ZDI-15-245 has been patched and released to our web site as Emulation License Server version 4.3.006.

Here is a link: http://www.wavelink.com/Download-Emulation-License-Server-Software/


DISCLOSURE TIMELINE
  • 2015-02-20 - Case submitted to the ZDI
  • 2015-05-27 - Public release of advisory
CREDIT Andrea Micalizzi (rgod)
BACK TO ADVISORIES