CVE-2017-2785 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Pharos Popup 9.0

CVSS 10.0 - CRITICAL

Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Summary

An exploitable buffer overflow exists in the psnotifyd application of the Pharos PopUp printer client version 9.0. A specially crafted packet can be sent to the victim's computer and can lead to a heap-based buffer overflow resulting in remote code execution. This client is always listening, has root privileges, and requires no user interaction to exploit.

Vulnerable Configurations

Part         Description   Count
Application  Pharos        1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Seebug

bulletinFamily: exploit

description:

### Summary

An exploitable buffer overflow exists in the psnotifyd application of the Pharos PopUp printer client version 9.0. A specially crafted packet can be sent to the victim's computer and can lead to a heap-based buffer overflow resulting in remote code execution. This client is always listening, has root privileges, and requires no user interaction to exploit.

### Tested Versions

Pharos PopUp Printer Client 9.0

### Product URLs

https://pharos.com/products-services/

### CVSSv3 Score

10.0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

### CWE

CWE-122 - Heap-based Buffer Overflow

### Details

Pharos PopUp Printer client is printing software that is widely used in universities all over the United States. This client is a way to manage multiple connections to a single printing point and is constantly listening in the background for a packet from the printer. It is also running with root privilege for easy access to any privileged drivers. These all make this an excellent target where a vulnerability could have a high impact.

The vulnerability is located inside of the DecodeString function. The strings in the packet are sent to the program in an encoded format, and this function parses the packet and decodes each string. First, the function locates the end of the string, then reads in some data from the packet, and finally passes it into a decode function. This code is shown below.
```
__text:0000000100005E21 mov rsi, [rbx+PSComDecodePacket.end_of_str] [1]
__text:0000000100005E28 movzx ecx, byte ptr [rsi]
__text:0000000100005E2B mov eax, ecx
__text:0000000100005E2D and eax, 3Fh
__text:0000000100005E30 cmp eax, 10
__text:0000000100005E33 jnz short loc_100005E98
__text:0000000100005E35 lea rax, [rsi+1]
__text:0000000100005E39 mov [rbx+PSComDecodePacket.end_of_str], rax
__text:0000000100005E40 mov al, 1
__text:0000000100005E42 test cl, cl
__text:0000000100005E44 js short loc_100005E74
__text:0000000100005E46 mov edx, [rsi+1] [2]
__text:0000000100005E49 add rsi, 5
__text:0000000100005E4D mov [rbx+PSComDecodePacket.end_of_str], rsi
__text:0000000100005E54 mov [r14], rsi
__text:0000000100005E57 add [rbx+PSComDecodePacket.end_of_str], rdx ;
__text:0000000100005E5E test cl, 40h
__text:0000000100005E61 jz short loc_100005E72
__text:0000000100005E63 add rbx, 20h
__text:0000000100005E67 mov rsi, [r14]
__text:0000000100005E6A mov rdi, rbx
__text:0000000100005E6D call xor_decode [3]
```

At the beginning, EDX is checked against zero, [1], and we subsequently fall into a loop. Some data is then read from the packet structure and used at location [2]. This is XOR'd against user data in an attempt to deobfuscate the received packet. Continuing a little further down, we see increments to RSI and CL and a decrement to EDX. EDX is then tested against zero, so the loop continues until EDX reaches zero. This means that the loop executes however many times the attacker specified in the previous function, a count taken directly from the packet. The code keeps incrementing the packet pointer in RSI, causing a buffer overflow of attacker-controlled data and ultimately leading to remote code execution.
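The defect the advisory describes is a length read straight from the packet and used to drive the decode loop without any comparison against the bytes actually received. The following C program is an added example, not Pharos code and not the Talos proof of concept: the record layout (a tag byte whose low six bits are 10, a 32-bit little-endian length at offset 1, payload starting at offset 5, an XOR key that advances with each byte) is my reading of the disassembly above, and the names decode_string, build_record and the decode_status values are invented. It shows the bounds check a hardened DecodeString needs, the length must fit both in the remaining packet and in the output buffer, and exercises it on constructed well-formed, oversized and truncated records.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TAG_STRING  10    /* low six bits of the tag byte mark a string record (from the cmp eax, 10) */
#define TAG_SHORT   0x80  /* bit 7: short form without a 32-bit length (from test cl, cl); not handled here */
#define TAG_XOR     0x40  /* bit 6: payload is XOR-obfuscated (from test cl, 40h) */
#define HEADER_LEN  5     /* tag byte + 32-bit length, matching add rsi, 5 */

enum decode_status {
    DECODE_OK = 0,
    DECODE_BAD_TAG,
    DECODE_TRUNCATED,
    DECODE_LENGTH_TOO_LARGE
};

/* Assumed XOR scheme: byte i is XORed with key + i, since the advisory's loop
 * increments CL alongside RSI. XOR is symmetric, so this both masks and unmasks. */
static uint8_t unmask(uint8_t b, uint8_t key, size_t i)
{
    return (uint8_t)(b ^ (uint8_t)(key + i));
}

/* Decode one string record at pkt[*pos] into out. On success *pos advances past
 * the record and *out_len receives the decoded length. */
enum decode_status decode_string(const uint8_t *pkt, size_t pkt_len,
                                 size_t *pos, uint8_t key,
                                 uint8_t *out, size_t out_cap,
                                 size_t *out_len)
{
    size_t p = *pos;
    if (p >= pkt_len)
        return DECODE_TRUNCATED;
    uint8_t tag = pkt[p];
    if ((tag & 0x3F) != TAG_STRING || (tag & TAG_SHORT))
        return DECODE_BAD_TAG;
    if (pkt_len - p < HEADER_LEN)          /* length field must be fully present */
        return DECODE_TRUNCATED;
    uint32_t len = (uint32_t)pkt[p + 1]
                 | ((uint32_t)pkt[p + 2] << 8)
                 | ((uint32_t)pkt[p + 3] << 16)
                 | ((uint32_t)pkt[p + 4] << 24);
    p += HEADER_LEN;
    /* The check the vulnerable code lacks: the declared length is bounded by the
     * bytes remaining in the packet and by the destination buffer. p <= pkt_len
     * here, so the subtraction cannot underflow. */
    if (len > pkt_len - p || len > out_cap)
        return DECODE_LENGTH_TOO_LARGE;
    for (size_t i = 0; i < len; i++)
        out[i] = (tag & TAG_XOR) ? unmask(pkt[p + i], key, i) : pkt[p + i];
    *out_len = len;
    *pos = p + len;
    return DECODE_OK;
}

/* Build a constructed record (not captured traffic): tag, declared length,
 * payload masked with key. declared_len may deliberately disagree with the payload. */
static size_t build_record(uint8_t *buf, uint32_t declared_len,
                           const char *text, uint8_t key)
{
    size_t n = strlen(text);
    buf[0] = TAG_STRING | TAG_XOR;
    buf[1] = (uint8_t)(declared_len);
    buf[2] = (uint8_t)(declared_len >> 8);
    buf[3] = (uint8_t)(declared_len >> 16);
    buf[4] = (uint8_t)(declared_len >> 24);
    for (size_t i = 0; i < n; i++)
        buf[HEADER_LEN + i] = unmask((uint8_t)text[i], key, i);
    return HEADER_LEN + n;
}

/* Well-formed record: declared length matches the payload. Returns 1 when the
 * decoded text is "hello" and the cursor lands at the end of the record. */
int demo_well_formed(void)
{
    uint8_t pkt[64], out[16];
    size_t pos = 0, out_len = 0;
    size_t pkt_len = build_record(pkt, 5, "hello", 0x21);
    enum decode_status st = decode_string(pkt, pkt_len, &pos, 0x21,
                                          out, sizeof out, &out_len);
    return st == DECODE_OK && out_len == 5 &&
           memcmp(out, "hello", 5) == 0 && pos == pkt_len;
}

/* Malformed record: declared length far exceeds the five payload bytes present. */
enum decode_status demo_oversized_length(void)
{
    uint8_t pkt[64], out[16];
    size_t pos = 0, out_len = 0;
    size_t pkt_len = build_record(pkt, 0x7FFFFFFFu, "hello", 0x21);
    return decode_string(pkt, pkt_len, &pos, 0x21, out, sizeof out, &out_len);
}

/* Truncated record: the tag is present but the length field is cut off. */
enum decode_status demo_truncated_header(void)
{
    uint8_t pkt[2] = { TAG_STRING | TAG_XOR, 0x05 };
    uint8_t out[16];
    size_t pos = 0, out_len = 0;
    return decode_string(pkt, sizeof pkt, &pos, 0x21, out, sizeof out, &out_len);
}
```

The two comparisons after the length is read are the whole fix; everything else is there so the check can be exercised. Note that the "range {5, 4} exceeds data length 0" exception in the crash log below is the same class of mistake surfacing one layer up: the header is being read before anyone has confirmed that five bytes exist.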
### Crash Information

```
./exc_handler ./psnotifyd
2017-01-24 13:18:26.374 psnotifyd[24597:8732293] Notify listening thread started
2017-01-24 13:18:26.375 psnotifyd[24597:8732293] Listening on socket 4
2017-01-24 13:18:26.377 psnotifyd[24597:8732289] CFSocketSetAddress bind failure: 48
2017-01-24 13:18:26.377 psnotifyd[24597:8732289] Telling any existing Notify processes that psnotifyd has started up.
2017-01-24 13:18:36.153 psnotifyd[24597:8732293] New notify connection incoming
2017-01-24 13:18:36.153 psnotifyd[24597:8732293] Spawning a new notify request handler thread
2017-01-24 13:18:36.153 psnotifyd[24597:8732293] Listening on socket 4
2017-01-24 13:18:36.153 psnotifyd[24597:8732519] New request handler thread started
2017-01-24 13:18:36.153 psnotifyd[24597:8732519] I got some stuff goin' on
2017-01-24 13:18:36.157 psnotifyd[24597:8732293] New notify connection incoming
2017-01-24 13:18:36.157 psnotifyd[24597:8732293] Spawning a new notify request handler thread
2017-01-24 13:18:36.157 psnotifyd[24597:8732293] Listening on socket 4
2017-01-24 13:18:36.157 psnotifyd[24597:8732522] New request handler thread started
2017-01-24 13:18:36.157 psnotifyd[24597:8732522] I got some stuff goin' on
2017-01-24 13:18:36.218 psnotifyd[24597:8732519] Exception: *** -[_NSZeroData getBytes:range:]: range {5, 4} exceeds data length 0
Crashed thread log =
0   psnotifyd                       0x0000000100006d19 0x100000000 + 27929
1   psnotifyd                       0x0000000100005e72 0x100000000 + 24178
2   psnotifyd                       0x0000000100005c81 0x100000000 + 23681
3   psnotifyd                       0x0000000100002071 0x100000000 + 8305
4   psnotifyd                       0x0000000100002937 0x100000000 + 10551
5   psnotifyd                       0x0000000100002392 0x100000000 + 9106
6   com.apple.Foundation            0x00007fff89e3de64 __NSThread__start__ + 1351
7   libsystem_pthread.dylib         0x00007fff997ec99d _pthread_body + 131
8   libsystem_pthread.dylib         0x00007fff997ec91a _pthread_start + 168
9   libsystem_pthread.dylib         0x00007fff997ea351 thread_start + 13
log name is: ./crashlogs/overflow.crashlog.txt
---
exception=EXC_BAD_ACCESS:signal=10:is_exploitable=yes:instruction_disassembly=xorb %al,(%rsi):instruction_address=0x0000000100006d19:access_type=write:access_address=0x0000000104000000:
Crash accessing invalid address.
```

### Timeline

* 2017-02-07 - Vendor Disclosure
* 2017-03-07 - Public Release

### CREDIT

* Discovered by Tyler Bohan of Cisco Talos. Talos would also like to thank NYU Osiris Lab for helping out with some of the reversing.
id: SSV:96547
last seen: 2017-11-19
modified: 2017-09-20
published: 2017-09-20
reporter: Root
title: Pharos PopUp Printer Client DecodeString Code Execution Vulnerability (CVE-2017-2785)

Talos

id: TALOS-2017-0280
last seen: 2019-05-29
published: 2017-03-07
reporter: Talos Intelligence
source: http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0280
title: Pharos PopUp Printer Client DecodeString Code Execution Vulnerability