
Siemens Automation License Manager almsrv64x.exe int64 Overflow Unauthenticated DoS

Siemens Automation License Manager almsrv64x.exe int64 Overflow Unauthenticated DoS

An int64 overflow vulnerability exists in Siemens Automation License Manager (ALM) almsrv64x.exe v602.1.0.1. An unauthenticated remote attacker can exploit it to crash the process.

almsrv64x.exe listens on TCP port 4410 by default and processes licensing messages having the following format:

// be = big endian

// Licensing message as received on the TCP listener (port 4410 by default):
// a fixed-size header followed by a length-prefixed body.
struct order_msg
{
   header hdr; // fixed 8-byte header, both fields big-endian
   body   bd;  // variable-length body (size prefix + XML data)
};

// Message header; both fields are 32-bit big-endian.
struct header
{
   be32 OrderCode; // order command code
   be32 OrderSize; // size of order (msg) data
};

// Message body. The size prefix is supplied by the remote (unauthenticated) peer
// and is later added to the stream position before being compared against the
// allocated buffer size; a value such as 0xffffffffffffffff wraps that sum, so the
// bounds check in CSocketStream_EnsureNbytesInBuf does not reject it. A safe check
// compares the requested size against the remaining space (AllocSize - pos)
// instead of adding it to pos.
struct body
{
   byte size[]; // data size encoded in variable number of bytes
                // size range                      encoded as
                // 0 - 0xfe                        b1
                // 0xff - 0xfffe                   ff b1 b2
                // 0xffff - 0xfffffffe             ff ff ff b1 b2 b3 b4
                // 0xffffffff - 0xffffffffffffffff ff ff ff ff ff ff ff b1 b2 b3 b4 b5 b6 b7 b8
   byte data[size]; // XML data, `size` bytes
};

almsrv64x.exe has a function to check if the body size is within the allocated buffer. If so, the function returns normally. Otherwise, an exception is thrown:

[...]
.text:00007FF7F6D83ED0  sub     rsp, 48h
.text:00007FF7F6D83ED4 rdx = size
.text:00007FF7F6D83ED4  add     rdx, [rcx+CSocketStream.pos] ; VULN: rdx = 0xffffffffffffffff ->
.text:00007FF7F6D83ED4                          ; int64 overflow
.text:00007FF7F6D83ED8  cmp     rdx, [rcx+CSocketStream.AllocSize]
.text:00007FF7F6D83EDC  ja      short loc_7FF7F6D83EE3
.text:00007FF7F6D83EDE  add     rsp, 48h
.text:00007FF7F6D83EE2  retn
.text:00007FF7F6D83EE3 ; ---------------------------------------------------------------------------
.text:00007FF7F6D83EE3
.text:00007FF7F6D83EE3 loc_7FF7F6D83EE3:        ; CODE XREF: CSocketStream_EnsureNbytesInBuf+C↑j
.text:00007FF7F6D83EE3  lea     rdx, aCmemstreamTrie_0 ; "CMemStream - tried to read behind buffe"...
.text:00007FF7F6D83EEA  lea     rcx, [rsp+48h+pExceptionObject]
.text:00007FF7F6D83EEF  call    sub_7FF7F6D52F90
.text:00007FF7F6D83EF4  lea     rdx, __TI3?AVout_of_range@std@@ ; pThrowInfo
.text:00007FF7F6D83EFB  lea     rcx, [rsp+48h+pExceptionObject] ; pExceptionObject
.text:00007FF7F6D83F00  call    _CxxThrowException
[...]

If the attacker specifies a body size of 0xffffffffffffffff, the addition in the check function overflows and the bounds check is bypassed. The XML processing function is then told that the XML data is 0xffffffffffffffff bytes long, which can result in a memory read access violation that terminates the almsrv64x.exe process:

(318.19f4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
rax=00000000fffffff7 rbx=ffffffffffffffff rcx=00007ff7f6d86f5e
rdx=0000000000000005 rsi=0000000000000000 rdi=000001e0e04e306f
rip=00007ff7f6d86e04 rsp=000000d9dc7fccd0 rbp=00000000ffffffff
 r8=0000000002488f91  r9=0000000002488f91 r10=0000000000000000
r11=000000d9dc7fcb60 r12=00007ff7f6b80000 r13=0000000000000005
r14=000000d9dc7fdc68 r15=0000000000000002
iopl=0         nv up ei pl nz ac pe cy
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010213
almsrv64x+0x206e04:
00007ff7`f6d86e04 410fbe0438      movsx   eax,byte ptr [r8+rdi] ds:000001e0`e296c000=??
[...]

Nick Miles

Thu, 09/12/2024 – 10:10
