
CVE-2019-12255 PoC — Wind River Systems VxWorks Buffer Error Vulnerability

Associated Vulnerability
Title: Wind River Systems VxWorks Buffer Error Vulnerability (CVE-2019-12255)
Description: Wind River Systems VxWorks is an embedded real-time operating system (RTOS) from the US company Wind River Systems. A buffer error vulnerability exists in Wind River Systems VxWorks. The flaw arises because the network system or product does not correctly validate data boundaries when performing operations on memory, so incorrect reads and writes are performed on other associated memory locations. An attacker can exploit this vulnerability to cause a buffer overflow or heap overflow. The following products and versions are affected: Wind River Systems VxWorks 6.9, 6.8, 6.7 and 6.6.
Description
Suricata LUA scripts to detect CVE-2019-12255, CVE-2019-12256, CVE-2019-12258, and CVE-2019-12260
Readme
# Urgent11-Suricata-LUA-scripts
Suricata LUA scripts to detect CVE-2019-12255, CVE-2019-12256, CVE-2019-12258, and CVE-2019-12260

## CVE-2019-12255
The script checks for CVE-2019-12255. The packet being checked needs to have the PSH, ACK and URG flags set and a payload size that exceeds 1500 bytes. It then checks whether the urgent pointer is set to 0, which causes an integer underflow on vulnerable devices.

The exploit is based on underflowing the urgent pointer by setting it to 0. The flaw causes the length constraint in the target's recv() to be ignored, so all of the available data from the TCP window is copied into the user-supplied buffer. The rule checks whether the payload exceeds 1500 bytes.

## CVE-2019-12256
The script checks for CVE-2019-12256. The packet being checked contains two LSRR or SSRR options in the IP header. An LSRR option is recognised by the type byte 0x83 and an SSRR option by the type byte 0x89. The exploit uses invalid values: the option length is shorter than the length normally used when defining a route (4 bytes minimum), and this malformed option is present twice in the packet sent to the server. The following IP options will trigger a stack overflow with invalid LSRR options:

| Type LSRR | Length | LSRR-Pointer | Type LSRR | Length | LSRR-Pointer |
|-----------|--------|--------------|-----------|--------|--------------|
| \x83      | \x03   | \x27         | \x83      | \x03   | \x27         |

The following IP options will trigger a stack overflow with invalid SSRR options:

| Type SSRR | Length | SSRR-Pointer | Type SSRR | Length | SSRR-Pointer |
|-----------|--------|--------------|-----------|--------|--------------|
| \x89      | \x03   | \x27         | \x89      | \x03   | \x27         |
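
The same check, written as an added Python example rather than code from the Urgent11-Suricata-LUA-scripts repository: it walks the IPv4 options area of a raw packet and returns 1 when two or more LSRR/SSRR options shorter than the README's 4-byte minimum are present, so both table layouts above match while a well-formed route option does not. The packet layout (raw IPv4 with no link-layer header) and the `make_ipv4_with_options` test fixture are assumptions of this example.

```python
import struct

# Added example, not code from the Urgent11-Suricata-LUA-scripts repository.
# It parses the IPv4 options area of a raw packet and applies the README's
# CVE-2019-12256 condition: two (or more) LSRR/SSRR options shorter than the
# 4-byte minimum the README uses for a sane source-route option.

OPT_LSRR = 0x83          # Loose Source and Record Route (RFC 791)
OPT_SSRR = 0x89          # Strict Source and Record Route (RFC 791)
MIN_ROUTE_OPT_LEN = 4    # threshold from the README


def walk_ipv4_options(raw: bytes):
    """Yield (type, length, data) for every option in an IPv4 options area.

    Malformed lengths are reported rather than trusted: a missing length byte
    is yielded as None, and a length below 2 ends the walk so it cannot spin.
    """
    i = 0
    while i < len(raw):
        opt_type = raw[i]
        if opt_type == 0:            # End of Option List
            return
        if opt_type == 1:            # No Operation (single byte)
            i += 1
            continue
        if i + 1 >= len(raw):
            yield (opt_type, None, b"")
            return
        length = raw[i + 1]
        if length < 2:
            yield (opt_type, length, b"")
            return
        yield (opt_type, length, raw[i + 2:i + length])
        i += length


def check_cve_2019_12256(pkt: bytes) -> int:
    """Return 1 (match) when the IPv4 header carries two or more short LSRR/SSRR options."""
    ihl = (pkt[0] & 0x0F) * 4
    short_route_options = 0
    for opt_type, length, _ in walk_ipv4_options(pkt[20:ihl]):
        if opt_type in (OPT_LSRR, OPT_SSRR) and (length is None or length < MIN_ROUTE_OPT_LEN):
            short_route_options += 1
    return 1 if short_route_options >= 2 else 0


def make_ipv4_with_options(options: bytes) -> bytes:
    """Constructed sample for testing: a bare IPv4 header carrying `options` (zero-padded to 32 bits)."""
    options += b"\x00" * (-len(options) % 4)
    ihl = (20 + len(options)) // 4
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x40 | ihl, 0, 20 + len(options), 0, 0, 64, 6, 0,
        b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02",   # constructed addresses
    )
    return header + options


if __name__ == "__main__":
    # The two malformed layouts from the README tables, and a well-formed LSRR for contrast.
    print(check_cve_2019_12256(make_ipv4_with_options(b"\x83\x03\x27\x83\x03\x27")))      # 1
    print(check_cve_2019_12256(make_ipv4_with_options(b"\x89\x03\x27\x89\x03\x27")))      # 1
    print(check_cve_2019_12256(make_ipv4_with_options(b"\x83\x07\x04\x0a\x00\x00\x03")))  # 0
```

The option walker stops on a length of 0 or 1 and reports a missing length byte as `None`, which is the part a detector has to get right: a naive loop that trusts the length field would either spin or walk off the end of the header on exactly the malformed input it is meant to flag.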

## CVE-2019-12258
The script checks for CVE-2019-12258; the packets involved are marked with a comment in the PCAP. The first detection is checked against two window scale options, one invalid and one valid. The second is the unweaponised DoS variant, which holds one invalid window scale option.

The Window Scale option kind is 03, which indicates that this option is in use; it sits at a fixed offset of 57 in the TCP packet. For this exploit to trigger, the byte at offset 58 has to be 2 (invalid). Both values are checked, and the script returns 1 (match) if this is the case.

## CVE-2019-12260
The script checks for CVE-2019-12260. The packet being checked is a malformed SYN packet containing a TCP-AO option whose length field is less than or equal to 3 bytes. The TCP-AO option kind is 0x29, as per the RFC: https://tools.ietf.org/html/rfc5925#page-7

The exploit is based on malforming the TCP-AO option by setting its length to anything less than or equal to 3 bytes. This can be checked by verifying that the option kind 0x29 is present at offset 56.
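
The three TCP-level checks described above (CVE-2019-12255, CVE-2019-12258 and CVE-2019-12260), as one added Python example that is not code from the Urgent11-Suricata-LUA-scripts repository. Where the README's scripts read fixed offsets (57/58 and 56) inside the frame, this example goes a step further and walks the TCP option list, so the same conditions are found wherever the option sits. It assumes a raw IPv4/TCP packet with no link-layer header in front of it; `parse_tcp`, `walk_tcp_options` and the `make_packet` test fixture are this example's own names.

```python
import struct

# Added example, not code from the Urgent11-Suricata-LUA-scripts repository.
# It parses a raw IPv4/TCP packet (assumed: no Ethernet header in front of it;
# the repository's scripts instead use fixed offsets into the frame) and
# applies the README's conditions for CVE-2019-12255, CVE-2019-12258 and
# CVE-2019-12260 by walking the TCP option list instead of reading one offset.

TCP_SYN, TCP_PSH, TCP_ACK, TCP_URG = 0x02, 0x08, 0x10, 0x20
OPT_WSCALE = 3           # Window Scale (RFC 7323): length byte must be 3
OPT_TCP_AO = 0x29        # TCP-AO (RFC 5925): kind 41, length is at least 4 when well formed
MAX_SANE_PAYLOAD = 1500  # the README's payload threshold for CVE-2019-12255


def parse_tcp(pkt: bytes) -> dict:
    """Split a raw IPv4/TCP packet into flags, urgent pointer, option bytes and payload."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    _src, _dst, _seq, _ack, off_flags, _win, _csum, urg_ptr = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    return {
        "flags": off_flags & 0x1FF,
        "urg_ptr": urg_ptr,
        "options": tcp[20:data_off],
        "payload": tcp[data_off:],
    }


def walk_tcp_options(raw: bytes):
    """Yield (kind, length, data) per TCP option; malformed lengths are reported, not trusted."""
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                 # End of option list
            return
        if kind == 1:                 # NOP (single byte)
            i += 1
            continue
        if i + 1 >= len(raw):         # kind byte with no length byte
            yield (kind, None, b"")
            return
        length = raw[i + 1]
        if length < 2:                # can never be valid and would stall the walk
            yield (kind, length, b"")
            return
        yield (kind, length, raw[i + 2:i + length])
        i += length


def check_cve_2019_12255(pkt: bytes) -> int:
    """PSH+ACK+URG set, urgent pointer 0 and payload over 1500 bytes -> 1 (match)."""
    t = parse_tcp(pkt)
    needed = TCP_PSH | TCP_ACK | TCP_URG
    if (t["flags"] & needed) == needed and t["urg_ptr"] == 0 and len(t["payload"]) > MAX_SANE_PAYLOAD:
        return 1
    return 0


def check_cve_2019_12258(pkt: bytes) -> int:
    """A Window Scale option whose length byte is not 3 (the README's invalid value 2) -> 1."""
    for kind, length, _ in walk_tcp_options(parse_tcp(pkt)["options"]):
        if kind == OPT_WSCALE and length != 3:
            return 1
    return 0


def check_cve_2019_12260(pkt: bytes) -> int:
    """SYN carrying a TCP-AO option (kind 0x29) whose length byte is 3 or less -> 1."""
    t = parse_tcp(pkt)
    if not t["flags"] & TCP_SYN:
        return 0
    for kind, length, _ in walk_tcp_options(t["options"]):
        if kind == OPT_TCP_AO and length is not None and length <= 3:
            return 1
    return 0


def make_packet(flags: int, urg_ptr: int = 0, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Constructed sample for testing: minimal IPv4 header + TCP header with the given fields."""
    options += b"\x00" * (-len(options) % 4)           # options are padded to a 32-bit boundary
    data_off = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 1, (data_off << 12) | flags, 8192, 0, urg_ptr)
    total = 20 + len(tcp) + len(options) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")   # constructed addresses
    return ip + tcp + options + payload


if __name__ == "__main__":
    print(check_cve_2019_12255(make_packet(TCP_PSH | TCP_ACK | TCP_URG, payload=b"A" * 1501)))  # 1
    print(check_cve_2019_12258(make_packet(TCP_ACK, options=b"\x03\x02")))                         # 1
    print(check_cve_2019_12260(make_packet(TCP_SYN, options=b"\x29\x03\x00")))                     # 1
```

Each check returns 1 or 0 in the same spirit as the Lua `match` functions. The fixed-offset approach in the repository is cheaper per packet but misses the same malformed option when a NOP or another option precedes it; walking the list trades a few cycles for that coverage, and the length guards in `walk_tcp_options` keep the walker itself from being stalled by the malformed lengths it is looking for.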
File Snapshot

[4.0K] /data/pocs/7857144fde3a9dd63262aa10fdf5562c84e38a25
├── [1.6K] cve_2019_12255.lua
├── [1.9K] cve_2019_12256_lsrr.lua
├── [1.9K] cve_2019_12256_ssrr.lua
├── [1.7K] cve_2019_12258.lua
├── [1.5K] cve_2019_12260.lua
├── [2.8K] README.md
└── [3.1K] urgent11_rules.txt

0 directories, 7 files