SFCB vulnerabilities

2010-06-0300:00:00

vulners.com

258

JSON

[=] Product overview

SBLIM SFCB is an Open Source implementation of a WBEM CIM broker. WBEM
is a set of technologies aimed to monitor and administer (larges) pools
of computing ressources, applications, hardware. It's used by computers
management tools like HP Systems Insight Manager, VMware vSphere or IBM
Director. SFCB usually listens on TCP ports 5988 (HTTP) or 5989 (HTTPS)
and is used in many Linux distributions and some VMware / Dell products.

[=] Vulnerabilities

CVE-2010-1937 (SFCB bug #3001896) : pre-auth remote heap overflow
using a forged Content-Length header

When parsing a HTTP request, SFCB will use any positive Content-Length
value to allocate a buffer. Then, memcpy tries to copy the user-provided
POST data in this buffer. By sending a small value in the Content-Length
header and more data in the POST body, it's possible to overflow the
previously allocated heap buffer.

Vulnerable versions : up to 1.3.7

CVE-2010-2054 (SFCB bug #3001915) : pre-auth remote integer overflow
using a forged Content-Length header

If the configuration option "httpMaxContentLength" is explicitly set to
0, SFCB will only check that the Content-Length value is positive and
lower than UINT_MAX and use it (adding 8) to allocate a buffer. Then,
memcpy tries to copy the user-provided POST data in this buffer. By
sending a value between UINT_MAX-7 and UINT_MAX-1, it is possible to
overflow a buffer of size 1 to 7.

Vulnerable versions : from 1.3.4 to 1.3.7

[=] Note about VMware products

VMware ESXi 3.5, ESXi 4 and ESX 4 are running by default a modified
version of SFCB (v1.3.3 in ESX 4). However they were tested as non
vulnerable :