Talos Vulnerability Report

TALOS-2017-0280

Pharos PopUp Printer Client DecodeString Code Execution Vulnerability

March 7, 2017
CVE Number

CVE-2017-2785

Summary

An exploitable buffer overflow exists in the psnotifyd application of the Pharos PopUp printer client version 9.0. A specially crafted packet can be sent to the victim's computer and can lead to a heap based buffer overflow resulting in remote code execution. This client is always listening, has root privileges, and requires no user interaction to exploit.

Tested Versions

Pharos PopUp Printer Client 9.0

Product URLs

https://pharos.com/products-services/

CVSSv3 Score

10.0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-122 - Heap-based Buffer Overflow

Details

Pharos PopUp Printer client is printing software that is widely used in universities all over the United States. This client is a way to manage multiple connections to a single printing point and is constantly listening in the background for a packet from the printer. It is also running with root privilege for easy access to any privileged drivers. These all make this an excellent target where a vulnerability could have a high impact.

The vulnerability is located inside of the DecodeString function. The packet strings are sent to the program encoded in an encoding format. This function parses the packet and decodes the string. First off the function locates the end of the string, reads in some data from the packet and finally passes it into a decode function. This code is shown below.

__text:0000000100005E21                 mov     rsi, [rbx+PSComDecodePacket.end_of_str]     [1]
__text:0000000100005E28                 movzx   ecx, byte ptr [rsi]
__text:0000000100005E2B                 mov     eax, ecx
__text:0000000100005E2D                 and     eax, 3Fh
__text:0000000100005E30                 cmp     eax, 10
__text:0000000100005E33                 jnz     short loc_100005E98
__text:0000000100005E35                 lea     rax, [rsi+1]
__text:0000000100005E39                 mov     [rbx+PSComDecodePacket.end_of_str], rax
__text:0000000100005E40                 mov     al, 1
__text:0000000100005E42                 test    cl, cl
__text:0000000100005E44                 js      short loc_100005E74
__text:0000000100005E46                 mov     edx, [rsi+1]                                [2]
__text:0000000100005E49                 add     rsi, 5
__text:0000000100005E4D                 mov     [rbx+PSComDecodePacket.end_of_str], rsi
__text:0000000100005E54                 mov     [r14], rsi
__text:0000000100005E57                 add     [rbx+PSComDecodePacket.end_of_str], rdx ;
__text:0000000100005E5E                 test    cl, 40h
__text:0000000100005E61                 jz      short loc_100005E72
__text:0000000100005E63                 add     rbx, 20h
__text:0000000100005E67                 mov     rsi, [r14]
__text:0000000100005E6A                 mov     rdi, rbx
__text:0000000100005E6D                 call    xor_decode                                  [3]

Starting at [1], we see the string location being loaded from a struct and moved into RSI. A few checks are made on the data which is controlled by the attacker and can be easily bypassed. Then at [2], we see some data being moved directly from the attacker controlled packet and into EDX. Further down, [3], we see a call to xor_decode which is of interest because the third argument to that function is EDX. The relevant function code for xor decode is shown below.

__text:0000000100006CC0                 push    rbp
__text:0000000100006CC1                 mov     rbp, rsp
__text:0000000100006CC4                 push    r14
__text:0000000100006CC6                 push    rbx
__text:0000000100006CC7                 mov     cl, [rdi+(PSComDecodePacket.length+0E0h)]
__text:0000000100006CCD                 mov     r9b, [rdi+(PSComDecodePacket.length+0E1h)]
__text:0000000100006CD4                 test    edx, edx                                                [1]
__text:0000000100006CD6                 jz      short loc_100006D2A
__text:0000000100006CD8                 lea     r8d, [rdx+0FFh]
__text:0000000100006CDF                 add     r8b, cl
__text:0000000100006CE2
__text:0000000100006CE2 loc_100006CE2:                          ; CODE XREF: xor_decode+62j
__text:0000000100006CE2                 movzx   ecx, cl
__text:0000000100006CE5                 lea     eax, [rcx+1]
__text:0000000100006CE8                 movzx   r14d, al
__text:0000000100006CEC                 movzx   r10d, byte ptr [rdi+r14]
__text:0000000100006CF1                 movzx   r11d, r10b
__text:0000000100006CF5                 movzx   r9d, r9b
__text:0000000100006CF9                 add     r9d, r11d
__text:0000000100006CFC                 movzx   eax, r9b
__text:0000000100006D00                 mov     bl, [rdi+rax]
__text:0000000100006D03                 mov     [rdi+r14], bl
__text:0000000100006D07                 mov     [rdi+rax], r10b
__text:0000000100006D0B                 movzx   eax, byte ptr [rdi+r14]
__text:0000000100006D10                 add     eax, r10d
__text:0000000100006D13                 movzx   eax, al
__text:0000000100006D16                 mov     al, [rdi+rax]
__text:0000000100006D19                 xor     [rsi], al                                               [2]
__text:0000000100006D1B                 inc     rsi
__text:0000000100006D1E                 inc     cl
__text:0000000100006D20                 dec     edx
__text:0000000100006D22                 jnz     short loc_100006CE2                                     [3]

At the beginning, EDX is being checked against zero, [1], then we subsequently fall into a loop. Some data is then grabbed from the packet structure and used at location [2]. This is XOR'd against user data in an attempt to deobfuscate the packet received. Continuing down a touch further we see an increment to RSI, CL and a decrement to EDX. EDX is then tested against zero and it is clear the loop will continue until EDX reaches zero. This means that the loop will be executed however many times the attacker passed in from the previous function, directly taken from the packet. The code will continue incrementing the packet pointer in RSI, causing a buffer overflow of attacker controlled data and ultimately leading to remote code execution.

Crash Information

./exc_handler ./psnotifyd
2017-01-24 13:18:26.374 psnotifyd[24597:8732293] Notify listening thread started
2017-01-24 13:18:26.375 psnotifyd[24597:8732293] Listening on socket 4
2017-01-24 13:18:26.377 psnotifyd[24597:8732289] CFSocketSetAddress bind failure: 48
2017-01-24 13:18:26.377 psnotifyd[24597:8732289] Telling any existing Notify processes that psnotifyd has started up.
2017-01-24 13:18:36.153 psnotifyd[24597:8732293] New notify connection incoming
2017-01-24 13:18:36.153 psnotifyd[24597:8732293] Spawning a new notify request handler thread
2017-01-24 13:18:36.153 psnotifyd[24597:8732293] Listening on socket 4
2017-01-24 13:18:36.153 psnotifyd[24597:8732519] New request handler thread started
2017-01-24 13:18:36.153 psnotifyd[24597:8732519] I got some stuff goin' on
2017-01-24 13:18:36.157 psnotifyd[24597:8732293] New notify connection incoming
2017-01-24 13:18:36.157 psnotifyd[24597:8732293] Spawning a new notify request handler thread
2017-01-24 13:18:36.157 psnotifyd[24597:8732293] Listening on socket 4
2017-01-24 13:18:36.157 psnotifyd[24597:8732522] New request handler thread started
2017-01-24 13:18:36.157 psnotifyd[24597:8732522] I got some stuff goin' on
2017-01-24 13:18:36.218 psnotifyd[24597:8732519] Exception: *** -[_NSZeroData getBytes:range:]: range {5, 4} exceeds data length 0

Crashed thread log =

0   psnotifyd                       0x0000000100006d19 0x100000000 + 27929
1   psnotifyd                       0x0000000100005e72 0x100000000 + 24178
2   psnotifyd                       0x0000000100005c81 0x100000000 + 23681
3   psnotifyd                       0x0000000100002071 0x100000000 + 8305
4   psnotifyd                       0x0000000100002937 0x100000000 + 10551
5   psnotifyd                       0x0000000100002392 0x100000000 + 9106
6   com.apple.Foundation            0x00007fff89e3de64 __NSThread__start__ + 1351
7   libsystem_pthread.dylib         0x00007fff997ec99d _pthread_body + 131
8   libsystem_pthread.dylib         0x00007fff997ec91a _pthread_start + 168
9   libsystem_pthread.dylib         0x00007fff997ea351 thread_start + 13

log name is: ./crashlogs/overflow.crashlog.txt
---
exception=EXC_BAD_ACCESS:signal=10:is_exploitable=yes:instruction_disassembly=xorb  %al,(%rsi):instruction_address=0x0000000100006d19:access_type=write:access_address=0x0000000104000000:
Crash accessing invalid address.

Timeline

2017-02-07 - Vendor Disclosure
2017-03-07 - Public Release

Credit

Discovered by Tyler Bohan of Cisco Talos. Talos would also like to thank NYU Osiris Lab for helping out with some of the reversing.