CVE-2020-8688
A remote, exploitable denial-of-service vulnerability exists in the web API functionality of Intel Raid Web Console 3. A specially crafted request can lead to a null pointer dereference in the Intel Raid Web Console server. This would result in a denial of service until the user restarts LSA.exe. A remote unauthenticated attacker can send a POST request to trigger this vulnerability.
Intel Raid Web Console 3 v007.009.011.000
Intel Raid Web Console 3 Download
7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-476: NULL Pointer Dereference
Intel RAID Web Console 3 (RWC3) software is a web-based application that monitors, maintains, troubleshoots and configures functions for Intel RAID products. The RWC3 graphical user interface (GUI) simplifies the viewing of an existing server hardware configuration, as well as creating and managing storage configurations.
The modules involved in this vulnerability are:
Image path: C:\Program Files (x86)\LSI\LSIStorageAuthority\bin\PluginManager.dll
Image name: PluginManager.dll
Timestamp: Fri Jan 11 00:57:22 2019 (5C385A72)
CheckSum: 006A30EA
ImageSize: 006A5000
File version: 7.9.11.0
Product version: 7.9.11.0
Image path: C:\Program Files (x86)\LSI\LSIStorageAuthority\bin\HTTP.dll
Image name: HTTP.dll
Timestamp: Fri Jan 11 00:10:36 2019 (5C384F7C)
CheckSum: 00039A00
ImageSize: 00032000
File version: 7.9.11.0
Product version: 7.9.11.0
One of the features of the Intel RAID web API is the ability to add servers to the product for monitoring. One example of the parameters for the endpoint responsible for adding servers is:
{"action":"ADD", "parameters":{"server":"/lsi/storage/mr/api/1.0/servers/192.168.31.1"}}
In this case, the /api/1.0/servers path in the server parameter assumes that there is already an active session with the client, and the application will use this session to query for the requested server, 192.168.31.1. To do so, the cookie for this session is looked up.
PluginManager+0x3bdad6
.text:003BDAD6 mov edx, [eax]
.text:003BDAD8 mov ecx, eax
.text:003BDADA mov eax, [edx+30h]
.text:003BDADD call eax ; Call to http::FCGIHTTPCommand::getSessionCookie
The session ID is then retrieved from the newly received SessionCookie object.
PluginManager+0x3bdadf
.text:003BDADF mov ecx, eax ; this
.text:003BDAE1 call ?getSessionId@SessionCookie@http@@QBEABVSessionID@2@XZ ; http::SessionCookie::getSessionId(void)
HTTP+0x17540
.text:00017540 lea eax, [ecx+74h]
.text:00017543 retn
The session cookie is located by iterating over the request's cookies looking for one named SESSIONID [0]. If no such cookie is present, the function returns zero, i.e. a NULL SessionCookie pointer [1].
.text:00008BD6 mov ecx, [edi+58h]
.text:00008BD9 sub ecx, [edi+54h]
.text:00008BDC sar ecx, 2
.text:00008BDF cmp ebp, ecx
.text:00008BE1 jb short loc_8BE9
.text:00008BE3 call ds:_invalid_parameter_noinfo
.text:00008BE9
.text:00008BE9 mov edx, [edi+54h]
.text:00008BEC mov ebx, [edx+ebp*4]
.text:00008BEF mov eax, [ebx]
.text:00008BF1 mov edx, [eax+4]
.text:00008BF4 mov ecx, ebx
.text:00008BF6 call edx
.text:00008BF8 test eax, eax
.text:00008BFA jnz short loc_8C23
.text:00008BFC mov eax, offset aHttpCookieGetN ; "http::Cookie::get_name"
.text:00008C01 lea esi, [esp+0D8h+var_C8]
.text:00008C05 call sub_3070
.text:00008C0A mov ecx, esi ; this
.text:00008C0C call ??1formatted_log_t@utils@@UAE@XZ ; utils::formatted_log_t::~formatted_log_t(void)
.text:00008C11 push offset aSessionid ; "SESSIONID" ; [0]
.text:00008C16 lea ecx, [ebx+4]
.text:00008C19 call ds:?compare@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEHPBD@Z
.text:00008C1F test eax, eax
.text:00008C21 jz short loc_8C3B
.text:00008C23
.text:00008C23 mov eax, [edi+58h]
.text:00008C26 sub eax, [edi+54h]
.text:00008C29 inc ebp
.text:00008C2A sar eax, 2
.text:00008C2D cmp ebp, eax
.text:00008C2F jb short loc_8BD6
.text:00008C31
.text:00008C31 xor eax, eax ; [1]
.text:00008C33 pop edi
.text:00008C34 pop esi
.text:00008C35 pop ebp
.text:00008C36 pop ebx
.text:00008C37 mov esp, ebp
.text:00008C39 pop ebp
.text:00008C3A retn
When the code then tries to read the session ID out of this non-existent SessionCookie object, getSessionId simply computes this+0x74 on the NULL pointer (note edi=00000074 in the crash output that follows), and the subsequent std::string::assign reads through that small offset from null (address 0x88). The resulting access violation crashes the server and results in a denial of service.
0:010> g
eax=00000000 ebx=02b1b2e8 ecx=02b1b2e8 edx=005d0000 esi=02b1b2e8 edi=00000074
eip=6fd7633a esp=02b1b190 ebp=02b1b19c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
MSVCP90!std::basic_string<char,std::char_traits<char>,std::allocator<char> >::assign+0x10:
6fd7633a 394714 cmp dword ptr [edi+14h],eax ds:002b:00000088=????????
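The cookie lookup and the unchecked use of its result, modelled in C as an added example; this is illustrative code written for this page, not Intel's or LSI's. The struct layouts, field and function names, and the shape of the ADD handler are assumptions; the only layout fact taken from the advisory is that getSessionId returns this+0x74, which is why a NULL object yields the 0x74 pointer seen in edi. The checked handler shows the fix a practitioner would expect: refuse the request when no SESSIONID cookie is present instead of dereferencing the result.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the objects seen in the disassembly (assumed names
 * and layouts). session_id is placed at this+0x74 because that is what
 * SessionCookie::getSessionId returns ('lea eax,[ecx+74h]'). */
struct Cookie {
    const char *name;
    const char *value;
};

struct SessionCookie {
    unsigned char other_fields[0x74]; /* assumed filler to reach the offset */
    char session_id[64];              /* this+0x74, as in getSessionId */
};

struct Request {
    const struct Cookie *cookies;
    size_t num_cookies;
};

enum { ADD_SERVER_OK = 0, ADD_SERVER_NO_SESSION = -1 };

/* Mirrors the loop at HTTP+0x8BD6: walk the request's cookies looking for
 * one named "SESSIONID" ([0]); return NULL when none is present ([1]). */
const struct Cookie *find_session_cookie(const struct Request *req)
{
    for (size_t i = 0; i < req->num_cookies; i++)
        if (strcmp(req->cookies[i].name, "SESSIONID") == 0)
            return &req->cookies[i];
    return NULL;
}

/* Mirrors getSessionCookie: materialises a SessionCookie from the cookie,
 * or returns NULL when the request carried no SESSIONID. */
struct SessionCookie *get_session_cookie(const struct Request *req,
                                         struct SessionCookie *storage)
{
    const struct Cookie *c = find_session_cookie(req);
    if (c == NULL)
        return NULL;
    memset(storage, 0, sizeof *storage);
    snprintf(storage->session_id, sizeof storage->session_id, "%s", c->value);
    return storage;
}

/* The address getSessionId hands back. 'lea' performs no load, so on a NULL
 * object it silently produces 0x74 (edi=00000074 in the crash); the fault
 * only happens when the caller reads through that pointer ([edi+14h]). */
uintptr_t session_id_address(const struct SessionCookie *sc)
{
    return (uintptr_t)sc + offsetof(struct SessionCookie, session_id);
}

/* Vulnerable shape of the ADD handler: the result of get_session_cookie is
 * used without a NULL check, so a request with no SESSIONID cookie reads
 * from address 0x74 and the process dies. Shown for contrast; never called. */
int add_server_unchecked(const struct Request *req, char *out, size_t out_len)
{
    struct SessionCookie storage;
    struct SessionCookie *sc = get_session_cookie(req, &storage);
    const char *id = (const char *)session_id_address(sc); /* may be 0x74 */
    snprintf(out, out_len, "%s", id);                       /* NULL deref */
    return ADD_SERVER_OK;
}

/* Hardened shape: reject the request before touching the object. */
int add_server_checked(const struct Request *req, char *out, size_t out_len)
{
    struct SessionCookie storage;
    struct SessionCookie *sc = get_session_cookie(req, &storage);
    if (sc == NULL)
        return ADD_SERVER_NO_SESSION; /* e.g. answer 401 instead of crashing */
    snprintf(out, out_len, "%s", sc->session_id);
    return ADD_SERVER_OK;
}

/* Constructed requests: one from an unauthenticated client with no session
 * cookie, one carrying SESSIONID=abc123. */
int demo_result(int with_session, char *out, size_t out_len)
{
    static const struct Cookie anon[] = { { "theme", "dark" } };
    static const struct Cookie authed[] = { { "theme", "dark" },
                                            { "SESSIONID", "abc123" } };
    struct Request req;
    if (with_session) { req.cookies = authed; req.num_cookies = 2; }
    else              { req.cookies = anon;   req.num_cookies = 1; }
    return add_server_checked(&req, out, out_len);
}

int main(void)
{
    char id[64];
    printf("NULL object -> getSessionId would return %#lx\n",
           (unsigned long)session_id_address(NULL));
    printf("no cookie: %d\n", demo_result(0, id, sizeof id));
    printf("with cookie: %d (%s)\n", demo_result(1, id, sizeof id), id);
    return 0;
}
```

The point of the model is the lea-versus-load distinction: nothing in getSessionId itself faults, so a NULL check placed only around the string copy would still be too late in other callers. The check belongs at the boundary where the session object is obtained, which is also where the server can return a proper authentication error to an unauthenticated POST.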
2019-10-28 - Initial contact
2019-11-05 - 2nd contact; Vendor acknowledged & assigned PSIRT reference
2019-11-19 - Vendor requested disclosure extension for March timeline
2020-03-10 - Vendor confirmed mitigations
2020-03-24 - Public Release
Discovered by Geoff Serrao and Cory Duplantis of Cisco Talos.