CVE-2021-20093: CmLAN Server Unencrypted Message Buffer Over-read
The CodeMeter CmLAN server allows unencrypted messages from remote clients if the message body starts with '\xA2\x05'. When generating a response, the server copies data from a heap-based buffer of 0x100 bytes to an output buffer to be sent in the response. The amount to copy is controlled by the client. An unauthenticated remote attacker can exploit this issue to disclose heap memory contents or crash the CodeMeter Runtime Server (i.e., CodeMeter.exe), depending on the size of the message sent to the server.
The following code snippet shows the vulnerability:
[...]
.text:0050FB0B lea eax, [edi+YS0001.buf] ; heap buffer of 0x100 bytes
.text:0050FB0E push [edi+YS0001.bufsz] ; attacker-controlled copy size
.text:0050FB0E ; buffer over-read -> info disclosure or DoS
.text:0050FB11 push eax
.text:0050FB12 lea eax, [ecx+8] ; output buffer in the response
.text:0050FB15 push eax
.text:0050FB16 call _memmove
[...]
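To make the defect concrete, here is an added C model of the response path described above (illustration only, not CodeMeter's code; the names ys_ctx and build_response_* and the struct layout are hypothetical). It shows the unchecked memmove from the 0x100-byte buffer beside a hardened version that validates the client-supplied size before copying.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model of the server-side object: only the 0x100-byte heap
 * buffer and the client-controlled copy size come from the advisory. */
#define YS_BUF_SIZE 0x100u

typedef struct {
    uint8_t  buf[YS_BUF_SIZE];  /* heap buffer copied into the response */
    uint32_t bufsz;             /* copy size, taken from the client message */
} ys_ctx;

/* Mirrors the disassembly: memmove(out, ctx->buf, ctx->bufsz) with no bound
 * check. A bufsz above 0x100 reads past buf (heap disclosure) and a large
 * enough value faults the process (DoS). Kept for contrast only. */
static size_t build_response_unchecked(const ys_ctx *ctx, uint8_t *out)
{
    memmove(out, ctx->buf, ctx->bufsz);
    return ctx->bufsz;
}

/* Hardened form: the untrusted size is checked against both the source
 * buffer and the destination capacity. Returns bytes written, or 0 with
 * *err set when the message must be rejected instead of served. */
static size_t build_response_checked(const ys_ctx *ctx, uint8_t *out,
                                     size_t out_cap, int *err)
{
    *err = 0;
    if (ctx->bufsz > YS_BUF_SIZE || ctx->bufsz > out_cap) {
        *err = 1;
        return 0;
    }
    memmove(out, ctx->buf, ctx->bufsz);
    return ctx->bufsz;
}

/* Self-check on constructed input: in-range sizes are served identically by
 * both paths, the over-read size is refused by the hardened one. Returns 1. */
static int demo_bounds_check(void)
{
    ys_ctx ctx;
    uint8_t out[YS_BUF_SIZE];
    int err;
    memset(ctx.buf, 0x41, sizeof ctx.buf);          /* constructed payload */
    ctx.bufsz = 16;
    if (build_response_unchecked(&ctx, out) != 16) return 0;
    if (build_response_checked(&ctx, out, sizeof out, &err) != 16 || err) return 0;
    if (out[15] != 0x41) return 0;
    ctx.bufsz = YS_BUF_SIZE + 1;                    /* the CVE-2021-20093 case */
    if (build_response_checked(&ctx, out, sizeof out, &err) != 0 || !err) return 0;
    return 1;
}
```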
Proof of Concept
The following PoC can be used to disclose heap memory contents:
The following PoC can be used to crash the CodeMeter Runtime Server (i.e., CodeMeter.exe):
The following shows the access violation exception caused by the buffer over-read:
CVE-2021-20094: CmWAN Server Unencrypted Message Remote DoS
The CodeMeter CmWAN server allows unencrypted messages from remote clients if the message body starts with '\xA2\x05'. When processing the message, the server calls an invalid C++ virtual function, resulting in an access violation exception leading to process termination. An unauthenticated remote attacker can exploit this issue to crash the CodeMeter Runtime Server (i.e., CodeMeter.exe).
The following code snippet shows the vulnerability:
[...]
.text:004FB799 mov edx, [ebp+pYS0083]
.text:004FB79C xor ecx, ecx
.text:004FB79E add esp, 0Ch
.text:004FB7A1 cmp [ebp+buf.cbData], ecx
.text:004FB7A4 cmovnz ecx, [ebp+buf.pbData]
.text:004FB7A8 mov eax, [edx]
.text:004FB7AA push ecx
.text:004FB7AB mov ecx, edx
.text:004FB7AD mov eax, [eax+28h]
.text:004FB7B0 call eax ; 0095f758 for CmWAN server
[...]
The code calls the virtual function at offset 0x28 of the vftable for class YS0083. However, the DWORD at that offset (0x95F758) does not point to a function in a code section. Instead it points into .rdata, a read-only section containing no code: at that address sits the RTTI Complete Object Locator for class YS0063.
[...]
.rdata:009177BC const YS0076::YS0083::`vftable' dd offset sub_43A3B0
.rdata:009177BC ; DATA XREF: sub_444CB0-B9F9↑o
.rdata:009177BC ; sub_43A3B0+F↑o
.rdata:009177BC ; sub_444CB0+4E↑o
.rdata:009177BC ; sub_465CA0-7C2↑o
.rdata:009177BC ; sub_465780+16↑o
.rdata:009177BC ; sub_4B9D00+156↑o
.rdata:009177BC ; sub_4BA590+68↑o
.rdata:009177BC ; sub_4D50C0+6D↑o
.rdata:009177BC ; sub_4D5270+7D↑o
.rdata:009177BC ; sub_563D60+4E↑o
.rdata:009177BC ; sub_563DD0+53↑o
.rdata:009177C0 dd offset sub_54BA30
.rdata:009177C4 dd offset sub_54B820
.rdata:009177C8 dd offset sub_54B920
.rdata:009177CC dd offset YS0306_decrypt
.rdata:009177D0 dd offset sub_54B430
.rdata:009177D4 dd offset sub_54B710
.rdata:009177D8 dd offset sub_54B550
.rdata:009177DC dd offset sub_54B540
.rdata:009177E0 dd offset sub_54B3E0
.rdata:009177E4 dd 95F758h
[...]
.rdata:0095F758 const YS0063::`RTTI Complete Object Locator' dd 0 ; signature
.rdata:0095F75C dd 0 ; offset of this vtable in complete class (from top)
.rdata:0095F760 dd 0 ; offset of constructor displacement
.rdata:0095F764 dd offset YS0063 `RTTI Type Descriptor' ; reference to type description
.rdata:0095F768 dd offset YS0063::`RTTI Class Hierarchy Descriptor' ; reference to hierarchy description
[...]
The end result is an access violation exception leading to process termination:
Proof of Concept
The following PoC can be used to crash the CodeMeter Runtime Server (i.e., CodeMeter.exe):