Openwsman HTTP Basic Auth Overflow

October 2, 2008

Web Services Management (WS-Management) is a specification of a SOAP-based protocol for the management of servers, devices, applications and more. Openwsman, maintained by Intel's Open-Source Technology Center, is a project intended to provide an open-source implementation of WS-Management and to expose system management information on the Linux operating system.

The openwsman 2.0.0 management service is vulnerable to remote buffer overflow attacks. One of the authorization schemes supported by Openwsman is HTTP Basic authentication. An example of the request header used by this scheme follows:

Authorization: Basic dnJ0OmZvb2Jhcg==

Openwsman decodes the authorization credential and stores it in a stack-based buffer without performing boundary checks. The buffer has a static size of 4096 bytes. By sending HTTP requests with a specially crafted Authorization header value (longer than 5462 bytes), a user without valid login credentials could trigger the buffer overflow. Base64 encodes every 3 bytes as 4 characters, so 4096 decoded bytes correspond to roughly 5462 encoded characters. Successful exploitation could lead to execution of arbitrary code on the vulnerable system with the privileges of the openwsman server process.

SonicWALL has released a generic IPS signature that will detect and prevent attacks targeting this vulnerability. The signature to address this vulnerability is:

  • 2060 Openwsman HTTP Basic Authentication BO Attempt