CVE: CVE-2020-1664

Tested Versions:

  • Junos OS 20.1R1.11

Product URL(s):

Description of the vulnerability

dcd is device control daemon and is running as root by default when the device starts. This daemon has a stack buffer overflow vulnerability that allows an attacker with low privilege to DOS the daemon or execute arbitrary code in the system with root privilege.

The vulnerability exists in create_debug_data() function:

FILE *create_debug_data()
{
  char v13; // [esp+3h] [ebp-51h]
  result = fopen("/var/tmp/dcd_debug.txt", "r");
  v1 = result;
  ifd_list_head = 0;
  if ( result )
  {
    dcd_global_dump_flag = 1;
    if ( fscanf(result, "%s", &v13) == 1 )
    {
      v15 = 0;
      stream = v1;
      do
      {
        dcd_print_i(
          8,
          "%u %s:%d %s() %s : Adding Interface %s to debug list",
          gDcdPid,
          "dcd.c",
          4770,
          "create_debug_data",
          szSev[0],
          &v13);
...

The buffer overflow vulnerability is caused by reading content in /var/tmp/dcd_debug.txt to a stack-based buffer. With the low privilege user, an attacker could put the long string to /var/tmp/dcd_debug.txt file to trigger the vulnerability.

The exploitation

The vulnerable function is called when the daemon started, so we will need to restart the daemon or reboot the router in order to trigger the vulnerability.

Summary, in order to exploit this vulnerability, there are two possible scenarios.

  • An attacker has a user with privilege at least “maintenance”. With the “maintenance” privilege, after put long “aaaa” string to “/var/tmp/dcd_debug” file, an attacker can run request system process terminate <pid> with pid of dcd daemon to restart the dcd daemon and trigger the vulnerability.

    PoC1

  • An attacker only have user with no privilege (read-only class privilege) With no privilege user, an attacker creates file using file copy command to fetch file from internet and wait for system reboot to trigger the vulnerability.

    PoC2

    For ease of visualization, we simulate a reboot of the router by re-starting the dcd daemon by root user. After triggering the vulnerability, the dcd daemon crash. We can demonstrate this by showing ps tree and the core dump file of dcd in /var/tmp directory.

Timeline:

  • 2020-06-12 Reported to Vendor, Vendor acknowledged on same day
  • 2020-10-14 Vendor patched the vulnerability