Complex Password vs. Buffer Overflow? And the winner is…

David Brucker
9 min read · Sep 28, 2023


A simple Buffer Overflow example

NOTE: After some further discussions with the vendor, it turned out the vulnerability is not a Buffer Overflow vulnerability but weak Exception Handling design. I leave the rest of the article as it is, because the results, risks and implications are still the same and would be quite similar to a BO vulnerability that doesn’t lead to RCE.

For me, hacking is comparable to gaming. You face certain challenges such as a final boss or a puzzle that needs to be solved. If the most obvious approaches don’t work right away, you have to develop new strategies and try things out to achieve the goal. The more difficult the final boss, the greater the satisfaction and gratification after a victory.

It’s similar with hacking: you check a mostly unknown system (the final boss) for security gaps (the weaknesses). Through a lot of research (studying attack patterns) and trial and error, you find vulnerabilities and learn to exploit them. With each vulnerability found, the system becomes easier to compromise and ultimately (hopefully) bring under control.

Due to time and cost reasons, systems are first tested for known vulnerabilities because these are documented and exploits are often available for them. If you then find vulnerabilities that can be exploited, that is very satisfying from a pentester’s perspective. But when you uncover undocumented security gaps (first?), it’s a completely different feeling…

First Things First

One of our clients hired us to attack mobile devices from a hacker’s perspective. The aim was to compromise the devices so that the sensitive company data stored on them could be accessed.

The devices were a tablet and a cell phone with an MDM agent installed and a kiosk application (details in the next section). The purpose of these devices is to provide users with only a handful of apps that are used during daily work. Users should not be able to make system settings or install additional apps.

If you are familiar with the terms mentioned so far and with buffer overflows, you can jump directly to the “Proof-of-Concept” section below.

What is an MDM agent?

An MDM (Mobile Device Management) agent is a software application used in mobile device management. These agents are often installed on mobile devices such as smartphones and tablets to enable management, monitoring, security and configuration of these devices through a central management platform.

The use of MDM agents is particularly widespread in businesses, educational institutions and other organizations to ensure the management and security of data stored on the devices and increase user productivity.

What is a kiosk application?

A kiosk application on mobile devices such as tablets is an application designed to transform the device into an interactive and controlled information or presentation point.

Examples of the use of kiosk apps include interactive information terminals, point-of-sale (POS) systems, digital menus, digital signage or even parental control apps that restrict access to certain apps and content for children.

What are buffer overflows?

A buffer overflow is like an overfilled bucket. Imagine you have a bucket that can only hold a certain amount of water. If you pour more water than the bucket can hold, the water will overflow and unwanted things will happen, such as damaging nearby electronic devices.

In the computer world, a buffer overflow is similar. When a computer program puts data into a memory area (the “bucket”), it can end up storing more data there than it has space for. As a result, this extra data could mess up or damage other things in the computer because it is stored outside of its allotted space.

This is a problem because people with the right know-how can exploit this to do unwanted things by intentionally pushing too much data into one memory area. The effects of such an attack are diverse. Most of the time a program simply crashes, but in the worst case, code execution (RCE) occurs, which results in the system being compromised.

Proof of concept

The following proof-of-concept describes how to find the security vulnerability in the “Baramundi EMM Agent” and how to exploit it. Possible effects and risks are discussed afterwards. For the sake of simplicity, only images from one of the two devices (the mobile phone) are shown. However, all of the experiments carried out could also be carried out on the tablet in the same or a very similar way.

The first step is to find out what a user can do with the device and what permissions they have.

The obvious thing to do is to first open the available apps to check what they allow. The kiosk app already prevents access to most apps.

Kiosk App

You can access the log entries directly in the Baramundi app (baramundi EMM Agent). Some of the information in this log is very revealing and includes, among other things, the key combination for entering the password to activate the administrator mode. The fact that the Baramundi app was made accessible in the kiosk app later turned out to be a configuration error and was immediately corrected by the client.

Baramundi App Logs

Other useful information contained in the log includes the password hash for activating administrator mode and the address of the server from which the device is managed.

The key combination mentioned above is important to know because it opens the door to almost all settings on the device. So if the password for the admin prompt is known, you get administrator rights.

In our case, it was a complex password that could not be easily guessed. Trying out lots of simple passwords also turned out to be inefficient because of the incrementally increasing timeout.

Password Timeout after third attempt

If you have a little programming experience, you know that all values are stored in variables. These variables are often assigned certain memory sizes, which means that an unlimited number of characters cannot be stored in a variable. For example, if the variable “Name” cannot contain more than 30 characters, then this should be enforced on both the front end and the back end. If no measures are taken in this regard, unexpected things often happen in an app (see the “What are buffer overflows?” section).

Back to our example. My assumption was the following: since the password entry for admin rights is “hidden” and is only used in rare cases, it can be assumed that this part of the code was not given the same attention as the rest during development. Bugs in program functions that are used more frequently are eventually discovered and reported.

After some trial and error, it became clear that a password longer than 71 characters would cause the Kiosk and Baramundi apps to crash. If you pull down the menu from the top with the right timing, settings that were previously inaccessible suddenly become available. The Baramundi app starts again immediately — but the kiosk app remains closed until you navigate back to the main menu.

The recording below shows that initially no settings are visible when swiping down. After entering a long password (more than 71 characters), the quick menu items can be called up. The Baramundi warning window also pops up briefly, but that doesn’t stop you from accessing the settings.

The best way to achieve the correct timing was to press the device buttons. The most promising method proved to be the “Opened Apps” button, which displays a list of all open apps. If you press it at the right moment (several times), the device remains in the current view and you can call up other menu items and apps at your leisure without reverting to the more “restrictive” state.

It is very likely that if you enter a password that is too long (>71 characters), the buffer will be overwritten with the 72nd, 73rd, 74th, etc. character and the data will end up in an unallocated memory area (see the section “What are buffer overflows?”). This leads to the Baramundi agent crashing, which restarts shortly afterwards — although not completely. At least some of the previously blocked settings are available after the crash.

Impact and risks

Exploiting the vulnerability was tested on two devices, each with different Baramundi EMM Agent versions (in brackets):

  • Lenovo TB-X606X (v22.2.190)
  • Samsung Xcover 4s (v23.1.50)

The potential impacts are diverse. For example, Bluetooth or NFC could be activated or Android’s Nearby Share to send or receive files. Android “Smart View” can also be used to mirror the display or customize the shortcut menus (Android calls them “panels”).

Android’s “Panels”

Via the Google Play Store, which can be added and opened via the panels, it is possible, for example, to install apps or play the pre-installed hot air balloon game (as long as there is no network connection). However, the subsequently installed apps can only be executed if the Baramundi Agent also allows the respective apps and therefore depends on the respective policy applied.

At the bottom: The Hot-Air Balloon Game
The game in action

The fact that Microsoft Teams could be installed was also quite practical. However, this was only possible because the app was approved by the administrator and has nothing to do with the vulnerability per se. This meant I could take the screenshots for the documentation directly on the device.

MS Teams

Even if the risks mentioned do not seem to be very critical at first, the crash of the Baramundi EMM agent still leads to a certain degree of privilege escalation.

Resetting the password entry timer also confirms that the agent will be reinitialized after the crash, which also makes guessing the password much easier.
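To make the two design defects concrete (unbounded input reaching a check that throws, and a lockout counter that exists only in process memory), here is an added model in Python of a fail-open prompt handler beside a fail-closed one. It is not Baramundi or kiosk-app code; the 71-character limit, the sample password, the back-off schedule and all function names are constructed for the illustration.

```python
"""Fail-open vs. fail-closed handling of a kiosk agent's admin-mode prompt (added
model of the behaviour above, not Baramundi or kiosk-app code; values constructed)."""
import hmac

MAX_PASSWORD_LEN = 71                 # constructed: field size the prompt can hold
ADMIN_PASSWORD = "Kj8#vQ2p!xR9mZ4"    # constructed sample secret

def backend_check(password: str) -> bool:
    """Stand-in verifier: over-long input raises instead of returning False."""
    if len(password) > MAX_PASSWORD_LEN:
        raise ValueError("input exceeds field size")
    return hmac.compare_digest(password.encode(), ADMIN_PASSWORD.encode())

def backoff_seconds(state: dict) -> int:
    """Timeout derived from the failure counter: none before the third failure, then doubling."""
    failures = state.get("failures", 0)
    return 0 if failures < 3 else 30 * 2 ** (failures - 3)

def weak_attempt(state: dict, password: str) -> str:
    """Fail-open: counter only in memory, exception uncaught, process dies and
    restarts with the counter at zero and the restrictions not re-applied."""
    try:
        ok = backend_check(password)
    except Exception:
        state.clear()                    # models the restart: counter is gone
        state["locked_down"] = False     # models the observed post-crash state
        return "crashed"
    state["failures"] = 0 if ok else state.get("failures", 0) + 1
    state["locked_down"] = not ok
    return "admin" if ok else "denied"

def hardened_attempt(state: dict, password: str) -> str:
    """Fail-closed: length-check first, any internal error is a failed attempt,
    counter kept in persisted state."""
    state.setdefault("failures", 0)
    state["locked_down"] = True          # stays locked unless explicitly unlocked
    if len(password) > MAX_PASSWORD_LEN:
        state["failures"] += 1           # rejected without reaching the verifier
        return "denied"
    try:
        ok = backend_check(password)
    except Exception:
        ok = False                       # an exception never escapes the prompt
    if ok:
        state["failures"] = 0
        state["locked_down"] = False
        return "admin"
    state["failures"] += 1
    return "denied"
```

In the weak variant an over-long input wipes the back-off timer and drops the restrictions; in the hardened variant the same input is just one more failed attempt and the timer keeps growing.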

Since the tested devices are client property and the time for the assessment was limited, we decided to submit our investigations to the manufacturer with the current state of knowledge.

The CVSS score v4.0 for this vulnerability is 5.2 (Medium):

https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N

The associated CVE number is CVE-2023-37605. The associated CVE entry in the database is already released.

Other potential vulnerabilities?

At the time of writing this article, it was not yet clear whether another potential vulnerability (a race condition) was actually a security hole, a lack of configuration settings, or a device-specific result that does not occur on other hardware.

The possible impact could be that additional settings can be accessed and changed directly from the Settings menu. The difference from the previous vulnerability is that not only the quick menu settings can be accessed.

Baramundi is currently still investigating the behavior. Once the cause of the issue is identified and a fix is provided, I will update the article accordingly.

Credits

For us as mindsetters, this assessment was once again proof of how important Pentesting is. You can’t always rely on well-patched software products — whose developers often do really good work. Programmers are under the same pressure to perform as we all are, and just like in a non-digital job, small mistakes can have big consequences. Mistakes will always happen, and artificial intelligence and blockchains won’t change that. Therefore: Even if you have well-functioning patch management in your own company, you should always check business-critical applications “manually” (or have them checked).

Finally, I would like to thank Baramundi for the excellent and uncomplicated communication. Software manufacturers are rarely so responsive, and a fix for the vulnerability was provided after just 4 days. The fixed version is EMM Agent v23.1.171.

I would also like to thank our clients. Without the trust and the great collaboration, such work would not have been possible.

If you would also like to subject the products you use to a stress test, please arrange a free initial consultation with us.

Timeline and Communication

  • August 14, 2023 — First contact with Baramundi (email)
  • August 21, 2023 — Baramundi confirms the vulnerability
  • August 25, 2023 — Baramundi releases fix for buffer overflow vulnerability (EMM Agent v23.1.171)
  • August 25, 2023 — Another vulnerability reported (Race Condition)
  • September 1, 2023 — Baramundi validates legitimacy of RC vulnerability
  • TBC
