CVE-2021-1390 - Write-what-where Condition

Severity

67%

Complexity

8%

Confidentiality

98%

A vulnerability in one of the diagnostic test CLI commands of Cisco IOS XE Software could allow an authenticated, local attacker to execute arbitrary code on an affected device. To exploit this vulnerability, the attacker would need to have valid user credentials at privilege level 15. This vulnerability exists because the affected software permits modification of the run-time memory of an affected device under specific circumstances. An attacker could exploit this vulnerability by authenticating to the affected device and issuing a specific diagnostic test command at the CLI. A successful exploit could trigger a logic error in the code that was designed to restrict run-time memory modifications. The attacker could take advantage of this logic error to overwrite system memory locations and execute arbitrary code on the underlying Linux operating system (OS) of the affected device.

CVSS 3.1 Base Score 6.7. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVSS 2.0 Base Score 7.2. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C).

Demo Examples

Write-what-where Condition

CWE-123

The classic example of a write-what-where condition occurs when the accounting information for memory allocations is overwritten in a particular fashion. Here is an example of potentially vulnerable code:


               
}
free(buf2);

Vulnerability in this case is dependent on memory layout. The call to strcpy() can be used to write past the end of buf1, and, with a typical layout, can overwrite the accounting information that the system keeps for buf2 when it is allocated. Note that if the allocation header for buf2 can be overwritten, buf2 itself can be overwritten as well.

The allocation header will generally keep a linked list of memory "chunks". Particularly, there may be a "previous" chunk and a "next" chunk. Here, the previous chunk for buf2 will probably be buf1, and the next chunk may be null. When the free() occurs, most memory allocators will rewrite the linked list using data from buf2. Particularly, the "next" chunk for buf1 will be updated and the "previous" chunk for any subsequent chunk will be updated. The attacker can insert a memory address for the "next" chunk and a value to write into that memory address for the "previous" chunk.

This could be used to overwrite a function pointer that gets dereferenced later, replacing it with a memory address that the attacker has legitimate access to, where they have placed malicious code, resulting in arbitrary code execution.

Overview

Type

Cisco IOS

First reported 4 years ago

2021-03-24 20:15:00

Last updated 4 years ago

2021-03-30 13:13:00

Affected Software

Cisco IOS XE 16.8.1A

16.8.1a

Cisco IOS XE 16.8.1B

16.8.1b

Cisco IOS XE 16.8.1C

16.8.1c

Cisco IOS XE 16.8.1D

16.8.1d

Cisco IOS XE 16.8.1E

16.8.1e

Cisco IOS XE 16.8.1S

16.8.1s

Cisco IOS XE 16.8.2

16.8.2

Cisco IOS XE 16.8.3

16.8.3

Cisco IOS XE16.9.1

16.9.1

Cisco IOS XE 16.9.1A

16.9.1a

Cisco IOS XE 16.9.1B

16.9.1b

Cisco IOS XE 16.9.1C

16.9.1c

Cisco IOS XE 16.9.1D

16.9.1d

Cisco IOS XE 16.9.1S

16.9.1s

Cisco IOS XE 16.9.2

16.9.2

Cisco IOS XE 16.9.2A

16.9.2a

Cisco IOS XE 16.9.2S

16.9.2s

Cisco IOS XE 16.9.3

16.9.3

Cisco IOS XE 16.9.3A

16.9.3a

Cisco IOS XE 16.9.3H

16.9.3h

Cisco IOS XE 16.9.3S

16.9.3s

Cisco IOS XE 16.9.4C

16.9.4c

Cisco IOS XE 16.9.5

16.9.5

Cisco IOS XE 16.9.5F

16.9.5f

Cisco IOS XE 16.10.1

16.10.1

Cisco IOS XE 16.10.1A

16.10.1a

Cisco IOS XE 16.10.1B

16.10.1b

Cisco IOS XE 16.10.1C

16.10.1c

Cisco IOS XE 16.10.1D

16.10.1d

Cisco IOS XE 16.10.1E

16.10.1e

Cisco IOS XE 16.10.1F

16.10.1f

Cisco IOS XE 16.10.1G

16.10.1g

Cisco IOS XE 16.10.1S

16.10.1s

Cisco IOS XE 16.10.2

16.10.2

Cisco IOS XE 16.10.3

16.10.3

Cisco IOS XE 16.11.1

16.11.1

Cisco IOS XE 16.12.1

16.12.1

Cisco IOS XE 16.12.1Y

16.12.1y

Cisco IOS XE 16.12.2

16.12.2

Cisco IOS XE 16.12.2A

16.12.2a

Cisco IOS XE 16.12.4

16.12.4

Cisco IOS XE 17.1.1

17.1.1

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.