Disk Pulse Server GetServerInfo buffer overflow

2010-12-10T00:00:00
ID SAINT:749AEA1ED4ADD4BEBFF67B628759DB33
Type saint
Reporter SAINT Corporation
Modified 2010-12-10T00:00:00

Description

Added: 12/10/2010
BID: 43919

Background

Disk Pulse is a disk change monitoring solution.

Problem

A buffer overflow vulnerability in Disk Pulse Server allows remote attackers to execute arbitrary commands by sending a specially crafted GetServerInfo request to port 9120/TCP.

Resolution

Upgrade to a fixed version when available. Versions 2.2.34 and prior are known to be affected by this vulnerability.

References

<http://secunia.com/advisories/41745>

Limitations

Exploit works on Disk Pulse Server 2.2.34 on Windows Server 2003 SP2 (DEP OptOut) with security updates KB956802 and KB956572.

Platforms

Windows Server 2003