HP Diagnostics Server magentservice.exe Integer Wrap

2012-01-26T00:00:00
ID SAINT:BC6A289F830FFB1BFC0E0A00A5C37ED3
Type saint
Reporter SAINT Corporation
Modified 2012-01-26T00:00:00

Description

Added: 01/26/2012
CVE: CVE-2011-4789
BID: 51398
OSVDB: 78309

Background

HP Diagnostics software monitors application transaction health in traditional, virtualized and cloud environments.

Problem

A vulnerability exists in the way the magentservice.exe service handles network requests. Subtraction is applied to part of the packet to determine how much memory to allocate. If a message is crafted such that an integer wrap occurs during this subtraction, a stack overflow may occur, which may allow an attacker to gain execution control.

Resolution

A patch is not available at the time of publication. Limit access to TCP port 23472.

References

<http://www.zerodayinitiative.com/advisories/ZDI-12-016/>

Limitations

This exploit has been tested against HP Diagnostics Server 9.10 on Windows Server 2003 SP2 English (DEP OptOut) with KB956802 and KB2393802.

Exploit requires the IO-Socket-SSL PERL module to be installed on the scanning host. This module is available from <http://www.cpan.org/modules/by-module/IO/>.

Platforms

Windows