#######################################################################
Luigi Auriemma
Application: EMC NetWorker (Legato)
http://www.emc.com/backup-and-recovery/networker/networker.htm
Versions: <= 7.6 sp3 (7.6.3.2 Build 860)
Platforms: AIX, HP-UX, Linux, Solaris, Windows
Bug: invalid read access
Exploitation: remote
Date: 14 Mar 2012
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
From vendor's homepage:
"EMC NetWorker backup and recovery software centralizes, automates, and
accelerates data backup and recovery across your IT environment.
NetWorker delivers record-breaking performance and a wide range of data
protection options to safeguard your critical business data."
#######################################################################
======
2) Bug
======
nsrexecd is a service listening on some default ports (like 111, 7937
and 7938) plus another couple of random ones usually over port 8000.
Through a malformed RPC packet sent to one of these random ports it's
possible to crash the service due to the hash calculation performed
over an arbitrary amount of data.
From librpc.dll:
0038B3CF 8B4424 3C MOV EAX,DWORD PTR SS:[ESP+3C] ; my_size
0038B3D3 8B6D 00 MOV EBP,DWORD PTR SS:[EBP]
0038B3D6 2BF0 SUB ESI,EAX
0038B3D8 897424 38 MOV DWORD PTR SS:[ESP+38],ESI
0038B3DC 8B33 MOV ESI,DWORD PTR DS:[EBX] ; size
0038B3DE 8B9C24 90000000 MOV EBX,DWORD PTR SS:[ESP+90]
0038B3E5 2BF0 SUB ESI,EAX ; size - my_size
0038B3E7 8B43 10 MOV EAX,DWORD PTR DS:[EBX+10]
0038B3EA 50 PUSH EAX
0038B3EB 8D4C24 3C LEA ECX,DWORD PTR SS:[ESP+3C]
0038B3EF 51 PUSH ECX
0038B3F0 8D5424 48 LEA EDX,DWORD PTR SS:[ESP+48]
0038B3F4 52 PUSH EDX
0038B3F5 2BF7 SUB ESI,EDI
0038B3F7 53 PUSH EBX
0038B3F8 897424 54 MOV DWORD PTR SS:[ESP+54],ESI ; the new size
0038B3FC 896C24 50 MOV DWORD PTR SS:[ESP+50],EBP
...
0038AFC5 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
0038AFC9 51 PUSH ECX
0038AFCA 8B4C24 1C MOV ECX,DWORD PTR SS:[ESP+1C]
0038AFCE 8D5424 0C LEA EDX,DWORD PTR SS:[ESP+C]
0038AFD2 52 PUSH EDX
0038AFD3 8B51 04 MOV EDX,DWORD PTR DS:[ECX+4] ; new size
0038AFD6 8B09 MOV ECX,DWORD PTR DS:[ECX]
0038AFD8 52 PUSH EDX
0038AFD9 8B5424 2C MOV EDX,DWORD PTR SS:[ESP+2C]
0038AFDD 51 PUSH ECX
0038AFDE 8B48 20 MOV ECX,DWORD PTR DS:[EAX+20]
0038AFE1 52 PUSH EDX
0038AFE2 8B50 1C MOV EDX,DWORD PTR DS:[EAX+1C]
0038AFE5 51 PUSH ECX
0038AFE6 52 PUSH EDX
0038AFE7 E8 04E3FFFF CALL LIBRPC.cryptoiface_get_hmac ; hash crash
Note: after the crash it's also necessary to restart the other services
so that the situation returns to normal and the bug can be tested
again.
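As an added illustration (not code from the advisory or from NetWorker), the length arithmetic visible in the listing (size - my_size - EDI) beside a checked version that refuses inconsistent packets before anything is hashed. The packet layout (payload starting right after my_size bytes), the use of FNV-1a as a stand-in for the HMAC and all sample values are assumptions:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-ins for the three values seen in the listing:
 * 'size' is the length field read from the packet, 'my_size' and the
 * value held in EDI are fixed lengths already accounted for. The real
 * librpc.dll structures are not reconstructed here. */

/* Unchecked arithmetic as in the listing. With an attacker-chosen
 * 'size' smaller than the subtracted amounts the unsigned result
 * wraps to a huge value that is then used as the number of bytes to
 * hash, which is how the read runs off the packet buffer. */
uint32_t hmac_len_unchecked(uint32_t size, uint32_t my_size, uint32_t edi)
{
    return size - my_size - edi;
}

/* Hardened variant: reject any packet whose declared size is smaller
 * than the fixed parts (underflow) or larger than the bytes actually
 * received (over-read). Only then derive the length for the hash. */
bool hmac_len_checked(uint32_t size, uint32_t my_size, uint32_t edi,
                      size_t received, uint32_t *out)
{
    *out = 0;
    if ((uint64_t)my_size + edi > size) return false; /* would underflow */
    if (size > received) return false;               /* past the packet */
    *out = size - my_size - edi;
    return true;
}

/* Stand-in for the hashing call: FNV-1a over the checked region only,
 * so a malformed length can never walk off the buffer. Returns 0 for a
 * rejected packet (a real implementation would return an error code).
 * Assumption: the hashed payload starts at offset my_size. */
uint32_t hash_payload(const uint8_t *pkt, size_t received,
                      uint32_t size, uint32_t my_size, uint32_t edi)
{
    uint32_t len, h = 2166136261u;
    if (!hmac_len_checked(size, my_size, edi, received, &len)) return 0;
    for (uint32_t i = 0; i < len; i++) {
        h ^= pkt[my_size + i];
        h *= 16777619u;
    }
    return h;
}
```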
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/nsrexecd_1.dat
http://www.exploit-db.com/sploits/18601.dat
nc SERVER PORT < nsrexecd_1.dat
It's enough to scan all the ports from 8000 to 10000 to catch the
correct one automatically.
#######################################################################
======
4) Fix
======
No fix.
#######################################################################