EMC NetWorker 7.6 sp3 – Denial of Service - 体验盒子

作者： Luigi Auriemma
日期： 2012-03-14
类别：
dos
平台：
multiple
来源：https://www.exploit-db.com/exploits/18601/
#######################################################################

 Luigi Auriemma

Application:EMC NetWorker (Legato)
http://www.emc.com/backup-and-recovery/networker/networker.htm
Versions: <= 7.6 sp3 (7.6.3.2 Build 860)
Platforms:AIX, HP-UX, Linux, Solaris, Windows
Bug:invalid read access
Exploitation: remote
Date: 14 Mar 2012
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web:aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's homepage:
"EMC NetWorker backup and recovery software centralizes, automates, and
accelerates data backup and recovery across your IT environment.
NetWorker delivers record-breaking performance and a wide range of data
protection options to safeguard your critical business data."


#######################################################################

======
2) Bug
======


nsrexecd is a service listening on some default ports (like 111, 7937
and 7938) plus another couple of random ones usually over port 8000.

Through a malformed RPC packet sent to one these random ports it's
possible to crash the service due to the hash calculation performed
over an arbitrary amount of data.

From librpc.dll:

0038B3CF 8B4424 3CMOV EAX,DWORD PTR SS:[ESP+3C] ; my_size
0038B3D3 8B6D 00MOV EBP,DWORD PTR SS:[EBP]
0038B3D6 2BF0 SUB ESI,EAX
0038B3D8 897424 38MOV DWORD PTR SS:[ESP+38],ESI
0038B3DC 8B33 MOV ESI,DWORD PTR DS:[EBX]; size
0038B3DE 8B9C24 90000000MOV EBX,DWORD PTR SS:[ESP+90]
0038B3E5 2BF0 SUB ESI,EAX ; size - my_size
0038B3E7 8B43 10MOV EAX,DWORD PTR DS:[EBX+10]
0038B3EA 50 PUSH EAX
0038B3EB 8D4C24 3CLEA ECX,DWORD PTR SS:[ESP+3C]
0038B3EF 51 PUSH ECX
0038B3F0 8D5424 48LEA EDX,DWORD PTR SS:[ESP+48]
0038B3F4 52 PUSH EDX
0038B3F5 2BF7 SUB ESI,EDI
0038B3F7 53 PUSH EBX
0038B3F8 897424 54MOV DWORD PTR SS:[ESP+54],ESI ; the new size
0038B3FC 896C24 50MOV DWORD PTR SS:[ESP+50],EBP
...
0038AFC5 8D4C24 0CLEA ECX,DWORD PTR SS:[ESP+C]
0038AFC9 51 PUSH ECX
0038AFCA 8B4C24 1CMOV ECX,DWORD PTR SS:[ESP+1C]
0038AFCE 8D5424 0CLEA EDX,DWORD PTR SS:[ESP+C]
0038AFD2 52 PUSH EDX
0038AFD3 8B51 04MOV EDX,DWORD PTR DS:[ECX+4]; new size
0038AFD6 8B09 MOV ECX,DWORD PTR DS:[ECX]
0038AFD8 52 PUSH EDX
0038AFD9 8B5424 2CMOV EDX,DWORD PTR SS:[ESP+2C]
0038AFDD 51 PUSH ECX
0038AFDE 8B48 20MOV ECX,DWORD PTR DS:[EAX+20]
0038AFE1 52 PUSH EDX
0038AFE2 8B50 1CMOV EDX,DWORD PTR DS:[EAX+1C]
0038AFE5 51 PUSH ECX
0038AFE6 52 PUSH EDX
0038AFE7 E8 04E3FFFFCALL LIBRPC.cryptoiface_get_hmac; hash crash

Note: after the crash it's necessary to restart also the other services
so that the situation can return normal and the bug can be tested
again.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/nsrexecd_1.dat
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18601.dat

nc SERVER PORT < nsrexecd_1.dat

it's enough to scan all the ports from 8000 to 10000 to catch the
correct one automatically.


#######################################################################

======
4) Fix
======


No fix.


#######################################################################