#######################################################################

                             Luigi Auriemma

Application:  EMC Data Protection Advisor
              http://www.emc.com/backup-and-recovery/data-protection-advisor/data-protection-advisor.htm
Versions:     <= 5.8.1
Platforms:    AIX, HP-UX, Linux, Solaris, Windows
Bugs:         A] cProcessAuthenticationData NULL pointer
              B] thread CPU 100%
Exploitation: remote
Date:         29 Mar 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From vendor's homepage:
"EMC Data Protection Advisor: Manage service levels, reduce complexity, and eliminate manual efforts with EMC’s powerful data protection management software that automates monitoring, analysis, alerting, and reporting across backup, replication, and virtual environments."

#######################################################################

=======
2) Bugs
=======

------------------------------------------
A] cProcessAuthenticationData NULL pointer
------------------------------------------

A missing password field, or an empty password, in the AUTHENTICATECONNECTION command required to log in leads to a NULL pointer dereference in the DPA_Utilities.cProcessAuthenticationData function:

  10042EA0  /$ 55             PUSH EBP
  10042EA1  |. 8BEC           MOV EBP,ESP
  10042EA3  |. 83EC 0C        SUB ESP,0C
  10042EA6  |. A1 B04F0C10    MOV EAX,DWORD PTR DS:[100C4FB0]
  10042EAB  |. 33C5           XOR EAX,EBP
  10042EAD  |. 8945 FC        MOV DWORD PTR SS:[EBP-4],EAX
  10042EB0  |. 53             PUSH EBX
  10042EB1  |. 56             PUSH ESI
  10042EB2  |. 8BF1           MOV ESI,ECX
  10042EB4  |. 57             PUSH EDI
  10042EB5  |. 56             PUSH ESI
  10042EB6  |. E8 93E3FBFF    CALL DPA_Util.decodeString
  10042EBB  |. 8BC8           MOV ECX,EAX
  10042EBD  |. 83C4 08        ADD ESP,8
  10042EC0  |. 8D59 01        LEA EBX,DWORD PTR DS:[ECX+1]
  10042EC3  |> 8A11           /MOV DL,BYTE PTR DS:[ECX]            ; strlen() NULL pointer
  10042EC5  |. 83C1 01        |ADD ECX,1
  10042EC8  |. 84D2           |TEST DL,DL
  10042ECA  |.^75 F7          \JNZ SHORT DPA_Util.10042EC3

------------------
B] thread CPU 100%
------------------

Endless loop in the DPA_Utilities library while handling the protocol if a negative 64-bit size field is used:

  100138FC  > 3BF1           CMP ESI,ECX
  100138FE  . 75 0C          JNZ SHORT DPA_Util.1001390C
  10013900  . 8B55 E4        MOV EDX,DWORD PTR SS:[EBP-1C]
  10013903  . 0B55 E8        OR EDX,DWORD PTR SS:[EBP-18]
  10013906  . 0F84 C1020000  JE DPA_Util.10013BCD
  1001390C  > 2975 DC        SUB DWORD PTR SS:[EBP-24],ESI
  1001390F  . 68 20870910    PUSH DPA_Util.10098720               ; "nsReadRequest"
  ...
  100137F0  > 8B7D 08        MOV EDI,DWORD PTR SS:[EBP+8]
  100137F3  > 8B75 E4        MOV ESI,DWORD PTR SS:[EBP-1C]
  100137F6  > 837D E8 00     CMP DWORD PTR SS:[EBP-18],0          ; signed comparison
  100137FA  . 7F 4A          JG SHORT DPA_Util.10013846
  100137FC  . 7C 04          JL SHORT DPA_Util.10013802
  100137FE  . 85F6           TEST ESI,ESI
  10013800  . 77 44          JA SHORT DPA_Util.10013846
  10013802  > 837D E0 00     CMP DWORD PTR SS:[EBP-20],0          ; signed comparison
  10013806  . 0F8C 0B040000  JL DPA_Util.10013C17
  1001380C  . 7F 0A          JG SHORT DPA_Util.10013818
  1001380E  . 837D DC 00     CMP DWORD PTR SS:[EBP-24],0
  10013812  . 0F86 FF030000  JBE DPA_Util.10013C17
  10013818  > BF 1B700910    MOV EDI,DPA_Util.1009701B
  1001381D  . 33F6           XOR ESI,ESI
  1001381F  > 33C9           XOR ECX,ECX
  10013821  . 894D F4        MOV DWORD PTR SS:[EBP-C],ECX
  10013824  . 894D F0        MOV DWORD PTR SS:[EBP-10],ECX
  10013827  . 390B           CMP DWORD PTR DS:[EBX],ECX
  10013829  . 894D F8        MOV DWORD PTR SS:[EBP-8],ECX
  1001382C  . 894D EC        MOV DWORD PTR SS:[EBP-14],ECX
  1001382F  . 0F84 C7000000  JE DPA_Util.100138FC

Note that this loop doesn't affect the working of the other connections to the affected service.
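The two defect patterns above, a string function called on a decoder result that can be NULL (bug A) and a 64-bit size field validated with a signed comparison (bug B), beside the checks that close them. This is an added example written for this page; it is neither EMC's code nor part of the advisory. All names (auth_decode, auth_password_length, size_ok, read_body, fake_sock) are hypothetical, and the "key=value;key=value" wire format is constructed for the example, not DPA's real protocol.

```c
/* Added example, not EMC's code or the advisory's: bug A and bug B patterns
   with hardened counterparts. All names are hypothetical; the "key=value;"
   command format and the in-memory socket are constructed for the example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for decodeString(): returns a pointer to the value of `field`, or
   NULL when the field is absent or empty. A decoder that can return NULL is
   exactly what makes the unchecked strlen() in bug A reachable. */
static const char *auth_decode(const char *command, const char *field)
{
    size_t flen = strlen(field);
    const char *p = command;
    while (p && *p) {
        if (strncmp(p, field, flen) == 0 && p[flen] == '=') {
            const char *v = p + flen + 1;
            return (*v == '\0' || *v == ';') ? NULL : v;
        }
        p = strchr(p, ';');
        if (p) p++;
    }
    return NULL;
}

/* Bug A, hardened: reject the AUTHENTICATECONNECTION command before any
   string function touches the password. Returns 1 and the length when a
   non-empty password is present, 0 (reject the login) otherwise. */
static int auth_password_length(const char *command, size_t *len_out)
{
    const char *pw = auth_decode(command, "password");
    if (pw == NULL)
        return 0;                       /* missing or empty: no strlen(NULL) */
    const char *end = strchr(pw, ';');  /* value ends at the separator or NUL */
    *len_out = end ? (size_t)(end - pw) : strlen(pw);
    return 1;
}

/* Bug B, vulnerable pattern: the 64-bit size is compared as a signed value,
   so 0xFFFFFFFFFFFFFFFF (-1) is "smaller" than any limit and is accepted. */
static int size_ok_signed(uint64_t wire_size, size_t limit)
{
    return (int64_t)wire_size <= (int64_t)limit;
}

/* Bug B, hardened: unsigned comparison against the real buffer capacity;
   zero is rejected because a body read of zero bytes has nothing to do. */
static int size_ok(uint64_t wire_size, size_t limit)
{
    return wire_size != 0 && wire_size <= (uint64_t)limit;
}

/* Constructed in-memory "socket" so the read loop runs offline. */
typedef struct { const unsigned char *data; size_t len, pos; } fake_sock;

static size_t fake_recv(fake_sock *s, unsigned char *buf, size_t want)
{
    size_t avail = s->len - s->pos;
    size_t n = want < avail ? want : avail;
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return n;                           /* 0: the peer sends nothing more */
}

/* Hardened body read for a nsReadRequest-style message: validate the size
   before reading, keep the remaining count unsigned, and stop on a zero-byte
   read instead of spinning forever on an unsatisfiable size.
   Returns 0 on success, -1 for a rejected size, -2 for a truncated stream. */
static int read_body(fake_sock *s, uint64_t wire_size, unsigned char *out, size_t cap)
{
    if (!size_ok(wire_size, cap))
        return -1;
    size_t remaining = (size_t)wire_size, got = 0;
    while (remaining > 0) {
        size_t n = fake_recv(s, out + got, remaining);
        if (n == 0)
            return -2;
        got += n;
        remaining -= n;
    }
    return 0;
}

int main(void)
{
    size_t n = 0;
    printf("password present:  %d\n", auth_password_length("user=admin;password=s3cret", &n));
    printf("password empty:    %d\n", auth_password_length("user=admin;password=", &n));
    printf("signed check accepts UINT64_MAX:   %d\n", size_ok_signed(UINT64_MAX, 4096));
    printf("unsigned check accepts UINT64_MAX: %d\n", size_ok(UINT64_MAX, 4096));
    return 0;
}
```

The value in the advisory's second PoC, 18446744073709551615, is UINT64_MAX; size_ok_signed shows why a signed check lets it through while size_ok does not. The read loop also guards the second half of bug B: even a size that passes validation cannot spin the thread at 100% CPU once a zero-byte read from the peer ends the loop.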
Both the bugs can be exploited in the following services:
- DPA_Controller on port 3916
- DPA_Listener on port 4001

#######################################################################

===========
3) The Code
===========

A] http://aluigi.org/poc/dpa_1.zip

     dpa_1 SERVER

B] http://aluigi.org/testz/udpsz.zip

     udpsz -c "18446744073709551615/1/UNB" -T SERVER 3916 -1

#######################################################################

======
4) Fix
======

No fix.

#######################################################################