#######################################################################

                             Luigi Auriemma

Application:  EMC Data Protection Advisor
              http://www.emc.com/backup-and-recovery/data-protection-advisor/data-protection-advisor.htm
Versions:     <= 5.8.1
Platforms:    AIX, HP-UX, Linux, Solaris, Windows
Bugs:         A] cProcessAuthenticationData NULL pointer
              B] thread CPU 100%
Exploitation: remote
Date:         29 Mar 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From vendor's homepage:
"EMC Data Protection Advisor: Manage service levels, reduce complexity,
and eliminate manual efforts with EMC’s powerful data protection
management software that automates monitoring, analysis, alerting, and
reporting across backup, replication, and virtual environments."

#######################################################################

=======
2) Bugs
=======

------------------------------------------
A] cProcessAuthenticationData NULL pointer
------------------------------------------

A missing or empty password field in the AUTHENTICATECONNECTION command
required to log in leads to a NULL pointer dereference in the
DPA_Utilities.cProcessAuthenticationData function: the pointer returned
by decodeString is NULL and the inlined strlen() loop that follows reads
from it without any check:

  10042EA0  /$  55                PUSH EBP
  10042EA1  |.  8BEC              MOV EBP,ESP
  10042EA3  |.  83EC 0C           SUB ESP,0C
  10042EA6  |.  A1 B04F0C10       MOV EAX,DWORD PTR DS:[100C4FB0]
  10042EAB  |.  33C5              XOR EAX,EBP
  10042EAD  |.  8945 FC           MOV DWORD PTR SS:[EBP-4],EAX
  10042EB0  |.  53                PUSH EBX
  10042EB1  |.  56                PUSH ESI
  10042EB2  |.  8BF1              MOV ESI,ECX
  10042EB4  |.  57                PUSH EDI
  10042EB5  |.  56                PUSH ESI
  10042EB6  |.  E8 93E3FBFF       CALL DPA_Util.decodeString
  10042EBB  |.  8BC8              MOV ECX,EAX
  10042EBD  |.  83C4 08           ADD ESP,8
  10042EC0  |.  8D59 01           LEA EBX,DWORD PTR DS:[ECX+1]
  10042EC3  |>  8A11              /MOV DL,BYTE PTR DS:[ECX]        ; strlen() NULL pointer
  10042EC5  |.  83C1 01           |ADD ECX,1
  10042EC8  |.  84D2              |TEST DL,DL
  10042ECA  |.^ 75 F7             \JNZ SHORT DPA_Util.10042EC3

------------------
B] thread CPU 100%
------------------

An endless loop in the DPA_Utilities library while handling the protocol,
triggered by a negative 64-bit size field: the size is tested with signed
comparisons (the JG/JL below), so a value such as 18446744073709551615
(0xFFFFFFFFFFFFFFFF, -1 as a signed 64-bit integer) is treated as a
negative size and the loop never terminates:

  100138FC  >   3BF1              CMP ESI,ECX
  100138FE  .   75 0C             JNZ SHORT DPA_Util.1001390C
  10013900  .   8B55 E4           MOV EDX,DWORD PTR SS:[EBP-1C]
  10013903  .   0B55 E8           OR EDX,DWORD PTR SS:[EBP-18]
  10013906  .   0F84 C1020000     JE DPA_Util.10013BCD
  1001390C  >   2975 DC           SUB DWORD PTR SS:[EBP-24],ESI
  1001390F  .   68 20870910       PUSH DPA_Util.10098720           ; "nsReadRequest"
  ...
  100137F0  >   8B7D 08           MOV EDI,DWORD PTR SS:[EBP+8]
  100137F3  >   8B75 E4           MOV ESI,DWORD PTR SS:[EBP-1C]
  100137F6  >   837D E8 00        CMP DWORD PTR SS:[EBP-18],0      ; signed comparison
  100137FA  .   7F 4A             JG SHORT DPA_Util.10013846
  100137FC  .   7C 04             JL SHORT DPA_Util.10013802
  100137FE  .   85F6              TEST ESI,ESI
  10013800  .   77 44             JA SHORT DPA_Util.10013846
  10013802  >   837D E0 00        CMP DWORD PTR SS:[EBP-20],0      ; signed comparison
  10013806  .   0F8C 0B040000     JL DPA_Util.10013C17
  1001380C  .   7F 0A             JG SHORT DPA_Util.10013818
  1001380E  .   837D DC 00        CMP DWORD PTR SS:[EBP-24],0
  10013812  .   0F86 FF030000     JBE DPA_Util.10013C17
  10013818  >   BF 1B700910       MOV EDI,DPA_Util.1009701B
  1001381D  .   33F6              XOR ESI,ESI
  1001381F  >   33C9              XOR ECX,ECX
  10013821  .   894D F4           MOV DWORD PTR SS:[EBP-C],ECX
  10013824  .   894D F0           MOV DWORD PTR SS:[EBP-10],ECX
  10013827  .   390B              CMP DWORD PTR DS:[EBX],ECX
  10013829  .   894D F8           MOV DWORD PTR SS:[EBP-8],ECX
  1001382C  .   894D EC           MOV DWORD PTR SS:[EBP-14],ECX
  1001382F  .   0F84 C7000000     JE DPA_Util.100138FC

Note that the looping thread does not affect the other connections to the
affected service: each malicious request pins one thread, the rest of the
service keeps working.
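The following C program is an added illustration of the two bug classes
above and is not DPA_Utilities code: the wire format (a ';'-separated
KEY=value command and a frame with an 8-byte little-endian size prefix), the
field name PASSWORD, the MAX_FRAME bound and every function name are
assumptions made for the example. It pairs the vulnerable shape of each bug
(a decoder result scanned without a NULL check; a size field compared as a
signed 64-bit value and looped on until it reaches zero) with a hardened
version, and feeds the hardened reader the same 18446744073709551615 value
that the udpsz proof-of-concept in section 3 sends.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format for the demo (NOT the DPA protocol):
 *  - text command: "KEY=value;KEY=value..."
 *  - binary frame:  8-byte little-endian size, then payload        */
#define MAX_FRAME (1u << 20)   /* arbitrary sanity bound chosen for the demo */

/* Return the value of "key" in cmd, or NULL when the key is missing or its
 * value is empty: the two conditions that trigger bug A in the advisory. */
static const char *find_field(const char *cmd, const char *key)
{
    size_t klen = strlen(key);
    for (const char *p = cmd; p && *p; ) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            return (*v && *v != ';') ? v : NULL;
        }
        p = strchr(p, ';');
        if (p) p++;
    }
    return NULL;
}

/* Length of a field value up to the next ';' (an inlined strlen-style scan). */
static size_t field_len(const char *v)
{
    const char *semi = strchr(v, ';');
    return semi ? (size_t)(semi - v) : strlen(v);
}

/* Bug A, vulnerable shape: the decoder's result goes straight into the scan,
 * so a missing or empty PASSWORD makes field_len() read from address 0. */
static long password_len_unchecked(const char *cmd)
{
    return (long)field_len(find_field(cmd, "PASSWORD"));   /* NULL -> crash */
}

/* Bug A, hardened: fail the authentication before touching the pointer. */
static long password_len_checked(const char *cmd)
{
    const char *pw = find_field(cmd, "PASSWORD");
    return pw ? (long)field_len(pw) : -1;
}

static uint64_t le64(const uint8_t *b)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | b[i];
    return v;
}

/* Bug B, vulnerable shape: the size is a signed 64-bit value, bytes are
 * consumed only while it is positive (signed test) and the loop runs until it
 * reaches zero.  A negative size never reaches zero, so the thread spins;
 * max_iter caps the spin so the demo terminates.  Returns iterations run. */
static long read_request_signed(const uint8_t *buf, size_t buflen, long max_iter)
{
    if (buflen < 8) return -1;
    int64_t remaining = (int64_t)le64(buf);
    const uint8_t *p = buf + 8, *end = buf + buflen;
    long iters = 0;
    while (remaining != 0) {
        if (iters >= max_iter) break;            /* real code has no such cap */
        iters++;
        if (remaining > 0 && p < end) {
            size_t avail = (size_t)(end - p);
            size_t n = (uint64_t)remaining < avail ? (size_t)remaining : avail;
            p += n;
            remaining -= (int64_t)n;
        }
        /* remaining < 0 (or data exhausted): nothing consumed, loop again */
    }
    return iters;
}

/* Bug B, hardened: read the size as unsigned, bound it, and require the whole
 * payload to be present before any loop runs.  Returns payload length or -1. */
static long read_request_checked(const uint8_t *buf, size_t buflen)
{
    if (buflen < 8) return -1;
    uint64_t size = le64(buf);
    if (size > MAX_FRAME || size > buflen - 8) return -1;  /* "-1" is huge here */
    return (long)size;
}

/* Constructed sample frames.  FRAME_NEG carries 18446744073709551615, the
 * value the advisory's udpsz proof-of-concept sends. */
static const uint8_t FRAME_OK[]    = {5,0,0,0,0,0,0,0,'h','e','l','l','o'};
static const uint8_t FRAME_NEG[]   = {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};
static const uint8_t FRAME_SHORT[] = {100,0,0,0,0,0,0,0,'a','b','c'};

int main(void)
{
    printf("password len: unchecked(set)=%ld checked(empty)=%ld\n",
           password_len_unchecked("USER=admin;PASSWORD=abc"),
           password_len_checked("USER=admin;PASSWORD="));
    printf("size -1: signed reader spun %ld times (capped), checked reader -> %ld\n",
           read_request_signed(FRAME_NEG, sizeof FRAME_NEG, 1000),
           read_request_checked(FRAME_NEG, sizeof FRAME_NEG));
    return 0;
}
```

The hardened reader rejects the negative size and a short frame for the same
reason: once the field is read as an unsigned quantity, "-1" becomes a length
larger than any buffer that could be present, so a single bound check covers
both the sign bug and truncated input.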
Both bugs can be exploited through the following services:
- DPA_Controller on port 3916
- DPA_Listener on port 4001

#######################################################################

===========
3) The Code
===========

A] http://aluigi.org/poc/dpa_1.zip

     dpa_1 SERVER

B] http://aluigi.org/testz/udpsz.zip

     udpsz -c "18446744073709551615/1/UNB" -T SERVER 3916 -1

#######################################################################

======
4) Fix
======

No fix at the time of publication.

UPDATE 17 May 2012: fix released, see
http://www.securityfocus.com/archive/1/522408

#######################################################################