#######################################################################

Luigi Auriemma

Application:  HP OpenView Performance Agent
              http://www8.hp.com/us/en/software/software-product.html?compURI=tcm:245-937022
Versions:     coda.exe <= 10.50.190
Platforms:    Windows, Linux, Solaris, HP-UX, AIX
Bug:          stack overflow
Exploitation: remote, versus server
Date:         probably found 01 Jun 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

???

#######################################################################

======
2) Bug
======

ovbbccb.exe is a SYSTEM service listening on port 383, and coda.exe is
the service that handles all the HTTP requests for
/Hewlett-Packard/OpenView/Coda/

The function that reads some strings from the CODA protocol uses a
temporary stack buffer of 1024 bytes into which the client's data is
copied, trusting a 16-bit value supplied by the client as the size:

0043BD40  /$ 81EC 10040000    SUB ESP,410
0043BD46  |. A1 E4664900      MOV EAX,DWORD PTR DS:[4966E4]
0043BD4B  |. 33C4             XOR EAX,ESP
0043BD4D  |. 898424 0C040000  MOV DWORD PTR SS:[ESP+40C],EAX
0043BD54  |. 8B8424 14040000  MOV EAX,DWORD PTR SS:[ESP+414]
0043BD5B  |. 53               PUSH EBX
0043BD5C  |. 56               PUSH ESI
0043BD5D  |. 57               PUSH EDI
0043BD5E  |. 8BF9             MOV EDI,ECX
0043BD60  |. 8D4C24 0C        LEA ECX,DWORD PTR SS:[ESP+C]
0043BD64  |. 51               PUSH ECX
0043BD65  |. 8BCF             MOV ECX,EDI
0043BD67  |. 894424 14        MOV DWORD PTR SS:[ESP+14],EAX
0043BD6B  |. 8D7424 18        LEA ESI,DWORD PTR SS:[ESP+18]
0043BD6F  |. E8 3CFEFFFF      CALL coda.0043BBB0               ; get the 16bit size
0043BD74  |. 0FB75C24 0C      MOVZX EBX,WORD PTR SS:[ESP+C]
0043BD79  |. 85DB             TEST EBX,EBX
0043BD7B  |. 76 1C            JBE SHORT coda.0043BD99
0043BD7D  |. 55               PUSH EBP
0043BD7E  |. 8DAF B4090000    LEA EBP,DWORD PTR DS:[EDI+9B4]
0043BD84  |. 8BFB             MOV EDI,EBX
0043BD86  |> 8BCD             /MOV ECX,EBP                     ; copy
0043BD88  |. FF15 48544700    |CALL DWORD PTR DS:[<&OvXpl.?ReadUInt8@D>; OvXpl.?ReadUInt8@DataInputStream_t@OvXplIo@@QBEEXZ
0043BD8E  |. 8806             |MOV BYTE PTR DS:[ESI],AL
0043BD90  |. 83C6 01          |ADD ESI,1
0043BD93  |. 83EF 01          |SUB EDI,1
0043BD96  |.^75 EE            \JNZ SHORT coda.0043BD86

This function is called by the one at 0043d600, which is used in
various places for opcodes such as 0x34, 0x8c and so on.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/coda_1.dat

  nc SERVER 383 < coda_1.dat

#######################################################################

======
4) Fix
======

http://www.zerodayinitiative.com/advisories/ZDI-12-114/

#######################################################################
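Added illustration of the bug in section 2, written here rather than taken from coda.exe or from the advisory: the byte-copy loop from the disassembly (client-supplied 16-bit length, 1024-byte stack temporary) next to the length check that closes it. The wire layout (big-endian 16-bit length followed by the string bytes) and the stream type are assumptions.

```c
/* Added illustration, not coda.exe source: the byte-copy loop from the
 * disassembly (16-bit length, 1024-byte stack buffer) with and without the
 * bounds check. Big-endian length prefix and stream type are assumptions. */
#include <stddef.h>
#include <stdint.h>

#define CODA_STR_BUF 1024   /* the 0x410-byte frame holds a 1024-byte buffer */
typedef struct { const uint8_t *p; size_t left; } stream_t; /* ~ DataInputStream_t */

static int read_u8(stream_t *s, uint8_t *out) {   /* ~ ReadUInt8 */
    if (s->left == 0) return -1;
    *out = *s->p++; s->left--;
    return 0;
}

static int read_u16(stream_t *s, uint16_t *out) { /* ~ coda.0043BBB0 */
    uint8_t hi, lo;
    if (read_u8(s, &hi) || read_u8(s, &lo)) return -1;
    *out = (uint16_t)((hi << 8) | lo);
    return 0;
}

/* As shipped: n comes from the client and is never compared with the
 * buffer size, so n > 1024 writes past dst on the stack. Never called here. */
int read_string_unchecked(stream_t *s, uint8_t *dst) {
    uint16_t n;
    if (read_u16(s, &n)) return -1;
    for (uint16_t i = 0; i < n; i++)          /* loop at 0043BD86 */
        if (read_u8(s, &dst[i])) break;
    return (int)n;
}

/* Fixed: reject lengths that exceed the destination or the bytes actually
 * available. Returns bytes copied, or -1 for a malformed message. */
int read_string_checked(stream_t *s, uint8_t *dst, size_t dst_len) {
    uint16_t n;
    if (read_u16(s, &n)) return -1;
    if ((size_t)n > dst_len || (size_t)n > s->left) return -1;
    for (uint16_t i = 0; i < n; i++)
        read_u8(s, &dst[i]);
    return (int)n;
}

/* Parse one length-prefixed string into the same 1024-byte temporary. */
int parse_coda_string(const uint8_t *msg, size_t msg_len) {
    uint8_t tmp[CODA_STR_BUF];
    stream_t s = { msg, msg_len };
    return read_string_checked(&s, tmp, sizeof tmp);
}
```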