EMC NetWorker 7.6 sp3 - Denial of Service

EDB-ID:

18601

CVE:





Platform:

Multiple

Date:

2012-03-14


#######################################################################

                             Luigi Auriemma

Application:  EMC NetWorker (Legato)
              http://www.emc.com/backup-and-recovery/networker/networker.htm
Versions:     <= 7.6 sp3 (7.6.3.2 Build 860)
Platforms:    AIX, HP-UX, Linux, Solaris, Windows
Bug:          invalid read access
Exploitation: remote
Date:         14 Mar 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's homepage:
"EMC NetWorker backup and recovery software centralizes, automates, and
accelerates data backup and recovery across your IT environment.
NetWorker delivers record-breaking performance and a wide range of data
protection options to safeguard your critical business data."


#######################################################################

======
2) Bug
======


nsrexecd is a service listening on some default ports (like 111, 7937
and 7938) plus another couple of random ones usually over port 8000.

Through a malformed RPC packet sent to one these random ports it's
possible to crash the service due to the hash calculation performed
over an arbitrary amount of data.

From librpc.dll:

  0038B3CF   8B4424 3C        MOV EAX,DWORD PTR SS:[ESP+3C]     ; my_size
  0038B3D3   8B6D 00          MOV EBP,DWORD PTR SS:[EBP]
  0038B3D6   2BF0             SUB ESI,EAX
  0038B3D8   897424 38        MOV DWORD PTR SS:[ESP+38],ESI
  0038B3DC   8B33             MOV ESI,DWORD PTR DS:[EBX]        ; size
  0038B3DE   8B9C24 90000000  MOV EBX,DWORD PTR SS:[ESP+90]
  0038B3E5   2BF0             SUB ESI,EAX                       ; size - my_size
  0038B3E7   8B43 10          MOV EAX,DWORD PTR DS:[EBX+10]
  0038B3EA   50               PUSH EAX
  0038B3EB   8D4C24 3C        LEA ECX,DWORD PTR SS:[ESP+3C]
  0038B3EF   51               PUSH ECX
  0038B3F0   8D5424 48        LEA EDX,DWORD PTR SS:[ESP+48]
  0038B3F4   52               PUSH EDX
  0038B3F5   2BF7             SUB ESI,EDI
  0038B3F7   53               PUSH EBX
  0038B3F8   897424 54        MOV DWORD PTR SS:[ESP+54],ESI     ; the new size
  0038B3FC   896C24 50        MOV DWORD PTR SS:[ESP+50],EBP
  ...
  0038AFC5   8D4C24 0C        LEA ECX,DWORD PTR SS:[ESP+C]
  0038AFC9   51               PUSH ECX
  0038AFCA   8B4C24 1C        MOV ECX,DWORD PTR SS:[ESP+1C]
  0038AFCE   8D5424 0C        LEA EDX,DWORD PTR SS:[ESP+C]
  0038AFD2   52               PUSH EDX
  0038AFD3   8B51 04          MOV EDX,DWORD PTR DS:[ECX+4]      ; new size
  0038AFD6   8B09             MOV ECX,DWORD PTR DS:[ECX]
  0038AFD8   52               PUSH EDX
  0038AFD9   8B5424 2C        MOV EDX,DWORD PTR SS:[ESP+2C]
  0038AFDD   51               PUSH ECX
  0038AFDE   8B48 20          MOV ECX,DWORD PTR DS:[EAX+20]
  0038AFE1   52               PUSH EDX
  0038AFE2   8B50 1C          MOV EDX,DWORD PTR DS:[EAX+1C]
  0038AFE5   51               PUSH ECX
  0038AFE6   52               PUSH EDX
  0038AFE7   E8 04E3FFFF      CALL LIBRPC.cryptoiface_get_hmac  ; hash crash

Note: after the crash it's necessary to restart also the other services
so that the situation can return normal and the bug can be tested
again.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/nsrexecd_1.dat
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18601.dat

  nc SERVER PORT < nsrexecd_1.dat

it's enough to scan all the ports from 8000 to 10000 to catch the
correct one automatically.


#######################################################################

======
4) Fix
======


No fix.


#######################################################################