Multiple vulnerabilities in Double-Take 5.0.0.2865

2008.02.26
Credit: Luigi Auriemma
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2008-0973 | CVE-2008-0974 | CVE-2008-0975 | CVE-2008-0976 | CVE-2008-0977 | CVE-2008-0978 | CVE-2008-0979
CWE: N/A

####################################################################### Luigi Auriemma Application: Double-Take http://www.doubletake.com Versions: <= 5.0.0.2865 (version 4.5.x tested with success too) Platforms: Windows Bugs: A] server termination through "vector<T> too long" exception B] NULL pointer crash C] termination through memory allocation D] informations disclosure E] other exceptions Exploitation: remote Date: 22 Feb 2008 Author: Luigi Auriemma e-mail: aluigi (at) autistici (dot) org [email concealed] web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Double-Take is a disaster recovery and backup software distribuited also under other different names depending by the company which distribuites it like for example HP StorageWorks Storage Mirroring (where version 4.5.0.1629 is vulnerable to a pre-auth buffer overflow). ####################################################################### ======= 2) Bugs ======= ------------------------------------------------------------ A] server termination through "vector<T> too long" exception ------------------------------------------------------------ The Double-Take service can be terminated through an exception raised when the size of a "vector<T>" value is bigger than how much supported. Exist different ways for exploiting this vulnerability anyway the main two arbitrary effects are the "vector<T> too long" exception or CPU at 100%. --------------------- B] NULL pointer crash --------------------- The server can be crashed through malformed packets (like 0x2722 and 0x272a) which cause the access to a NULL pointer. ---------------------------------------- C] termination through memory allocation ---------------------------------------- An error with some packets allows to allocate a partially arbitrary amount of memory with the possibility to crash the process when no additional memory is available. -------------------------- D] informations disclosure -------------------------- The server sends various types of informations to any unauthenticated user, for example the running operating system and the program's paths with packet 0x2728, the ethernet adapters with packet 0x274e, all the partitions and their types of filesystem with packet 0x2726, the printer driver with 0x274f and the latest log entries using packet 0x2757. ------------------- E] other exceptions ------------------- Exist also additional problems mainly exploitable through packet 0x2719 which cause respectively a "ospace/time/src\date.cpp" exception and the recursive calling of a function which fills the available stack and causes the silent termination of the service. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/doubletakedown.zip ####################################################################### ====== 4) Fix ====== No fix ####################################################################### --- Luigi Auriemma http://aluigi.org


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top