EMC Data Protection Advisor 5.8.1 Denial of Service

2012.04.22

Credit: Luigi Auriemma

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2012-0406 | CVE-2012-0407

CWE: N/A

#######################################################################

                             Luigi Auriemma

Application:  EMC Data Protection Advisor
              http://www.emc.com/backup-and-recovery/data-protection-advisor/data-protection-advisor.htm
Versions:     <= 5.8.1
Platforms:    AIX, HP-UX, Linux, Solaris, Windows
Bugs:         A] cProcessAuthenticationData NULL pointer
              B] thread CPU 100%
Exploitation: remote
Date:         29 Mar 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's homepage:
"EMC Data Protection Advisor: Manage service levels, reduce complexity,
and eliminate manual efforts with EMC’s powerful data protection
management software that automates monitoring, analysis, alerting, and
reporting across backup, replication, and virtual environments."


#######################################################################

=======
2) Bugs
=======

------------------------------------------
A] cProcessAuthenticationData NULL pointer
------------------------------------------

The missing password field or an empty password in the
AUTHENTICATECONNECTION command required to login leads to a NULL
pointer dereference in the DPA_Utilities.cProcessAuthenticationData
function:

  10042EA0  /$ 55             PUSH EBP
  10042EA1  |. 8BEC           MOV EBP,ESP
  10042EA3  |. 83EC 0C        SUB ESP,0C
  10042EA6  |. A1 B04F0C10    MOV EAX,DWORD PTR DS:[100C4FB0]
  10042EAB  |. 33C5           XOR EAX,EBP
  10042EAD  |. 8945 FC        MOV DWORD PTR SS:[EBP-4],EAX
  10042EB0  |. 53             PUSH EBX
  10042EB1  |. 56             PUSH ESI
  10042EB2  |. 8BF1           MOV ESI,ECX
  10042EB4  |. 57             PUSH EDI
  10042EB5  |. 56             PUSH ESI
  10042EB6  |. E8 93E3FBFF    CALL DPA_Util.decodeString
  10042EBB  |. 8BC8           MOV ECX,EAX
  10042EBD  |. 83C4 08        ADD ESP,8
  10042EC0  |. 8D59 01        LEA EBX,DWORD PTR DS:[ECX+1]
  10042EC3  |> 8A11           /MOV DL,BYTE PTR DS:[ECX]     ; strlen() NULL pointer
  10042EC5  |. 83C1 01        |ADD ECX,1
  10042EC8  |. 84D2           |TEST DL,DL
  10042ECA  |.^75 F7          \JNZ SHORT DPA_Util.10042EC3


------------------
B] thread CPU 100%
------------------

Endless loop in the DPA_Utilities library while handling the protocol
if it's used a negative 64bit size field:

  100138FC   > 3BF1           CMP ESI,ECX
  100138FE   . 75 0C          JNZ SHORT DPA_Util.1001390C
  10013900   . 8B55 E4        MOV EDX,DWORD PTR SS:[EBP-1C]
  10013903   . 0B55 E8        OR EDX,DWORD PTR SS:[EBP-18]
  10013906   . 0F84 C1020000  JE DPA_Util.10013BCD
  1001390C   > 2975 DC        SUB DWORD PTR SS:[EBP-24],ESI
  1001390F   . 68 20870910    PUSH DPA_Util.10098720        ; "nsReadRequest"
  ...
  100137F0   > 8B7D 08        MOV EDI,DWORD PTR SS:[EBP+8]
  100137F3   > 8B75 E4        MOV ESI,DWORD PTR SS:[EBP-1C]
  100137F6   > 837D E8 00     CMP DWORD PTR SS:[EBP-18],0   ; signed comparison
  100137FA   . 7F 4A          JG SHORT DPA_Util.10013846
  100137FC   . 7C 04          JL SHORT DPA_Util.10013802
  100137FE   . 85F6           TEST ESI,ESI
  10013800   . 77 44          JA SHORT DPA_Util.10013846
  10013802   > 837D E0 00     CMP DWORD PTR SS:[EBP-20],0   ; signed comparison
  10013806   . 0F8C 0B040000  JL DPA_Util.10013C17
  1001380C   . 7F 0A          JG SHORT DPA_Util.10013818
  1001380E   . 837D DC 00     CMP DWORD PTR SS:[EBP-24],0
  10013812   . 0F86 FF030000  JBE DPA_Util.10013C17
  10013818   > BF 1B700910    MOV EDI,DPA_Util.1009701B
  1001381D   . 33F6           XOR ESI,ESI
  1001381F   > 33C9           XOR ECX,ECX
  10013821   . 894D F4        MOV DWORD PTR SS:[EBP-C],ECX
  10013824   . 894D F0        MOV DWORD PTR SS:[EBP-10],ECX
  10013827   . 390B           CMP DWORD PTR DS:[EBX],ECX
  10013829   . 894D F8        MOV DWORD PTR SS:[EBP-8],ECX
  1001382C   . 894D EC        MOV DWORD PTR SS:[EBP-14],ECX
  1001382F   . 0F84 C7000000  JE DPA_Util.100138FC

Note that this loop doesn't affect the working of the other connections
to the affected service.


Both the bugs can be exploited in the following services:
- DPA_Controller on port 3916
- DPA_Listener   on port 4001


#######################################################################

===========
3) The Code
===========


A]
http://aluigi.org/poc/dpa_1.zip

  dpa_1 SERVER

B]
http://aluigi.org/testz/udpsz.zip

  udpsz -c "18446744073709551615/1/UNB" -T SERVER 3916 -1


#######################################################################

======
4) Fix
======


No fix.


#######################################################################

References:

http://www.securityfocus.com/archive/1/522408/30/0/threaded

http://www.exploit-db.com/exploits/18688/

http://aluigi.altervista.org/adv/dpa_1-adv.txt

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

EMC Data Protection Advisor 5.8.1 Denial of Service

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.