#######################################################################
Luigi Auriemma
Application: EMC Data Protection Advisor
http://www.emc.com/backup-and-recovery/data-protection-advisor/data-protection-advisor.htm
Versions: <= 5.8.1
Platforms: AIX, HP-UX, Linux, Solaris, Windows
Bugs: A] cProcessAuthenticationData NULL pointer
B] thread CPU 100%
Exploitation: remote
Date: 29 Mar 2012
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
From vendor's homepage:
"EMC Data Protection Advisor: Manage service levels, reduce complexity,
and eliminate manual efforts with EMC’s powerful data protection
management software that automates monitoring, analysis, alerting, and
reporting across backup, replication, and virtual environments."
#######################################################################
=======
2) Bugs
=======
------------------------------------------
A] cProcessAuthenticationData NULL pointer
------------------------------------------
A missing password field, or an empty password, in the
AUTHENTICATECONNECTION command required to log in leads to a NULL
pointer dereference in the DPA_Utilities.cProcessAuthenticationData
function: decodeString returns NULL and the inlined strlen() loop that
follows reads through it:
10042EA0 /$ 55 PUSH EBP
10042EA1 |. 8BEC MOV EBP,ESP
10042EA3 |. 83EC 0C SUB ESP,0C
10042EA6 |. A1 B04F0C10 MOV EAX,DWORD PTR DS:[100C4FB0]
10042EAB |. 33C5 XOR EAX,EBP
10042EAD |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
10042EB0 |. 53 PUSH EBX
10042EB1 |. 56 PUSH ESI
10042EB2 |. 8BF1 MOV ESI,ECX
10042EB4 |. 57 PUSH EDI
10042EB5 |. 56 PUSH ESI
10042EB6 |. E8 93E3FBFF CALL DPA_Util.decodeString
10042EBB |. 8BC8 MOV ECX,EAX
10042EBD |. 83C4 08 ADD ESP,8
10042EC0 |. 8D59 01 LEA EBX,DWORD PTR DS:[ECX+1]
10042EC3 |> 8A11 /MOV DL,BYTE PTR DS:[ECX] ; strlen() NULL pointer
10042EC5 |. 83C1 01 |ADD ECX,1
10042EC8 |. 84D2 |TEST DL,DL
10042ECA |.^75 F7 \JNZ SHORT DPA_Util.10042EC3
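The following is an added C example, not code from the advisory or from
the vendor, that models the two shapes of the function above: the
vulnerable one, where the decoder's result goes straight into strlen(),
and the hardened one, where a NULL result fails the login. The
"name=value;name=value" field layout, the field name "password" and the
decode_field helper are assumptions (the real DPA wire format is not
described here); decode_field only reproduces the behaviour observed in
DPA_Util.decodeString, returning NULL for a missing or empty password.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout of an AUTHENTICATECONNECTION payload: "name=value" pairs
 * separated by ';'.  Constructed for this example; not the real format. */

/* Stand-in for DPA_Util.decodeString.  Returns a heap copy of the value of
 * `name`, or NULL when the field is absent or its value is empty, which is
 * the observed behaviour for the password field.  Lookup logic is assumed. */
static char *decode_field(const char *cmd, const char *name)
{
    size_t nlen = strlen(name);
    const char *p = cmd;

    while (p && *p) {
        const char *end = strchr(p, ';');
        size_t flen = end ? (size_t)(end - p) : strlen(p);

        if (flen > nlen && memcmp(p, name, nlen) == 0 && p[nlen] == '=') {
            size_t vlen = flen - nlen - 1;
            if (vlen == 0)
                return NULL;                 /* "password=" -> empty value */
            char *v = malloc(vlen + 1);
            if (v == NULL)
                return NULL;
            memcpy(v, p + nlen + 1, vlen);
            v[vlen] = '\0';
            return v;
        }
        p = end ? end + 1 : NULL;
    }
    return NULL;                             /* field missing */
}

/* Vulnerable shape: the decoded pointer is handed to strlen() unchecked,
 * which is the inlined byte loop at 10042EC3 in the listing above.  With a
 * missing or empty password the first byte read is at address 0 and the
 * thread faults.  Only call this with a payload that carries a password. */
size_t process_auth_vulnerable(const char *cmd)
{
    char *pw = decode_field(cmd, "password");
    size_t len = strlen(pw);                 /* NULL dereference if pw == NULL */
    free(pw);
    return len;
}

enum { AUTH_OK = 0, AUTH_NO_PASSWORD = -1 };

/* Hardened shape: test the decoder's result before touching the buffer and
 * reject the login instead of crashing.  pw_len may be NULL. */
int process_auth_fixed(const char *cmd, size_t *pw_len)
{
    char *pw = decode_field(cmd, "password");
    if (pw == NULL) {
        if (pw_len)
            *pw_len = 0;
        return AUTH_NO_PASSWORD;
    }
    if (pw_len)
        *pw_len = strlen(pw);
    /* credential verification would go here */
    free(pw);
    return AUTH_OK;
}
```

The check that matters is the one on the decoder's return value: any
function that turns untrusted input into a pointer must be treated as
able to return NULL, and the caller, not the string routines, has to
handle that case.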
------------------
B] thread CPU 100%
------------------
Endless loop in the DPA_Utilities library while handling the protocol
if a negative 64-bit size field is used. The size is compared as a
signed quantity, so a value such as 0xFFFFFFFFFFFFFFFF never takes the
read path and the loop makes no progress:
100138FC > 3BF1 CMP ESI,ECX
100138FE . 75 0C JNZ SHORT DPA_Util.1001390C
10013900 . 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
10013903 . 0B55 E8 OR EDX,DWORD PTR SS:[EBP-18]
10013906 . 0F84 C1020000 JE DPA_Util.10013BCD
1001390C > 2975 DC SUB DWORD PTR SS:[EBP-24],ESI
1001390F . 68 20870910 PUSH DPA_Util.10098720 ; "nsReadRequest"
...
100137F0 > 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8]
100137F3 > 8B75 E4 MOV ESI,DWORD PTR SS:[EBP-1C]
100137F6 > 837D E8 00 CMP DWORD PTR SS:[EBP-18],0 ; signed comparison
100137FA . 7F 4A JG SHORT DPA_Util.10013846
100137FC . 7C 04 JL SHORT DPA_Util.10013802
100137FE . 85F6 TEST ESI,ESI
10013800 . 77 44 JA SHORT DPA_Util.10013846
10013802 > 837D E0 00 CMP DWORD PTR SS:[EBP-20],0 ; signed comparison
10013806 . 0F8C 0B040000 JL DPA_Util.10013C17
1001380C . 7F 0A JG SHORT DPA_Util.10013818
1001380E . 837D DC 00 CMP DWORD PTR SS:[EBP-24],0
10013812 . 0F86 FF030000 JBE DPA_Util.10013C17
10013818 > BF 1B700910 MOV EDI,DPA_Util.1009701B
1001381D . 33F6 XOR ESI,ESI
1001381F > 33C9 XOR ECX,ECX
10013821 . 894D F4 MOV DWORD PTR SS:[EBP-C],ECX
10013824 . 894D F0 MOV DWORD PTR SS:[EBP-10],ECX
10013827 . 390B CMP DWORD PTR DS:[EBX],ECX
10013829 . 894D F8 MOV DWORD PTR SS:[EBP-8],ECX
1001382C . 894D EC MOV DWORD PTR SS:[EBP-14],ECX
1001382F . 0F84 C7000000 JE DPA_Util.100138FC
Note that this loop only ties up the thread handling the malicious
connection; the other connections to the affected service keep working.
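The following is an added C example, not code from the advisory or from
the vendor, that reproduces the signed-size mistake in the listing above
in a minimal frame reader and shows the hardened form next to it. The
frame layout (an 8-byte big-endian size followed by the payload), the
chunk size and the MAX_FRAME limit are assumptions; the sample frames are
constructed, not captured, and the first one carries the size value
18446744073709551615 that the udpsz command in section 3 uses. The
spin_budget argument exists only so the vulnerable reader returns
instead of hanging the way the real thread does.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_CHUNK   4096u                    /* assumed read size */
#define MAX_FRAME   (16u * 1024u * 1024u)    /* assumed application limit */

enum { FRAME_OK = 0, FRAME_REJECTED = -1, FRAME_SPINS = -2 };

/* Decode an 8-byte big-endian size field (byte order is an assumption). */
static uint64_t be64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | p[i];
    return v;
}

/* Vulnerable shape.  The size is treated as a signed 64-bit value, which is
 * what the JG/JL pair on the high dword in the listing does.  A negative
 * size fails the "> 0" test, so the read path is skipped, nothing is
 * consumed, nothing is subtracted, and the "until remaining == 0" loop
 * restarts forever.  The (int64_t) cast relies on two's complement wrap. */
int read_frame_vulnerable(const uint8_t *buf, size_t buflen, unsigned spin_budget)
{
    if (buflen < 8)
        return FRAME_REJECTED;
    int64_t remaining = (int64_t)be64(buf);  /* 0xFFFF...FFFF becomes -1 */
    size_t off = 8;
    unsigned spins = 0;

    while (remaining != 0) {
        if (remaining > 0) {                 /* signed comparison */
            size_t want = remaining < (int64_t)MAX_CHUNK ? (size_t)remaining : MAX_CHUNK;
            size_t avail = buflen - off;
            size_t n = want < avail ? want : avail;
            if (n == 0)
                return FRAME_REJECTED;       /* peer went away */
            off += n;
            remaining -= (int64_t)n;
        } else if (++spins >= spin_budget) {
            return FRAME_SPINS;              /* would loop forever */
        }
    }
    return FRAME_OK;
}

/* Hardened shape: keep the size unsigned and bound it before the loop, so
 * an absurd value is refused up front instead of steering the loop. */
int read_frame_fixed(const uint8_t *buf, size_t buflen)
{
    if (buflen < 8)
        return FRAME_REJECTED;
    uint64_t size = be64(buf);
    if (size > MAX_FRAME)
        return FRAME_REJECTED;               /* covers 0xFFFF...FFFF */
    size_t remaining = (size_t)size, off = 8;

    while (remaining != 0) {
        size_t want = remaining < MAX_CHUNK ? remaining : MAX_CHUNK;
        size_t avail = buflen - off;
        size_t n = want < avail ? want : avail;
        if (n == 0)
            return FRAME_REJECTED;
        off += n;
        remaining -= n;
    }
    return FRAME_OK;
}

/* Constructed sample frames (not captured traffic). */
const uint8_t FRAME_NEGATIVE_SIZE[] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,   /* 18446744073709551615 */
    0x41 };
const uint8_t FRAME_NORMAL[] = {
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,   /* size 5 */
    'h', 'e', 'l', 'l', 'o' };
```

The general lesson is the one the listing shows: a length read off the
wire is never meaningfully negative, so compare it unsigned, cap it to
what the application can actually accept, and make sure every path
through the receive loop either consumes bytes or leaves the loop.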
Both bugs can be exploited in the following services:
- DPA_Controller on port 3916
- DPA_Listener on port 4001
#######################################################################
===========
3) The Code
===========
A]
http://aluigi.org/poc/dpa_1.zip
dpa_1 SERVER
B]
http://aluigi.org/testz/udpsz.zip
udpsz -c "18446744073709551615/1/UNB" -T SERVER 3916 -1
#######################################################################
======
4) Fix
======
No fix.
#######################################################################