EMC Data Protection Advisor Permission and Access Control Vulnerability

Vulnerability ID:   1121019
Vulnerability type: Permission and Access Control
Published:          2012-03-31
Updated:            2012-04-23
CVE:                CVE-2012-0406
CNNVD ID:           CNNVD-201204-438
Platform:           Hardware
CVSS score:         7.8
|Vulnerability source
https://www.exploit-db.com/exploits/18688
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201204-438
|Vulnerability details
A vulnerability exists in the DPA_Utilities.cProcessAuthenticationData function in EMC Data Protection Advisor (DPA) 5.5 through 5.8 SP1. A remote attacker can exploit it via an AUTHENTICATECONNECTION command that (1) lacks the password field or (2) carries an empty password, causing a denial of service (NULL pointer dereference and daemon crash).
|Vulnerability exploit
#######################################################################

                             Luigi Auriemma

Application:  EMC Data Protection Advisor
              http://www.emc.com/backup-and-recovery/data-protection-advisor/data-protection-advisor.htm
Versions:     <= 5.8.1
Platforms:    AIX, HP-UX, Linux, Solaris, Windows
Bugs:         A] cProcessAuthenticationData NULL pointer
              B] thread CPU 100%
Exploitation: remote
Date:         29 Mar 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's homepage:
"EMC Data Protection Advisor: Manage service levels, reduce complexity,
and eliminate manual efforts with EMC’s powerful data protection
management software that automates monitoring, analysis, alerting, and
reporting across backup, replication, and virtual environments."


#######################################################################

=======
2) Bugs
=======

------------------------------------------
A] cProcessAuthenticationData NULL pointer
------------------------------------------

The missing password field or an empty password in the
AUTHENTICATECONNECTION command required to login leads to a NULL
pointer dereference in the DPA_Utilities.cProcessAuthenticationData
function:

  10042EA0  /$ 55             PUSH EBP
  10042EA1  |. 8BEC           MOV EBP,ESP
  10042EA3  |. 83EC 0C        SUB ESP,0C
  10042EA6  |. A1 B04F0C10    MOV EAX,DWORD PTR DS:[100C4FB0]
  10042EAB  |. 33C5           XOR EAX,EBP
  10042EAD  |. 8945 FC        MOV DWORD PTR SS:[EBP-4],EAX
  10042EB0  |. 53             PUSH EBX
  10042EB1  |. 56             PUSH ESI
  10042EB2  |. 8BF1           MOV ESI,ECX
  10042EB4  |. 57             PUSH EDI
  10042EB5  |. 56             PUSH ESI
  10042EB6  |. E8 93E3FBFF    CALL DPA_Util.decodeString
  10042EBB  |. 8BC8           MOV ECX,EAX
  10042EBD  |. 83C4 08        ADD ESP,8
  10042EC0  |. 8D59 01        LEA EBX,DWORD PTR DS:[ECX+1]
  10042EC3  |> 8A11           /MOV DL,BYTE PTR DS:[ECX]     ; strlen() NULL pointer
  10042EC5  |. 83C1 01        |ADD ECX,1
  10042EC8  |. 84D2           |TEST DL,DL
  10042ECA  |.^75 F7          \JNZ SHORT DPA_Util.10042EC3


------------------
B] thread CPU 100%
------------------

Endless loop in the DPA_Utilities library while handling the protocol
when a negative 64-bit size field is used:

  100138FC   > 3BF1           CMP ESI,ECX
  100138FE   . 75 0C          JNZ SHORT DPA_Util.1001390C
  10013900   . 8B55 E4        MOV EDX,DWORD PTR SS:[EBP-1C]
  10013903   . 0B55 E8        OR EDX,DWORD PTR SS:[EBP-18]
  10013906   . 0F84 C1020000  JE DPA_Util.10013BCD
  1001390C   > 2975 DC        SUB DWORD PTR SS:[EBP-24],ESI
  1001390F   . 68 20870910    PUSH DPA_Util.10098720        ; "nsReadRequest"
  ...
  100137F0   > 8B7D 08        MOV EDI,DWORD PTR SS:[EBP+8]
  100137F3   > 8B75 E4        MOV ESI,DWORD PTR SS:[EBP-1C]
  100137F6   > 837D E8 00     CMP DWORD PTR SS:[EBP-18],0   ; signed comparison
  100137FA   . 7F 4A          JG SHORT DPA_Util.10013846
  100137FC   . 7C 04          JL SHORT DPA_Util.10013802
  100137FE   . 85F6           TEST ESI,ESI
  10013800   . 77 44          JA SHORT DPA_Util.10013846
  10013802   > 837D E0 00     CMP DWORD PTR SS:[EBP-20],0   ; signed comparison
  10013806   . 0F8C 0B040000  JL DPA_Util.10013C17
  1001380C   . 7F 0A          JG SHORT DPA_Util.10013818
  1001380E   . 837D DC 00     CMP DWORD PTR SS:[EBP-24],0
  10013812   . 0F86 FF030000  JBE DPA_Util.10013C17
  10013818   > BF 1B700910    MOV EDI,DPA_Util.1009701B
  1001381D   . 33F6           XOR ESI,ESI
  1001381F   > 33C9           XOR ECX,ECX
  10013821   . 894D F4        MOV DWORD PTR SS:[EBP-C],ECX
  10013824   . 894D F0        MOV DWORD PTR SS:[EBP-10],ECX
  10013827   . 390B           CMP DWORD PTR DS:[EBX],ECX
  10013829   . 894D F8        MOV DWORD PTR SS:[EBP-8],ECX
  1001382C   . 894D EC        MOV DWORD PTR SS:[EBP-14],ECX
  1001382F   . 0F84 C7000000  JE DPA_Util.100138FC

Note that this loop doesn't affect the working of the other connections
to the affected service.


Both bugs can be exploited in the following services:
- DPA_Controller on port 3916
- DPA_Listener   on port 4001
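The following C is an added example, not code from the advisory or from EMC: it models the two defects the advisory describes (an unchecked pointer handed to strlen(), and a 64-bit size field compared as signed) and puts a checked version beside each. The "key=value;" message layout, the MAX_FRAME bound and the RECV_CHUNK size are invented for illustration; the real DPA wire format is not documented on this page, and the function names are hypothetical.

```c
/* Added example, not code from the advisory or from EMC: a model of the two
 * defects described above, each beside a checked version. The "key=value;"
 * message layout and the MAX_FRAME / RECV_CHUNK constants are invented for
 * illustration; the real DPA wire format is not documented on this page. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FRAME 65536u   /* constructed: largest frame a reader should accept */
#define RECV_CHUNK 4096    /* constructed: bytes one modelled recv() returns */

/* Hypothetical field lookup over "key=value;key=value;". Returns a pointer to
 * the value, or NULL when the key is absent (the case assumed to be behind
 * the NULL returned before the strlen() in bug A). */
static const char *find_field(const char *msg, const char *key) {
    size_t klen = strlen(key);
    for (const char *p = msg; *p != '\0'; ) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=')
            return p + klen + 1;
        p = strchr(p, ';');
        if (p == NULL) break;
        p++;
    }
    return NULL;
}

/* Bug A, as modelled: the password value goes straight into a string routine
 * with no NULL check, the pattern at 10042EC3. Calling this with a message
 * that lacks "pass=" dereferences NULL. Returns the password length. */
static int auth_unchecked(const char *msg) {
    const char *pass = find_field(msg, "pass");
    return (int)strcspn(pass, ";");          /* crashes when pass == NULL */
}

/* Checked version: a missing or empty password is rejected before any
 * string routine touches it. Returns the password length, or -1. */
static int auth_checked(const char *msg) {
    const char *user = find_field(msg, "user");
    const char *pass = find_field(msg, "pass");
    if (user == NULL || pass == NULL) return -1;   /* field missing */
    size_t len = strcspn(pass, ";");
    if (len == 0) return -1;                       /* field present but empty */
    return (int)len;
}

/* Bug B, as modelled from the disassembly: the read loop ends only when the
 * 64-bit "remaining" counter reaches zero, and the decision to read more is
 * a signed comparison. A negative counter skips the read, nothing is
 * subtracted, and the loop spins. The peer is assumed to supply whatever is
 * requested; the idle cap stands in for "forever".
 * Returns 1 if the loop terminates, 0 if it would spin. */
static int read_loop_unchecked(uint64_t size_field) {
    int64_t remaining = (int64_t)size_field;   /* signed view, as in the binary */
    int idle = 0;
    while (remaining != 0) {
        int64_t n = 0;
        if (remaining > 0)                     /* signed comparison */
            n = remaining > RECV_CHUNK ? RECV_CHUNK : remaining;
        remaining -= n;
        if (n == 0 && ++idle > 1000) return 0;
    }
    return 1;
}

/* Checked version: the size is treated as unsigned and bounded before the
 * loop starts, so neither a "negative" nor an oversized value reaches it.
 * Returns 1 when the frame is accepted and fully consumed, 0 when rejected. */
static int read_loop_checked(uint64_t size_field) {
    if (size_field == 0 || size_field > MAX_FRAME) return 0;
    uint64_t remaining = size_field;
    while (remaining != 0) {
        uint64_t n = remaining > RECV_CHUNK ? RECV_CHUNK : remaining;
        remaining -= n;
    }
    return 1;
}

int main(void) {
    printf("checked auth, password present: %d\n", auth_checked("user=a;pass=secret;"));
    printf("checked auth, password missing: %d\n", auth_checked("user=a;"));
    printf("unchecked loop, size field -1: %d\n", read_loop_unchecked(UINT64_MAX));
    printf("checked loop, size field -1:   %d\n", read_loop_checked(UINT64_MAX));
    return 0;
}
```

The two checked functions show the shape of a fix the advisory says the vendor had not shipped: validate presence and non-emptiness of every field a decoder can return NULL for, and validate a length field as an unsigned, bounded quantity before any loop depends on it reaching zero.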


#######################################################################

===========
3) The Code
===========


A]
http://aluigi.org/poc/dpa_1.zip

  dpa_1 SERVER

B]
http://aluigi.org/testz/udpsz.zip

  udpsz -c "18446744073709551615/1/UNB" -T SERVER 3916 -1


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
|References

Source: BUGTRAQ
Name: 20120418 ESA-2012-018: EMC Data Protection Advisor Multiple Vulnerabilities
Link: http://www.securityfocus.com/archive/1/522408/30/0/threaded
Source: EXPLOIT-DB
Name: 18688
Link: http://www.exploit-db.com/exploits/18688/
Source: aluigi.altervista.org
Link: http://aluigi.altervista.org/adv/dpa_1-adv.txt
Source: BID
Name: 53164
Link: http://www.securityfocus.com/bid/53164
Source: NSFOCUS
Name: 19409
Link: http://www.nsfocus.net/vulndb/19409