TippingPoint Digital Vaccine Laboratories

Contact Us

HP OpenView Data Protector Cell Manager Heap Overflow Vulnerability

TPTI-09-15: December 17th, 2009

CVE ID

CVE-2007-2281

Affected Vendors

Hewlett-Packard

Affected Products

OpenView

TippingPoint™ IPS Customer Protection

TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 4730. For further product information on the TippingPoint IPS:

http://www.tippingpoint.com

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard OpenView Data Protector. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the Cell Manager Database Service, rds.exe, which binds to TCP port 1530. The service receives socket data via _ncp32._NtrpTCPReceiveMsg() in the following format:

[0xB6298C23][4-byte size][....][data]

The specified size parameter is subsequently used as the size parameter to the memory allocation routines _rm32.rm_getMem(). Due to a lack of sanity checking, values between 0xFFFFFFF8 and 0xFFFFFFFF result in an integer overflow and therefore an under allocated heap buffer. The following excerpt demonstrates this problem:

10004A57 mov eax, [ebp+arg_0] ; specified size
10004A5A add eax, 8 ; integer overflow
10004A5D push eax
10004A5E call ds:__imp__malloc

The original packet data is later written to the under allocated buffer using a size specifier equal to the number of bytes actually received as the following excerpt from _ncp32._NtrpTCPReceiveMsg() shows:

002F2E77 mov eax, [ebp+received_length]
002F2E7A push eax ; size_t
002F2E7B mov ecx, [ebp+received_data]
002F2E7E push ecx ; src
002F2E7F mov edx, [ebp+allocated_buffer]
002F2E82 mov eax, [edx]
002F2E84 push eax ; dst
002F2E85 call _memcpy

This issue can be exploited to overwrite a specified DWORD of memory and further lead to arbitrary code execution.

Vendor Response

Disclosure Timeline

2006-10-10 - Vulnerability reported to vendor
2009-12-17 - Coordinated public release of advisory

Credit

This vulnerability was discovered by:

Pedram Amini, TippingPoint DVLabs
Anonymous

Published Advisories

TPTI-12-05: Oracle

• published 2012-06-29

TPTI-12-06: Hewlett-Packard

• published 2012-06-29

TPTI-12-04: Samba

• published 2012-06-29

TPTI-12-03: Adobe

• published 2012-04-18

TPTI-12-02: Novell

• published 2012-03-22

Upcoming Advisories

HP

• reported 2013-01-07

HP

• reported 2013-01-07

EMC

• reported 2012-03-14

Novell

• reported 2012-03-14

EMC

• reported 2012-02-22

Blog Entries

Pwn2Own 2013

• 2013-01-17 by Brian Gorenc
• (0 Comments)

2012: Year in Review

• 2013-01-08 by Brian Gorenc
• (0 Comments)

EUSecWest Mobile Pwn2Own 2012 Recap

• 2012-10-05 by Brian Gorenc
• (0 Comments)

Mobile Pwn2Own 2012

• 2012-07-20 by Brian Gorenc
• (0 Comments)

ZDI Update – June 2012

• 2012-06-22 by Assad Khan
• (0 Comments)