TippingPoint Digital Vaccine Laboratories
DID YOU KNOW... DVLabs team members gave 20 presentations throughout 2010. Abstracts and slides are available here.

HP OpenView Data Protector Cell Manager Heap Overflow Vulnerability

TPTI-09-15: December 17th, 2009

CVE ID

Affected Vendors

Affected Products

    OpenView

TippingPoint™ IPS Customer Protection

TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 4730. For further product information on the TippingPoint IPS:

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard OpenView Data Protector. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the Cell Manager Database Service, rds.exe, which binds to TCP port 1530. The service receives socket data via _ncp32._NtrpTCPReceiveMsg() in the following format:

[0xB6298C23][4-byte size][....][data]

The specified size parameter is subsequently used as the size parameter to the memory allocation routines _rm32.rm_getMem(). Due to a lack of sanity checking, values between 0xFFFFFFF8 and 0xFFFFFFFF result in an integer overflow and therefore an under allocated heap buffer. The following excerpt demonstrates this problem:

10004A57 mov eax, [ebp+arg_0] ; specified size
10004A5A add eax, 8 ; integer overflow
10004A5D push eax
10004A5E call ds:__imp__malloc

The original packet data is later written to the under allocated buffer using a size specifier equal to the number of bytes actually received as the following excerpt from _ncp32._NtrpTCPReceiveMsg() shows:

002F2E77 mov eax, [ebp+received_length]
002F2E7A push eax ; size_t
002F2E7B mov ecx, [ebp+received_data]
002F2E7E push ecx ; src
002F2E7F mov edx, [ebp+allocated_buffer]
002F2E82 mov eax, [edx]
002F2E84 push eax ; dst
002F2E85 call _memcpy

This issue can be exploited to overwrite a specified DWORD of memory and further lead to arbitrary code execution.

Vendor Response

Disclosure Timeline

    2006-10-10 - Vulnerability reported to vendor
    2009-12-17 - Coordinated public release of advisory

Credit

This vulnerability was discovered by: