TippingPoint Digital Vaccine Laboratories

HP Data Protector Server Cell Manager Remote Code Execution Vulnerability

TPTI-10-01: January 21st, 2010

CVE ID

Affected Vendors

Affected Products

TippingPoint™ IPS Customer Protection

TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 4786. For further product information on the TippingPoint IPS:

Vulnerability Details

This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Data Protector Server. User interaction is not required to exploit this vulnerability.

The specific flaw exists in the Cell Manager Service, which listens by default on TCP port 1030. The vulnerable function copies arbitrary user-supplied data into a fixed-length stack buffer via a wcscpy() call with no length check. The vulnerable code path is shown below:

crs.exe:
.text:00409B0D case_0x18:
.text:00409B0D lea ecx, [ebp+var_2D28] ; 600 byte stack buffer
.text:00409B13 push ecx
.text:00409B14 call wide_char_copies ; vulnerable function

crs.exe:
.text:0040FC30 wide_char_copies proc near
.text:0040FC30
.text:0040FC30 arg_0 = dword ptr 8
.text:0040FC30
.text:0040FC30 push ebp
.text:0040FC31 mov ebp, esp
.text:0040FC33 call parse_length_specifier
.text:0040FC38 push eax
.text:0040FC39 call ds:_wtoi
.text:0040FC3F add esp, 4
.text:0040FC42 mov ecx, [ebp+arg_0]
.text:0040FC45 mov [ecx], eax
.text:0040FC47 call parse_length_specifier
.text:0040FC4C push eax
.text:0040FC4D call ds:_wtoi
.text:0040FC53 add esp, 4
.text:0040FC56 mov edx, [ebp+arg_0]
.text:0040FC59 mov [edx+4], eax
.text:0040FC5C call parse_length_specifier
.text:0040FC61 push eax
.text:0040FC62 call ds:_wtoi
.text:0040FC68 add esp, 4
.text:0040FC6B mov ecx, [ebp+arg_0]
.text:0040FC6E mov [ecx+8], eax
.text:0040FC71 call parse_length_specifier
.text:0040FC76 push eax
.text:0040FC77 mov edx, [ebp+arg_0]
.text:0040FC7A add edx, 0Ch
.text:0040FC7D push edx
.text:0040FC7E call ds:wcscpy
.text:0040FC84 add esp, 8
.text:0040FC87 call parse_length_specifier
.text:0040FC8C push eax ; attacker's buffer
.text:0040FC8D mov eax, [ebp+arg_0] ; 600 byte stack buffer
.text:0040FC90 add eax, 4Eh
.text:0040FC93 push eax ; dest
.text:0040FC94 call ds:wcscpy ; overflow

In order to reach the second wcscpy() call, the buffer must contain opcode 0x18 and valid numbers represented in wide-character format to pass the preceding calls to _wtoi().
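The following C program is an added illustration of the defect class the disassembly shows (an unbounded wcscpy() into a fixed-size field of a stack record) beside the bounded copy that a fix of this kind needs. It is not code from the advisory, from HP, or from crs.exe: the record layout, field size and function names are assumptions chosen for illustration, and the unchecked variant is kept only so the two forms can be compared side by side.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Assumed layout, loosely modelled on the advisory's disassembly: a few
 * parsed integers followed by a fixed-size wide-string field. The real
 * crs.exe record is not published; FIELD_WCHARS is a placeholder size. */
#define FIELD_WCHARS 64

struct record {
    int lengths[3];
    wchar_t name[FIELD_WCHARS];
};

/* The pattern the advisory describes: wcscpy() copies until it finds a
 * terminator, so a source longer than the field writes past it and into
 * whatever follows on the stack. Nothing here bounds the copy. */
void copy_unchecked(struct record *r, const wchar_t *src)
{
    wcscpy(r->name, src);
}

/* Hardened form: measure the source without reading past the capacity,
 * refuse anything that does not fit together with its terminator, and
 * fail closed on a NULL source. The field is left untouched on refusal. */
bool copy_bounded(struct record *r, const wchar_t *src)
{
    if (r == NULL || src == NULL)
        return false;

    size_t n = 0;
    while (n < FIELD_WCHARS && src[n] != L'\0')
        n++;
    if (n == FIELD_WCHARS)   /* no terminator inside the capacity */
        return false;

    wmemcpy(r->name, src, n + 1);   /* n characters plus the terminator */
    return true;
}

/* Constructed benign input: short enough to fit, so both copies behave. */
bool check_short_input(void)
{
    struct record r = {0};
    return copy_bounded(&r, L"cell-manager") &&
           wcscmp(r.name, L"cell-manager") == 0;
}

/* Constructed oversized input: twice the field size. The bounded copy
 * must refuse it and must not have written a single character. */
bool check_oversized_input(void)
{
    struct record r = {0};
    wchar_t big[FIELD_WCHARS * 2];
    for (size_t i = 0; i < FIELD_WCHARS * 2 - 1; i++)
        big[i] = L'A';
    big[FIELD_WCHARS * 2 - 1] = L'\0';
    return !copy_bounded(&r, big) && r.name[0] == L'\0';
}

/* Boundary case: exactly FIELD_WCHARS - 1 characters is the longest
 * string that fits with its terminator; one more is rejected. */
bool check_boundary(void)
{
    struct record r = {0};
    wchar_t edge[FIELD_WCHARS + 1];
    for (size_t i = 0; i < FIELD_WCHARS; i++)
        edge[i] = L'B';
    edge[FIELD_WCHARS] = L'\0';            /* FIELD_WCHARS chars: too long */
    bool rejected = !copy_bounded(&r, edge);
    edge[FIELD_WCHARS - 1] = L'\0';        /* FIELD_WCHARS - 1 chars: fits */
    bool accepted = copy_bounded(&r, edge) && r.name[FIELD_WCHARS - 2] == L'B';
    return rejected && accepted;
}

int main(void)
{
    printf("short input accepted:    %s\n", check_short_input() ? "yes" : "no");
    printf("oversized input refused: %s\n", check_oversized_input() ? "yes" : "no");
    printf("boundary handled:        %s\n", check_boundary() ? "yes" : "no");
    return 0;
}
```

The point of the bounded variant is that the length is measured against the destination's capacity before any byte is written, which is the check the wcscpy() at 0x0040FC94 lacks; the same shape applies whether the capacity is a compile-time constant, as here, or a size carried alongside the buffer.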

Vendor Response

Hewlett-Packard has issued an update to correct this vulnerability. More details can be found at:

Disclosure Timeline

    2007-07-09 - Vulnerability reported to vendor
    2010-01-21 - Coordinated public release of advisory

Credit

This vulnerability was discovered by: