exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

IRM-tibcodos.txt

IRM-tibcodos.txt
Posted Nov 30, 2007
Authored by Varun Uppal, Andy Davis - IRMPLC | Site irmplc.com

The TIBCO Rendezvous RVD daemon is vulnerable to a memory leak, which when remotely triggered, prevents any further RV communication until the daemon is manually restarted.

tags | advisory, denial of service, memory leak
SHA-256 | 9b47c3f0d8d8d8e825a8e2b220b2e9cd6cf11eac58883b543d58a90bfff9de2b

IRM-tibcodos.txt

Change Mirror Download
--------------------------------------------------------
IRM Security Advisory 025

TIBCO Rendezvous RVD Daemon Remote Memory Leak DoS

Vulnerability Type / Importance: Remote DoS / High

Problem Discovered: 16 April 2007
Vendor Contacted: 16 April 2007
Advisory Published: 29 November 2007
--------------------------------------------------------
http://www.irmplc.com/index.php/160-Advisory-025
--------------------------------------------------------

Abstract:

The TIBCO Rendezvous RVD daemon is vulnerable to a memory leak, which
when remotely triggered, prevents any further RV communication until the
daemon is manually restarted.

Description:

The RV daemon (RVD) within TIBCO's Rendezvous messaging product is
responsible for the communication of messages between RV-enabled
applications. The vulnerability exists as the result of an error in the
code that parses information within one of the headers in a TIBCO
proprietary network protocol packet.

Technical Details:

Within a Rendezvous "wire format" TCP packet, the first four bytes
represent the number of bytes of data to expect within the packet, for
example:

"\x00\x00\x00\x7c" //total length of data in packet
"\x99\x55\xee\xaa" // "magic" number
"\x06" // number of following bytes including null
"\x6d\x74\x79\x70\x65\x00" //the text "mtype"
...etc

In the above example the number of data bytes in the packet is "0x7c",
or 124 bytes. If this value is set to zero in a packet sent to the RVD
daemon then it stops responding to all subsequent communication. This
appears to result from a memory leak, which continues to attempt to
allocate memory. Eventually, operating system alert messages start to
appear, warning that the virtual memory in the underlying operating
system is running low.

Vendor & Patch Information:

TIBCO have fixed this issue in Rendezvous 8.0. The issue is documented
as being fixed in the release notes as follows:

1-84MR37 - Fixed a daemon memory growth defect associated with messages
of length zero

Workaround:

There are no known workarounds for this vulnerability

Tested/Affected Versions:

IRM confirmed the presence of this vulnerability in Rendezvous versions
7.5.2, 7.5.3 and 7.5.4

Credits:

Research & Advisory: Varun Uppal and Andy Davis

About IRM:

Information Risk Management Plc (IRM) is a vendor independent
information risk consultancy, founded in 1998. IRM has become a leader
in client side risk assessment, technical level auditing and in the
research and development of security vulnerabilities and tools. IRM is
headquartered in London with Technical Centres in Europe and Asia as
well as Regional Offices in the Far East and North America. Please visit
our website at www.irmplc.com for further information.

Disclaimer:

All information in this advisory is provided on an 'as is' basis in the
hope that it will be useful. Information Risk Management Plc is not
responsible for any risks or occurrences caused by the application of
this information.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close