HP OpenView Data Protector Cell Manager Heap Overflow

Posted Dec 21, 2009
Authored by Pedram Amini | Site dvlabs.tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard OpenView Data Protector. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Cell Manager Database Service, rds.exe, which binds to TCP port 1530.

tags | advisory, remote, arbitrary, tcp
advisories | CVE-2007-2281
SHA-256 | b35ddf22dfed2acfe23b890459bbb716db5b8a870f760c3daf55fac1b650ebad

TPTI-09-15: HP OpenView Data Protector Cell Manager Heap Overflow Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-09-15
December 17, 2009

-- CVE ID:
CVE-2007-2281

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard OpenView

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 4730.
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Hewlett-Packard OpenView Data Protector.
Authentication is not required to exploit this vulnerability.

The specific flaw exists within the Cell Manager Database Service,
rds.exe, which binds to TCP port 1530. The service receives socket data
via _ncp32._NtrpTCPReceiveMsg() in the following format:

[0xB6298C23][4-byte size][....][data]

The specified size parameter is subsequently used as the size parameter
to the memory allocation routine _rm32.rm_getMem(). Due to a lack of
sanity checking, values between 0xFFFFFFF8 and 0xFFFFFFFF result in an
integer overflow and therefore an under-allocated heap buffer. The
following excerpt demonstrates this problem:

10004A57 mov eax, [ebp+arg_0] ; specified size
10004A5A add eax, 8 ; integer overflow
10004A5D push eax
10004A5E call ds:__imp__malloc

The original packet data is later written to the under-allocated buffer
using a size specifier equal to the number of bytes actually received, as
the following excerpt from _ncp32._NtrpTCPReceiveMsg() shows:

002F2E77 mov eax, [ebp+received_length]
002F2E7A push eax ; size_t
002F2E7B mov ecx, [ebp+received_data]
002F2E7E push ecx ; src
002F2E7F mov edx, [ebp+allocated_buffer]
002F2E82 mov eax, [edx]
002F2E84 push eax ; dst
002F2E85 call _memcpy

This issue can be exploited to overwrite a specified DWORD of memory and
further lead to arbitrary code execution.
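The two checks the excerpts above lack, as an added C example that is not part of this advisory or of the vendor's code: the unchecked "size + 8" arithmetic beside a checked version, and a receive path that also bounds the memcpy length by the allocation. MAX_MSG_SIZE, the function names and the status codes are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define HEADER_OVERHEAD 8u      /* the "add eax, 8" in the excerpt */
#define MAX_MSG_SIZE (1u << 20) /* assumed policy cap; not taken from the advisory */

enum recv_status { RECV_OK = 0, RECV_ERR_SIZE = 1, RECV_ERR_LENGTH = 2, RECV_ERR_ALLOC = 3 };

/* Same arithmetic as the vulnerable excerpt: size + 8 with no check.
 * Inputs 0xFFFFFFF8..0xFFFFFFFF wrap to 0..7, so malloc() gets a tiny request. */
uint32_t wrapped_alloc_size(uint32_t size)
{
    return size + HEADER_OVERHEAD; /* unsigned wrap-around on 32 bits */
}

/* Hardened form: reject any size whose padded value would wrap or exceed policy. */
bool checked_alloc_size(uint32_t size, uint32_t *out)
{
    if (size > UINT32_MAX - HEADER_OVERHEAD) /* size + 8 would overflow */
        return false;
    if (size > MAX_MSG_SIZE)                 /* defence in depth: cap allocations */
        return false;
    *out = size + HEADER_OVERHEAD;
    return true;
}

/* Allocate from the peer-supplied size field, then copy only if the bytes
 * actually received fit the buffer; this closes both gaps in the excerpts. */
enum recv_status safe_receive_copy(uint32_t declared_size, const uint8_t *data,
                                   size_t received_len, uint8_t **out)
{
    uint32_t alloc_len;
    *out = NULL;
    if (!checked_alloc_size(declared_size, &alloc_len))
        return RECV_ERR_SIZE;
    if (received_len > alloc_len) /* memcpy length must never exceed the allocation */
        return RECV_ERR_LENGTH;
    uint8_t *buf = calloc(alloc_len, 1);
    if (buf == NULL)
        return RECV_ERR_ALLOC;
    memcpy(buf, data, received_len);
    *out = buf;
    return RECV_OK;
}
```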

-- Vendor Response:


-- Disclosure Timeline:
2006-10-10 - Vulnerability reported to vendor
2009-12-17 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Pedram Amini, TippingPoint DVLabs
* Anonymous