EMC NetWorker <= 7.6 sp3 Denial of Service



EKU-ID: 1671 CVE: OSVDB-ID:
Author: Luigi Auriemma Published: 2012-03-15 Verified: Verified

#######################################################################
                             Luigi Auriemma
Application:  EMC NetWorker (Legato)
              http://www.emc.com/backup-and-recovery/networker/networker.htm
Versions:     <= 7.6 sp3 (7.6.3.2 Build 860)
Platforms:    AIX, HP-UX, Linux, Solaris, Windows
Bug:          invalid read access
Exploitation: remote
Date:         14 Mar 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
From vendor's homepage:
"EMC NetWorker backup and recovery software centralizes, automates, and
accelerates data backup and recovery across your IT environment.
NetWorker delivers record-breaking performance and a wide range of data
protection options to safeguard your critical business data."
#######################################################################
======
2) Bug
======
nsrexecd is a service listening on some default ports (like 111, 7937
and 7938) plus another couple of random ones usually over port 8000.
Through a malformed RPC packet sent to one of these random ports it's
possible to crash the service due to the hash calculation performed
over an arbitrary amount of data.
From librpc.dll:
  0038B3CF   8B4424 3C        MOV EAX,DWORD PTR SS:[ESP+3C]     ; my_size
  0038B3D3   8B6D 00          MOV EBP,DWORD PTR SS:[EBP]
  0038B3D6   2BF0             SUB ESI,EAX
  0038B3D8   897424 38        MOV DWORD PTR SS:[ESP+38],ESI
  0038B3DC   8B33             MOV ESI,DWORD PTR DS:[EBX]        ; size
  0038B3DE   8B9C24 90000000  MOV EBX,DWORD PTR SS:[ESP+90]
  0038B3E5   2BF0             SUB ESI,EAX                       ; size - my_size
  0038B3E7   8B43 10          MOV EAX,DWORD PTR DS:[EBX+10]
  0038B3EA   50               PUSH EAX
  0038B3EB   8D4C24 3C        LEA ECX,DWORD PTR SS:[ESP+3C]
  0038B3EF   51               PUSH ECX
  0038B3F0   8D5424 48        LEA EDX,DWORD PTR SS:[ESP+48]
  0038B3F4   52               PUSH EDX
  0038B3F5   2BF7             SUB ESI,EDI
  0038B3F7   53               PUSH EBX
  0038B3F8   897424 54        MOV DWORD PTR SS:[ESP+54],ESI     ; the new size
  0038B3FC   896C24 50        MOV DWORD PTR SS:[ESP+50],EBP
  ...
  0038AFC5   8D4C24 0C        LEA ECX,DWORD PTR SS:[ESP+C]
  0038AFC9   51               PUSH ECX
  0038AFCA   8B4C24 1C        MOV ECX,DWORD PTR SS:[ESP+1C]
  0038AFCE   8D5424 0C        LEA EDX,DWORD PTR SS:[ESP+C]
  0038AFD2   52               PUSH EDX
  0038AFD3   8B51 04          MOV EDX,DWORD PTR DS:[ECX+4]      ; new size
  0038AFD6   8B09             MOV ECX,DWORD PTR DS:[ECX]
  0038AFD8   52               PUSH EDX
  0038AFD9   8B5424 2C        MOV EDX,DWORD PTR SS:[ESP+2C]
  0038AFDD   51               PUSH ECX
  0038AFDE   8B48 20          MOV ECX,DWORD PTR DS:[EAX+20]
  0038AFE1   52               PUSH EDX
  0038AFE2   8B50 1C          MOV EDX,DWORD PTR DS:[EAX+1C]
  0038AFE5   51               PUSH ECX
  0038AFE6   52               PUSH EDX
  0038AFE7   E8 04E3FFFF      CALL LIBRPC.cryptoiface_get_hmac  ; hash crash
Note: after the crash it's necessary to also restart the other services
so that the situation can return to normal and the bug can be tested
again.
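
Added example (not part of the original advisory and not EMC's code): a C model of the length arithmetic annotated in the disassembly above, with the unchecked form beside a validated one. The function names, the `consumed` operand (standing in for the unlabelled EDI value) and the sample values are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked form, modelling the annotated arithmetic:
 * new_size = size - my_size - consumed, 32-bit, no validation. */
static uint32_t hmac_len_unchecked(uint32_t size, uint32_t my_size,
                                   uint32_t consumed)
{
    return size - my_size - consumed;   /* wraps modulo 2^32 on underflow */
}

/* Hardened form: returns 0 and sets *out only when every operand is
 * consistent with the number of bytes actually received. */
static int hmac_len_checked(uint32_t size, uint32_t my_size,
                            uint32_t consumed, size_t received,
                            uint32_t *out)
{
    if (size > received)           return -1; /* declared size exceeds buffer */
    if (my_size > size)            return -1; /* first subtraction would wrap */
    if (consumed > size - my_size) return -1; /* second subtraction would wrap */
    *out = size - my_size - consumed;
    return 0;
}

int main(void)
{
    /* Constructed sample values: a packet declaring size=16 while the
     * parser expects my_size=32 plus 4 bytes already consumed. */
    uint32_t out = 0;
    uint32_t bad = hmac_len_unchecked(16, 32, 4);
    printf("unchecked length: 0x%08X (%u bytes handed to the HMAC)\n",
           (unsigned)bad, (unsigned)bad);

    if (hmac_len_checked(16, 32, 4, 64, &out) != 0)
        printf("checked: malformed packet rejected before hashing\n");

    if (hmac_len_checked(64, 32, 4, 64, &out) == 0)
        printf("checked: well-formed packet, HMAC over %u bytes\n",
               (unsigned)out);
    return 0;
}
```

In the unchecked form the wrapped result is close to 4 GB, so a hash routine given that length reads far past the received buffer, which matches the invalid read access reported here.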
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/nsrexecd_1.dat
http://www.exploit-db.com/sploits/18601.dat
  nc SERVER PORT < nsrexecd_1.dat
It's enough to scan all the ports from 8000 to 10000 to catch the
correct one automatically.
#######################################################################
======
4) Fix
======
No fix.
#######################################################################