Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22981
HistoryDec 21, 2009 - 12:00 a.m.

TPTI-09-15: HP OpenView Data Protector Cell Manager Heap Overflow Vulnerability

2009-12-2100:00:00
vulners.com
19
JSON

TPTI-09-15: HP OpenView Data Protector Cell Manager Heap Overflow Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-09-15
December 17, 2009

– CVE ID:
CVE-2007-2281

– Affected Vendors:
Hewlett-Packard

– Affected Products:
Hewlett-Packard OpenView

– TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 4730.
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

– Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Hewlett-Packard OpenView Data Protector.
Authentication is not required to exploit this vulnerability.

The specific flaw exists within the Cell Manager Database Service,
rds.exe, which binds to TCP port 1530. The service receives socket data
via _ncp32._NtrpTCPReceiveMsg() in the following format:

[0xB6298C23][4-byte size][....][data]

The specified size parameter is subsequently used as the size parameter
to the memory allocation routines _rm32.rm_getMem(). Due to a lack of
sanity checking, values between 0xFFFFFFF8 and 0xFFFFFFFF result in an
integer overflow and therefore an under allocated heap buffer. The
following excerpt demonstrates this problem:

10004A57 mov eax, [ebp+arg_0]   ; specified size
10004A5A add eax, 8             ; integer overflow
10004A5D push eax
10004A5E call ds:__imp__malloc

The original packet data is later written to the under allocated buffer
using a size specifier equal to the number of bytes actually received as
the following excerpt from _ncp32._NtrpTCPReceiveMsg() shows:

002F2E77 mov eax, [ebp+received_length]
002F2E7A push eax                        ; size_t
002F2E7B mov ecx, [ebp+received_data]
002F2E7E push ecx                        ; src
002F2E7F mov edx, [ebp+allocated_buffer]
002F2E82 mov eax, [edx]
002F2E84 push eax                        ; dst
002F2E85 call _memcpy

This issue can be exploited to overwrite a specified DWORD of memory and
further lead to arbitrary code execution.

– Vendor Response:

– Disclosure Timeline:
2006-10-10 - Vulnerability reported to vendor
2009-12-17 - Coordinated public release of advisory

– Credit:
This vulnerability was discovered by:
* Pedram Amini, TippingPoint DVLabs
* Anonymous

Related

seebug 1
cve 1
checkpoint_advisories 2
prion 1
securityvulns 2
nessus 8
seebug
seebug
HP OpenView Storage Data Protector rds.exeζœεŠ‘ε †ζΊ’ε‡ΊζΌζ΄ž
2009-12-20 00:00:00
cve
cve
CVE-2007-2281
2009-12-18 19:30:00
checkpoint_advisories
checkpoint_advisories
HP OpenView Storage Data Protector Cell Manager Heap Buffer Overflow (CVE-2007-2281)
2010-05-10 00:00:00
Update Protection against HP OpenView Storage Data Protector Cell Manager Heap Buffer Overflow
2010-06-24 00:00:00
prion
prion
Integer overflow
2009-12-18 19:30:00
securityvulns
securityvulns
HP OpenView Storage Data Protector code execution
2009-12-21 00:00:00
[security bulletin] HPSBMA02252 SSRT061258, SSRT061259 rev.1 - HP OpenView Storage Data Protector, Remote Arbitrary Code Execution
2009-12-17 00:00:00
nessus
nessus
HP-UX PHSS_36588 : s700_800 11.X OV DP6.00 PA-RISC patch - CS packet
2009-12-14 00:00:00
HP-UX PHSS_36800 : s700_800 11.23 OV DP5.50 IA-64 patch - CS packet
2009-12-14 00:00:00
HP-UX PHSS_37383 : s700_800 11.23 OV DP5.50 IA-64 patch - CORE packet
2009-12-14 00:00:00
JSON
Related for SECURITYVULNS:DOC:22981
seebug1cve1checkpoint_advisories2prion1securityvulns2nessus8