CVE-2007-2281 - Numeric Errors vulnerability in HP OpenView Storage Data Protector 5.50/6.0
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | COMPLETE |
Integrity impact | COMPLETE |
Availability impact | COMPLETE |
Summary
Integer overflow in the _ncp32._NtrpTCPReceiveMsg function in rds.exe in the Cell Manager Database Service in the Application Recovery Manager component in HP OpenView Storage Data Protector 5.50 and 6.0 allows remote attackers to execute arbitrary code via a large value in the size parameter.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 2 |
Common Weakness Enumeration (CWE)
Nessus
NASL family | HP-UX Local Security Checks |
NASL id | HPUX_PHSS_36799.NASL |
description | s700_800 11.X OV DP5.50 PA RISC patch - CS packet : The remote HP-UX host is affected by multiple vulnerabilities : - Potential security vulnerabilities have been identified with HP OpenView Storage Data Protector running on HP-UX, Windows, Linux and Solaris. These vulnerabilities could be exploited remotely to execute arbitrary code. (HPSBMA02252 SSRT061258, SSRT061259) - A potential security vulnerability has been identified with OpenView Data Protector Application Recovery Manager version 5.5 and 6.0. The vulnerability could be exploited remotely to create a denial of service (DoS). (HPSBMA02481 SSRT090113) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 43138 |
published | 2009-12-14 |
reporter | This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/43138 |
title | HP-UX PHSS_36799 : s700_800 11.X OV DP5.50 PA RISC patch - CS packet |

code

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and patch checks in this plugin were
# extracted from HP patch PHSS_36799. The text itself is
# copyright (C) Hewlett-Packard Development Company, L.P.
#

include("compat.inc");

if (description)
{
  script_id(43138);
  script_version("1.16");
  script_cvs_date("Date: 2018/07/12 19:01:15");

  script_cve_id("CVE-2007-2280", "CVE-2007-2281", "CVE-2009-3844");
  script_xref(name:"TRA", value:"TRA-2009-04");
  script_xref(name:"HP", value:"emr_na-c01124817");
  script_xref(name:"HP", value:"emr_na-c01943909");
  script_xref(name:"HP", value:"SSRT061258");
  script_xref(name:"HP", value:"SSRT061259");
  script_xref(name:"HP", value:"SSRT090113");

  script_name(english:"HP-UX PHSS_36799 : s700_800 11.X OV DP5.50 PA RISC patch - CS packet");
  script_summary(english:"Checks for the patch in the swlist output");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote HP-UX host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description",
    value:
"s700_800 11.X OV DP5.50 PA RISC patch - CS packet : The remote HP-UX host is affected by multiple vulnerabilities : - Potential security vulnerabilities have been identified with HP OpenView Storage Data Protector running on HP-UX, Windows, Linux and Solaris. These vulnerabilities could be exploited remotely to execute arbitrary code. (HPSBMA02252 SSRT061258, SSRT061259) - A potential security vulnerability has been identified with OpenView Data Protector Application Recovery Manager version 5.5 and 6.0. The vulnerability could be exploited remotely to create a denial of service (DoS). (HPSBMA02481 SSRT090113)"
  );
  script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2009-04");
  # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01124817
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?5bd45cd2"
  );
  # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01943909
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?0a593fc9"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Install patch PHSS_36799 or subsequent."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'HP OmniInet.exe MSG_PROTOCOL Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'White_Phosphorus');
  script_cwe_id(119, 189);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:hp:hp-ux");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/12/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/12/14");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
  script_family(english:"HP-UX Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/HP-UX/version", "Host/HP-UX/swlist");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("hpux.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/HP-UX/version")) audit(AUDIT_OS_NOT, "HP-UX");
if (!get_kb_item("Host/HP-UX/swlist")) audit(AUDIT_PACKAGE_LIST_MISSING);

if (!hpux_check_ctx(ctx:"11.00 11.11 11.23", proc:"parisc"))
{
  exit(0, "The host is not affected since PHSS_36799 applies to a different OS release / architecture.");
}

patches = make_list("PHSS_36799", "PHSS_37827", "PHSS_38726");
foreach patch (patches)
{
  if (hpux_installed(app:patch))
  {
    exit(0, "The host is not affected because patch "+patch+" is installed.");
  }
}

flag = 0;
if (hpux_check_patch(app:"DATA-PROTECTOR.OMNI-CS", version:"A.05.50")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```

NASL family | HP-UX Local Security Checks |
NASL id | HPUX_PHSS_36589.NASL |
description | s700_800 11.X OV DP6.00 IA-64 patch - CS packet : The remote HP-UX host is affected by multiple vulnerabilities : - A potential security vulnerability has been identified with OpenView Data Protector Application Recovery Manager version 5.5 and 6.0. The vulnerability could be exploited remotely to create a denial of service (DoS). (HPSBMA02481 SSRT090113) - Potential security vulnerabilities have been identified with HP OpenView Storage Data Protector running on HP-UX, Windows, Linux and Solaris. These vulnerabilities could be exploited remotely to execute arbitrary code. (HPSBMA02252 SSRT061258, SSRT061259) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 43135 |
published | 2009-12-14 |
reporter | This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/43135 |
title | HP-UX PHSS_36589 : s700_800 11.X OV DP6.00 IA-64 patch - CS packet |

code

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and patch checks in this plugin were
# extracted from HP patch PHSS_36589. The text itself is
# copyright (C) Hewlett-Packard Development Company, L.P.
#

include("compat.inc");

if (description)
{
  script_id(43135);
  script_version("1.20");
  script_cvs_date("Date: 2018/07/12 19:01:15");

  script_cve_id("CVE-2007-2280", "CVE-2007-2281", "CVE-2009-3844");
  script_xref(name:"TRA", value:"TRA-2009-04");
  script_xref(name:"HP", value:"emr_na-c01124817");
  script_xref(name:"HP", value:"emr_na-c01943909");
  script_xref(name:"HP", value:"SSRT061258");
  script_xref(name:"HP", value:"SSRT061259");
  script_xref(name:"HP", value:"SSRT090113");

  script_name(english:"HP-UX PHSS_36589 : s700_800 11.X OV DP6.00 IA-64 patch - CS packet");
  script_summary(english:"Checks for the patch in the swlist output");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote HP-UX host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description",
    value:
"s700_800 11.X OV DP6.00 IA-64 patch - CS packet : The remote HP-UX host is affected by multiple vulnerabilities : - A potential security vulnerability has been identified with OpenView Data Protector Application Recovery Manager version 5.5 and 6.0. The vulnerability could be exploited remotely to create a denial of service (DoS). (HPSBMA02481 SSRT090113) - Potential security vulnerabilities have been identified with HP OpenView Storage Data Protector running on HP-UX, Windows, Linux and Solaris. These vulnerabilities could be exploited remotely to execute arbitrary code. (HPSBMA02252 SSRT061258, SSRT061259)"
  );
  script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2009-04");
  # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01124817
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?5bd45cd2"
  );
  # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01943909
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?0a593fc9"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Install patch PHSS_36589 or subsequent."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'HP OmniInet.exe MSG_PROTOCOL Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'White_Phosphorus');
  script_cwe_id(119, 189);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:hp:hp-ux");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/12/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/12/14");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
  script_family(english:"HP-UX Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/HP-UX/version", "Host/HP-UX/swlist");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("hpux.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/HP-UX/version")) audit(AUDIT_OS_NOT, "HP-UX");
if (!get_kb_item("Host/HP-UX/swlist")) audit(AUDIT_PACKAGE_LIST_MISSING);

if (!hpux_check_ctx(ctx:"11.23 11.31", proc:"ia64"))
{
  exit(0, "The host is not affected since PHSS_36589 applies to a different OS release / architecture.");
}

patches = make_list("PHSS_36589", "PHSS_37302", "PHSS_37821", "PHSS_38405", "PHSS_39106", "PHSS_39794", "PHSS_40171", "PHSS_40567", "PHSS_41264", "PHSS_41869");
foreach patch (patches)
{
  if (hpux_installed(app:patch))
  {
    exit(0, "The host is not affected because patch "+patch+" is installed.");
  }
}

flag = 0;
if (hpux_check_patch(app:"DATA-PROTECTOR.OMNI-CS", version:"A.06.00")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```

NASL family | HP-UX Local Security Checks |
NASL id | HPUX_PHSS_37383.NASL |
description | s700_800 11.23 OV DP5.50 IA-64 patch - CORE packet : The remote HP-UX host is affected by multiple vulnerabilities : - A potential security vulnerability has been identified with OpenView Data Protector Application Recovery Manager version 5.5 and 6.0. The vulnerability could be exploited remotely to create a denial of service (DoS). (HPSBMA02481 SSRT090113) - Potential security vulnerabilities have been identified with HP OpenView Storage Data Protector running on HP-UX, Windows, Linux and Solaris. These vulnerabilities could be exploited remotely to execute arbitrary code. (HPSBMA02252 SSRT061258, SSRT061259) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 43141 |
published | 2009-12-14 |
reporter | This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/43141 |
title | HP-UX PHSS_37383 : s700_800 11.23 OV DP5.50 IA-64 patch - CORE packet |

code

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and patch checks in this plugin were
# extracted from HP patch PHSS_37383. The text itself is
# copyright (C) Hewlett-Packard Development Company, L.P.
#

include("compat.inc");

if (description)
{
  script_id(43141);
  script_version("1.18");
  script_cvs_date("Date: 2018/07/12 19:01:15");

  script_cve_id("CVE-2007-2280", "CVE-2007-2281", "CVE-2009-3844");
  script_xref(name:"TRA", value:"TRA-2009-04");
  script_xref(name:"HP", value:"emr_na-c01124817");
  script_xref(name:"HP", value:"emr_na-c01943909");
  script_xref(name:"HP", value:"SSRT061258");
  script_xref(name:"HP", value:"SSRT061259");
  script_xref(name:"HP", value:"SSRT090113");

  script_name(english:"HP-UX PHSS_37383 : s700_800 11.23 OV DP5.50 IA-64 patch - CORE packet");
  script_summary(english:"Checks for the patch in the swlist output");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote HP-UX host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description",
    value:
"s700_800 11.23 OV DP5.50 IA-64 patch - CORE packet : The remote HP-UX host is affected by multiple vulnerabilities : - A potential security vulnerability has been identified with OpenView Data Protector Application Recovery Manager version 5.5 and 6.0. The vulnerability could be exploited remotely to create a denial of service (DoS). (HPSBMA02481 SSRT090113) - Potential security vulnerabilities have been identified with HP OpenView Storage Data Protector running on HP-UX, Windows, Linux and Solaris. These vulnerabilities could be exploited remotely to execute arbitrary code. (HPSBMA02252 SSRT061258, SSRT061259)"
  );
  script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2009-04");
  # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01124817
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?5bd45cd2"
  );
  # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01943909
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?0a593fc9"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Install patch PHSS_37383 or subsequent."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'HP OmniInet.exe MSG_PROTOCOL Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'White_Phosphorus');
  script_cwe_id(119, 189);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:hp:hp-ux");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/12/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/12/14");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
  script_family(english:"HP-UX Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/HP-UX/version", "Host/HP-UX/swlist");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("hpux.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/HP-UX/version")) audit(AUDIT_OS_NOT, "HP-UX");
if (!get_kb_item("Host/HP-UX/swlist")) audit(AUDIT_PACKAGE_LIST_MISSING);

if (!hpux_check_ctx(ctx:"11.23", proc:"ia64"))
{
  exit(0, "The host is not affected since PHSS_37383 applies to a different OS release / architecture.");
}

patches = make_list("PHSS_37383", "PHSS_38723");
foreach patch (patches)
{
  if (hpux_installed(app:patch))
  {
    exit(0, "The host is not affected because patch "+patch+" is installed.");
  }
}

flag = 0;
if (hpux_check_patch(app:"DATA-PROTECTOR.OMNI-CORE-IS", version:"A.05.50")) flag++;
if (hpux_check_patch(app:"DATA-PROTECTOR.OMNI-FRA-LS-P", version:"A.05.50")) flag++;
if (hpux_check_patch(app:"DATA-PROTECTOR.OMNI-INTEG-P", version:"A.05.50")) flag++;
if (hpux_check_patch(app:"DATA-PROTECTOR.OMNI-JPN-LS-P", version:"A.05.50")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```

NASL family | HP-UX Local Security Checks |
NASL id | HPUX_PHSS_36622.NASL |
description | s700_800 11.X OV DP6.00 PA-RISC patch - CORE packet : The remote HP-UX host is affected by multiple vulnerabilities : - A potential security vulnerability has been identified with OpenView Data Protector Application Recovery Manager version 5.5 and 6.0. The vulnerability could be exploited remotely to create a denial of service (DoS). (HPSBMA02481 SSRT090113) - Potential security vulnerabilities have been identified with HP OpenView Storage Data Protector running on HP-UX, Windows, Linux and Solaris. These vulnerabilities could be exploited remotely to execute arbitrary code. (HPSBMA02252 SSRT061258, SSRT061259) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 43136 |
published | 2009-12-14 |
reporter | This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/43136 |
title | HP-UX PHSS_36622 : s700_800 11.X OV DP6.00 PA-RISC patch - CORE packet |

NASL family | HP-UX Local Security Checks |
NASL id | HPUX_PHSS_36588.NASL |
description | s700_800 11.X OV DP6.00 PA-RISC patch - CS packet : The remote HP-UX host is affected by multiple vulnerabilities : - Potential security vulnerabilities have been identified with HP OpenView Storage Data Protector running on HP-UX, Windows, Linux and Solaris. These vulnerabilities could be exploited remotely to execute arbitrary code. (HPSBMA02252 SSRT061258, SSRT061259) - A potential security vulnerability has been identified with OpenView Data Protector Application Recovery Manager version 5.5 and 6.0. The vulnerability could be exploited remotely to create a denial of service (DoS). (HPSBMA02481 SSRT090113) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 43134 |
published | 2009-12-14 |
reporter | This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/43134 |
title | HP-UX PHSS_36588 : s700_800 11.X OV DP6.00 PA-RISC patch - CS packet |

NASL family | HP-UX Local Security Checks |
NASL id | HPUX_PHSS_37382.NASL |
description | s700_800 11.X OV DP5.50 PA-RISC patch - CORE packet : The remote HP-UX host is affected by multiple vulnerabilities : - Potential security vulnerabilities have been identified with HP OpenView Storage Data Protector running on HP-UX, Windows, Linux and Solaris. These vulnerabilities could be exploited remotely to execute arbitrary code. (HPSBMA02252 SSRT061258, SSRT061259) - A potential security vulnerability has been identified with OpenView Data Protector Application Recovery Manager version 5.5 and 6.0. The vulnerability could be exploited remotely to create a denial of service (DoS). (HPSBMA02481 SSRT090113) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 43140 |
published | 2009-12-14 |
reporter | This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/43140 |
title | HP-UX PHSS_37382 : s700_800 11.X OV DP5.50 PA-RISC patch - CORE packet |

NASL family | HP-UX Local Security Checks |
NASL id | HPUX_PHSS_36800.NASL |
description | s700_800 11.23 OV DP5.50 IA-64 patch - CS packet : The remote HP-UX host is affected by multiple vulnerabilities : - Potential security vulnerabilities have been identified with HP OpenView Storage Data Protector running on HP-UX, Windows, Linux and Solaris. These vulnerabilities could be exploited remotely to execute arbitrary code. (HPSBMA02252 SSRT061258, SSRT061259) - A potential security vulnerability has been identified with OpenView Data Protector Application Recovery Manager version 5.5 and 6.0. The vulnerability could be exploited remotely to create a denial of service (DoS). (HPSBMA02481 SSRT090113) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 43139 |
published | 2009-12-14 |
reporter | This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/43139 |
title | HP-UX PHSS_36800 : s700_800 11.23 OV DP5.50 IA-64 patch - CS packet |

NASL family | HP-UX Local Security Checks |
NASL id | HPUX_PHSS_36623.NASL |
description | s700_800 11.X OV DP6.00 IA-64 patch - CORE packet : The remote HP-UX host is affected by multiple vulnerabilities : - A potential security vulnerability has been identified with OpenView Data Protector Application Recovery Manager version 5.5 and 6.0. The vulnerability could be exploited remotely to create a denial of service (DoS). (HPSBMA02481 SSRT090113) - Potential security vulnerabilities have been identified with HP OpenView Storage Data Protector running on HP-UX, Windows, Linux and Solaris. These vulnerabilities could be exploited remotely to execute arbitrary code. (HPSBMA02252 SSRT061258, SSRT061259) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 43137 |
published | 2009-12-14 |
reporter | This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/43137 |
title | HP-UX PHSS_36623 : s700_800 11.X OV DP6.00 IA-64 patch - CORE packet |

Seebug
bulletinFamily | exploit |
id | SSV:15115 |
last seen | 2017-11-19 |
modified | 2009-12-20 |
published | 2009-12-20 |
reporter | Root |
title | HP OpenView Storage Data Protector rds.exe service heap overflow vulnerability |

description

BUGTRAQ ID: 37386
CVE(CAN) ID: CVE-2007-2281

HP OpenView Storage Data Protector is a scalable data management solution that provides high-performance backup and recovery to disk or tape.

A heap overflow vulnerability exists in the Cell Manager Database service (rds.exe) of OpenView Storage Data Protector, which binds to TCP port 1530 by default. The service receives socket data in the following format through _ncp32._NtrpTCPReceiveMsg():

```
[0xB6298C23][4-byte size][....][data]
```

The specified size parameter is then used as the size argument to the memory allocation routine _rm32.rm_getMem(). Because no validation is performed, a value between 0xFFFFFFF8 and 0xFFFFFFFF causes an integer overflow, and an undersized heap buffer is allocated:

```
10004A57 mov eax, [ebp+arg_0]   ; specified size
10004A5A add eax, 8             ; integer overflow
10004A5D push eax
10004A5E call ds:__imp__malloc
```

The raw packet data is then written into the undersized buffer, as shown in _ncp32._NtrpTCPReceiveMsg():

```
002F2E77 mov eax, [ebp+received_length]
002F2E7A push eax               ; size_t
002F2E7B mov ecx, [ebp+received_data]
002F2E7E push ecx               ; src
002F2E7F mov edx, [ebp+allocated_buffer]
002F2E82 mov eax, [edx]
002F2E84 push eax               ; dst
002F2E85 call _memcpy
```

An attacker can exploit this vulnerability to overwrite a chosen DWORD in memory, leading to arbitrary code execution.

HP OpenView Storage Data Protector 6.0
HP OpenView Storage Data Protector 5.5

Vendor patch:

HP
--
HP has released a security bulletin (HPSBMA02252) and corresponding patches for this issue:

HPSBMA02252: SSRT061258, SSRT061259 rev.1 - HP OpenView Storage Data Protector, Remote Arbitrary Code Execution

Link: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01124817&printver=true
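
The size validation that the Seebug description reports as missing, as an added C example (not HP's code and not part of the Seebug entry): the unchecked `size + 8` next to an overflow-checked form, and a receive routine that rejects a frame whose declared size would wrap and copies only the declared length. The big-endian field order, the 1 MiB `MAX_MSG` limit, the 8 extra bytes being a prefix, and all function names are assumptions; the elided `[....]` header fields are not modelled and the sample frames are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MSG_MAGIC 0xB6298C23u /* marker from the message format above */
#define EXTRA     8u          /* bytes the allocation routine adds to size */
#define MAX_MSG   (1u << 20)  /* assumed upper bound for one message */

enum rx { RX_OK, RX_SHORT, RX_BAD_MAGIC, RX_BAD_SIZE, RX_TRUNCATED, RX_NOMEM };

/* Assumption: header fields are big-endian. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The flawed arithmetic: a 32-bit add that wraps for size >= 0xFFFFFFF8. */
uint32_t unchecked_alloc_size(uint32_t size)
{
    return size + EXTRA;
}

/* Checked form: 0 and *out = size + 8, or -1 if the sum would wrap
   or the request exceeds the policy limit. */
int checked_alloc_size(uint32_t size, uint32_t *out)
{
    if (size > UINT32_MAX - EXTRA || size > MAX_MSG)
        return -1;
    *out = size + EXTRA;
    return 0;
}

/* Hardened receive: validate the header, allocate with the checked size,
   and copy the declared length only after confirming it was received. */
enum rx receive_msg(const uint8_t *pkt, size_t len, uint8_t **buf, uint32_t *n)
{
    uint32_t size, alloc;

    if (len < 8)
        return RX_SHORT;
    if (be32(pkt) != MSG_MAGIC)
        return RX_BAD_MAGIC;
    size = be32(pkt + 4);
    if (checked_alloc_size(size, &alloc) != 0)
        return RX_BAD_SIZE;
    if (len - 8 < size)
        return RX_TRUNCATED;
    *buf = calloc(1, alloc);
    if (*buf == NULL)
        return RX_NOMEM;
    memcpy(*buf + EXTRA, pkt + 8, size); /* bounded by alloc - EXTRA */
    *n = size;
    return RX_OK;
}

int main(void)
{
    /* Constructed frames: a 4-byte message and one declaring 0xFFFFFFF8. */
    const uint8_t good[] = { 0xB6, 0x29, 0x8C, 0x23, 0, 0, 0, 4, 'd', 'a', 't', 'a' };
    const uint8_t wrap[] = { 0xB6, 0x29, 0x8C, 0x23, 0xFF, 0xFF, 0xFF, 0xF8, 'x' };
    uint8_t *buf = NULL;
    uint32_t n = 0;

    printf("unchecked 0xFFFFFFF8 + 8 = %u\n", (unsigned)unchecked_alloc_size(0xFFFFFFF8u));
    printf("good frame -> %d\n", (int)receive_msg(good, sizeof good, &buf, &n));
    free(buf);
    buf = NULL;
    printf("wrap frame -> %d\n", (int)receive_msg(wrap, sizeof wrap, &buf, &n));
    return 0;
}
```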