#######################################################################

                             Luigi Auriemma

Application:  Veritas Storage Foundation Administrator Service
              http://www.symantec.com/business/storage-foundation
Versions:     <= 5.1
Platforms:    Solaris, AIX, HP-UX, Linux, Windows
Bug:          integer overflow in vxsvc
Exploitation: remote, versus server
Date:         probably found 12 Nov 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

???

#######################################################################

======
2) Bug
======

VERITAS Enterprise Administrator (vxsvc) is a service running on ports
2148 (udp/tcp) and 3207 (udp).

The problem affecting the part of the server running on tcp port 2148
is an integer overflow in the function vxveautil.value_binary_unpack
during the handling of the unicode strings (opcode 7), where the 32 bit
field supplied by the attacker is used in the following operation:

  /* size: 32 bit field taken directly from the packet */
  dst = (wchar_t *)malloc((size * 2) + 2);   /* (size * 2) + 2 wraps */
  for(i = 0; (unsigned)i < size; i++) {      /* loop bound is the unwrapped size */
      dst[i] = ((wchar_t *)src)[i];          /* one 16 bit unit per iteration */
  }
  dst[i] = 0;

So by using a value like 0x7fffffff or 0x80000000 it's possible to force
the allocation of an output buffer smaller than the input one.

At first look it seems a unicode overflow, but in reality it's a
classical overflow: the server allocates double the memory but handles
the input as a unicode buffer, copying a 16 bit big endian value each
time.
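The following is an added example, not code from the advisory or from the
Veritas product. It models the wrap of (size * 2) + 2 in 32 bit arithmetic
for the two sample values above, and beside it shows the check a defender
would put in front of the allocation: the claimed element count is bounded
by the bytes actually present in the input and by what the allocation size
can express. The function names (vuln_alloc_len, safe_unpack_wstr,
unpack_sample), the constructed wire sample, and the big endian decoding of
each 16 bit unit (as the advisory describes the input) are assumptions of
this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Vulnerable computation as the advisory describes it, modelled with
 * explicit 32 bit arithmetic: the attacker-controlled 32 bit "size"
 * field is doubled and incremented, and the wrapped result is what
 * malloc would receive.  Returns the byte count that would be requested. */
static uint32_t vuln_alloc_len(uint32_t size)
{
    uint32_t bytes = size * 2u;   /* wraps for size >= 0x80000000 */
    bytes += 2u;                  /* wraps for size == 0x7fffffff */
    return bytes;
}

/* Hardened unpacker (added example).  src_len is the number of bytes
 * really available in the input buffer; size is the element count
 * claimed by the packet.  Returns 1 and sets *out on success, 0 when
 * the claim is rejected or allocation fails. */
static int safe_unpack_wstr(const uint8_t *src, size_t src_len,
                            uint32_t size, uint16_t **out)
{
    *out = NULL;
    /* Each element is a 16 bit code unit, so at least size*2 bytes must
     * be present.  Computed in 64 bits so the comparison cannot wrap. */
    if ((uint64_t)size * 2u > (uint64_t)src_len)
        return 0;
    /* Explicit guard for the allocation arithmetic itself. */
    if (size > (SIZE_MAX - 2) / 2)
        return 0;
    size_t bytes = (size_t)size * 2u + 2u;
    uint16_t *dst = malloc(bytes);
    if (dst == NULL)
        return 0;
    /* Decode byte-wise: no alignment assumption, big endian per the
     * advisory's description of the input. */
    for (uint32_t i = 0; i < size; i++)
        dst[i] = (uint16_t)((src[2 * i] << 8) | src[2 * i + 1]);
    dst[size] = 0;
    *out = dst;
    return 1;
}

/* Constructed sample: the wire bytes for "ABC" as three big endian
 * 16 bit units.  Returns the decoded unit count on success, or -1 when
 * the hardened unpacker rejects the claimed size. */
static int unpack_sample(uint32_t claimed_size)
{
    static const uint8_t wire[] = { 0x00, 'A', 0x00, 'B', 0x00, 'C' };
    uint16_t *s = NULL;
    if (!safe_unpack_wstr(wire, sizeof wire, claimed_size, &s))
        return -1;
    int n = 0;
    while (s[n] != 0)
        n++;
    free(s);
    return n;
}

int main(void)
{
    printf("size 0x7fffffff -> malloc(%u) in the vulnerable code\n",
           vuln_alloc_len(0x7fffffffu));
    printf("size 0x80000000 -> malloc(%u) in the vulnerable code\n",
           vuln_alloc_len(0x80000000u));
    printf("hardened unpack, size 3:          %d\n", unpack_sample(3));
    printf("hardened unpack, size 0x7fffffff: %d\n", unpack_sample(0x7fffffffu));
    return 0;
}
```

The first check (size*2 against src_len) is the one that matters in
practice: a length claim can never exceed the bytes the parser has in
hand, and it rejects both sample values long before the allocation
arithmetic is reached. The second check is kept so the routine stays
correct even when called with a buffer length it did not derive itself.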
#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/veritas_2.zip

  nc SERVER 2148 < veritas_2.dat

#######################################################################

======
4) Fix
======

http://www.zerodayinitiative.com/advisories/ZDI-11-263/

#######################################################################