EMC AutoStart Buffer Overflow

August 29, 2012

EMC AutoStart provides high availability within multiple operating systems, including UNIX, LINUX, and Microsoft Windows, for Oracle, Microsoft Exchange, and SQL Server clustered environments. AutoStart monitors applications, networks, servers, and storage, and automates application restart on an alternate server (local or remote) in the event of a planned or unplanned service outage. On request, AutoStart automates failback of services, applications, and data quickly and efficiently to ensure business continuity.

The EMC AutoStart architecture is built around the concept of nodes, which are grouped in domains. One or more nodes can be grouped to form the AutoStart domain. All operations performed by AutoStart take place within the domain. The node is the basic building block within AutoStart. A node is any machine with an AutoStart agent installed and running. The agent provides the monitoring and management capabilities within the node.

The agent service listens on TCP port 8045 for communication with agents on other nodes. The communication protocol used by the AutoStart agent service is proprietary and not publicly documented. By observing the traffic transferred between AutoStart agents, the following patterns have been identified.

 Offset  Size  Description
 -------------------------------------
 0x00    4     unknown
 0x04    2     major version number
 0x06    2     minor version number
 0x08    4     unknown DWORD
 0x0c    4     code1
 0x10    4     code2
 0x14    4     length (x) size of data
 0x18    x     data section

Multiple buffer overflow vulnerabilities have been found in the EMC AutoStart product. A remote attacker can manipulate the traffic between the agents, such as the header listed above, to potentially cause a denial of service or, possibly, execute arbitrary code within the context of the affected application.

The Dell SonicWALL UTM team has researched these vulnerabilities and released the following IPS signatures to protect their customers.

  • 7703 EMC AutoStart Buffer Overflow 1
  • 8553 EMC AutoStart Buffer Overflow 2
  • 5512 Server Application Shellcode Exploit 28

The vulnerabilities have been identified as CVE-2012-0409 by CVE.