HP Data Protector Express Stack BO

October 1, 2010

HP OpenView Storage Data Protector is a backup solution for enterprise and distributed environments. The Data Protector environment consists of various components and services controlled by a management console. The management console provides quick access to track all Data Protector Express objects, including jobs, media, and scheduling rotation schemes. The login screen allows to enter the host name or the IP address of the target server to which the user wants to log in. The default host is the local machine, however, remote hosts can be accessed via hostname or IP. The console accepts the username and password credential combination to authenticate users. The default username is 'Admin' with a blank password.

The login credentials are exchanged over TCP port 3817. The protocol specification is unknown to the public as it is proprietary. The session starts with a handshake packet that includes the computer name of the client system and the database name, among other information. The handshake packet is followed by a packet containing login credentials.

The credentials packet has the following format:

 Offset     Length  Description ---------- ------- ----------------------------------- 0x0000     2       Command (x51x84) 0x0002     10 0x000C     4       Size 0x0010     4 0x0014     x       username 0x0014+x   y       password 

A buffer overflow vulnerability exists in HP OpenView Storage Data Protector software. The vulnerability is due to a boundary error in the method used to parse the username value. The vulnerable code allocates a limited size stack buffer for the username and calls a strcpy function to copy the null terminated string into the buffer. The code does not verify the length of the source string before copying it into the said buffer. As a result of this, if an overly large username is provided in the packet, the stack buffer can be overflowed, overwriting critical stack data such as the function return addresses and the SEH pointer.

Remote unauthenticated attackers could exploit this vulnerability by sending a crafted login request to the target server. Successful exploitation of this vulnerability may allow for arbitrary code injection and execution with the privileges of the affected service. If the attack is not successful, the service will terminate abnormally causing a Denial of Service condition.

SonicWall has released an IPS signature to address a known exploit targeting this vulnerability. The following signature was released:

  • 5803 - HP Data Protector Express DtbClsLogin BO Attempt

This vulnerability has been assigned CVE-2010-3007 by mitre. The vendor has released an advisory regarding this issue.