HP OpenView MMD Service Stack BO

December 10, 2010

HP OpenView Storage Data Protector is a backup solution for enterprise and distributed environments. It consists of a Cell Manager, backup agents, and backup device servers. The Cell Manager is the central point from which backup agents and device servers are administered, and backup and restore operations are controlled.

The Media Management Daemon service runs on the Cell Manager and controls media management and device operations. It provides features such as protection against accidental overwrites, capability of transferring all media-related catalog from one Cell Manager to another, tracking of all media including the status of each medium, etc. The server listens for incoming connections on a dynamically assigned TCP port. The protocol utilized for communication between Media Management Daemon service and clients is proprietary and not documented.

A request sent to the Media Management Daemon service has the following format:

 Offset             Size      Field     -----------------  --------- ------------------------------ 0x0000             4         Command Length 0x0004             2         Unknown  0x0006             N1        Command code unicode string 0x0006+N1          2         0x2000 0x0008+N1          N2        Unicode string 0x0008+N1+N2       2         0x2000 0x000A+N1+N2       N3        Unicode string 0x000A+N1+N2+N3    2         0x2000 0x000E+N1+N2+N3    N4        Unicode string 0x0010+N1+N2+N3+.. 

Command Length is a 4 byte value in big endian byte order. It specifies the number of bytes inside the packet, excluding the length field itself. The arguments are in the form of wide char strings terminated with double Null bytes, and separated by one Unicode space character. The backup agent executes different programs based on the received Command code.

A code execution vulnerability exists in HP Data Protector Manager Server. The flaw is due to a stack buffer overflow during parsing of malformed requests. If a request with a certain command code is sent, the vulnerable code allocates a fixed-size buffer of 624 bytes. The 7th user-supplied argument is then copied into the destination buffer without any verification of its length. By supplying an overly long string in a crafted request, the destination stack buffer can be overflowed. The overflow could result in the overwriting of critical stack data such as stored function return addresses and SEH pointers, allowing for code injection and execution.

A remote unauthenticated attacker can exploit this vulnerability by sending a malicious request to a target server. Successful exploitation could result in execution of arbitrary code within the security context of the service, which is configured during the software installation (usually Administrator).

SonicWALL has in place numerous generic IPS signatures that detect and block shell code transferred in exploitation attempts of vulnerabilities of this type. A known exploit targeting this vulnerability is currently being proactively caught by the following IPS signature:

  • 5512 - Generic Server Application Shellcode Exploit 28