Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] TIBCO Rendezvous RVD Daemon Memory Leak DoS

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] TIBCO Rendezvous RVD Daemon Memory Leak DoS
Date: 29 Nov 2007 15:15:56 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  TIBCO Rendezvous RVD Daemon Memory Leak DoS
------------------------------------------------------------------------


SUMMARY

The TIBCO Rendezvous RVD daemon is vulnerable to a memory leak, which when 
remotely triggered, prevents any further RV communication until the daemon 
is manually restarted.

DETAILS

Vulnerable Systems:
 * Rendezvous versions 7.5.2, 7.5.3 and 7.5.4

Immune Systems:
 * Rendezvous version 8.0

The RV daemon (RVD) within TIBCO's Rendezvous messaging product is 
responsible for the communication of messages between RV-enabled 
applications. The vulnerability exists as the result of an error in the 
code that parses information within one of the headers in a TIBCO 
proprietary network protocol packet.

Technical Details:
Within a Rendezvous "wire format" TCP packet, the first four bytes 
represent the number of bytes of data to expect within the packet, for 
example:

"\x00\x00\x00\x7c" //total length of data in packet
"\x99\x55\xee\xaa" // "magic" number
"\x06" // number of following bytes including null
"\x6d\x74\x79\x70\x65\x00" //the text "mtype"
..etc

In the above example the number of data bytes in the packet is "0x7c", or 
124 bytes. If this value is set to zero in a packet sent to the RVD daemon 
then it stops responding to all subsequent communication. This appears to 
result from a memory leak, which continues to attempt to allocate memory. 
Eventually, operating system alert messages start to appear, warning that 
the virtual memory in the underlying operating system is running low.

Vendor & Patch Information:
TIBCO have fixed this issue in Rendezvous 8.0. The issue is documented as 
being fixed in the release notes as follows:

1-84MR37 - Fixed a daemon memory growth defect associated with messages of 
length zero


ADDITIONAL INFORMATION

The information has been provided by  <mailto:research@irmplc.com> IRM 
Research.
The original article can be found at:  
<http://www.irmplc.com/index.php/160-Advisory-025> 
http://www.irmplc.com/index.php/160-Advisory-025



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] TIBCO Rendezvous RVD Daemon Memory Leak DoS, SecuriTeam <=
Previous by Date:  [NT] Symantec BEWS Multiple DoS in Job Engine, SecuriTeam
Previous by Thread:  [NT] Symantec BEWS Multiple DoS in Job Engine, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]