Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] Multiple vulnerabilities in Double-Take 5.0.0.2865

from [Luigi Auriemma] Network Security [Permanent Link]
Subject: [Full-disclosure] Multiple vulnerabilities in Double-Take 5.0.0.2865
Date: Fri, 22 Feb 2008 22:36:29 +0100 

#######################################################################

                             Luigi Auriemma

Application:  Double-Take
              http://www.doubletake.com
Versions:     <= 5.0.0.2865
              (version 4.5.x tested with success too)
Platforms:    Windows
Bugs:         A] server termination through "vector<T> too long" exception
              B] NULL pointer crash
              C] termination through memory allocation
              D] informations disclosure
              E] other exceptions
Exploitation: remote
Date:         22 Feb 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Double-Take is a disaster recovery and backup software distribuited
also under other different names depending by the company which
distribuites it like for example HP StorageWorks Storage Mirroring
(where version 4.5.0.1629 is vulnerable to a pre-auth buffer overflow).


#######################################################################

=======
2) Bugs
=======

------------------------------------------------------------
A] server termination through "vector<T> too long" exception
------------------------------------------------------------

The Double-Take service can be terminated through an exception raised
when the size of a "vector<T>" value is bigger than how much supported.
Exist different ways for exploiting this vulnerability anyway the
main two arbitrary effects are the "vector<T> too long" exception or
CPU at 100%.


---------------------
B] NULL pointer crash
---------------------

The server can be crashed through malformed packets (like 0x2722
and 0x272a) which cause the access to a NULL pointer.


----------------------------------------
C] termination through memory allocation
----------------------------------------

An error with some packets allows to allocate a partially arbitrary
amount of memory with the possibility to crash the process when no
additional memory is available.


--------------------------
D] informations disclosure
--------------------------

The server sends various types of informations to any unauthenticated
user, for example the running operating system and the program's paths
with packet 0x2728, the ethernet adapters with packet 0x274e, all the
partitions and their types of filesystem with packet 0x2726, the
printer driver with 0x274f and the latest log entries using packet
0x2757.


-------------------
E] other exceptions
-------------------

Exist also additional problems mainly exploitable through packet 0x2719
which cause respectively a "ospace/time/src\date.cpp" exception and the
recursive calling of a function which fills the available stack and
causes the silent termination of the service.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/doubletakedown.zip


#######################################################################

======
4) Fix
======


No fix


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] Multiple vulnerabilities in Double-Take 5.0.0.2865, Luigi Auriemma <=
Previous by Date:  [SECURITY] [DSA 1503-1] New Linux kernel 2.4.27 packages fix several issues, dann frazier
Next by Date:  [SECURITY] [DSA 1504-1] New Linux kernel 2.6.8 packages fix several issues, dann frazier
Previous by Thread:  [SECURITY] [DSA 1503-1] New Linux kernel 2.4.27 packages fix several issues, dann frazier
Next by Thread:  [SECURITY] [DSA 1504-1] New Linux kernel 2.6.8 packages fix several issues, dann frazier
Indexes:  [Date] [Thread] [Top] [All Lists]