BakBone Netvault backup 8.22 Build 29 remote DoS
Overview:
The process npvmgr.exe is vulnerable to a remote DoS, due to incorrect handling of fields passed through network packets to malloc().
Technical Details:
004614F4 |. 52 PUSH EDX ; /Arg2
004614F5 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; |
004614F8 |. 50 PUSH EAX ; |Arg1
004614F9 |. E8 8241FEFF CALL libnv6.MemAllocateFromPool ; \MemAllocateFromPool
EAX is a value we control.
Tracing inside MemAllocateFromPool reaches:
0044568B |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
0044568E |. 50 PUSH EAX ; /Arg2
0044568F |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] ; |
00445692 |. 51 PUSH ECX ; |Arg1
00445693 |. E8 78000000 CALL libnv6.00445710 ; \libnv6.00445710
Again ECX is controlled.
Tracing inside libnv6.00445710 reaches:
0044575E |> 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00445761 |. 50 PUSH EAX
00445762 |. 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C]
00445765 |. 51 PUSH ECX
00445766 |. 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
00445769 |. 8B42 04 MOV EAX,DWORD PTR DS:[EDX+4]
0044576C |. FF50 04 CALL DWORD PTR DS:[EAX+4] // A function that does malloc()
004454B0 /$ 55 PUSH EBP
004454B1 |. 8BEC MOV EBP,ESP
004454B3 |. 83EC 18 SUB ESP,18
004454B6 |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
004454B9 |. 50 PUSH EAX ; /size
004454BA |. FF15 D4124C00 CALL DWORD PTR DS:[<&MSVCR71.malloc>] ; \malloc
004454C0 |. 83C4 04 ADD ESP,4
The size is controlled.
By supplying a size larger than 0x30000000, malloc will fail and return NULL,
and execution will reach ProcCrash(), which crashes NetVault.
004457BE |> 837D F4 00 CMP DWORD PTR SS:[EBP-C],0 //True since malloc failed.
004457C2 |. 74 40 JE SHORT libnv6.00445804 //Jump is taken
The jump eventually reaches:
0044581C |. 83C4 18 ADD ESP,18
0044581F |. 6A 01 PUSH 1
00445821 |. E8 5AC40300 CALL libnv6.ProcCrash
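The pattern the trace above describes, reduced to a small C model. This is an illustration added here, not NetVault code: the packet format, the 64 KiB payload limit, the function names and the pool_alloc() stand-in (which returns NULL above 0x30000000, as the advisory reports for the real allocator) are all assumptions. It shows the vulnerable shape, in which a length read from the packet goes to the allocator unchecked and a NULL result is treated as fatal, beside a hardened handler that bounds the length and survives an allocation failure.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the behaviour in the advisory: the pool allocator returns NULL
 * for requests above 0x30000000 bytes and otherwise defers to malloc().
 * Constructed stand-in, not libnv6's MemAllocateFromPool. */
#define POOL_LIMIT 0x30000000u

static void *pool_alloc(size_t n)
{
    if (n > POOL_LIMIT)
        return NULL;
    return malloc(n ? n : 1);   /* sidestep implementation-defined malloc(0) */
}

/* Assumed wire format: 4-byte little-endian payload length, then payload. */
static uint32_t read_len_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

typedef enum { HANDLED_OK, HANDLED_REJECTED, HANDLED_FATAL } handle_result;

/* Vulnerable pattern: the size comes straight from the packet, and a NULL
 * allocation is handled as an unrecoverable error (the advisory's ProcCrash). */
handle_result handle_packet_unchecked(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 4)
        return HANDLED_REJECTED;
    uint32_t n = read_len_le32(pkt);
    uint8_t *buf = pool_alloc(n);
    if (buf == NULL)
        return HANDLED_FATAL;       /* real service: ProcCrash() kills the process */
    memset(buf, 0, n);
    free(buf);
    return HANDLED_OK;
}

/* Hardened handler: the length is bounded by a protocol maximum and by the
 * bytes actually received, and allocation failure drops the request without
 * taking the process down. MAX_PAYLOAD_LEN is an assumed protocol limit. */
#define MAX_PAYLOAD_LEN (64u * 1024u)

handle_result handle_packet_checked(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 4)
        return HANDLED_REJECTED;
    uint32_t n = read_len_le32(pkt);
    if (n > MAX_PAYLOAD_LEN || n > pkt_len - 4)
        return HANDLED_REJECTED;    /* implausible or inconsistent length: log and drop */
    uint8_t *buf = pool_alloc(n);
    if (buf == NULL)
        return HANDLED_REJECTED;    /* transient resource shortage: drop this request only */
    memcpy(buf, pkt + 4, n);
    free(buf);
    return HANDLED_OK;
}

/* Constructed sample packets. */
const uint8_t PKT_SMALL[8]     = { 4, 0, 0, 0, 'a', 'b', 'c', 'd' };  /* claims 4, carries 4 */
const uint8_t PKT_HUGE[4]      = { 0xFF, 0xFF, 0xFF, 0xFF };          /* claims ~4 GiB, carries 0 */
const uint8_t PKT_OVERCLAIM[6] = { 0x10, 0, 0, 0, 'x', 'y' };         /* claims 16, carries 2 */

int main(void)
{
    static const char *names[] = { "ok", "rejected", "fatal" };
    printf("unchecked, huge length: %s\n", names[handle_packet_unchecked(PKT_HUGE, sizeof PKT_HUGE)]);
    printf("checked,   huge length: %s\n", names[handle_packet_checked(PKT_HUGE, sizeof PKT_HUGE)]);
    printf("checked,   overclaim:   %s\n", names[handle_packet_checked(PKT_OVERCLAIM, sizeof PKT_OVERCLAIM)]);
    return 0;
}
```

The two defensive checks in handle_packet_checked are independent: the protocol maximum rejects sizes that are absurd for the service regardless of what the allocator would do, and the comparison against pkt_len catches a length field that promises more bytes than the packet carries. Treating a NULL allocation as a per-request failure rather than a process-level one is what keeps a single malformed packet from becoming a service outage.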
A CANVAS module has been coded as a PoC for this issue and can be found at:
PoC: http://www.insight-tech.org/xploits/netvault_DoS.tar.gz
