iViZ Security

Security Advisories

HP DataProtector Memory Leak / Denial of Service

Technical Details

HP Data Protector uses a proprietary protocol to communicate with remote clients. When a specially crafted packet is sent to the Data Protector Backup Domain Server, it triggers an access violation and causes a denial of service. The bug is in the dpwinsup.dll module, and the same issue can be used to leak arbitrary memory.

   ; Buggy code in the dpwinsup module of the dpwingad process,
   ; listening on port 3817/TCP
   ; dpwinsup.10275F80
   100DDE89   8B15 54A72210    MOV EDX,DWORD PTR DS:[1022A754]
   100DDE8F   8B82 98650000    MOV EAX,DWORD PTR DS:[EDX+6598]
   ; ECX = user-controlled data
   100DDE95   8B4C24 54        MOV ECX,DWORD PTR SS:[ESP+54]
   ; EDX = ECX + EAX*4, an offset that may be valid or invalid
   100DDE99   8D1481           LEA EDX,DWORD PTR DS:[ECX+EAX*4]
   ; Crash or memory leak: the read below uses EDX as a table index
   100DDE9C   8B3495 F0A42210  MOV ESI,DWORD PTR DS:[EDX*4+1022A4F0]
   100DDEA3   83C4 1C          ADD ESP,1C
   100DDEA6   897424 10        MOV DWORD PTR SS:[ESP+10],ESI
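
The unchecked index arithmetic from the listing above, modelled in C next to a bounds-checked lookup. This is an added example, not HP's code and not part of the original advisory. Only the table address 0x1022A4F0 and the ECX + EAX*4 computation come from the disassembly; the table size, function names and sample inputs are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TABLE_BASE    0x1022A4F0u /* table address taken from the disassembly */
#define TABLE_ENTRIES 16u         /* assumed table size; the advisory gives none */

/* Constructed table contents for the demonstration. */
static const uint32_t demo_table[TABLE_ENTRIES] = { [3] = 0xAAAA5555u };

/* Address read by MOV ESI,[EDX*4+1022A4F0], with x86 32-bit wraparound. */
static uint32_t effective_address(uint32_t ecx_user, uint32_t eax_global)
{
    uint32_t edx = ecx_user + eax_global * 4u; /* LEA EDX,[ECX+EAX*4] */
    return TABLE_BASE + edx * 4u;              /* no range check before the load */
}

/* Hardened lookup (hypothetical fix): compute the index in 64 bits so it
 * cannot wrap, then reject anything outside the table before reading.
 * Returns 0 and stores the entry in *out, or -1 if out of range. */
static int checked_lookup(const uint32_t *table, size_t entries,
                          uint32_t user, uint32_t global, uint32_t *out)
{
    uint64_t idx = (uint64_t)user + (uint64_t)global * 4u;
    if (idx >= entries)
        return -1;
    *out = table[idx];
    return 0;
}

int main(void)
{
    /* Constructed inputs: one in range, three out of range. */
    const uint32_t samples[] = { 3u, 0x10000000u, 0x40000003u, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t value = 0;
        int rc = checked_lookup(demo_table, TABLE_ENTRIES, samples[i], 0, &value);
        printf("user=0x%08X unchecked_addr=0x%08X checked=%s\n",
               (unsigned)samples[i], (unsigned)effective_address(samples[i], 0),
               rc == 0 ? "ok" : "rejected");
    }
    return 0;
}
```

The check has to be made on the unscaled index: after the 32-bit multiply by 4, an out-of-range value such as 0x40000003 produces the same address as index 3, so validating the computed address would accept it.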

Affected Software

HP Data Protector Express Version 4.00-sp1 Build 43064
Other versions may also be affected

Impact

  • Denial of Service
  • Arbitrary Memory Leak

Vendor Response

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01697543

Credits

This vulnerability was discovered by Nibin Varghese of the iViZ Security Research Team.


