TPTI-09-15: HP OpenView Data Protector Cell Manager Heap Overflow Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-09-15
December 17, 2009

-- CVE ID:
CVE-2007-2281

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard OpenView

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 4730. 
For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Hewlett-Packard OpenView Data Protector.
Authentication is not required to exploit this vulnerability.

The specific flaw exists within the Cell Manager Database Service,
rds.exe, which binds to TCP port 1530. The service receives socket data
via _ncp32._NtrpTCPReceiveMsg() in the following format:

    [0xB6298C23][4-byte size][....][data]

The specified size parameter is subsequently used as the size parameter
to the memory allocation routines _rm32.rm_getMem(). Due to a lack of
sanity checking, values between 0xFFFFFFF8 and 0xFFFFFFFF result in an
integer overflow and therefore an under allocated heap buffer. The
following excerpt demonstrates this problem:

    10004A57 mov eax, [ebp+arg_0]   ; specified size
    10004A5A add eax, 8             ; integer overflow
    10004A5D push eax
    10004A5E call ds:__imp__malloc

The original packet data is later written to the under allocated buffer
using a size specifier equal to the number of bytes actually received as
the following excerpt from _ncp32._NtrpTCPReceiveMsg() shows:

    002F2E77 mov eax, [ebp+received_length]
    002F2E7A push eax                        ; size_t
    002F2E7B mov ecx, [ebp+received_data]
    002F2E7E push ecx                        ; src
    002F2E7F mov edx, [ebp+allocated_buffer]
    002F2E82 mov eax, [edx]
    002F2E84 push eax                        ; dst
    002F2E85 call _memcpy

This issue can be exploited to overwrite a specified DWORD of memory and
further lead to arbitrary code execution.

-- Vendor Response:


-- Disclosure Timeline:
2006-10-10 - Vulnerability reported to vendor
2009-12-17 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Pedram Amini, TippingPoint DVLabs
    * Anonymous