HP StorageWorks Scanning
by Jose Nazario

The TippingPoint ZDI initiative recently published a security advisory about pre-authentication overflows in HP StorageWorks (CVE-2008-1661). Shortly after the vulnerability was announced, exploit code became public via the Metasploit project. Within a few days, we started seeing an increase in scanning for the two TCP ports the vulnerable daemon listens on: TCP ports 1100 and 1106.
At this point, the sources are relatively constrained to a small number of IPs spread throughout the world. It may be that a few hackers are competing for the same vulnerable hosts. Scanning for these services was picked up by ATLAS, and the one-week graphs are shown below. You can see the scanning start in this time frame.
TCP port 1106 scans for the past week
TCP port 1100 scans for the past week
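The kind of detection behind the graphs above, written as an added example (not ATLAS code or code from the original post): it reads constructed flow records and flags source IPs that sweep several distinct hosts on TCP 1100 or 1106 within a short window, which is the horizontal scanning pattern described, while a single client repeatedly talking to one host is not flagged. The log format, IPs and thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# TCP ports the vulnerable Doubletake.exe service listens on.
WATCHED_TCP_PORTS = {1100, 1106}

# Constructed flow records (timestamp src dst proto dport); not ATLAS data.
SAMPLE_FLOWS = """\
2008-05-01T10:00:01 198.51.100.7 192.0.2.10 tcp 1100
2008-05-01T10:00:01 198.51.100.7 192.0.2.11 tcp 1100
2008-05-01T10:00:02 198.51.100.7 192.0.2.12 tcp 1106
2008-05-01T10:00:02 198.51.100.7 192.0.2.13 tcp 1106
2008-05-01T10:00:04 203.0.113.5 192.0.2.10 tcp 1100
2008-05-01T10:00:05 203.0.113.5 192.0.2.10 tcp 1100
2008-05-01T10:00:06 203.0.113.9 192.0.2.20 tcp 80
2008-05-01T10:00:07 203.0.113.9 192.0.2.21 tcp 80
"""

def parse_flows(text):
    """Parse one flow per line; lines without exactly five fields are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, proto, dport = parts
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "proto": proto.lower(), "dport": int(dport)})
    return flows

def find_port_scanners(flows, min_targets=3, window_seconds=60):
    """Map source IP -> peak count of distinct hosts probed on the watched ports
    within any window_seconds window, keeping sources that reach min_targets."""
    per_src = defaultdict(list)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] in WATCHED_TCP_PORTS:
            per_src[f["src"]].append((f["ts"], f["dst"]))
    scanners = {}
    for src, events in per_src.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            # Distinct destinations reached from this event forward, inside the window.
            in_window = {dst for ts, dst in events[i:]
                         if (ts - start).total_seconds() <= window_seconds}
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            scanners[src] = peak
    return scanners
```

Feeding real flow exports in the same five-field layout into `parse_flows` gives a per-source list that can be compared across days to see the kind of rise shown in the graphs.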
From some internal analysis we did on the vulnerability: the Doubletake.exe process, listening on TCP ports 1100 and 1106 and UDP port 1105, is prone to a pre-authentication stack-based buffer overflow. The overflow occurs while handling an encoded authentication request, because the user-supplied authentication information is copied into the destination buffer directly, without proper length checks. An attacker can trigger it by sending login information of at least 256 bytes. Successful exploitation can result in arbitrary code execution.
If you run HP StorageWorks, you should patch ASAP.


[...] Experts at Arbor are currently asking themselves what the reason for the rise in traffic on port 1100 could be. A vulnerability was found in [...]