HP StorageWorks Scanning

TippingPoint's Zero Day Initiative (ZDI) recently published a security advisory about pre-authentication overflows in HP StorageWorks (CVE-2008-1661). Shortly after the vulnerability was announced, exploit code became public via the Metasploit project. Within a few days, we started seeing an increase in scanning for the two TCP ports the vulnerable daemon listens on: TCP ports 1100 and 1106.

At this point, the sources are limited to a small number of IPs spread throughout the world. It may be that a few hackers are competing for the same vulnerable hosts. Scanning for these services was picked up by ATLAS, and the one-week graphs are shown below. You can see the scanning start in this time frame.

TCP port 1106 scans for the past week

TCP port 1100 scans for the past week

From some internal analysis we did on the vulnerability: the Doubletake.exe process, listening on TCP ports 1100 and 1106 and UDP port 1105, is prone to a pre-authentication stack-based buffer overflow. The overflow occurs while handling an encoded authentication request, because user-supplied authentication information is copied directly into the destination buffer without proper length checks. An attacker can exploit this by sending login information that is at least 256 bytes long to trigger the buffer overflow. Successful exploitation can result in arbitrary code execution.

If you run HP StorageWorks, you should patch ASAP.
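To check your own perimeter for the scanning pattern described above, the following added example (not part of the original post, and not ATLAS code) flags sources that probe several distinct hosts on the Doubletake ports within a time window. The flow record format, the thresholds and all addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Ports named in the post: Doubletake.exe listens on TCP 1100/1106 and UDP 1105.
WATCHED = {("tcp", 1100), ("tcp", 1106), ("udp", 1105)}

# Constructed sample; assumed format: "epoch_seconds proto src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
1212800000 tcp 198.51.100.7 192.0.2.10 1100
1212800002 tcp 198.51.100.7 192.0.2.10 1106
1212800005 tcp 198.51.100.7 192.0.2.11 1100
1212800009 tcp 198.51.100.7 192.0.2.12 1106
1212800100 tcp 203.0.113.5 192.0.2.10 1100
1212800200 tcp 203.0.113.5 192.0.2.11 1106
1212800300 tcp 203.0.113.9 192.0.2.10 443
1212800000 tcp 198.51.100.20 192.0.2.10 1106
1212807300 tcp 198.51.100.20 192.0.2.11 1106
1212814600 tcp 198.51.100.20 192.0.2.12 1106
garbage line
"""

def parse_flow(line):
    """Return (ts, proto, src, dst, dport), or None for a malformed record."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, proto, src, dst, dport = parts
    try:
        return int(ts), proto.lower(), src, dst, int(dport)
    except ValueError:
        return None

def find_scanners(lines, min_targets=3, window=3600):
    """Map each source to the most distinct hosts it probed on watched ports
    inside any `window`-second span, keeping sources at or above min_targets."""
    hits = defaultdict(list)  # src -> [(ts, dst), ...]
    for line in lines:
        rec = parse_flow(line)
        if rec and (rec[1], rec[4]) in WATCHED:
            hits[rec[2]].append((rec[0], rec[3]))
    report = {}
    for src, events in hits.items():
        events.sort()
        best = start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide window forward
                start += 1
            best = max(best, len({d for _, d in events[start:end + 1]}))
        if best >= min_targets:
            report[src] = best
    return report
```

Slow scanners that spread probes across hours only appear when `window` is widened, so run it with more than one window size.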

2 Responses to “HP StorageWorks Scanning”

June 07, 2008 at 6:33 am, Webline GmbH » What is currently happening on ports 1100 and 1106? said:

[…] Experts at Arbor are currently wondering what the reason for the traffic increase on port 1100 could be. A vulnerability was in […]

June 09, 2008 at 8:33 am, SANS Port Watch « Computer Security said:

[…] is going on at 5905. Port 22105 is also affected again and again. For port 1100, the experts at Arbor assume that it is a vulnerability in HP Storage Works. Anyone who further info […]
