Rocket U2 Uni RPC Service Remote Code Execution Vulnerability
ZDI-10-294: December 23rd, 2010CVSS Score
Affected Vendors
Affected Products
TippingPoint™ IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 6257. For further product information on the TippingPoint IPS:Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on systems with vulnerable installations of multiple products from multiple vendors that utilize the Uni RPC protocol. Authentication is not required to exploit this vulnerability.
The specific flaw exists in the Uni RPC service (unirpcd.exe) which listens by default on TCP port 31438. The unirpc32.dll module implements an RPC protocol and is used by the Uni RPC service. While parsing a size value from an RPC packet header, an integer can overflow and consequently bypass a signed comparison. This controlled value is then used as the number of bytes to receive into a static heap buffer. By providing a specially crafted request, this heap buffer can overflow leading to arbitrary code execution under the context of the SYSTEM user.
Vendor Response
Rocket states:Rocket U2 states that this issue was first fixed in: UniVerse 10.3.9 and UniData 7.2.8. Recommended fix pack version: UniVerse 10.3.9 and above or UniData 7.2.8 and above.
Please contact your software partner or U2BC@rs.com to obtain a fixed version for UCC-676.
Disclosure Timeline
-
2010-07-20 - Vulnerability reported to vendor
2010-12-23 - Coordinated public release of advisory
Credit
This vulnerability was discovered by:-
Ruben Santamarta
