Advisory Details

February 7th, 2011

(0day) EMC Replication Manager Client irccd.exe Remote Code Execution Vulnerability

ZDI-11-061
ZDI-CAN-614

CVE ID CVE-2011-0647
CVSS SCORE 10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)
AFFECTED VENDORS EMC
AFFECTED PRODUCTS Replication Manager
TIPPINGPOINT™ IPS CUSTOMER PROTECTION TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 8028. For further product information on the TippingPoint IPS: http://www.tippingpoint.com
VULNERABILITY DETAILS

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the EMC Replication Manager Client. Authentication is not required to exploit this vulnerability.

The Replication Manager client installs a service binds the irccd.exe process to TCP port 6542. This service accepts commands using an XML-based protocol. It exposes a vulnerability through it's RunProgram functionality. By abusing this function an attacker can execute arbitrary code under the context of currently logged in user.

VENDOR RESPONSE EMC states:

April 4, 2011:
EMC released the update for Networker Module for Microsoft Applications.
Advisory can be found at:
http://www.securityfocus.com/archive/1/517250

February 7, 2011:
EMC has stated that this vulnerability has been fixed in EMC Replication Manager version 5.3 available through EMC Powerlink. However, the bug is still present in the EMC Networker Module for Microsoft Applications. It will be fixed in these products at a later date. EMC has released Security Advisory ESA-2011-004 to address this issue (covering CVE-2011-0647).


DISCLOSURE TIMELINE
  • 2009-10-27 - Vulnerability reported to vendor
  • 2011-02-07 - Coordinated public release of advisory
CREDIT Anonymous
BACK TO ADVISORIES