Date Discovered: 20 December 2005 by Karma 40h Designfolks 2Eh com 2Eh au
Platforms affected
This has been tested on DMPrimer v1.4.155 on Windows XP SP1 and SP2.
DM Primer is a shared service related to CA's Unicenter Remote Control (URC). It is used in enterprise environments to deploy URC 6 from the URC v6.x Administration server: dmprimer.exe listens on a client device for instructions from the server over the network. The DM Primer service may also be installed as part of other CA products.

A weakness has been identified in the way socket errors are handled. A larger-than-expected packet, sent remotely, triggers an error-handling routine. The routine fails to handle the WSAEMSGSIZE error and exits the receiving thread, leaving the DM Primer service in a non-responding state. Neither the Service Control Manager nor Windows Task Manager registers the event, as the process is still in memory.
dmprimer.exe listens on a UDP socket for instructions from the Unicenter Remote Control Server. During the socket operations, a buffer length of 1000h is passed to the recvfrom function to receive incoming datagrams. When a UDP packet larger than 1000h bytes arrives, recvfrom fails and returns -1 (SOCKET_ERROR), although the buffer still contains the first 1000h bytes of the datagram:

    lea     ecx, [esp+18h+fromlen]
    lea     edx, [esp+18h+netshort]
    push    ecx
    mov     eax, [edi]
    mov     ecx, [esp+1Ch+buf]
    push    edx
    push    0
    push    eax                     ; length of buffer, which is set to 1000h
    push    ecx                     ; buf
    push    esi
    mov     [esp+30h+fromlen], 10h
    call    recvfrom
    mov     esi, eax                ; with 4097 bytes of data, eax gets 0FFFFFFFFh (-1)
    cmp     esi, 0FFFFFFFFh

Several error codes are then checked, but the error-handling routine never checks for error code 2738h, which is WSAEMSGSIZE ("Message too long"). Since 2738h lies between 2736h and 2749h, it is neither greater than 2749h nor equal to any of the compared values, so it falls through every test below and the thread exits:

    call    WSAGetLastError
    cmp     eax, 2749h              ; check error code
    jg      short loc_40A222        ; check if Host Unreachable error received
    jz      short loc_40A214        ; jump if err code = 10057 "Socket is not connected"
    test    eax, eax                ; if NULL, no data received
    jz      short loc_40A209
    cmp     eax, 2736h
    jz      short loc_40A214        ; if error is 10038 "Operation on a non-socket"

Unfortunately, the process remains in memory, giving the false impression that the service is still running.

In an enterprise-wide environment, an attacker may be able to leverage this weakness to make the DM Primer service stop responding on victim machines, rendering the Remote Control server unable to control its clients. Furthermore, because the transport is UDP, the source address of the packets can be spoofed, allowing a mass denial of service in a widely deployed environment that is difficult to trace.
Attempting to stop the service afterwards reports the underlying WSAEMSGSIZE error (10040 = 2738h):

"Could not stop the DM Primer service on Local Computer. Error 10040: A message sent on a datagram socket was larger than the internal message buffer or some other network limit, or the buffer used to receive a datagram into was smaller than the datagram itself."
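As an added illustration, not code from CA or from this advisory's author: the C program below transcribes the post-recvfrom dispatch seen in the disassembly above into dispatch_vulnerable(), places a hardened dispatch_hardened() beside it that treats WSAEMSGSIZE as a recoverable truncation rather than a reason to leave the thread, and drives both through a simulated receive loop. The Winsock error values are the documented ones; recvfrom() is replaced by a simulation (sim_recvfrom) so the program runs offline without Winsock, the datagram sizes are constructed rather than captured, and the behaviour of loc_40A222 beyond its host-unreachable check, which the page does not show, is assumed to keep listening.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define BUFSIZE 0x1000            /* 1000h, the length dmprimer.exe pushes to recvfrom */

/* Documented Winsock error values (WinSock2.h); WSAGetLastError() returns these. */
#define WSAENOTSOCK     10038     /* 2736h  "Operation on a non-socket"  */
#define WSAEMSGSIZE     10040     /* 2738h  "Message too long"           */
#define WSAENOTCONN     10057     /* 2749h  "Socket is not connected"    */
#define WSAEHOSTUNREACH 10065     /* 2751h  handled on the jg branch     */

enum action { ACT_PROCESS, ACT_IGNORE, ACT_RESET_SOCKET, ACT_EXIT_THREAD };

/* Dispatch as transcribed from the disassembly after recvfrom returns.
 * Only 0, WSAENOTSOCK, WSAENOTCONN and codes above WSAENOTCONN are
 * recognised; everything else, WSAEMSGSIZE included, falls through to the
 * path that leaves the receive thread.  What loc_40A222 does beyond its
 * host-unreachable check is not shown on the page; it is assumed here to
 * stay in the loop. */
enum action dispatch_vulnerable(int rc, int err)
{
    if (rc != -1)                 /* cmp esi, 0FFFFFFFFh: data received       */
        return ACT_PROCESS;
    if (err > WSAENOTCONN)        /* jg  loc_40A222 (assumed: keep listening) */
        return ACT_IGNORE;
    if (err == WSAENOTCONN)       /* jz  loc_40A214                           */
        return ACT_RESET_SOCKET;
    if (err == 0)                 /* test eax,eax / jz loc_40A209             */
        return ACT_IGNORE;
    if (err == WSAENOTSOCK)       /* cmp eax, 2736h / jz loc_40A214           */
        return ACT_RESET_SOCKET;
    return ACT_EXIT_THREAD;       /* 2738h lands here: thread exits           */
}

/* Hardened dispatch: on WSAEMSGSIZE Winsock has already copied the first
 * BUFSIZE bytes and discarded the remainder.  An oversized datagram is not
 * something the URC server sends, so treat it as untrusted input, drop it
 * and keep servicing the socket instead of leaving the thread. */
enum action dispatch_hardened(int rc, int err)
{
    if (rc == -1 && err == WSAEMSGSIZE)
        return ACT_IGNORE;
    return dispatch_vulnerable(rc, err);
}

/* Constructed datagram sizes standing in for the wire (not captured traffic):
 * three legitimate messages, one 1001h-byte attacker datagram, then two more
 * legitimate messages that a healthy service must still handle. */
static const size_t sample_sizes[] = { 120, 512, 0x1000, 0x1001, 64, 200 };
#define NSAMPLES (sizeof sample_sizes / sizeof sample_sizes[0])

/* Simulated recvfrom() reproducing Winsock UDP truncation semantics:
 * copies min(datagram, buflen) bytes, and if the datagram was larger
 * returns -1 with the error set to WSAEMSGSIZE. */
static int sim_recvfrom(size_t dgram, char *buf, size_t buflen, int *err)
{
    memset(buf, 'A', dgram < buflen ? dgram : buflen);   /* constructed payload */
    if (dgram > buflen) {
        *err = WSAEMSGSIZE;
        return -1;
    }
    *err = 0;
    return (int)dgram;
}

/* Receive loop driven by one of the dispatchers.  Returns the number of
 * datagrams processed before the thread gave up, or the count for the
 * whole stream if it survived. */
size_t run_service(enum action (*dispatch)(int, int))
{
    char buf[BUFSIZE];
    size_t processed = 0;
    for (size_t i = 0; i < NSAMPLES; i++) {
        int err;
        int rc = sim_recvfrom(sample_sizes[i], buf, sizeof buf, &err);
        switch (dispatch(rc, err)) {
        case ACT_PROCESS:      processed++; break;
        case ACT_IGNORE:       break;             /* drop datagram, keep listening       */
        case ACT_RESET_SOCKET: break;             /* real code would reopen the socket   */
        case ACT_EXIT_THREAD:  return processed;  /* dmprimer.exe: thread gone, process stays */
        }
    }
    return processed;
}

int main(void)
{
    printf("vulnerable dispatch processed %zu of %zu datagrams\n",
           run_service(dispatch_vulnerable), (size_t)NSAMPLES);
    printf("hardened   dispatch processed %zu of %zu datagrams\n",
           run_service(dispatch_hardened), (size_t)NSAMPLES);
    return 0;
}
```

Compile with any C99 compiler. In a real Winsock build the same dispatch_hardened() is called with the return value of recvfrom() and WSAGetLastError(). Whether a truncated datagram is dropped (as here) or the first 1000h bytes are still parsed is a protocol decision, but either choice keeps the thread alive; the one thing the service must not do is leave its receive loop on an error that any unauthenticated peer can induce with a single spoofed packet.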
Vendor notification - Vendor notified on 21st Dec 2005
Publicly released on - 17 January 2006. An updated version is available through http://supportconnectw.ca.com/
This advisory may change without prior notice.

There are no warranties, implied or express, with regard to the information in this advisory. In no event shall the author or associated parties be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.