seebug | Root | SSV:11691
Jun 24, 2009 - 12:00 a.m.

HP Data Protector dpwinsup.dll Memory Leak Vulnerability

EPSS: 0.929 (High), percentile: 99.0%

BUGTRAQ ID: 34955
CVE(CAN) ID: CVE-2009-0714

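HP Data Protector software provides automated, high-performance backup and recovery, and supports backup and recovery from disk and tape.

HP Data Protector uses a proprietary protocol to communicate with remote clients. If a remote client sends a specially crafted packet to the dpwinsup.dll module of a Data Protector backup domain server, arbitrary memory may be disclosed, causing the dpwingad process running on port 3817/TCP to crash.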

; Buggy code in the dpwinsup module of the dpwingad process
; running on port 3817/TCP
; dpwinsup.10275F80
100DDE89 8B15 54A72210 MOV EDX,DWORD PTR DS:[1022A754]
100DDE8F 8B82 98650000 MOV EAX,DWORD PTR DS:[EDX+6598]
; ECX = user controlled data
100DDE95 8B4C24 54 MOV ECX,DWORD PTR SS:[ESP+54]
; EDX = offset, valid or invalid
100DDE99 8D1481 LEA EDX,DWORD PTR DS:[ECX+EAX*4]
; Crash/Memory Leak
100DDE9C 8B3495 F0A42210 MOV ESI,DWORD PTR DS:[EDX*4+1022A4F0]
100DDEA3 83C4 1C ADD ESP,1C
100DDEA6 897424 10 MOV DWORD PTR SS:[ESP+10],ESI
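
The listing's address arithmetic and a bounds-checked counterpart, as an added C example that is not code from this advisory or from HP. The function names, the table length `TABLE_ENTRIES` and the idea that the load indexes a table of 32-bit entries are assumptions; only the base `0x1022A4F0` and the register arithmetic come from the listing.

```c
#include <stdint.h>
#include <stddef.h>

/* Displacement taken from the MOV ESI instruction at 100DDE9C in the listing. */
#define TABLE_BASE 0x1022A4F0u

/* Hypothetical table length: the advisory does not state the real one. */
#define TABLE_ENTRIES 64u

/* Address dereferenced at 100DDE9C, in 32-bit wrapping arithmetic:
 * EDX = ECX + EAX*4, then ESI = [EDX*4 + TABLE_BASE].
 * ECX comes from the packet and nothing in the listing range-checks it. */
uint32_t unchecked_read_address(uint32_t ecx_from_packet, uint32_t eax_field)
{
    uint32_t edx = ecx_from_packet + eax_field * 4u;
    return edx * 4u + TABLE_BASE;
}

/* Hardened form (an assumption, not HP's patch): build the index in 64 bits
 * so it cannot wrap, and reject it unless it falls inside the table. */
int checked_lookup(const uint32_t *table, size_t entries,
                   uint32_t ecx_from_packet, uint32_t eax_field,
                   uint32_t *out)
{
    uint64_t index = (uint64_t)ecx_from_packet + (uint64_t)eax_field * 4u;

    if (table == NULL || out == NULL || index >= entries)
        return -1;              /* malformed request: drop it, do not read */
    *out = table[index];
    return 0;
}
```

The 64-bit index matters because a packet value such as 0xFFFFFFFF added to a small `EAX*4` wraps to a small, in-range index in 32-bit arithmetic and would pass a check performed after the addition.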

HP Data Protector Express SSE 4.x
HP Data Protector Express SSE 3.x
HP Data Protector Express 4.x
HP Data Protector Express 3.x
Vendor patch:

HP

HP has released a security bulletin (HPSBMA02417) and corresponding patches for this issue:
HPSBMA02417:SSRT090031 rev.1 - HP Data Protector Express and HP Data Protector Express Single Server Edition (SSE), Local Denial of Service (DoS), Execution of Arbitrary Code
Link: http://alerts.hp.com/r?2.1.3KT.2ZR.zWmfi.DEO_5w..T.HP34.1soQ.bW89MQ__DCPWFQR0