Search This Blog

Thursday, November 29, 2007

[NT] TIBCO Rendezvous RVD Daemon Memory Leak DoS

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


- - - - - - - - -

TIBCO Rendezvous RVD Daemon Memory Leak DoS
------------------------------------------------------------------------


SUMMARY

The TIBCO Rendezvous RVD daemon is vulnerable to a memory leak, which when
remotely triggered, prevents any further RV communication until the daemon
is manually restarted.

DETAILS

Vulnerable Systems:
* Rendezvous versions 7.5.2, 7.5.3 and 7.5.4

Immune Systems:
* Rendezvous version 8.0

The RV daemon (RVD) within TIBCO's Rendezvous messaging product is
responsible for the communication of messages between RV-enabled
applications. The vulnerability exists as the result of an error in the
code that parses information within one of the headers in a TIBCO
proprietary network protocol packet.

Technical Details:
Within a Rendezvous "wire format" TCP packet, the first four bytes
represent the number of bytes of data to expect within the packet, for
example:

"\x00\x00\x00\x7c" //total length of data in packet
"\x99\x55\xee\xaa" // "magic" number
"\x06" // number of following bytes including null
"\x6d\x74\x79\x70\x65\x00" //the text "mtype"
..etc

In the above example the number of data bytes in the packet is "0x7c", or
124 bytes. If this value is set to zero in a packet sent to the RVD daemon
then it stops responding to all subsequent communication. This appears to
result from a memory leak, which continues to attempt to allocate memory.
Eventually, operating system alert messages start to appear, warning that
the virtual memory in the underlying operating system is running low.

Vendor & Patch Information:
TIBCO have fixed this issue in Rendezvous 8.0. The issue is documented as
being fixed in the release notes as follows:

1-84MR37 - Fixed a daemon memory growth defect associated with messages of
length zero


ADDITIONAL INFORMATION

The information has been provided by <mailto:research@irmplc.com> IRM
Research.
The original article can be found at:
<http://www.irmplc.com/index.php/160-Advisory-025>

http://www.irmplc.com/index.php/160-Advisory-025

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

No comments: