The best practice for installations of EMC Replication Manager is to register a Replication Manager Client (irccd.exe) instance with the appropiate Replication Manager Server (ird.exe) as soon as the client software is installed on a host. Registration is performed by Replication Manager administrators from within the Replication Manager Server. In the time span exposed before registering a Replication Manager Client instance with a Replication Manager Server, the RunProgram function of the Replication Manager Client instance can be invoked with arbitrary arguments by remote unauthenticated attackers in order to execute arbitrary code with SYSTEM privileges on the vulnerable machine. This module exploits this misconfiguration scenario in order to install an agent on machines running still unregistered instances of EMC Replication Manager Client.
Wednesday, October 24, 2012 - 00:00