CVE-2009-1120
📋 TL;DR
This vulnerability allows unauthenticated remote attackers to execute arbitrary code on EMC RepliStor Server Service systems by sending specially crafted packets to the rep_srv.exe process. The flaw exists in the DoRcvRpcCall RPC function, enabling complete system compromise. All systems running vulnerable versions of EMC RepliStor Server Service before ESA-09-003 are affected.
💻 Affected Systems
- EMC RepliStor Server Service
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with administrative privileges, data theft, lateral movement within network, and persistent backdoor installation.
Likely Case
Remote code execution leading to malware deployment, data exfiltration, and system compromise.
If Mitigated
Limited impact if network segmentation, firewalls, and intrusion prevention systems block RPC traffic from untrusted sources.
🎯 Exploit Status
ZDI-09-068 advisory includes technical details. The unauthenticated nature and high CVSS score suggest weaponization is likely.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ESA-09-003
Vendor Advisory: https://www.emc.com/security-advisories
Restart Required: Yes
Instructions:
1. Download ESA-09-003 patch from EMC support portal.
2. Apply patch to all RepliStor Server Service instances.
3. Restart the rep_srv.exe service or reboot system.
🔧 Temporary Workarounds
Network Segmentation
Windows: Block RPC traffic to rep_srv.exe from untrusted networks using firewalls.
netsh advfirewall firewall add rule name="Block RepliStor RPC" dir=in action=block protocol=TCP localport=135,445,1024-65535 remoteip=any program="%ProgramFiles%\EMC\RepliStor\rep_srv.exe"
Service Restriction
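Windows: Configure Windows Firewall to restrict access to the RepliStor service to trusted IPs only. Block rules take precedence over allow rules in Windows Firewall, so the block rule must cover only the addresses outside the trusted ranges; a block rule with remoteip=any would also cut off the trusted hosts.
netsh advfirewall firewall add rule name="Allow RepliStor Trusted" dir=in action=allow protocol=TCP localport=any remoteip=192.168.1.0/24,10.0.0.0/8 program="%ProgramFiles%\EMC\RepliStor\rep_srv.exe"
netsh advfirewall firewall add rule name="Block RepliStor Untrusted" dir=in action=block protocol=TCP localport=any remoteip=0.0.0.0-9.255.255.255,11.0.0.0-192.168.0.255,192.168.2.0-255.255.255.255 program="%ProgramFiles%\EMC\RepliStor\rep_srv.exe"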
🧯 If You Can't Patch
- Disable RepliStor Server Service if not required for operations.
- Implement strict network access controls to limit RPC traffic to trusted management systems only.
🔍 How to Verify
Check if Vulnerable:
Check if rep_srv.exe is running and accessible on network ports. Review EMC RepliStor version against ESA-09-003.
Check Version:
wmic product where "name like 'EMC RepliStor%'" get version
Verify Fix Applied:
Verify ESA-09-003 patch is installed and rep_srv.exe service version is updated. Test RPC connectivity to confirm service still functions.
📡 Detection & Monitoring
Log Indicators:
- Unusual RPC connections to rep_srv.exe process
- Failed authentication attempts followed by successful RPC calls
- Process creation from rep_srv.exe with unusual parameters
Network Indicators:
- RPC traffic to RepliStor service from unexpected sources
- Malformed RPC packets targeting port 135 or dynamic RPC ports
- Network scans for rep_srv.exe service
SIEM Query:
source="windows" AND process="rep_srv.exe" AND (event_id=4688 OR event_id=5156) AND (destination_port=135 OR rpc_interface_uuid=*)
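Added example (not from the vendor or ZDI advisories): the two log indicators above applied to already-parsed Windows events, flagging inbound connections to rep_srv.exe from outside the trusted ranges used in the firewall workaround and any process whose parent is rep_srv.exe. The dictionary field names and the sample events are assumptions constructed for illustration; map them to your SIEM's field names.

```python
import ipaddress

# Trusted ranges copied from the firewall workaround on this page.
TRUSTED = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.0.0.0/8")]
SERVICE = "rep_srv.exe"

def _basename(path):
    # Handles both drive paths and \device\harddiskvolumeN\... paths.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_trusted(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparseable source: treat as untrusted
    return any(ip.version == n.version and ip in n for n in TRUSTED)

def triage(events):
    """Return (reason, event) pairs for analyst review."""
    findings = []
    for ev in events:
        eid = ev.get("event_id")
        if eid == 5156 and _basename(ev.get("application", "")) == SERVICE:
            # WFP permitted a connection for rep_srv.exe; flag untrusted inbound peers.
            if ev.get("direction") == "Inbound" and not is_trusted(ev.get("source_address", "")):
                findings.append(("untrusted-inbound", ev))
        elif eid == 4688 and _basename(ev.get("parent_process", "")) == SERVICE:
            # Any child of the service is surfaced; baseline legitimate ones locally.
            findings.append(("child-process", ev))
    return findings

# Constructed sample events (not real logs); field names are assumed.
APP = r"\device\harddiskvolume2\program files\emc\replistor\rep_srv.exe"
SAMPLE_EVENTS = [
    {"event_id": 5156, "application": APP, "direction": "Inbound", "source_address": "10.1.2.3"},
    {"event_id": 5156, "application": APP, "direction": "Inbound", "source_address": "203.0.113.45"},
    {"event_id": 5156, "application": APP, "direction": "Outbound", "source_address": "192.168.1.10"},
    {"event_id": 4688, "new_process": r"C:\Windows\System32\cmd.exe",
     "parent_process": r"C:\Program Files\EMC\RepliStor\rep_srv.exe"},
    {"event_id": 4688, "new_process": r"C:\Program Files\EMC\RepliStor\rep_srv.exe",
     "parent_process": r"C:\Windows\System32\services.exe"},
    {"event_id": 5156, "application": r"\device\harddiskvolume2\windows\system32\svchost.exe",
     "direction": "Inbound", "source_address": "198.51.100.7"},
]

if __name__ == "__main__":
    for reason, ev in triage(SAMPLE_EVENTS):
        print(reason, ev)
```

Event 5156 is only logged when Filtering Platform Connection auditing is enabled, and 4688 requires process creation auditing.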
🔗 References
- http://www.zerodayinitiative.com/advisories/ZDI-09-068/
- https://fortiguard.com/encyclopedia/ips/17967/emc-replistor-server-service-doasocommand-code-execution