
Subject: [NT] CA BrightStor Discovery Service Mailslot Buffer Overflow Vulnerability
Date: 8 Oct 2006 16:01:18 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  CA BrightStor Discovery Service Mailslot Buffer Overflow Vulnerability
------------------------------------------------------------------------


SUMMARY

This vulnerability allows remote attackers to execute arbitrary code on 
vulnerable installations of Computer Associates BrightStor ARCserve Backup. 
Authentication is not required to exploit this vulnerability, and both the 
client and server components are affected.

DETAILS

Vulnerable Systems:
 * BrightStor ARCserve Backup version R11.5 Client
 * BrightStor ARCserve Backup version R11.5 Server

The problem specifically exists within the handling of long messages 
received over the mailslot named 'CheyenneDS'. Because nMaxMessageSize is 
passed as 0 in the call to CreateMailslot (which places no limit on the 
size of a single message), the service accepts messages of any length, and 
an attacker can use an oversized message to cause an exploitable 
stack-based buffer overflow.

The vulnerable Mailslot creation occurs:

   casdscsvc.exe -> Asbrdcst.dll
   20C14E8C push 0                  ; lpSecurityAttributes
   20C14E8E push 0                  ; lReadTimeout
   20C14E90 push 0                  ; nMaxMessageSize
   20C14E92 push offset Name        ; "\\\\.\\mailslot\\CheyenneDS"
   20C14E97 stosb
   20C14E98 call ds:CreateMailslotA
   20C14E9E cmp eax, INVALID_HANDLE_VALUE
   20C14EA1 mov mailslot_handle, eax

Note that no explicit MaxMessageSize is specified. Later, ReadFile is 
called on the mailslot handle with a 4 KB stack buffer as the destination. 
The data read is then passed to a logging routine that formats it with 
vsprintf ("ReadMailSlot: %s") into a 1 KB stack buffer. That second buffer 
is where the overflow occurs: a message of more than about 1 KB is received 
intact into the 4 KB read buffer and then overruns the smaller formatting 
buffer.

   casdscsvc.exe -> Asbrdcst.dll
   20C15024 mov eax, mailslot_handle
   20C15029 lea edx, [esp+1044h+Buffer_4k]
   20C1502D push ecx                          ; nNumberOfBytesToRead
   20C1502E push edx                          ; lpBuffer
   20C1502F push eax                          ; hFile
   20C15030 call edi ; ReadFile
   20C15032 test eax, eax
   20C15034 jz  short read_failed
   20C15036 lea ecx, [esp+3Dh]
   20C1503A push ecx                          ; char
   20C1503B push offset str_ReadmailslotS     ; "ReadMailSlot: %s\n"
   20C15040 call not_interesting_call_to_vsnprintf
   20C15045 add esp, 8
   20C15048 lea edx, [esp+3Dh]
   20C1504C push edx                          ; va_list
   20C1504D push offset str_ReadmailslotS_0   ; "ReadMailSlot: %s"
   20C15052 push 0                            ; for_debug_log
   20C15054 call vsprintf_into_1024_stack_buf_and_debug_log

As mentioned in TSRT-06-02, exploitation of this vulnerability is possible 
because an attacker is able to exceed the second-class mailslot message 
size limitation. That limit (424 bytes under Windows) applies to mailslot 
messages broadcast as datagrams, not to what the receiving service reads: 
a message written to the 'CheyenneDS' mailslot of a specific server can be 
large enough to overrun the 1 KB buffer.
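
To make the two halves of this bug concrete, here is an added example 
written for this page (it is not code from Asbrdcst.dll or from the 
advisory): a portable C model of the CheyenneDS read path that measures, 
rather than performs, the overflow of the 1 KB vsprintf buffer, next to a 
hardened handler. The 4096- and 1024-byte sizes and the "ReadMailSlot: %s" 
format come from the listing above; the 424-byte per-message cap, the 
function names and all sample messages are assumptions and constructed 
inputs, and Windows mailslot I/O is replaced by an in-memory message so the 
code runs anywhere.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define READ_BUF_SIZE   4096  /* the 4k buffer ReadFile fills (from the listing) */
#define LOG_BUF_SIZE    1024  /* the 1k stack buffer vsprintf writes (from the listing) */
#define MAX_DS_MESSAGE   424  /* assumed cap: the Windows broadcast mailslot datagram limit */

/* Bytes (without the NUL) that vsprintf would emit for fmt/args, computed with
 * vsnprintf(NULL, 0, ...) so that nothing is written anywhere. */
static size_t formatted_length(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    return n < 0 ? 0 : (size_t)n;
}

/* Model of the vulnerable path: a 4 KB read with no per-message cap, then an
 * unbounded vsprintf("ReadMailSlot: %s") into a 1 KB buffer.  Returns how many
 * bytes would land past the end of that 1 KB buffer (0 = no overflow).  The
 * overflow is measured, not performed, so the example never corrupts its stack. */
size_t vulnerable_overflow_bytes(const char *msg, size_t msg_len)
{
    char read_buf[READ_BUF_SIZE + 1];
    if (msg_len > READ_BUF_SIZE)
        msg_len = READ_BUF_SIZE;      /* ReadFile never returns more than the buffer holds */
    memcpy(read_buf, msg, msg_len);
    read_buf[msg_len] = '\0';         /* %s stops at the first NUL; the attacker controls all bytes before it */
    size_t need = formatted_length("ReadMailSlot: %s", read_buf) + 1;   /* +1 for the terminating NUL */
    return need > LOG_BUF_SIZE ? need - LOG_BUF_SIZE : 0;
}

/* Hardened path: reject anything longer than the documented maximum (the effect
 * a nonzero nMaxMessageSize has at CreateMailslot time), format at most msg_len
 * bytes with a bounded snprintf, and fail closed on truncation.
 * Returns 0 on success, -1 if the message was rejected or would not fit. */
int hardened_handle(const char *msg, size_t msg_len, char *log, size_t log_size)
{
    char read_buf[READ_BUF_SIZE];
    if (msg_len > MAX_DS_MESSAGE || msg_len > sizeof read_buf)
        return -1;
    memcpy(read_buf, msg, msg_len);
    /* "%.*s" bounds the copy by msg_len, so an unterminated payload is handled as data */
    int n = snprintf(log, log_size, "ReadMailSlot: %.*s", (int)msg_len, read_buf);
    if (n < 0 || (size_t)n >= log_size)
        return -1;
    return 0;
}

/* Constructed input (not captured traffic): a run of 'A' bytes of the given
 * length, as an attacker could write to \\server\mailslot\CheyenneDS. */
static char g_msg[READ_BUF_SIZE];
static char *filler(size_t len)
{
    if (len > sizeof g_msg)
        len = sizeof g_msg;
    memset(g_msg, 'A', len);
    return g_msg;
}

size_t overflow_for_length(size_t len)
{
    return vulnerable_overflow_bytes(filler(len), len);
}

/* Same bytes but with a NUL at offset 10: %s stops there, so no overflow. */
size_t overflow_with_early_nul(size_t len)
{
    char *m = filler(len);
    m[10] = '\0';
    return vulnerable_overflow_bytes(m, len);
}

int hardened_for_length(size_t len)
{
    char log[LOG_BUF_SIZE];
    return hardened_handle(filler(len), len, log, sizeof log);
}

int main(void)
{
    size_t lens[] = { 100, 1009, 1010, 2000 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("%4zu-byte message: %4zu bytes past the 1 KB buffer on the original path, hardened rc=%d\n",
               lens[i], overflow_for_length(lens[i]), hardened_for_length(lens[i]));
    printf("2000-byte message with NUL at offset 10: %zu bytes past the buffer\n",
           overflow_with_early_nul(2000));
    return 0;
}
```

Build with `cc -std=c99 -Wall mailslot_model.c`. The model shows why the 
4 KB read buffer is not the problem: the 14-byte "ReadMailSlot: " prefix 
plus the terminator means any message longer than 1009 bytes already writes 
past the 1 KB formatting buffer. In the Windows service the equivalent of 
the hardened path is a nonzero nMaxMessageSize in CreateMailslot, honouring 
lpNumberOfBytesRead rather than trusting a terminator, and replacing 
vsprintf with a length-bounded formatter.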

Vendor Response:
Computer Associates has issued an update to correct this vulnerability. 
More details can be found at:  
http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp

Disclosure Timeline:
2006.03.27 - Digital Vaccine released to TippingPoint customers
2006.04.27 - Vulnerability reported to vendor
2006.10.05 - Coordinated public release of advisory


ADDITIONAL INFORMATION

The information has been provided by Pedram Amini, TippingPoint Security 
Research Team (TSRT@3com.com).
The original article can be found at:  
http://www.tippingpoint.com/security/advisories/TSRT-06-12.html




DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages. 
