[Full-disclosure] NULL pointer in Acronis True Image Windows Agent 1.0.0.54


#######################################################################

Luigi Auriemma

Application: Acronis True Image Windows Agent
http://www.acronis.com/enterprise/products/ATIES/windows-agent.html
Versions: <= 1.0.0.54
(included in Acronis True Image Enterprise Server
9.5.0.8072 and the other True Image packages)
Platforms: Windows
Linux is not affected
Bug: NULL pointer
Exploitation: remote
Date: 08 Mar 2008
Author: Luigi Auriemma
e-mail: aluigi@xxxxxxxxxxxxx
web: aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


The Acronis Agent is an essential component of Acronis True Image Echo
Server (Workstation and Enterprise packages) and is a server running on
the TCP and UDP port 9876 which allows the local and remote management
of Acronis TrueImage.

The Acronis True Image Windows Agent must be not confused with the
Acronis Snap Deploy Management Agent which uses the same ports but a
different protocol and so it's not affected by this bug.


#######################################################################

======
2) Bug
======


A NULL pointer vulnerability can be exploited through the sending of a
malformed packet to the server causing its immediate termination.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/acroagent.txt

nc SERVER 9876 -v -v < acroagent.txt


#######################################################################

======
4) Fix
======


No fix


#######################################################################


---
Luigi Auriemma
http://aluigi.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • RE: Not enough sotrage is available to complete this operation
    ... I understand after you installed Acronis True Image 9.1 on ... your Server, you encountered a couple of issue, for example: ... not startup, Windows Installer isn't responding, etc, As this issue is ...
    (microsoft.public.windows.server.sbs)
  • [NT] NULL pointer in Acronis True Image Windows Agent
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Acronis Agent is "an essential component of Acronis True Image Echo Server ... The Acronis True Image Windows Agent must be not confused with the Acronis ...
    (Securiteam)
  • NULL pointer in Acronis True Image Windows Agent 1.0.0.54
    ... Acronis True Image Windows Agent ... Server and is a server running on ...
    (Bugtraq)
  • Re: [Full-disclosure] Invalid memory access in Acronis True Image Group Server 1.5.19.191
    ... but why no fix ??? ... Acronis True Image Group Server ... Acronis Group Server is a component of Acronis True Image Echo Server ...
    (Full-Disclosure)
  • isa 2004 and acronis
    ... On a server in my network I have Acronis Enterprise installed. ... Now I want to make an image of isa 2004 via the management console of Acronis. ... Acronis True Image Enterprise Server uses the following ports and IP addresses for remote operation: ... server TCP port: 9876, if busy chose port at random ...
    (microsoft.public.isa.configuration)