[Full-disclosure] Invalid memory access in Acronis True Image Group Server 1.5.19.191


#######################################################################

Luigi Auriemma

Application: Acronis True Image Group Server
http://www.acronis.com/enterprise/products/ATIES/group-server.html
Versions: <= 1.5.19.191
(included in Acronis True Image Enterprise Server
9.5.0.8072 and the other True Image packages)
Platforms: Windows
Bug: invalid memory access
Exploitation: remote
Date: 08 Mar 2008
Author: Luigi Auriemma
e-mail: aluigi@xxxxxxxxxxxxx
web: aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Acronis Group Server is a component of Acronis True Image Echo Server
(Workstation and Enterprise packages) which "allows the viewing and
managing of backup tasks for all systems in the network from the
Acronis Management Console".


#######################################################################

======
2) Bug
======


The packets used by this server contain some 16 bit fields which
specify the length of the subsequent data.
The problem is that the memory assigned for each packet is about 2048
bytes so the server allocates the amount of memory specified by that 16
bit field and then tries to copy the data from the packet into this new
buffer with the subsequent crash of the service due to an invalid read
access.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/acrogroup.txt

nc SERVER 9877 -v -v -u -p 9876 < acrogroup.txt


#######################################################################

======
4) Fix
======


No fix


#######################################################################


---
Luigi Auriemma
http://aluigi.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • Invalid memory access in Acronis True Image Group Server 1.5.19.191
    ... Acronis True Image Group Server ... (included in Acronis True Image Enterprise Server ... and the other True Image packages) ...
    (Bugtraq)
  • RE: Not enough sotrage is available to complete this operation
    ... I understand after you installed Acronis True Image 9.1 on ... your Server, you encountered a couple of issue, for example: ... not startup, Windows Installer isn't responding, etc, As this issue is ...
    (microsoft.public.windows.server.sbs)
  • Re: [Full-disclosure] Invalid memory access in Acronis True Image Group Server 1.5.19.191
    ... but why no fix ??? ... Acronis True Image Group Server ... Acronis Group Server is a component of Acronis True Image Echo Server ...
    (Full-Disclosure)
  • isa 2004 and acronis
    ... On a server in my network I have Acronis Enterprise installed. ... Now I want to make an image of isa 2004 via the management console of Acronis. ... Acronis True Image Enterprise Server uses the following ports and IP addresses for remote operation: ... server TCP port: 9876, if busy chose port at random ...
    (microsoft.public.isa.configuration)
  • Isa and Acronis
    ... On a server in my network I have Acronis Enterprise installed. ... On the ISA ... Acronis True Image Enterprise Server uses the following ports and IP ... server TCP port: 9876, ...
    (microsoft.public.isa)