[NT] CA BrightStor Discovery Service Mailslot Buffer Overflow Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



CA BrightStor Discovery Service Mailslot Buffer Overflow Vulnerability
------------------------------------------------------------------------


SUMMARY

This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Computer Associates ARCserver Backup.
Authentication is not required exploit this vulnerability and both the
client and server are affected.

DETAILS

Vulnerable Systems:
* BrightStor ARCserver Backup version R11.5 Client
* BrightStor ARCserver Backup version R11.5 Server

The problem specifically exists within the handling of long messages
received over the Mailslot named 'CheyenneDS'. As no explicit
MaxMessageSize is supplied in the call to CreateMailslot, an attacker can
cause an exploitable stack-based buffer overflow.

The vulnerable Mailslot creation occurs:

casdscsvc.exe -> Asbrdcst.dll
20C14E8C push 0 ; lpSecurityAttributes
20C14E8E push 0 ; lReadTimeout
20C14E90 push 0 ; nMaxMessageSize
20C14E92 push offset Name ; "\\\\.\\mailslot\\CheyenneDS"
20C14E97 stosb
20C14E98 call ds:CreateMailslotA
20C14E9E cmp eax, INVALID_HANDLE_VALUE
20C14EA1 mov mailslot_handle, eax

Note there is no explicit MaxMessageSize specified. Later the mailslot
handle is read from into a 4k buffer. The read data is also passed to a
routine which calls vsprintf into a 1k buffer.

casdscsvc.exe -> Asbrdcst.dll
20C15024 mov eax, mailslot_handle
20C15029 lea edx, [esp+1044h+Buffer_4k]
20C1502D push ecx ; nNumberOfBytesToRead
20C1502E push edx ; lpBuffer
20C1502F push eax ; hFile
20C15030 call edi ; ReadFile
20C15032 test eax, eax
20C15034 jz short read_failed
20C15036 lea ecx, [esp+3Dh]
20C1503A push ecx ; char
20C1503B push offset str_ReadmailslotS ; "ReadMailSlot: %s\n"
20C15040 call not_interesting_call_to_vsnprtinf
20C15045 add esp, 8
20C15048 lea edx, [esp+3Dh]
20C1504C push edx ; va_list
20C1504D push offset str_ReadmailslotS_0 ; "ReadMailSlot: %s"
20C15052 push 0 ; for_debug_log
20C15054 call vsprintf_into_1024_stack_buf_and_debug_log

As mentioned in TSRT-06-02, exploitation of this vulnerability is possible
due to the ability to exceeding the second-class Mailslot message size
limitation.

Vendor Response:
Computer Associates has issued an update to correct this vulnerability.
More details can be found at:
<http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp> http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp

Disclosure Timeline:
2006.03.27 - Digital Vaccine released to TippingPoint customers
2006.04.27 - Vulnerability reported to vendor
2006.10.05 - Coordinated public release of advisory


ADDITIONAL INFORMATION

The information has been provided by <mailto:TSRT@xxxxxxxx> Pedram Amini,
TippingPoint Security Research Team.
The original article can be found at:
<http://www.tippingpoint.com/security/advisories/TSRT-06-12.html>
http://www.tippingpoint.com/security/advisories/TSRT-06-12.html



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages

  • [NT] Winamp ID3v2 Buffer Overflow
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Winamp is vulnerable to a buffer overflow vulnerability when processing ... control the EAX register, ...
    (Securiteam)
  • [EXPL] Opera JPEG Processing Heap Corruption Vulnerabilities
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Opera JPEG Processing Heap Corruption Vulnerabilities ... - ntdll.RtlAllocateHeapDHT vulnerability ... 74E5D7E0 mov edi, eax ...
    (Securiteam)
  • [NT] Microsoft SRV.SYS Mailslot Ring0 Memory Corruption (MS06-035)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... vulnerable installations of the Microsoft Windows operating system. ... Mailslot communications are divided into two classes. ... It is important to note that this vulnerability affects more than just the ...
    (Securiteam)
  • [UNIX] Trend Micro VirusWall Buffer Overflow in VSAPI Library
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... buffer overflow vulnerability in VSAPI library allows arbitrary code ... is called "vscan" which is set suid root by default. ... permissions and thus granted all local users the privilege to execute the ...
    (Securiteam)
  • [UNIX] SCO Multiple Local Buffer Overflow
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Local exploitation of a buffer overflow vulnerability in the ppp binary, ... allows attackers to gain root privileges. ...
    (Securiteam)