[NT] Computer Associates BrightStor ARCserve Backup Code Execution Vulnerability (6502)
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 24 Jan 2007 19:25:20 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Computer Associates BrightStor ARCserve Backup Code Execution
Vulnerability (6502)
------------------------------------------------------------------------
SUMMARY
"BrightStor ARCserve Backup provides a complete, flexible and integrated backup and recovery solution for Windows, NetWare, Linux and UNIX environments." (http://www3.ca.com/solutions/ProductFamily.aspx?ID=115)
A vulnerability in one of CA's BrightStor ARCserve services allows remote attackers to cause the product to overflow an internal buffer.
DETAILS
Vulnerable Systems:
* BrightStor ARCserve Backup R11.5
* BrightStor ARCserve Backup R11.1
* BrightStor ARCserve Backup R11
* BrightStor ARCserve Backup v9.01
* BrightStor Enterprise Backup 10.5
A vulnerability was discovered in Computer Associates BrightStor ARCserve Backup v11.5 that could be exploited by an anonymous attacker to execute arbitrary code with SYSTEM privileges on an affected system.
The flaw exists within the Tape Engine (tapeeng.exe) due to incorrect handling of RPC requests received on TCP port 6502. The RPC interface is identified by UUID 62b93df0-8b02-11ce-876c-00805f842837, and opnum 191 is the vulnerable operation within this interface.
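The two facts the advisory gives about the exposed surface, the interface UUID and opnum 191 on TCP/6502, are enough to build a network-level detection check. The following is an added example, not code from the advisory or from LSSEC or CA: it parses connection-oriented DCE/RPC bind and request PDUs, remembers which presentation context a client bound to the Tape Engine interface, and raises an alert when a request for opnum 191 arrives on that context. The sample PDUs are constructed inline (zero-filled stub data, no exploit content) so the detector can be exercised offline; the class and function names are this example's own.

```python
"""Flag DCE/RPC requests for opnum 191 on the BrightStor Tape Engine interface.

Added example for the advisory above; the UUID, opnum and port come from the
advisory, everything else (names, sample PDUs) is constructed here.
"""
import struct
import uuid

TAPE_ENGINE_IFACE = uuid.UUID("62b93df0-8b02-11ce-876c-00805f842837")  # from the advisory
VULNERABLE_OPNUM = 191                                                  # from the advisory
TAPE_ENGINE_PORT = 6502                                                 # from the advisory
# Standard NDR transfer syntax (DCE 1.1); only used to build realistic sample binds.
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")

PTYPE_REQUEST = 0
PTYPE_BIND = 11
PFC_OBJECT_UUID = 0x80
# Common 16-byte header: rpc_vers, minor, ptype, pfc_flags, drep, frag_len, auth_len, call_id
HDR = struct.Struct("<BBBB4sHHI")


def parse_header(pdu):
    """Return (ptype, pfc_flags, frag_length, call_id); reject what we cannot parse."""
    if len(pdu) < HDR.size:
        raise ValueError("short PDU header")
    vers, _minor, ptype, flags, drep, frag_len, _auth_len, call_id = HDR.unpack_from(pdu, 0)
    if vers != 5 or not (drep[0] & 0x10):          # only little-endian DCE/RPC v5 handled
        raise ValueError("not a little-endian DCE/RPC v5 PDU")
    if frag_len > len(pdu):
        raise ValueError("frag_length exceeds captured data")
    return ptype, flags, frag_len, call_id


def parse_bind(pdu):
    """Map each presentation context id in a bind PDU to its abstract-syntax (interface) UUID."""
    contexts = {}
    n_ctx = pdu[24]            # after max_xmit, max_recv, assoc_group_id
    off = 28                   # after n_context_elem + 3 reserved bytes
    for _ in range(n_ctx):
        ctx_id, n_ts = struct.unpack_from("<HBx", pdu, off)
        contexts[ctx_id] = uuid.UUID(bytes_le=pdu[off + 4:off + 20])
        off += 24 + 20 * n_ts  # abstract syntax (uuid+version) + each transfer syntax
    return contexts


def parse_request(pdu):
    """Return (context id, opnum, stub bytes) of a request PDU."""
    _, flags, frag_len, _ = parse_header(pdu)
    _alloc_hint, ctx_id, opnum = struct.unpack_from("<IHH", pdu, 16)
    off = 24 + (16 if flags & PFC_OBJECT_UUID else 0)   # optional object UUID
    return ctx_id, opnum, pdu[off:frag_len]


class TapeEngineMonitor:
    """Per-TCP-connection state: binds seen so far, and alerts on opnum 191 to the interface."""

    def __init__(self):
        self.contexts = {}

    def feed(self, pdu):
        ptype, _, _, call_id = parse_header(pdu)
        if ptype == PTYPE_BIND:
            self.contexts.update(parse_bind(pdu))
            return None
        if ptype == PTYPE_REQUEST:
            ctx_id, opnum, stub = parse_request(pdu)
            if self.contexts.get(ctx_id) == TAPE_ENGINE_IFACE and opnum == VULNERABLE_OPNUM:
                return f"call_id {call_id}: opnum {opnum} on Tape Engine interface, {len(stub)} stub bytes"
        return None


# --- constructed sample traffic (not a capture; zero-filled stubs, no exploit data) ---
def _pdu(ptype, body, call_id, flags=0x03):   # 0x03 = first + last fragment
    return HDR.pack(5, 0, ptype, flags, b"\x10\x00\x00\x00", HDR.size + len(body), 0, call_id) + body


def build_bind(iface, ctx_id=0, call_id=1):
    ctx = (struct.pack("<HBx", ctx_id, 1) + iface.bytes_le + struct.pack("<I", 1)
           + NDR_SYNTAX.bytes_le + struct.pack("<I", 2))
    body = struct.pack("<HHI", 5840, 5840, 0) + struct.pack("<BBH", 1, 0, 0) + ctx
    return _pdu(PTYPE_BIND, body, call_id)


def build_request(ctx_id, opnum, stub, call_id=2):
    return _pdu(PTYPE_REQUEST, struct.pack("<IHH", len(stub), ctx_id, opnum) + stub, call_id)


def demo():
    """Bind to the interface, send a benign opnum, then opnum 191; return the alerts raised."""
    mon = TapeEngineMonitor()
    alerts = []
    for pdu in (build_bind(TAPE_ENGINE_IFACE),
                build_request(0, 5, b"\x00" * 8),
                build_request(0, VULNERABLE_OPNUM, b"\x00" * 32)):
        alert = mon.feed(pdu)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The monitor keys on the bind rather than on opnum alone because context ids are small integers reused across interfaces; a request with opnum 191 on a context bound to some other interface is not interesting. In a real deployment the same logic sits behind a TCP reassembler for port 6502, with one monitor instance per connection, and multi-fragment requests would need the first-fragment flag checked before reading the opnum.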
This specific flaw allows for redirection of code by manipulating a
variable on the stack. This variable is referenced later and can be abused
in the following call:
00264DFE CALL DWORD PTR DS:[EAX+C] ;EAX is controllable.
The following code modifies the stack variable:
STACK before REP instruction
01C9FA2C 01C9FB84
01C9FA30 00000000 VAR
01C9FA34 02860286
01C9FA38 00000002
01C9FA3C 01C9FAD0
01C9FA40 /01C9FD48 EBP
01C9FA44 |77D96065 RETURN to RPCRT4.77D96065 from RPCRT4.77D36CB8
01C9FA48 |002A2E60 TAPEEN_1.002A2E60
RPCRT4
77D36CD9 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] ;Our address is stored in VAR
..
77D36CE3 MOV EAX,DWORD PTR SS:[EBP+8] ;TAPEEN_1.002A2E60
77D36CE6 CALL EAX
STACK after REP instruction
01C9FA2C 0014DB88
01C9FA30 00172CDC Our address
01C9FA34 02860286
01C9FA38 00000002
01C9FA3C 01C9FAD0
01C9FA40 /01C9FD48 EBP
01C9FA44 |77D96065 RETURN to RPCRT4.77D96065 from RPCRT4.77D36CB8
01C9FA48 |002A2E60 TAPEEN_1.002A2E60
TAPEEN_1
002A2E60 MOV EAX,DWORD PTR SS:[ESP+8] ;Our address
002A2E64 PUSH EAX
002A2E65 CALL TAPEEN_1.00264DB0
STACK after CALL TAPEEN_1.00264DB0
01C9FA1C /01C9FA40 EBP
01C9FA20 |002A2E6A RETURN to TAPEEN_1.002A2E6A from TAPEEN_1.00264DB0
01C9FA24 |00172CDC PUSHED EAX
01C9FA28 |77D36CE8 RETURN to RPCRT4.77D36CE8
01C9FA2C |0014DB88
01C9FA30 |00172CDC Our address
01C9FA34 |02860286
01C9FA38 |00000002
01C9FA3C |01C9FAD0
01C9FA40 ]01C9FD48 EBP
01C9FA44 |77D96065 RETURN to RPCRT4.77D96065 from RPCRT4.77D36CB8
01C9FA48 |002A2E60 TAPEEN_1.002A2E60
TAPEEN_1
00264DB0 PUSH EBP
00264DB1 MOV EBP,ESP
..
00264DF1 MOV ESI,DWORD PTR SS:[EBP+8] ;Our address is stored in ESI
00264DF4 MOV EAX,DWORD PTR DS:[ESI+334] ;The data referenced by ESI+334 is moved to EAX
00264DFA MOV ECX,DWORD PTR DS:[EAX+18]
00264DFD PUSH ECX
00264DFE CALL DWORD PTR DS:[EAX+C] ;The data referenced by EAX+C is called
Disclosure Timeline:
* 10/04/2006 - Reported.
* 01/11/2007 - Release.
ADDITIONAL INFORMATION
The information has been provided by LSSEC.
The original article can be found at:
<http://www.lssec.com/advisories/LS-20061002.pdf>