[NT] Computer Associates BrightStor ARCserve Backup Buffer Overflow Vulnerability (6502)
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 24 Jan 2007 19:19:22 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Computer Associates BrightStor ARCserve Backup Buffer Overflow
Vulnerability (6502)
------------------------------------------------------------------------
SUMMARY
"BrightStor ARCserve Backup provides a complete, flexible and integrated backup and recovery solution for Windows, NetWare, Linux and UNIX environments." (<http://www3.ca.com/solutions/ProductFamily.aspx?ID=115>)
A vulnerability in one of CA's BrightStor ARCserve services allows remote attackers to cause the product to overflow an internal buffer.
DETAILS
Vulnerable Systems:
* BrightStor ARCserve Backup version R11.5 Server pre SP2.
A vulnerability was discovered in Computer Associates BrightStor ARCserve Backup v11.5 that could be exploited by an anonymous attacker to execute arbitrary code with SYSTEM privileges on an affected system.
The flaw exists within the Tape Engine (tapeeng.exe) due to incorrect handling of RPC requests on TCP port 6502. The RPC interface is identified by the UUID 62b93df0-8b02-11ce-876c-00805f842837, and opnum 38 is the vulnerable operation within this interface.
TAPEUTIL.dll v11.5.3884.0 contains a buffer overflow due to an unbounded vsprintf() call: the destination is a fixed-size stack buffer, while the format string carries attacker-influenced %s arguments.
00512143 MOV ECX, DWORD PTR SS:[ESP+840] ; fmt
0051214A LEA EAX, DWORD PTR SS:[ESP+844] ; arglist
00512151 PUSH EAX
00512152 LEA EDX, DWORD PTR SS:[ESP+43C] ; dst
00512159 PUSH ECX
0051215A PUSH EDX
0051215B CALL DWORD PTR DS:[<&MSVCRT.vsprintf>] ; MSVCRT.vsprintf
fmt: " GRP: ReserveGroup-> Group[%s] hJob[%p] JobID[%d] Owner[%s]"
This specific flaw is only reachable when the Message Log Level is set to either "Detail" or "Detail, with Read/Writes". The following log levels are available:
0x00: None
0x01: Summary
0x02: Detail
0x03: Detail, with Read/Writes
The following output types are available:
0x00: Both, Screen and File
0x01: Screen Only
0x02: File Only
Each Log Level / Output Type is represented by a specific ID which is stored in the .data section of TAPEUTIL.dll and queried before data is logged. The Log Level ID is stored at 0x6F7410 and the Output Type at 0x6F7418. Sending a packet with the following stub to Opnum 43 allows us to change the Log Level remotely, so the log-level precondition above does not limit exposure:
+00h DWORD
+04h DWORD <Log Level>
+08h DWORD <Output Type>
+0Ch DWORD
+10h DWORD
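The root cause above is a vsprintf() call with no length argument writing into a fixed-size stack buffer. The following is an added illustration, not code from CA, LSSEC or the advisory: it shows the bounded form of the same log statement (vsnprintf with an explicit buffer size, truncation reported to the caller) together with the log-level gate the advisory describes. The buffer size LOG_LINE_MAX, the function names and the sample group name are assumptions made for the example; the real TAPEUTIL.dll buffer size is not given in the advisory.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Log levels as listed in the advisory (IDs 0x00..0x03). */
enum log_level { LOG_NONE = 0, LOG_SUMMARY = 1, LOG_DETAIL = 2, LOG_DETAIL_RW = 3 };

/* Assumed fixed-size destination buffer; the real size is not published. */
#define LOG_LINE_MAX 256

/*
 * Bounded replacement for the vsprintf() call shown in the advisory.
 * Writes at most dstsz-1 characters plus a terminating NUL and reports
 * whether the whole message fit. A plain vsprintf() has no length
 * argument and keeps writing past the end of dst when a %s argument is
 * longer than the buffer, which is the defect described above.
 */
static bool format_log_line(char *dst, size_t dstsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int needed = vsnprintf(dst, dstsz, fmt, ap);
    va_end(ap);
    /* vsnprintf returns the length the untruncated string would have had. */
    return needed >= 0 && (size_t)needed < dstsz;
}

/*
 * Format the ReserveGroup log line only when the configured level permits it.
 * Returns 1 if a line was written, 0 if suppressed by the log level,
 * -1 if the caller-supplied strings did not fit (dst holds a truncated line).
 */
static int log_reserve_group(int level, char *dst, size_t dstsz,
                             const char *group, const void *hjob,
                             int jobid, const char *owner)
{
    if (level < LOG_DETAIL) {
        dst[0] = '\0';
        return 0;
    }
    if (!format_log_line(dst, dstsz,
            " GRP: ReserveGroup-> Group[%s] hJob[%p] JobID[%d] Owner[%s]",
            group, hjob, jobid, owner))
        return -1;
    return 1;
}

/* Constructed sample: a 599-byte group name, far longer than LOG_LINE_MAX. */
static int demo_oversized_group(char *out, size_t outsz)
{
    char longname[600];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    return log_reserve_group(LOG_DETAIL_RW, out, outsz, longname,
                             (const void *)0, 1, "operator");
}

int main(void)
{
    char buf[LOG_LINE_MAX];
    int rc = demo_oversized_group(buf, sizeof buf);
    printf("rc=%d len=%zu (buffer bound respected)\n", rc, strlen(buf));
    rc = log_reserve_group(LOG_DETAIL, buf, sizeof buf, "Tape1",
                           (const void *)0, 7, "admin");
    printf("rc=%d line=%s\n", rc, buf);
    return 0;
}
```

The return value of format_log_line() is what distinguishes a safely truncated line from a silently corrupted one; the original code had no such signal because vsprintf() cannot know the buffer size at all.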
Patch Availability:
Service Pack 2 resolves this issue.
ADDITIONAL INFORMATION
The information has been provided by LSSEC.
The original article can be found at:
http://www.lssec.com/advisories/LS-20061001.pdf