[VulnWatch] iDEFENSE Security Advisory 02.09.05: CA BrightStor ARCserve Backup v11 Discovery Service Remote Buffer Overflow

From: iDefense Customer Service (customerservice_at_idefense.com)
Date: 02/10/05

    Date: Wed, 9 Feb 2005 18:16:07 -0500
    To: <bugtraq@securityfocus.com>, <vulnwatch@vulnwatch.org>
    
    

    Computer Associates BrightStor ARCserve Backup v11 Discovery Service
    Remote Buffer Overflow Vulnerability

    iDEFENSE Security Advisory 02.09.05
    www.idefense.com/application/poi/display?id=194&type=vulnerabilities
    February 09, 2005

    I. BACKGROUND

    BrightStor ARCserve Backup for Windows delivers backup and restore
    protection for all Windows server systems as well as Windows, Linux,
    Mac OS X and UNIX client environments.

    http://www3.ca.com/Solutions/ProductFamily.asp?ID=115

    II. DESCRIPTION

    Remote exploitation of a buffer overflow vulnerability in Computer
    Associates International Inc's BrightStor ARCserve Backup v11 Discovery
    Service may allow execution of arbitrary code.

    The BrightStor software automatically detects other BrightStor
    (ARCserve) servers on the local network. It does this by sending UDP
    probe messages to the broadcast address on the network. Each system
    running the BrightStor software listens for these probes and replies
    to the IP address embedded in the data of the packet. The Discovery
    service listens on UDP port 41524 for these probe requests.

    III. ANALYSIS

    When a UDP probe is received by the Discovery Service, a stack overflow
    can occur if the data is larger than the temporary buffer. The
    recvfrom() call made by the service accepts up to 4096 bytes; however,
    the buffer the data is copied to is slightly less than 1000 bytes. The
    return address can be overwritten by sending a message that is at least
    967 bytes long. As the service runs as 'Local System', exploitation of
    this vulnerability allows running arbitrary code with superuser
    privileges.
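
    The size mismatch described above, with the length check that closes it.
    This is an added example, not code from the advisory or from the vendor:
    handle_probe(), copy_probe() and the 960-byte PROBE_BUF are assumptions
    (the advisory only says the buffer is "slightly less than 1000 bytes").

```c
#include <stddef.h>
#include <string.h>

#define RECV_MAX  4096  /* datagram size the advisory says recvfrom() accepts */
#define PROBE_BUF 960   /* assumed size; advisory says "slightly less than 1000 bytes" */

enum probe_status { PROBE_OK = 0, PROBE_EMPTY = -1, PROBE_TOO_LONG = -2 };

/*
 * Pattern the advisory describes (comment only, not compiled):
 *     char tmp[PROBE_BUF];
 *     n = recvfrom(sock, pkt, RECV_MAX, 0, ...);
 *     memcpy(tmp, pkt, n);      // n may reach 4096, tmp is far smaller
 */

/* Bounded copy: refuse any datagram that does not fit dst plus a NUL byte. */
static enum probe_status copy_probe(char *dst, size_t dst_size,
                                    const unsigned char *pkt, size_t pkt_len)
{
    if (dst == NULL || dst_size == 0 || pkt == NULL || pkt_len == 0)
        return PROBE_EMPTY;
    if (pkt_len >= dst_size)     /* reject outright, never truncate silently */
        return PROBE_TOO_LONG;
    memcpy(dst, pkt, pkt_len);
    dst[pkt_len] = '\0';
    return PROBE_OK;
}

/* Hypothetical handler: a fixed stack buffer as in the service, but the
 * received length is validated against it before any copy takes place. */
enum probe_status handle_probe(const unsigned char *pkt, size_t pkt_len)
{
    char tmp[PROBE_BUF];
    enum probe_status st = copy_probe(tmp, sizeof tmp, pkt, pkt_len);
    if (st != PROBE_OK)
        return st;               /* drop the probe; the caller can log it */
    return PROBE_OK;             /* parsing of tmp would follow here */
}

int main(void)
{
    unsigned char pkt[RECV_MAX];
    memset(pkt, 'A', sizeof pkt);            /* constructed sample payload */
    return (handle_probe(pkt, 100) == PROBE_OK &&
            handle_probe(pkt, 967) == PROBE_TOO_LONG &&
            handle_probe(pkt, RECV_MAX) == PROBE_TOO_LONG) ? 0 : 1;
}
```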

    IV. DETECTION

    Computer Associates BrightStor ARCserve Backup v11 (Win32) has been
    confirmed vulnerable.

    V. WORKAROUND

    Employ firewalls, access control lists or other TCP/UDP restriction
    mechanisms to limit access to systems and services.

    VI. VENDOR RESPONSE

    http://supportconnectw.ca.com/public/enews/BrightStor/brigcurrent.asp

    The following vendor patches have been made available:

    BrightStor ARCserve Backup r11.1 for Windows - All Languages -
    http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO62769

    BrightStor ARCserve Backup r11.0 for Windows - All Languages -
    http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO62768

    BrightStor Enterprise Backup v10.5 for Windows -
    http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO62770

    BrightStor Enterprise Backup v10.0 for Windows -
    http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO62771

    BrightStor ARCserve Backup v9.01 for Windows - All Languages -
    http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO62767

    BrightStor ARCserve 2000 Backup for Windows (Japanese Only) -
    http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO62766

    BrightStor ARCserve Backup r11.1 for NetWare
    http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO62936

    BrightStor ARCserve Backup v9 for NetWare
    http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO62772

    BrightStor ARCserve Backup r11.1 for Windows - 64 Bit Edition -
    http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO62990

    BrightStor ARCserve Backup r11.0 for Windows - 64 Bit Edition -
    http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO62989

    BrightStor Enterprise Backup v10.5 for Windows - 64 Bit Edition -
    http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO62991

    BrightStor ARCserve Backup v9.01 for Windows - 64 Bit Edition -
    http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO62987

    VII. CVE INFORMATION

    A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
    been assigned yet.

    VIII. DISCLOSURE TIMELINE

    11/12/2004 Initial vendor notification
    11/15/2004 Initial vendor response
    02/09/2005 Public disclosure

    IX. CREDIT

    This vulnerability was discovered independently by two contributors,
    one of whom is Patrik Karlsson. The other wishes to remain anonymous.

    Get paid for vulnerability research
    http://www.idefense.com/poi/teams/vcp.jsp

    X. LEGAL NOTICES

    Copyright (c) 2005 iDEFENSE, Inc.

    Permission is granted for the redistribution of this alert
    electronically. It may not be edited in any way without the express
    written consent of iDEFENSE. If you wish to reprint the whole or any
    part of this alert in any other medium other than electronically, please
    email customerservice@idefense.com for permission.

    Disclaimer: The information in the advisory is believed to be accurate
    at the time of publishing based on currently available information. Use
    of the information constitutes acceptance for use in an AS IS condition.
    There are no warranties with regard to this information. Neither the
    author nor the publisher accepts any liability for any direct, indirect,
    or consequential loss or damage arising from use of, or reliance on,
    this information.

