lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 10 Mar 2008 22:47:28 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, news@...uriteam.com,
	full-disclosure@...ts.grok.org.uk, vuln@...unia.com,
	packet@...ketstormsecurity.org
Subject: Invalid memory access in Acronis True Image Group Server 1.5.19.191


#######################################################################

                             Luigi Auriemma

Application:  Acronis True Image Group Server
              http://www.acronis.com/enterprise/products/ATIES/group-server.html
Versions:     <= 1.5.19.191
              (included in Acronis True Image Enterprise Server
              9.5.0.8072 and the other True Image packages)
Platforms:    Windows
Bug:          invalid memory access
Exploitation: remote
Date:         08 Mar 2008
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Acronis Group Server is a component of Acronis True Image Echo Server
(Workstation and Enterprise packages) which "allows the viewing and
managing of backup tasks for all systems in the network from the
Acronis Management Console".


#######################################################################

======
2) Bug
======


The packets used by this server contain some 16 bit fields which
specify the length of the subsequent data.
The problem is that the memory assigned for each packet is about 2048
bytes so the server allocates the amount of memory specified by that 16
bit field and then tries to copy the data from the packet into this new
buffer with the subsequent crash of the service due to an invalid read
access.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/acrogroup.txt

  nc SERVER 9877 -v -v -u -p 9876 < acrogroup.txt


#######################################################################

======
4) Fix
======


No fix


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ