[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20080310224728.0354dba9.aluigi@autistici.org>
Date: Mon, 10 Mar 2008 22:47:28 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, news@...uriteam.com,
full-disclosure@...ts.grok.org.uk, vuln@...unia.com,
packet@...ketstormsecurity.org
Subject: Invalid memory access in Acronis True Image Group
Server 1.5.19.191
#######################################################################
Luigi Auriemma
Application: Acronis True Image Group Server
http://www.acronis.com/enterprise/products/ATIES/group-server.html
Versions: <= 1.5.19.191
(included in Acronis True Image Enterprise Server
9.5.0.8072 and the other True Image packages)
Platforms: Windows
Bug: invalid memory access
Exploitation: remote
Date: 08 Mar 2008
Author: Luigi Auriemma
e-mail: aluigi@...istici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Acronis Group Server is a component of Acronis True Image Echo Server
(Workstation and Enterprise packages) which "allows the viewing and
managing of backup tasks for all systems in the network from the
Acronis Management Console".
#######################################################################
======
2) Bug
======
The packets used by this server contain some 16 bit fields which
specify the length of the subsequent data.
The problem is that the memory assigned for each packet is about 2048
bytes so the server allocates the amount of memory specified by that 16
bit field and then tries to copy the data from the packet into this new
buffer with the subsequent crash of the service due to an invalid read
access.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/acrogroup.txt
nc SERVER 9877 -v -v -u -p 9876 < acrogroup.txt
#######################################################################
======
4) Fix
======
No fix
#######################################################################
---
Luigi Auriemma
http://aluigi.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists