[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <17b254f0906160329r5c68db5chd8b7990d6184d6b@mail.gmail.com>
Date: Tue, 16 Jun 2009 15:59:18 +0530
From: iViZ Security Advisories <advisories@...zsecurity.com>
To: full-disclosure@...ts.grok.org.uk
Subject: [IVIZ-09-003] CA ARCserve Denial of Service
-----------------------------------------------------------------------
------
[ iViZ Security Advisory 09-003 16/06/2009 ]
-----------------------------------------------------------------------
------
iViZ Techno Solutions Pvt. Ltd.
http://www.ivizsecurity.com
-----------------------------------------------------------------------
* Title: CA ARCserve Denial of Service
* Software: CA ARCserver Backup r12 SP1
--[ Synopsis:
CA ARCserve Backup is vulnerable to a Denial of Service
when a crafted packet is sent to the CA ARCserve Message
Engine Service.
--[ Affected Software:
* CA ARCserver Backup r12 SP1
* Others versions may also be affected
--[ Technical description:
CA ARCserrve is vulnerable to a Denial of Service when a crafted
RPC packet is sent to the Message engine service listening at
6503/TCP port.
The interface informations are as follows
[
uuid(dc246bf0-7a7a-11ce-9f88-00805fe43838),
version(1.0)
]
interface mIDA_interface
{
/* opcode: 0x13 */
long (
[in] long arg_1,
[in] short arg_2,
[in][size_is(65536), length_is(65536)] char * arg_3,
[in] long arg_4,
[out] long * arg_5
);
}
When a crafted RPC packet with values such as
arg_1 = 0x1
arg_4 = 0x1
arg_3 = { a character array of 65536 }
will crash the message engine service. The bug exists in
the ASCORE module and there exists more than one way to
reach the buggy code.
Buggy code @ASCORE module of msgeng.exe process running at 6503/TCP port
2123A736 6A 00 PUSH 0 <- Pushes 0x0
2123A738 55 PUSH EBP
2123A739 E8 F20B0000 CALL ASCORE.2123B330
2123A73E 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10]
#ASCORE.2123B330
2123B330 51 PUSH ECX
2123B331 8B4C24 08 MOV ECX,DWORD PTR SS:[ESP+8] <- Copies
0x0 from stack to ECX
2123B335 8A81 1E010000 MOV AL,BYTE PTR DS:[ECX+11E] <- Bug:
Access Violation
2123B33B 3C 03 CMP AL,3
--[ Impact:
Denial of Service
--[ Vendor response:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=209502
--[ Credits:
This vulnerability was discovered by Nibin Varghese from
iViZ Security Research Team
http://www.ivizsecurity.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists