lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 16 Jun 2009 15:59:18 +0530
From: iViZ Security Advisories <advisories@...zsecurity.com>
To: full-disclosure@...ts.grok.org.uk
Subject: [IVIZ-09-003] CA ARCserve Denial of Service

-----------------------------------------------------------------------
------
[ iViZ Security Advisory 09-003                            16/06/2009 ]

-----------------------------------------------------------------------
------
iViZ Techno Solutions Pvt. Ltd.

                                            http://www.ivizsecurity.com

-----------------------------------------------------------------------



* Title:     CA ARCserve Denial of Service

* Software:  CA ARCserver Backup r12 SP1



--[ Synopsis:



    CA ARCserve Backup is vulnerable to a Denial of Service

    when a crafted packet is sent to the CA ARCserve Message

    Engine Service.



--[ Affected Software:



  * CA ARCserver Backup r12 SP1

  * Others versions may also be affected



--[ Technical description:



    CA ARCserrve is vulnerable to a Denial of Service when a crafted

    RPC packet is sent to the Message engine service listening at

    6503/TCP port.



    The interface informations are as follows



	[

	 uuid(dc246bf0-7a7a-11ce-9f88-00805fe43838),

	 version(1.0)

	]



	interface mIDA_interface

	{

	

	/* opcode: 0x13 */

	

	long  (

	 [in] long arg_1,

	 [in] short arg_2,

	 [in][size_is(65536), length_is(65536)] char * arg_3,

	 [in] long arg_4,

	 [out] long * arg_5

	);



	}



  When a crafted RPC packet with values such as

		arg_1 = 0x1

		arg_4 = 0x1

		arg_3 = { a character array of 65536 }

  will crash the message engine service. The bug exists in

  the ASCORE module and there exists more than one way to

  reach the buggy code.



  Buggy code @ASCORE module of msgeng.exe process running at 6503/TCP port

	2123A736   6A 00             PUSH 0					<- Pushes 0x0

	2123A738   55                PUSH EBP

	2123A739   E8 F20B0000       CALL ASCORE.2123B330

	2123A73E   8B4C24 10         MOV ECX,DWORD PTR SS:[ESP+10]

	

	#ASCORE.2123B330

	2123B330   51                PUSH ECX

	2123B331   8B4C24 08         MOV ECX,DWORD PTR SS:[ESP+8]  	<- Copies
0x0 from stack to ECX

	2123B335   8A81 1E010000     MOV AL,BYTE PTR DS:[ECX+11E]	<- Bug:
Access Violation

	2123B33B   3C 03             CMP AL,3





--[ Impact:



    Denial of Service



--[ Vendor response:



   https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=209502



--[ Credits:



    This vulnerability was discovered by Nibin Varghese from

    iViZ Security Research Team

    http://www.ivizsecurity.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists