lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 16 Jun 2009 15:59:18 +0530 From: iViZ Security Advisories <advisories@...zsecurity.com> To: full-disclosure@...ts.grok.org.uk Subject: [IVIZ-09-003] CA ARCserve Denial of Service ----------------------------------------------------------------------- ------ [ iViZ Security Advisory 09-003 16/06/2009 ] ----------------------------------------------------------------------- ------ iViZ Techno Solutions Pvt. Ltd. http://www.ivizsecurity.com ----------------------------------------------------------------------- * Title: CA ARCserve Denial of Service * Software: CA ARCserver Backup r12 SP1 --[ Synopsis: CA ARCserve Backup is vulnerable to a Denial of Service when a crafted packet is sent to the CA ARCserve Message Engine Service. --[ Affected Software: * CA ARCserver Backup r12 SP1 * Others versions may also be affected --[ Technical description: CA ARCserrve is vulnerable to a Denial of Service when a crafted RPC packet is sent to the Message engine service listening at 6503/TCP port. The interface informations are as follows [ uuid(dc246bf0-7a7a-11ce-9f88-00805fe43838), version(1.0) ] interface mIDA_interface { /* opcode: 0x13 */ long ( [in] long arg_1, [in] short arg_2, [in][size_is(65536), length_is(65536)] char * arg_3, [in] long arg_4, [out] long * arg_5 ); } When a crafted RPC packet with values such as arg_1 = 0x1 arg_4 = 0x1 arg_3 = { a character array of 65536 } will crash the message engine service. The bug exists in the ASCORE module and there exists more than one way to reach the buggy code. Buggy code @ASCORE module of msgeng.exe process running at 6503/TCP port 2123A736 6A 00 PUSH 0 <- Pushes 0x0 2123A738 55 PUSH EBP 2123A739 E8 F20B0000 CALL ASCORE.2123B330 2123A73E 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10] #ASCORE.2123B330 2123B330 51 PUSH ECX 2123B331 8B4C24 08 MOV ECX,DWORD PTR SS:[ESP+8] <- Copies 0x0 from stack to ECX 2123B335 8A81 1E010000 MOV AL,BYTE PTR DS:[ECX+11E] <- Bug: Access Violation 2123B33B 3C 03 CMP AL,3 --[ Impact: Denial of Service --[ Vendor response: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=209502 --[ Credits: This vulnerability was discovered by Nibin Varghese from iViZ Security Research Team http://www.ivizsecurity.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists