-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2007.0786
  [Win] CA BrightStor ARCserve Backup Server Arbitrary Pointer Dereference
                              12 October 2007

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              BrightStor ARCserve Backup
Publisher:            eEye Digital Security
Operating System:     Windows
Impact:               Execute Arbitrary Code/Commands
                      Increased Privileges
                      Denial of Service
Access:               Remote/Unauthenticated
CVE Names:            CVE-2007-5325 CVE-2007-5326 CVE-2007-5327 CVE-2007-5328
                      CVE-2007-5329 CVE-2007-5330 CVE-2007-5331 CVE-2007-5332

Original Bulletin:
  http://supportconnectw.ca.com/public/storage/infodocs/basb-secnotice.asp

- --------------------------BEGIN INCLUDED TEXT--------------------

CA BrightStor ARCserve Backup Server Arbitrary Pointer Dereference

Release Date:  October 11, 2007
Date Reported: June 18, 2007
Severity:      High (Remote Code Execution)
Vendor:        Computer Associates (CA)

Systems Affected:
  BrightStor ARCserve Backup 11.5
  BrightStor ARCserve Backup 11.1
  BrightStor ARCserve Backup 11.0
  BrightStor ARCserve Backup 10.5
  BrightStor ARCserve Backup 9.01

Overview:
eEye Digital Security has discovered a remote vulnerability in CA BrightStor
ARCserve Backup Server that allows an attacker to execute arbitrary code as
SYSTEM without any user interaction. The exploit is extremely reliable and
can be successfully delivered either across the internet or within local
networks via a random TCP port that is disclosed by the BrightStor portmapper
service on TCP/111.

Technical Details:
A remote vulnerability lies within Queue.dll (Version 11.5.4402.15 and prior)
when handling a malformed ONCRPC protocol request sent to CA BrightStor's
ARCserve Backup message queuing service, LQserver.exe.

BrightStor uses a protocol similar to a simplified version of RPC called
ONCRPC (Open Network Computing Remote Procedure Calls), which is described
in the following RFCs: 1831, 1833, and 1832. This vulnerability is only
reached by calling operation 0x76 (Data Queue Request) under the process id
of 0x0006097d (LQserver.exe's unique Proc ID). After initiating this
procedure, LQServer.exe then calls the vulnerable DLL file, Queue.dll. This
procedure inadvertently processes user supplied data and then references
that data as variables without any form of sanitation or verification. This
is demonstrated below:

<lqserver.exe>
100161B0  MOV EDX,DWORD PTR DS:[ECX+4]   ; Move Arbitrary Pointer #2 into EDX
100161B3  PUSH EDX                       ; Push Arbitrary Pointer #2 onto the Stack
100161B4  MOV EAX,DWORD PTR SS:[EBP+8]   ; Move (0x0113F8A8 the address to Arbitrary
                                         ; Pointer #1) into EAX
100161B7  MOV ECX,DWORD PTR DS:[EAX]     ; Move Arbitrary Pointer #1 into ECX
100161B9  PUSH ECX                       ; Push Arbitrary Pointer #1 onto the Stack
100161BA  CALL QUEUE.10012816            ; CALL Vulnerable DLL
...

<queue.dll>
1001281C  CMP DWORD PTR SS:[EBP+8],0     ; EBP + 8 points to Arbitrary Pointer #1 - This makes
                                         ; sure our pointer isn't NULL.
10012820  JNZ SHORT QUEUE.10012829       ; Since our pointer isn't NULL we jump
10012829  MOV EAX,DWORD PTR SS:[EBP+8]   ; Load Arbitrary Pointer #1 into EAX
1001282C  MOV DWORD PTR SS:[EBP-4],EAX   ; Write Arbitrary Pointer into EBP-4 (0x00D39618)
1001282F  CMP DWORD PTR DS:[10037884],0  ; This checks for an error message field - NULL
                                         ; signifies 'The operation completed successfully'
10012836  JE SHORT QUEUE.10012870        ; Jump is taken
10012870  MOV EAX,DWORD PTR SS:[EBP+C]   ; Move Arbitrary Pointer #2 into EAX
10012873  PUSH EAX                       ; Push Arbitrary Pointer #2 onto the stack
10012874  PUSH QUEUE.10037884            ; Push NULL
10012879  MOV ECX,DWORD PTR SS:[EBP-4]   ; Move Arbitrary Pointer #1 into ECX
1001287C  MOV EDX,DWORD PTR DS:[ECX]     ; Move Arbitrary Pointer #1 into EDX
1001287E  MOV ECX,DWORD PTR SS:[EBP-4]   ; Move Arbitrary Pointer #1 into ECX
10012881  CALL DWORD PTR DS:[EDX]        ; Call Arbitrary Pointer #1

At this point Arbitrary Pointer #1 is referenced and called by Queue.dll,
which can then in turn reference Arbitrary Pointer #2. After referencing
Arbitrary Pointer #2, an attacker can completely control code execution and
redirect Queue.dll to execute their own payload. After exploitation,
LQserver.exe crashes and must be manually restarted by the "CA Domain
Server" service.

Protection:
Blink - Unified Client Security has proactively protected from these
vulnerabilities since their discovery.

Retina - Network Security Scanner has been updated to identify these
vulnerabilities.

Vendor Status:
Computer Associates released patches for these vulnerabilities. These
patches are available here:
http://supportconnectw.ca.com/public/storage/infodocs/basb-secnotice.asp

Credit:
Greg Linares

Greetings:
Big thanks to Dre and his underappreciated development software, The Super
Soeder Bros, Master Chief Maiffret, Silva, Casey, Will, H5N1, Apocalypse
Survivor Normalboy, Laughing Man, Jerome Athias, Roland and Waldorf Music
Gear, and to all the Giraffes In Wheelchairs.
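The Technical Details above come down to one defect: two words taken from the request body are trusted first as a data pointer (Arbitrary Pointer #1) and then, through it, as a code pointer. The following is an added example, not eEye's or CA's code, showing the same dispatch shape in hardened form: every reference that arrives over the wire is resolved through a bounds-checked table of objects the server itself created, so the request can only select among them and never supply an address. The structures (queue_request, queue_object, queue_ops), the table sizes, the status codes and the sample requests are all constructed for illustration and do not describe LQserver.exe's real data layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status codes handed back to the RPC layer instead of touching a bad reference. */
#define QUEUE_OK          0
#define QUEUE_EBADHANDLE  1   /* queue_ref is not an index into the table */
#define QUEUE_ENOTLIVE    2   /* slot exists but holds no live queue */
#define QUEUE_EBADARG     3   /* arg_ref does not name a registered buffer */

/* Hypothetical body of a Data Queue Request after RPC decoding. In the
 * vulnerable shape both fields were used directly as pointers. */
struct queue_request {
    uint32_t queue_ref;
    uint32_t arg_ref;
};

struct queue_object;
struct queue_ops {
    int (*handle)(struct queue_object *q, const char *arg);
};
struct queue_object {
    const struct queue_ops *ops;  /* operations table, the role of CALL [EDX] above */
    int live;                     /* slot currently owns a queue */
    int pending;                  /* bytes queued so far (toy payload) */
};

/* Vulnerable shape (never called here): the two request words are trusted
 * as pointers, exactly as the listing does with Arbitrary Pointer #1 and #2.
 *
 *   struct queue_object *q = (struct queue_object *)(uintptr_t)req->queue_ref;
 *   return q->ops->handle(q, (const char *)(uintptr_t)req->arg_ref);
 */

#define MAX_QUEUES 4
#define MAX_ARGS   4

static struct queue_object g_queues[MAX_QUEUES];
/* Constructed argument buffers; slot 2 is deliberately unregistered. */
static const char *const g_args[MAX_ARGS] = { "alpha", "bravo", NULL, "delta" };

static int count_handle(struct queue_object *q, const char *arg)
{
    q->pending += (int)strlen(arg);
    return q->pending;
}
static const struct queue_ops count_ops = { count_handle };

/* Resets the table: queues 0 and 2 are live, 1 and 3 are free slots. */
void queue_table_init(void)
{
    memset(g_queues, 0, sizeof g_queues);
    g_queues[0].ops = &count_ops; g_queues[0].live = 1;
    g_queues[2].ops = &count_ops; g_queues[2].live = 1;
}

/* Hardened dispatch: a reference is an index, checked against the table
 * bounds and the slot state, before anything is dereferenced or called. */
int queue_dispatch(const struct queue_request *req, int *result)
{
    if (req->queue_ref >= MAX_QUEUES)
        return QUEUE_EBADHANDLE;
    struct queue_object *q = &g_queues[req->queue_ref];
    if (!q->live || q->ops == NULL || q->ops->handle == NULL)
        return QUEUE_ENOTLIVE;
    if (req->arg_ref >= MAX_ARGS || g_args[req->arg_ref] == NULL)
        return QUEUE_EBADARG;
    *result = q->ops->handle(q, g_args[req->arg_ref]);
    return QUEUE_OK;
}

/* Convenience wrapper: the handler's result on success, the negated status
 * code when the request was rejected. */
int dispatch_result(uint32_t queue_ref, uint32_t arg_ref)
{
    struct queue_request req = { queue_ref, arg_ref };
    int result = 0;
    int status = queue_dispatch(&req, &result);
    return status == QUEUE_OK ? result : -status;
}

int main(void)
{
    /* Constructed requests: one well-formed, then three that a dispatcher
     * trusting raw pointers would have dereferenced. 0x7FFF1234 is an
     * arbitrary pointer-sized value, not an address from the advisory. */
    const struct queue_request samples[] = {
        { 0, 0 }, { 0x7FFF1234u, 0 }, { 1, 0 }, { 2, 2 },
    };
    queue_table_init();
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int result = 0;
        int status = queue_dispatch(&samples[i], &result);
        printf("queue_ref=0x%08X arg_ref=%u -> status %d result %d\n",
               samples[i].queue_ref, samples[i].arg_ref, status, result);
    }
    return 0;
}
```

The check order matters: the index is validated before the slot is read, and the slot's liveness and operations table are validated before the indirect call, so a rejected request leaves no path to the `CALL DWORD PTR DS:[EDX]` equivalent. The non-NULL test that Queue.dll performs at 1001281C is the only check the original listing shows, and it says nothing about where the pointer points.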
Think you have what it takes to be an eEye Engineer?
eEye Digital Security is always looking for good engineers to add to its
R&D team. If you have a passion for real-world security research and the
drive to create enterprise class solutions, check out our open positions:
http://www.eeye.com/html/company/careers/index.html. However, if you prefer
to break software rather than make it, Research is always taking resumes at
skunkworks@eeye.com.

Related Links:
Preview - Advanced Security Intelligence - http://www.eeye.com/preview

Retina - Network Security Scanner - Free Trial:
http://www.eeye.com/html/products/retina/download/index.html

Blink - Unified Client Security Personal - Free For Home Use:
http://www.eeye.com/html/products/blink/personal/download/index.html

Blink - Unified Client Security Professional - Free Trial:
http://www.eeye.com/html/products/blink/download/index.html

Copyright (c) 1998-2007 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent
of eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please email alert@eEye.com for
permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
no warranties, implied or express, with regard to this information. In no
event shall the author be liable for any direct or indirect damages
whatsoever arising out of or in connection with the use or spread of this
information. Any use of this information is at the user's own risk.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:
        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRw7xmCh9+71yA2DNAQIO1QP+MLyXhQAQISek1HnWPD/+BB+6EmIl1qoA
P1eO/yyGmr/hjkJSkGat5QUH/T5pvlakIs1aitX5tTehsdB9qafPMsLmw0mYd+z/
7N0DjIBLyH/eVRgWXCDv6blOhxJQkYePeiYO+lwvHS4bsXD8ip8TKR0qfjFupQTW
yAoLcAn4avw=
=Smx5
-----END PGP SIGNATURE-----