SECURITYVULNS:DOC:22045
Jun 16, 2009 - 12:00 a.m.

[Full-disclosure] [IVIZ-09-003] CA ARCserve Denial of Service



[ iViZ Security Advisory 09-003 16/06/2009 ]



iViZ Techno Solutions Pvt. Ltd.

                                        http://www.ivizsecurity.com

  • Title: CA ARCserve Denial of Service

  • Software: CA ARCserve Backup r12 SP1

–[ Synopsis:

CA ARCserve Backup is vulnerable to a Denial of Service
when a crafted packet is sent to the CA ARCserve Message
Engine Service.

–[ Affected Software:

  • CA ARCserve Backup r12 SP1

  • Other versions may also be affected

–[ Technical description:

CA ARCserve is vulnerable to a Denial of Service when a crafted
RPC packet is sent to the Message Engine service listening on
port 6503/TCP.

The interface information is as follows:



    [
     uuid(dc246bf0-7a7a-11ce-9f88-00805fe43838),
     version(1.0)
    ]

    interface mIDA_interface
    {

    /* opcode: 0x13 */

    long  (
     [in] long arg_1,
     [in] short arg_2,
     [in][size_is(65536), length_is(65536)] char * arg_3,
     [in] long arg_4,
     [out] long * arg_5
    );

    }

A crafted RPC packet with values such as

            arg_1 = 0x1
            arg_4 = 0x1
            arg_3 = { a character array of 65536 }

will crash the Message Engine service. The bug exists in
the ASCORE module, and there is more than one way to
reach the buggy code.

Buggy code in the ASCORE module of the msgeng.exe process listening on port 6503/TCP:

    2123A736   6A 00             PUSH 0                             <- Pushes 0x0
    2123A738   55                PUSH EBP
    2123A739   E8 F20B0000       CALL ASCORE.2123B330
    2123A73E   8B4C24 10         MOV ECX,DWORD PTR SS:[ESP+10]

    #ASCORE.2123B330
    2123B330   51                PUSH ECX
    2123B331   8B4C24 08         MOV ECX,DWORD PTR SS:[ESP+8]       <- Copies 0x0 from stack to ECX
    2123B335   8A81 1E010000     MOV AL,BYTE PTR DS:[ECX+11E]       <- Bug: Access Violation
    2123B33B   3C 03             CMP AL,3
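
For detection, the interface UUID and opcode given above are enough to flag matching requests in captured traffic. The following Python code is an added example, not part of the iViZ advisory: it assumes the client-to-server DCE/RPC PDUs of one connection to 6503/TCP have already been reassembled, and `scan_pdus`, `sample_pdu` and the sample PDUs are hypothetical names and constructed data.

```python
import struct
import uuid

# From the advisory: Message Engine interface UUID and the reported opcode.
MSGENG_IF = uuid.UUID("dc246bf0-7a7a-11ce-9f88-00805fe43838")
REPORTED_OPNUM = 0x13
PTYPE_REQUEST, PTYPE_BIND = 0, 11

def scan_pdus(pdus):
    """Return (index, opnum, alloc_hint) for every request that targets the
    reported opnum on the advisory's interface. `pdus` is the ordered list of
    client-to-server DCE/RPC PDUs reassembled from one connection to 6503/TCP."""
    ctx_to_if = {}  # presentation context id -> interface UUID seen in a bind
    hits = []
    for i, pdu in enumerate(pdus):
        if len(pdu) < 24 or pdu[0] != 5:  # too short, or not DCE/RPC version 5
            continue
        little = (pdu[4] >> 4) == 1  # drep byte 0, high nibble: integer order
        e = "<" if little else ">"
        if pdu[2] == PTYPE_BIND and len(pdu) >= 28:
            off = 28  # first presentation context element
            for _ in range(pdu[24]):  # n_context_elem
                if off + 24 > len(pdu):
                    break  # truncated bind: stop rather than read past the end
                ctx_id, n_syn = struct.unpack_from(e + "HB", pdu, off)
                raw = pdu[off + 4:off + 20]  # abstract syntax interface UUID
                ctx_to_if[ctx_id] = (uuid.UUID(bytes_le=raw) if little
                                     else uuid.UUID(bytes=raw))
                off += 24 + 20 * n_syn  # next element, past transfer syntaxes
        elif pdu[2] == PTYPE_REQUEST:
            alloc_hint, ctx_id, opnum = struct.unpack_from(e + "IHH", pdu, 16)
            if ctx_to_if.get(ctx_id) == MSGENG_IF and opnum == REPORTED_OPNUM:
                hits.append((i, opnum, alloc_hint))
    return hits

def sample_pdu(ptype, body):
    """Constructed little-endian DCE/RPC header plus body, for the self-check."""
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, 3, b"\x10\0\0\0",
                       16 + len(body), 0, 1) + body

# Constructed sample traffic: header fields only, no stub data.
SAMPLE_BIND = sample_pdu(PTYPE_BIND, struct.pack(
    "<HHIBBHHBB", 4280, 4280, 0, 1, 0, 0, 0, 1, 0)
    + MSGENG_IF.bytes_le + struct.pack("<I", 1) + bytes(20))
SAMPLE_REQUEST = sample_pdu(PTYPE_REQUEST, struct.pack("<IHH", 70000, 0, 0x13))

if __name__ == "__main__":
    print(scan_pdus([SAMPLE_BIND, SAMPLE_REQUEST]))
```

Because the advisory states that there is more than one way to reach the buggy code, a match on this opnum is one indicator and not full coverage of the flaw.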

–[ Impact:

Denial of Service

–[ Vendor response:

https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=209502

–[ Credits:

This vulnerability was discovered by Nibin Varghese from
iViZ Security Research Team

http://www.ivizsecurity.com
