Related information

CA ARCserve Backup DoS

[Full-disclosure] CA20090615-01: CA ARCserve Backup Message Engine Denial of Service Vulnerabilities

[Full-disclosure] [IVIZ-09-004] CA ARCserve Denial of Service

From:	iViZ Security Advisories <advisories_(at)_ivizsecurity.com>
Date:	16.06.2009
Subject:	[Full-disclosure] [IVIZ-09-003] CA ARCserve Denial of Service

-----------------------------------------------------------------------
------
[ iViZ Security Advisory 09-003                            16/06/2009 ]

-----------------------------------------------------------------------
------
iViZ Techno Solutions Pvt. Ltd.

                                           http://www.ivizsecurity.com

-----------------------------------------------------------------------



* Title:     CA ARCserve Denial of Service

* Software:  CA ARCserver Backup r12 SP1



--[ Synopsis:



   CA ARCserve Backup is vulnerable to a Denial of Service

   when a crafted packet is sent to the CA ARCserve Message

   Engine Service.



--[ Affected Software:



 * CA ARCserver Backup r12 SP1

 * Others versions may also be affected



--[ Technical description:



   CA ARCserrve is vulnerable to a Denial of Service when a crafted

   RPC packet is sent to the Message engine service listening at

   6503/TCP port.



   The interface informations are as follows



       [

        uuid(dc246bf0-7a7a-11ce-9f88-00805fe43838),

        version(1.0)

       ]



       interface mIDA_interface

       {

       

       /* opcode: 0x13 */

       

       long  (

        [in] long arg_1,

        [in] short arg_2,

        [in][size_is(65536), length_is(65536)] char * arg_3,

        [in] long arg_4,

        [out] long * arg_5

       );



       }



 When a crafted RPC packet with values such as

               arg_1 = 0x1

               arg_4 = 0x1

               arg_3 = { a character array of 65536 }

 will crash the message engine service. The bug exists in

 the ASCORE module and there exists more than one way to

 reach the buggy code.



 Buggy code @ASCORE module of msgeng.exe process running at 6503/TCP port

       2123A736   6A 00             PUSH 0                                     <- Pushes 0x0

       2123A738   55                PUSH EBP

       2123A739   E8 F20B0000       CALL ASCORE.2123B330

       2123A73E   8B4C24 10         MOV ECX,DWORD PTR SS:[ESP+10]

       

       #ASCORE.2123B330

       2123B330   51                PUSH ECX

       2123B331   8B4C24 08         MOV ECX,DWORD PTR SS:[ESP+8]       <- Copies
0x0 from stack to ECX

       2123B335   8A81 1E010000     MOV AL,BYTE PTR DS:[ECX+11E]       <- Bug:
Access Violation

       2123B33B   3C 03             CMP AL,3





--[ Impact:



   Denial of Service



--[ Vendor response:



  https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=209502



--[ Credits:



   This vulnerability was discovered by Nibin Varghese from

   iViZ Security Research Team

   http://www.ivizsecurity.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/