Research Archives > Security Advisories > AD20070920
Multiple Vulnerabilities in CA ARCserve for Laptops and Desktops
9/20/2007 12:00:00 AM
6/5/2007 12:00:00 AM
Computer Associates (CA)
CA ARCserve Backup for Laptops and Desktops r11.5
CA ARCserve Backup for Laptops and Desktops r11.1 SP2
CA ARCserve Backup for Laptops and Desktops r11.1 SP1
CA ARCserve Backup for Laptops and Desktops r11.1
CA ARCserve Backup for Laptops and Desktops r11.0
CA ARCserve Backup for Laptops and Desktops r4.0
CA Desktop Management Suite 11.2
CA Desktop Management Suite 11.1
CA Desktop Management Suite 11.0
CA Protection Suites r2
eEye Digital Security has discovered multiple vulnerabilities within CA ARCserve for Laptops & Desktops (L&D), an enterprise-level backup software suite designed for workstations. The vulnerabilities can be utilized by an attacker to execute arbitrary code on a remote system anonymously over TCP/1900.
ARCserve L&D uses TCP/1900 as its "RPC" interface to manage ARCserve L&D servers. An example of sample benign traffic follows:
Field 1: 10-digit base10 command length field ("0000000027")
Field 2: RPC command ("rxrLogin")
Field 3: Constant Argument Delimiter ("~~")
Field 4: Argument ("administrator")
Vulnerability #1: Authentication Username Overflow
A stack-based buffer overflow exists within the authentication portion of rxRPC.dll which is accessible via TCP/1900. A sample legitimate authentication packet resembles the following:
The single argument ("administrator") is copied into a buffer size of 0x1AC on the stack using wsprintfW, however no string length checks are performed. By sending an overly long username as part of the first authentication request, an exploitable condition is reached.
Vulnerability 2: Authentication Password Overflow
Another stack-based buffer overflow exists within the authentication portion of rxRPC.dll which is accessible via TCP/1900. A sample legitimate authentication request with a password resembles the following:
The second argument of the first rxrLogin request defines the length of the password that will be sent in the following request. Although this does verify that the length of the password string in the second request is the correct length, there is no bounds checking on the potential length of a password. If a long password length is specified, along with a long password delivered in the second request, the long password will overflow a stack-based buffer used for the destination of the password string, causing an exploitable condition.
Vulnerability #3: Authentication Password Integer Overflow
Another stack-based overflow exists within the authentication portion of rxRPC.dll which is accessible via TCP/1900. A sample legitimate authentication request with a useless password resembles the following:
The encrypted password is virtually useless as a password. However, surprisingly, it does offer access to an exploitable condition:
.text: 00231F24 mov cl, [esi+8]
.text: 00231F27 and ecx, 0x0F
.text: 00231F2A add esp, 8
.text: 00231F2D dec ecx ; XXXX Integer Overflow If ECX = 0
.text: 00231F2E mov [esp+0x7C+var_6C], eax
.text: 00231F32 mov dwPasswordCopyLength, ecx
.text: 00231F38 mov eax, ecx
.text: 00231F3A lea esi, [esp+0x7C+var_6C]
.text: 00231F3E mov edi, ebx
.text: 00231F40 shr ecx, 2
.text: 00231F43 rep movs ; XXXX EXCEPTION: HITS PAGE BOUNDARY XXXX
The data in the source buffer contains a lot of uncontrollable data. However, a copy of the username also exists within the source buffer, so this can be utilized to overwrite the exception handler if a long username is specified in the original packet.
Vulnerability #4: Arbitrary File Upload
An arbitrary file upload vulnerability exists within unauthenticated communication with rxRPC.dll, accessible via TCP/1900. A sample file upload request resembles the following:
The first parameter of the request specifies the sub-command of rxrReceiveFileFromServer. The number "8" specifies that a file will be uploaded to the ARCserve L&D installation directory. The second argument specifies the file destination name. The third argument specifies the length of the destination file. The fifth argument specifies the CRC32 hash of the incoming file.
rxRPC.dll however does not protect against directory traversals via sub-function "8". So, by using "..\" within the filename, an arbitrary file can be written to an arbitrary directory using SYSTEM-level privileges. To foster immediate exploitability, ARCserve L&D's "security.dll" can be overwritten using this "functionality", and can then be immediately loaded into memory by calling another rxrLogin request, which would now inject the potentially-malicious "security.dll" into the ARCserve L&D process.
Vulnerability #5: 8 Similar Buffer Overflows
Buffer overflow vulnerabilities exist within 8 other functions accessible remotely via TCP/1900. For brevity's sake, exploitable samples follow:
The only form of mitigation for these vulnerabilities is to disable TCP/1900 at the host-level, or to uninstall ARCserve L&D server installations.
Retina Network Security Scanner has been updated to identify this vulnerability.
Blink Endpoint Vulnerability Prevention preemptively protects from this vulnerability.
Computer Associates released patches for these vulnerabilities. These patches are available here:
Matt Oh, Andre Derek Protas, Yuji Ukai
Matt: Bugtruck subscribers
Andre: GLin, Maif, SuperSoederBros, TheClaw, TheBear, DragonKick, Hugo’s Drawers, Moti, Rolf, and the many eEye Ninjas Past ^ Present Keeping It Real
Copyright ©1998-2011 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.