Research Archives > Security Advisories > AD20070920

Multiple Vulnerabilities in CA ARCserve for Laptops and Desktops

Release Date:
9/20/2007 12:00:00 AM

Date Reported:
6/5/2007 12:00:00 AM

Severity:
High

Vendor:
Computer Associates (CA)

Affected Software:
CA ARCserve Backup for Laptops and Desktops r11.5
CA ARCserve Backup for Laptops and Desktops r11.1 SP2
CA ARCserve Backup for Laptops and Desktops r11.1 SP1
CA ARCserve Backup for Laptops and Desktops r11.1
CA ARCserve Backup for Laptops and Desktops r11.0
CA ARCserve Backup for Laptops and Desktops r4.0
CA Desktop Management Suite 11.2
CA Desktop Management Suite 11.1
CA Desktop Management Suite 11.0
CA Protection Suites r2

Overview:
eEye Digital Security has discovered multiple vulnerabilities within CA ARCserve for Laptops & Desktops (L&D), an enterprise-level backup software suite designed for workstations. The vulnerabilities can be utilized by an attacker to execute arbitrary code on a remote system anonymously over TCP/1900.

Technical Details:
ARCserve L&D uses TCP/1900 as its "RPC" interface for managing ARCserve L&D servers. An example of benign traffic follows:


      0000000027rxrLogin~~administrator
---------------------------------------------
    Field 1: 10-digit base10 command length field ("0000000027")
    Field 2: RPC command ("rxrLogin")
    Field 3: Constant Argument Delimiter ("~~")
    Field 4: Argument ("administrator")


Vulnerability #1: Authentication Username Overflow
A stack-based buffer overflow exists within the authentication portion of rxRPC.dll which is accessible via TCP/1900. A sample legitimate authentication packet resembles the following:

    0000000013rxrLogin~~administrator

The single argument ("administrator") is copied into a 0x1AC-byte stack buffer using wsprintfW; no string length check is performed. Sending an overly long username in the first authentication request therefore reaches an exploitable condition.


Vulnerability #2: Authentication Password Overflow
Another stack-based buffer overflow exists within the authentication portion of rxRPC.dll which is accessible via TCP/1900. A sample legitimate authentication request with a password resembles the following:

    1: 0000000030rxrLogin~~administrator~~0000200
    2: MyPasswordIs1234

The second argument of the first rxrLogin request defines the length of the password that will be sent in the following request. Although the server does verify that the password string in the second request has the specified length, it performs no bounds check on that length itself. If a large password length is specified, along with a correspondingly long password delivered in the second request, the password overflows the stack-based buffer used as the destination of the password string, causing an exploitable condition.


Vulnerability #3: Authentication Password Integer Overflow
Another stack-based overflow exists within the authentication portion of rxRPC.dll which is accessible via TCP/1900. A sample legitimate authentication request with a useless password resembles the following:

    1: 0000000030rxrLogin~~administrator~~18
    2: 000000000000000000

The encrypted password is virtually useless as a password. However, surprisingly, it does offer access to an exploitable condition:

    .text: 00231F24        mov    cl, [esi+8]
    .text: 00231F27        and    ecx, 0x0F
    .text: 00231F2A        add    esp, 8
    .text: 00231F2D        dec    ecx    ; XXXX Integer Overflow If ECX = 0
    .text: 00231F2E        mov    [esp+0x7C+var_6C], eax
    .text: 00231F32        mov    dwPasswordCopyLength, ecx
    .text: 00231F38        mov    eax, ecx
    .text: 00231F3A        lea    esi, [esp+0x7C+var_6C]
    .text: 00231F3E        mov    edi, ebx
    .text: 00231F40        shr    ecx, 2
    .text: 00231F43        rep movs     ; XXXX EXCEPTION: HITS PAGE BOUNDARY XXXX

Most of the source buffer consists of data the attacker does not control. However, a copy of the username also exists within the source buffer, so the exception handler can be overwritten if a long username is specified in the original packet.


Vulnerability #4: Arbitrary File Upload
An arbitrary file upload vulnerability exists within unauthenticated communication with rxRPC.dll, accessible via TCP/1900. A sample file upload request resembles the following:

    1: 0000000056rxrReceiveFileFromServer~~8~~test1234.txt~~4~~3675727989
    2: 0000000031~~<file_contents>

The first parameter of the request specifies the sub-command of rxrReceiveFileFromServer; the value "8" specifies that a file will be uploaded to the ARCserve L&D installation directory. The second argument specifies the destination file name. The third argument specifies the length of the destination file. The final argument specifies the CRC32 of the incoming file.

rxRPC.dll, however, does not protect against directory traversal in sub-function "8". By using "..\" within the filename, an arbitrary file can therefore be written to an arbitrary directory with SYSTEM-level privileges. To foster immediate exploitability, ARCserve L&D's "security.dll" can be overwritten using this "functionality" and then immediately loaded into memory by issuing another rxrLogin request, which injects the potentially malicious "security.dll" into the ARCserve L&D process.


Vulnerability #5: 8 Similar Buffer Overflows
Buffer overflow vulnerabilities exist within 8 other functions accessible remotely via TCP/1900. For brevity's sake, exploitable samples follow:

    rxsUseLicenseIni~~<overflow>
    rxsLicGetSiteId~~<overflow>
    rxsGetLogFileNames~~<overflow>~~40000
    rxsGetBackupLog~~aa~~<overflow>~~40000
    rxsBackupComplete~~aa~~aa~~aa~~<overflow>~~aa
    rxsSetDataGrowthScheduleAndFilter~~aa~~aa~~aa~~aa~~<overflow>
    rxsSetDefaultConfigName~~<overflow>
    rxrSetMessageLogSettings~~65~~45~~79~~65~~<overflow>~~52~65~73~65~61~72~63~68~21
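
The following parser and checker is an added example, not eEye's or CA's code. It implements the TCP/1900 framing described in the Technical Details section (10-digit length field, RPC command, "~~"-delimited arguments) and flags the request shapes named in vulnerabilities #1, #2 and #4: a username longer than the 0x1AC-byte buffer, an out-of-range password length field, and a traversal sequence in an rxrReceiveFileFromServer sub-command "8" file name. MAX_PASSWORD_LEN is an assumed threshold, since the advisory gives no size for the password buffer; the sample requests are constructed, not captures.

```python
# Added example, not eEye's or CA's code: parses the TCP/1900 framing described above
# and flags the request shapes this advisory names. Assumption: MAX_PASSWORD_LEN is a
# constructed threshold (the advisory gives no password buffer size); 0x1AC is given.

MAX_USERNAME = 0x1AC          # rxrLogin username stack buffer size (from the advisory)
MAX_PASSWORD_LEN = 1024       # assumed threshold, not from the advisory
UPLOAD_TO_INSTALL_DIR = "8"   # rxrReceiveFileFromServer sub-command (from the advisory)

def frame(body):
    """Prefix a body with the 10-digit decimal length field the protocol expects."""
    return "%010d%s" % (len(body), body)

def parse_message(msg):
    """Return (command, args, length_ok); framing: 10-digit length, command, '~~'-args."""
    if len(msg) < 10 or not msg[:10].isdigit():
        raise ValueError("missing 10-digit length field")
    declared, body = int(msg[:10]), msg[10:]
    cmd, *args = body.split("~~")
    return cmd, args, declared == len(body)

def is_traversal(name):
    """True if a destination file name could escape the installation directory."""
    parts = name.replace("\\", "/").split("/")
    return ".." in parts or name[:1] in ("/", "\\") or ":" in name

def check_message(msg):
    """Findings for one framed request; an empty list means nothing suspicious."""
    try:
        cmd, args, length_ok = parse_message(msg)
    except ValueError as exc:
        return ["malformed: %s" % exc]
    findings = []
    if not length_ok:
        findings.append("length field does not match body length")
    if cmd == "rxrLogin":
        if args and len(args[0]) >= MAX_USERNAME:
            findings.append("username longer than the 0x1AC-byte stack buffer")
        if len(args) > 1 and (not args[1].isdigit() or int(args[1]) > MAX_PASSWORD_LEN):
            findings.append("password length field out of range")
    elif cmd == "rxrReceiveFileFromServer" and len(args) > 1:
        if args[0] == UPLOAD_TO_INSTALL_DIR and is_traversal(args[1]):
            findings.append("upload filename escapes the installation directory")
    return findings

if __name__ == "__main__":
    # Constructed sample requests, not captures from a real host.
    for body in ("rxrLogin~~administrator", "rxrLogin~~" + "A" * 500,
                 "rxrReceiveFileFromServer~~8~~..\\..\\test1234.txt~~4~~3675727989"):
        print(body[:40], "->", check_message(frame(body)) or ["ok"])
```

Only the first, framed rxrLogin request is inspected; the second request carrying the password body has no length prefix in the samples above, so its length is checked against the declared field by the caller rather than by this parser.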



The only form of mitigation for these vulnerabilities is to block TCP/1900 at the host level or to uninstall ARCserve L&D server installations.

Protection:
Retina Network Security Scanner has been updated to identify these vulnerabilities.
Blink Endpoint Vulnerability Prevention preemptively protects against these vulnerabilities.

Vendor Status:
Computer Associates has released patches for these vulnerabilities. The patches are available here:
http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/caarcservebld-securitynotice.asp

Credit:
Matt Oh, Andre Derek Protas, Yuji Ukai

Greetings:
Matt: Bugtruck subscribers
Andre: GLin, Maif, SuperSoederBros, TheClaw, TheBear, DragonKick, Hugo’s Drawers, Moti, Rolf, and the many eEye Ninjas Past ^ Present Keeping It Real
Yuji: fourteenforty.jp

Copyright ©1998-2011 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
