Credit:
The information has been provided by Pedram Amini, TippingPoint Security Research Team.
The original article can be found at: http://www.tippingpoint.com/security/advisories/TSRT-06-11.html
The problem specifically exists within DBASVR.exe, the Backup Agent RPC Server. This service exposes a number of vulnerable RPC routines through a TCP endpoint with ID 88435ee0-861a-11ce-b86b-00001b27f656 on port 6071. The most trivial of the exposed vulnerabilities results in an exploitable stack overflow.
The vulnerable routines include:

/* opcode: 0x01, address: 0x00401A70 */
long sub_401A70 (
    [in][string] char * arg_1,
    [in][string] char * arg_2,                              // stack overflow
    [out][size_is(8192), length_is(*arg_4)] char * arg_3,
    [in, out] long * arg_4
);

/* opcode: 0x02, address: 0x00401CC0 */
long sub_401CC0 (
    [in][string] char * arg_1,
    [in][string] char * arg_2,                              // stack overflow
    [in][string] char * arg_3,
    [out] long * arg_4
);

/* opcode: 0x18, address: 0x004041C0 */
long sub_4041C0 (
    [in][string] char * arg_1,
    [in][string] char * arg_2,                              // stack overflow
    [out] long * arg_3
);
In the first two routines the overflow is caused by inlined strcpy()/memcpy() copies of arg_2 into a fixed-size stack buffer; in the third it is caused by an unchecked call to lstrcat() that appends arg_2 to a stack buffer. Because arg_2 is declared as a plain NDR [in][string], its length is chosen entirely by the client, and none of the three routines validates that length before the copy.
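The pattern the advisory describes, a client-controlled [in][string] argument copied into a fixed-size stack buffer with strcpy()/lstrcat() and no length check, is shown here beside a bounds-checked replacement. This is an added example, not code from the advisory or from the Backup Agent RPC Server: the 64-byte buffer, the RPC_OK/RPC_E_* return codes, the "arg_1\arg_2" concatenation in the lstrcat() case and the make_filler() helper are all assumptions made for illustration; the real buffer sizes and semantics of sub_401A70, sub_401CC0 and sub_4041C0 are not given on the page.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical local buffer size; the advisory does not give the real one. */
#define LOCAL_BUF_SIZE 64

/* Return codes: assumed for this example, not the server's real values. */
#define RPC_OK          0L
#define RPC_E_INVALID   (-1L)
#define RPC_E_TOO_LONG  (-2L)

/* strlen() that never scans more than cap bytes. A result equal to cap means
 * "no terminator within cap bytes", which callers treat as too long.
 * Written out instead of using strnlen() to stay within ISO C. */
static size_t bounded_len(const char *s, size_t cap)
{
    size_t n = 0;
    while (n < cap && s[n] != '\0')
        n++;
    return n;
}

/* Vulnerable pattern (opcodes 0x01/0x02): arg_2's length is chosen by the
 * client, yet it is copied into a fixed stack buffer with an unbounded
 * strcpy(). Kept for comparison only; never called with untrusted input here. */
long vulnerable_copy_handler(const char *arg_1, const char *arg_2)
{
    char buf[LOCAL_BUF_SIZE];
    (void)arg_1;
    strcpy(buf, arg_2);          /* writes past buf once strlen(arg_2) >= 64 */
    return (long)strlen(buf);
}

/* Hardened replacement: measure with a bound, reject before copying. */
long hardened_copy_handler(const char *arg_1, const char *arg_2, long *out_len)
{
    char buf[LOCAL_BUF_SIZE];
    size_t n;
    (void)arg_1;
    if (arg_2 == NULL)
        return RPC_E_INVALID;
    n = bounded_len(arg_2, sizeof buf);
    if (n >= sizeof buf)         /* no room for the NUL terminator */
        return RPC_E_TOO_LONG;
    memcpy(buf, arg_2, n + 1);   /* bounded: n + 1 <= sizeof buf */
    if (out_len)
        *out_len = (long)n;
    return RPC_OK;
}

/* Hardened form of the lstrcat() case (opcode 0x18). Building "arg_1\arg_2"
 * is an assumption; the advisory only says arg_2 is appended with lstrcat().
 * The combined length is checked, which lstrcat() itself never does. */
long hardened_concat_handler(const char *arg_1, const char *arg_2, long *out_len)
{
    char buf[LOCAL_BUF_SIZE];
    size_t a, b;
    if (arg_1 == NULL || arg_2 == NULL)
        return RPC_E_INVALID;
    a = bounded_len(arg_1, sizeof buf);
    b = bounded_len(arg_2, sizeof buf);
    /* need a + 1 (separator) + b + 1 (NUL) bytes */
    if (a >= sizeof buf || b >= sizeof buf || a + 1 + b + 1 > sizeof buf)
        return RPC_E_TOO_LONG;
    memcpy(buf, arg_1, a);
    buf[a] = '\\';
    memcpy(buf + a + 1, arg_2, b + 1);
    if (out_len)
        *out_len = (long)(a + 1 + b);
    return RPC_OK;
}

/* Length of the concatenated string on success, or the error code. */
long concat_result_len(const char *arg_1, const char *arg_2)
{
    long len = 0;
    long rc = hardened_concat_handler(arg_1, arg_2, &len);
    return rc == RPC_OK ? len : rc;
}

/* Constructed client input: n bytes of 'A', the classic oversized string. */
const char *make_filler(size_t n)
{
    static char filler[4 * LOCAL_BUF_SIZE];
    if (n >= sizeof filler)
        n = sizeof filler - 1;
    memset(filler, 'A', n);
    filler[n] = '\0';
    return filler;
}

int main(void)
{
    printf("short arg_2      -> %ld\n", hardened_copy_handler("job", "short", NULL));
    printf("200 x 'A' arg_2  -> %ld\n", hardened_copy_handler("job", make_filler(200), NULL));
    printf("concat oversized -> %ld\n", concat_result_len("C:\\Backup", make_filler(60)));
    return 0;
}
```

The point of the hardened versions is that the length decision is made before any byte is written to the stack, using a measurement that is itself bounded; a server-side fix that only swaps strcpy() for strncpy() without also handling the unterminated case would still leave a truncation bug behind. The same check can also be expressed at the stub level by giving the parameter a bounded declaration in the IDL rather than a bare [string], but the handler should not rely on the stub alone.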
Vendor Response:
Computer Associates has issued an update to correct this vulnerability. More details can be found at: http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp
CVE Information:
CVE-2006-5143
Disclosure Timeline:
2006.03.27 - Digital Vaccine released to TippingPoint customers
2006.03.28 - Vulnerability reported to vendor
2006.10.05 - Coordinated public release of advisory