|
|
|
|
| |
Credit:
The information has been provided by iDefense.
The original article can be found at:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=601
|
| |
Vulnerable Systems:
* Computer Associates BrightStor HSM version r11.5.
These problems specifically exist within various command handlers in the CsAgent service. There are eleven command handlers that contain one or more stack based buffer overflow vulnerabilities each. All of these vulnerabilities are simple sprintf() calls that overflow fixed size stack buffers with attacker supplied data.
Additionally, there are five command handlers that are vulnerable to integer overflow vulnerabilities. In addition to this, the function responsible for reading in and dispatching a request to the appropriate handler also contains an integer overflow vulnerability. In each case, a 32-bit integer is taken from the packet and either added or multiplied to determine how much memory to allocate. When these calculations cause an integer wrap, a heap buffer of insufficient size is allocated. Later, a heap overflow occurs when filling the buffer.
Exploitation of these vulnerabilities results in the execution of arbitrary code with SYSTEM privileges. Unsuccessful attempts will crash the service, but it will be restarted by a watchdog process soon thereafter.
In order to exploit this vulnerability, an attacker must be able to establish a TCP session on port 2000 with the vulnerable host. No authentication is required.
Vendor Status:
Computer Associates has addressed these vulnerabilities with the release of version r11.6. For more information, consult CA's security notice at the following URL.
http://supportconnectw.ca.com/public/bstorhsm/infodocs/bstorhsm-secnot.asp
CVE Information:
CVE-2007-5082
CVE-2007-5083
Disclosure Timeline:
* 04/13/2007 Initial vendor notification
* 04/13/2007 Initial vendor response
* 09/27/2007 Coordinated public disclosure
|
|
|
|
|
