Computer Associates BrightStor Hierarchical Storage Manager (HSM) is an application used to create a tiered storage solution for enterprises that require on demand access to large quantities of data. The HSM caches frequently used files on hard drives for fast access, and stores seldom used files on tape. Access to files stored on tape is transparent to the client applications. The CsAgent process (CsAgent.exe) is a component of the HSM suite, and listens on TCP port 2000.
Remote exploitation of multiple buffer overflow vulnerabilities in Computer Associates International Inc.'s (CA) BrightStor HSM allows attackers to execute arbitrary code with SYSTEM privileges.
Vulnerable Systems:
* Computer Associates BrightStor HSM version r11.5.
These problems specifically exist within various command handlers in the CsAgent service. There are eleven command handlers that contain one or more stack based buffer overflow vulnerabilities each. All of these vulnerabilities are simple sprintf() calls that overflow fixed size stack buffers with attacker supplied data.
Additionally, there are five command handlers that are vulnerable to integer overflow vulnerabilities. In addition to this, the function responsible for reading in and dispatching a request to the appropriate handler also contains an integer overflow vulnerability. In each case, a 32-bit integer is taken from the packet and either added or multiplied to determine how much memory to allocate. When these calculations cause an integer wrap, a heap buffer of insufficient size is allocated. Later, a heap overflow occurs when filling the buffer.
Exploitation of these vulnerabilities results in the execution of arbitrary code with SYSTEM privileges. Unsuccessful attempts will crash the service, but it will be restarted by a watchdog process soon thereafter.
In order to exploit this vulnerability, an attacker must be able to establish a TCP session on port 2000 with the vulnerable host. No authentication is required.
