Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
Ask the Team  Mailing Lists  Advertising Info  Advisories  About SecuriTeam  Blogs Brought to you by: Suppliers of: Website Testing Tools Network Testing Tools Software Testing Tools SecuriTeam in Your Inbox New vulnerability? New tool? Tell us (Our PGP key). CanSecWest 2012 2nd Annual Cyber Security Hack In Paris	CA BrightStor Discovery Service Mailslot Buffer Overflow Vulnerability 8 Oct. 2006    Summary This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Computer Associates ARCserver Backup. Authentication is not required exploit this vulnerability and both the client and server are affected.   Credit: The information has been provided by Pedram Amini, TippingPoint Security Research Team. The original article can be found at: http://www.tippingpoint.com/security/advisories/TSRT-06-12.html Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    Details Protect your website! Use an External Vulnerability Scanner! Nothing to install. First report in 1 hour! www.beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * BrightStor ARCserver Backup version R11.5 Client  * BrightStor ARCserver Backup version R11.5 Server The problem specifically exists within the handling of long messages received over the Mailslot named 'CheyenneDS'. As no explicit MaxMessageSize is supplied in the call to CreateMailslot, an attacker can cause an exploitable stack-based buffer overflow. The vulnerable Mailslot creation occurs:    casdscsvc.exe -> Asbrdcst.dll    20C14E8C push 0 ; lpSecurityAttributes    20C14E8E push 0 ; lReadTimeout    20C14E90 push 0 ; nMaxMessageSize    20C14E92 push offset Name ; "\\\\.\\mailslot\\CheyenneDS"    20C14E97 stosb    20C14E98 call ds:CreateMailslotA    20C14E9E cmp eax, INVALID_HANDLE_VALUE    20C14EA1 mov mailslot_handle, eax Note there is no explicit MaxMessageSize specified. Later the mailslot handle is read from into a 4k buffer. The read data is also passed to a routine which calls vsprintf into a 1k buffer.    casdscsvc.exe -> Asbrdcst.dll    20C15024 mov eax, mailslot_handle    20C15029 lea edx, [esp+1044h+Buffer_4k]    20C1502D push ecx ; nNumberOfBytesToRead    20C1502E push edx ; lpBuffer    20C1502F push eax ; hFile    20C15030 call edi ; ReadFile    20C15032 test eax, eax    20C15034 jz short read_failed    20C15036 lea ecx, [esp+3Dh]    20C1503A push ecx ; char    20C1503B push offset str_ReadmailslotS ; "ReadMailSlot: %s\n"    20C15040 call not_interesting_call_to_vsnprtinf    20C15045 add esp, 8    20C15048 lea edx, [esp+3Dh]    20C1504C push edx ; va_list    20C1504D push offset str_ReadmailslotS_0 ; "ReadMailSlot: %s"    20C15052 push 0 ; for_debug_log    20C15054 call vsprintf_into_1024_stack_buf_and_debug_log As mentioned in TSRT-06-02, exploitation of this vulnerability is possible due to the ability to exceeding the second-class Mailslot message size limitation. Vendor Response: Computer Associates has issued an update to correct this vulnerability. More details can be found at: http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp Disclosure Timeline: 2006.03.27 - Digital Vaccine released to TippingPoint customers 2006.04.27 - Vulnerability reported to vendor 2006.10.05 - Coordinated public release of advisory  Comments: blog comments powered by Disqus	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles Novell Zenworks Software Packaging LaunchHelp.dll Code Execution Vulnerability Novell ZENWorks Software Packaging Antique ActiveX Control Code Execution Vulnerability Microsoft Internet Explorer swapNode Handling Code Execution Vulnerability Microsoft Internet Explorer Select Element Insufficient Type Checking Code Execution Vulnerability Internet Explorer Select Element Cache Code Execution Vulnerability Microsoft Office Graph DataFormat Signed Index Code Execution Vulnerability Microsoft Office Excel Conditional Expression Ptg Type Confusion Vulnerability Microsoft Internet Explorer Protected Mode Bypass Vulnerability Microsoft Internet Explorer 9 STYLE Object Parsing Code Execution Vulnerability Microsoft Internet Explorer XSLT SetViewSlave Code Execution Vulnerability CA Total Defense Suite Gateway Security Malformed HTTP Packet Code Execution Vulnerability HP Easy Printer Care XMLSimpleAccessor Class ActiveX Control Code Execution Vulnerability TrendMicro Control Manager CASProcessor.exe BLOB Code Execution Vulnerability Symantec Veritas Storage Foundation vxsvc.exe Unicode Code Execution Vulnerability HP iNode Management Center iNodeMngChecker.exe Code Execution Vulnerability  Featured Articles ProFTPD Response Pool Use-After-Free Code Execution Vulnerability HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability Novell ZENWorks Software Packaging Antique ActiveX Control Code Execution Vulnerability Adobe Reader U3D IFF RGBA Parsing Code Execution Vulnerability Adobe Reader U3D PCX Parsing Code Execution Vulnerability Cisco Unified Service Monitor brstart add_dm Code Execution Vulnerability
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2011 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®