[Shirkdog Security Advisory SHK-005]

Title:
------
Computer Associates (CA) BrightStor Backup caloggerd.exe DoS (camt70.dll)

Description of Application:
---------------------------
http://www3.ca.com/solutions/ProductFamily.aspx?ID=115

BrightStor ARCserve Backup provides a complete, flexible and integrated backup and recovery solution for Windows, NetWare, Linux and UNIX environments.

Vulnerability(PoC):
-------------------
There is an issue in camt70.dll when caloggerd processes a hostname for a login operation. If a null is passed in as the string argument, it is loaded into ESI and then copied into EDI, and the string processing that follows (repne scasb) reads from a null memory location.

.text:0032ADD0 push ecx
.text:0032ADD1 mov eax, [esp+4+arg_4]
.text:0032ADD5 push esi
.text:0032ADD6 mov esi, [esp+8+arg_8]   ; <-- null gets loaded
.text:0032ADDA push edi
.text:0032ADDB mov edx, [eax]
.text:0032ADDD mov edi, esi             ; <-- EDI gets set to null
.text:0032ADDF or ecx, 0FFFFFFFFh       ; ECX = -1 (no scan limit)
.text:0032ADE2 xor eax, eax             ; AL = 0, the byte to search for
.text:0032ADE4 repne scasb              ; scans from [EDI] for 0: reads address 0
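
The null read described above, modelled in C as an added example (not code from CA or from the advisory's author): scan_len_unchecked mirrors the repne scasb scan, and hostname_len_checked shows the check that is missing. The function names, the buffer-length parameter and the MAX_HOSTNAME limit are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOSTNAME 255 /* assumed limit, not taken from the advisory */

/* C equivalent of: or ecx,-1 / xor eax,eax / repne scasb.
 * Scans from s for a 0 byte with no pointer check and no bound,
 * so s == NULL faults on the first read. */
size_t scan_len_unchecked(const char *s)
{
    const char *p = s;
    while (*p != '\0')
        p++;
    return (size_t)(p - s);
}

/* Hardened form (hypothetical): reject a missing field and bound the scan.
 * Returns the length, or -1 if s is NULL, unterminated or too long. */
long hostname_len_checked(const char *s, size_t buf_len)
{
    const char *end;
    size_t limit;

    if (s == NULL || buf_len == 0)
        return -1;
    limit = buf_len < MAX_HOSTNAME + 1 ? buf_len : MAX_HOSTNAME + 1;
    end = memchr(s, '\0', limit);
    if (end == NULL)
        return -1;
    return (long)(end - s);
}

int main(void)
{
    /* constructed inputs: a valid hostname, then the missing-field case */
    printf("unchecked: %zu\n", scan_len_unchecked("backup01"));
    printf("checked:   %ld %ld\n", hostname_len_checked("backup01", 9),
           hostname_len_checked(NULL, 0));
    return 0;
}
```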

The following exploit will kill the caloggerd.exe process:

http://www.shirkdog.us/caloggerd.py


Impact:
----------
This vulnerability leads to Denial of Service (DoS).

Risk Level:
--------------
High

Solution:
------------
CA has released a patch for this vulnerability:
http://supportconnectw.ca.com/public/storage/infodocs/basb-secnotice.asp

References:
--------------
CVE: CVE-2007-2772
eEye Zero Day ID: EEYEZD-20070516


[Shirkdog Security]
http://www.shirkdog.us/shk-005.html