[Shirkdog Security Advisory SHK-006]
Title:
------
Computer Associates (CA) BrightStor ARCserve Backup Mediasvr.exe DoS (catirpc.dll/rwxdr.dll)
Description of Application:
---------------------------
http://www3.ca.com/solutions/ProductFamily.aspx?ID=115
BrightStor ARCserve Backup provides a complete, flexible and integrated backup and recovery solution for Windows, NetWare, Linux and UNIX environments.
Vulnerability(PoC):
-------------------
Sending RPC operation (procedure number) 126 to Mediasvr.exe triggers a NULL
pointer dereference inside the imported catirpc.dll and rwxdr.dll. Mediasvr.exe
itself recognises that the request carries a bad job handle, as its log file
shows:
Log Message:
asms_manager_job_enumerate_devices_1_svc(): Bad Job Handle.
However, instead of dropping the request, the service still tries to send an
RPC response for the bad job handle, and the process dies while encoding that
response: the structures handed to the XDR layer are zero-filled, so the
encoder reads through a NULL pointer. Within catirpc.dll, the xdr_rwpair
function from rwxdr.dll is called with those zeroed structures as arguments:
Catirpc.dll:2E008A93 loc_2E008A93:
Catirpc.dll:2E008A93 mov ecx, [esi+10h]
Catirpc.dll:2E008A96 push ecx                 <- ECX = 0x0041B310, points at zeroed memory (becomes arg_4)
Catirpc.dll:2E008A97 push edi                 <- EDI = 0x009e2580, points at zeroed memory (becomes arg_0)
Catirpc.dll:2E008A98 call dword ptr [esi+14h] <- [esi+14h] = 0x2d6054f0 (rwxdr.dll:xdr_rwpair)
Catirpc.dll:2E008A9B add esp, 8
Catirpc.dll:2E008A9E pop edi
Catirpc.dll:2E008A9F pop esi
Catirpc.dll:2E008AA0 pop ebx
Catirpc.dll:2E008AA1 retn
rwxdr.dll:xdr_rwpair
.text:2D6054F0 public xdr_rwpair
.text:2D6054F0 xdr_rwpair proc near
.text:2D6054F0
.text:2D6054F0 arg_0= dword ptr 4
.text:2D6054F0 arg_4= dword ptr 8
.text:2D6054F0
.text:2D6054F0 push ebx
.text:2D6054F1 mov ebx, [esp+4+arg_4]   <- EBX = 0x0041B310 (arg_4)
.text:2D6054F5 push esi
.text:2D6054F6 push edi
.text:2D6054F7 mov edi, [esp+0Ch+arg_0] <- EDI = 0x009e2580 (arg_0)
.text:2D6054FB mov esi, [ebx]           <- memory at 0x0041B310 is zero, so ESI = 0x00000000
.text:2D6054FD mov eax, [edi]           <- memory at 0x009e2580 is zero, so EAX = 0x00000000
.text:2D6054FF test eax, eax
.text:2D605501 jnz short loc_2D605533   <- not taken, because EAX == 0
.text:2D605503 mov eax, [esi+4]         <- ESI is 0: reads address 0x00000004, access violation, process dies
The following exploit kills the Mediasvr.exe process:
http://www.shirkdog.us/camediasvrdos.py
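As an added illustration (not CA's code, and not the advisory's PoC), the C program below reconstructs the pattern the listing above shows: an XDR encoder that tests the first dword of its stream argument and then reads through the first member of the result object with no NULL check, beside a hardened version that fails the encode instead. Every struct layout, type and function name here is an assumption inferred from the disassembly; the hypothetical handler shows the other fix, returning NULL so that (per the rpcgen server-stub convention) no reply is encoded at all.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Assumed layouts inferred from the listing; not CA's definitions. arg_0 is treated
 * as the XDR stream (first dword tested for zero), arg_4 as the object whose first
 * member is a pointer that is read without a NULL test. */
enum xdr_op { XDR_ENCODE = 0, XDR_DECODE = 1, XDR_FREE = 2 };

typedef struct {
    enum xdr_op x_op;   /* first dword: the "mov eax,[edi]; test eax,eax" check */
    uint32_t   *out;    /* stand-in for the real XDR output stream */
    size_t      len, cap;
} XDR;

typedef struct { uint32_t tag; uint32_t value; } rw_inner;   /* value at +4 */
typedef struct { rw_inner *first; uint32_t second; } rwpair;  /* first at +0 */

static int xdr_u32(XDR *x, uint32_t v)
{
    if (x->len == x->cap) return 0;
    x->out[x->len++] = v;
    return 1;
}

/* Shape of the crashing routine: x_op is tested, p->first is not.
 * Given a zero-filled rwpair, 'in' is NULL and in->value reads address 4. */
int xdr_rwpair_unchecked(XDR *x, rwpair *p)
{
    if (x->x_op != XDR_ENCODE) return 0;   /* decode/free paths elided */
    rw_inner *in = p->first;               /* mov esi, [ebx] */
    return xdr_u32(x, in->value) &&        /* mov eax, [esi+4] */
           xdr_u32(x, p->second);
}

/* Hardened: an XDR routine reports failure by returning FALSE, so the RPC
 * layer fails the reply instead of taking an access violation. */
int xdr_rwpair_checked(XDR *x, rwpair *p)
{
    if (x == NULL || p == NULL || p->first == NULL) return 0;
    if (x->x_op != XDR_ENCODE) return 0;
    return xdr_u32(x, p->first->value) && xdr_u32(x, p->second);
}

/* Hypothetical handler (assumption: the original replied with a zeroed result on
 * a bad handle). Returning NULL follows the rpcgen server-stub convention: a NULL
 * result means svc_sendreply() is never attempted, so nothing gets encoded. */
rwpair *enumerate_devices_svc(int job_handle, rwpair *res)
{
    static rw_inner dev = { 0, 0x2a };
    memset(res, 0, sizeof *res);
    if (job_handle != 1) {
        fputs("asms_manager_job_enumerate_devices_1_svc(): Bad Job Handle.\n", stderr);
        return NULL;                       /* suppress the reply */
    }
    res->first  = &dev;
    res->second = 7;
    return res;
}

/* Dispatch one request and encode its reply: number of 32-bit words encoded,
 * or -1 when the request is rejected or encoding fails. */
int reply_words(int job_handle)
{
    uint32_t buf[4];
    rwpair res;
    XDR x = { XDR_ENCODE, buf, 0, 4 };
    if (enumerate_devices_svc(job_handle, &res) == NULL) return -1;
    return xdr_rwpair_checked(&x, &res) ? (int)x.len : -1;
}

/* Defence in depth: a zeroed result reaching the checked encoder is refused (0). */
int checked_on_zeroed_result(void)
{
    uint32_t buf[4];
    rwpair zero;
    XDR x = { XDR_ENCODE, buf, 0, 4 };
    memset(&zero, 0, sizeof zero);
    return xdr_rwpair_checked(&x, &zero);
}

/* The unchecked routine works on a populated object; only the zeroed one kills it. */
int unchecked_on_valid_result(void)
{
    static rw_inner in = { 0, 5 };
    rwpair ok = { &in, 9 };
    uint32_t buf[4];
    XDR x = { XDR_ENCODE, buf, 0, 4 };
    return xdr_rwpair_unchecked(&x, &ok) ? (int)x.len : -1;
}

int main(void)
{
    printf("good handle -> %d words\n", reply_words(1));              /* 2 */
    printf("bad handle  -> %d (reply suppressed)\n", reply_words(0)); /* -1 */
    printf("zeroed result, checked encoder -> %d\n", checked_on_zeroed_result()); /* 0 */
    return 0;
}
```

Either fix on its own is enough to stop the crash; the handler-side one is the right place to reject a bad job handle, and the encoder-side check is what keeps a future caller from reintroducing the same NULL read.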
Impact:
----------
A single crafted RPC request for operation 126 crashes Mediasvr.exe, so the backup media server is unavailable until the process is restarted. The fault is a read through a NULL pointer, so the impact is a Denial of Service (DoS).
Risk Level:
--------------
High
Solution:
------------
CA has released a patch for this vulnerability; see:
http://supportconnectw.ca.com/public/storage/infodocs/basb-secnotice.asp
References:
--------------
CVE: CVE-2007-2772
eEye Zero Day ID: EEYEZD-20070516
[Shirkdog Security]
http://www.shirkdog.us/shk-006.html
