CA BrightStor ARCServe Backup Discovery Service Mailslot Remote Overflow Vulnerability

Vulnerability ID: 1193241    Vulnerability type: Buffer overflow
Published: 2006-10-02    Updated: 2006-11-22
CVE ID: CVE-2006-5142    CNNVD-ID: CNNVD-200610-162
Platform: N/A    CVSS score: 7.5
|Vulnerability source
https://www.securityfocus.com/bid/20364
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-162
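|Vulnerability details
BrightStor ARCserve Backup provides backup and restore protection for servers on a variety of platforms. The Discovery service (casdscsvc.exe) of BrightStor ARCserve Backup has a stack overflow vulnerability when handling requests received on port TCP/41523, which a remote attacker may exploit to execute arbitrary commands on the server. When the service processes an overly long message received through the mailslot named CheyenneDS, an attacker can trigger an exploitable stack overflow because no explicit MaxMessageSize is supplied in the call to CreateMailslot. The mailslot is created as follows:

    casdscsvc.exe -> Asbrdcst.dll
    20C14E8C  push  0                    ; lpSecurityAttributes
    20C14E8E  push  0                    ; lReadTimeout
    20C14E90  push  0                    ; nMaxMessageSize
    20C14E92  push  offset Name          ; "\\\\.\\mailslot\\CheyenneDS"
    20C14E97  stosb
    20C14E98  call  ds:CreateMailslotA
    20C14E9E  cmp   eax, INVALID_HANDLE_VALUE
    20C14EA1  mov   mailslot_handle, eax

Note that no explicit MaxMessageSize is specified. The mailslot handle is then read from into a 4k buffer, and the data read is passed to a vsprintf call that uses a 1k buffer.

    casdscsvc.exe -> Asbrdcst.dll
    20C15024  mov   eax, mailslot_handle
    20C15029  lea   edx, [esp+1044h+Buffer_4k]
    20C1502D  push  ecx                  ; nNumberOfBytesToRead
    20C1502E  push  edx                  ; lpBuffer
    20C1502F  push  eax                  ; hFile
    20C15030  call  edi                  ; ReadFile
    20C15032  test  eax, eax
    20C15034  jz    short read_failed
    20C15036  lea   ecx, [esp+3Dh]
    20C1503A  push  ecx                  ; char
    20C1503B  push  offset str_ReadmailslotS ; "ReadMailSlot:%s\n"
    20C15040  call  not_interesting_call_to_vsnprtinf
    20C150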
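The formatting step described above, as an added example that is not taken from the advisory or from the vendor's code: a bounded replacement for the unbounded write of up to 4 KB of mailslot data into a 1 KB buffer. The function name format_mailslot_log and the two size macros are hypothetical, and the Windows mailslot read is replaced by a constructed in-memory message so the code runs on any platform.

```c
#include <stdio.h>
#include <string.h>

#define READ_BUF_SIZE 4096   /* size of the ReadFile buffer described above */
#define LOG_BUF_SIZE  1024   /* size of the formatting buffer described above */

/* Pattern described in the advisory (kept as a comment, not compiled):
 *     char line[LOG_BUF_SIZE];
 *     vsprintf(line, "ReadMailSlot:%s\n", args);   // up to 4 KB into 1 KB
 */

/* Hypothetical hardened replacement. msg/msg_len are the bytes and count
 * returned by the read; the data is not assumed to be NUL-terminated.
 * Returns 0 if the whole message fit, 1 if it was truncated, -1 on bad args. */
int format_mailslot_log(char *out, size_t out_size,
                        const char *msg, size_t msg_len)
{
    if (out == NULL || msg == NULL || out_size == 0 || msg_len > READ_BUF_SIZE)
        return -1;

    /* Stop at an embedded NUL so the bounded length matches what %s prints. */
    size_t text_len = 0;
    while (text_len < msg_len && msg[text_len] != '\0')
        text_len++;

    /* %.*s bounds the source read; snprintf bounds the destination write. */
    int needed = snprintf(out, out_size, "ReadMailSlot:%.*s\n",
                          (int)text_len, msg);
    if (needed < 0)
        return -1;
    return (size_t)needed >= out_size ? 1 : 0;
}

int main(void)
{
    char msg[READ_BUF_SIZE], line[LOG_BUF_SIZE];
    memset(msg, 'A', sizeof msg);            /* constructed 4 KB message */
    int rc = format_mailslot_log(line, sizeof line, msg, sizeof msg);
    printf("rc=%d logged=%zu bytes\n", rc, strlen(line));
    return 0;
}
```

On the creation side, passing a non-zero nMaxMessageSize to CreateMailslot caps the size of a single message, since zero means a message may be of any size.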
|Affected products
Computer Associates Server Protection Suite r2
Computer Associates Business Protection Suite for Microsoft SBS Std Ed r2
Computer Associates Business Protection Suite for Microsoft SBS Pre ed r2
Computer
|References

Source: MISC
Link: http://www.tippingpoint.com/security/advisories/TSRT-06-12.html
Source: XF
Name: ca-brightstor-discovery-mailslot-bo(29365)
Link: http://xforce.iss.net/xforce/xfdb/29365
Source: www3.ca.com
Link: http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34694
Source: www3.ca.com
Link: http://www3.ca.com/securityadvisor/blogs/posting.aspx?pid=94397&id=90744
Source: www3.ca.com
Link: http://www3.ca.com/securityadvisor/blogs/posting.aspx?pid=93775&id=90744
Source: BUGTRAQ
Name: 20061005 TSRT-06-12: CA BrightStor Discovery Service Mailslot Buffer Overflow Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/447853/100/100/threaded
Source: BUGTRAQ
Name: 20061006 [CAID 34693, 34694]: CA BrightStor ARCserve Backup Multiple Buffer Overflow Vulnerabilities
Link: http://www.securityfocus.com/archive/1/archive/1/447839/100/100/threaded
Source: VUPEN
Name: ADV-2006-3930
Link: http://www.frsirt.com/english/advisories/2006/3930
Source: supportconnectw.ca.com
Link: http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp
Source: SECUNIA
Name: 22283
Link: http://