CA iTechnology iGateway Service Negative Content-Length Field Value Buffer Overflow Vulnerability

Vulnerability ID: 1196666
Vulnerability type: Buffer overflow
Published: 2006-01-23
Updated: 2007-06-27
CVE ID: CVE-2005-3653
CNNVD-ID: CNNVD-200512-713
Platform: N/A
CVSS score: 10.0
|Vulnerability sources
https://www.securityfocus.com/bid/16354
https://cxsecurity.com/issue/WLB-2006010066
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200512-713
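|Vulnerability details
iTechnology is an integration technology that provides a standard web services interface for third-party products. iTechnology contains a heap overflow vulnerability in its handling of HTTP request headers, which a remote attacker may exploit to execute arbitrary instructions on the host. The iGateway service listens on port 5250 for standard HTTP or SSL traffic. The service does not correctly handle a negative HTTP Content-Length field. iGateway parses the Content-Length field value of the HTTP request and uses that value directly in a malloc() heap allocation call, so if a negative value is supplied, the allocation call returns a very small buffer. After the malloc() call, the supplied URI is copied with memcpy() into the allocated buffer, which overwrites the heap. A remote attacker can send a request with a very large URI and a negative Content-Length field to corrupt the heap, leading to execution of arbitrary instructions.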
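The allocation flaw described above, as an added C sketch that is not iGateway's code: `unsafe_alloc_size` models a signed Content-Length feeding the allocation size, and the other functions show a strict parse and a size derived from the data actually copied. The `+ 1` term, the `MAX_BODY`/`MAX_URI` limits and all function names are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BODY 1048576L  /* assumed policy limit for a request body */
#define MAX_URI  8192u     /* assumed policy limit for the request URI */

/* Pattern from the description, reduced to the size computation (no copy is
 * done here): a signed parse feeds the allocation size. "+ 1" is an assumption. */
long unsafe_alloc_size(const char *cl_value) {
    return atol(cl_value) + 1;            /* "-1" -> 0: a tiny allocation */
}

/* Strict parse: decimal digits only, bounded. Returns -1 on rejection. */
long parse_content_length(const char *s) {
    if (s == NULL || *s == '\0') return -1;
    for (const char *p = s; *p; p++)
        if (*p < '0' || *p > '9') return -1;   /* rejects "-1", "+5", " 5" */
    errno = 0;
    unsigned long v = strtoul(s, NULL, 10);
    if (errno == ERANGE || v > (unsigned long)MAX_BODY) return -1;
    return (long)v;
}

/* Size for a buffer holding URI + NUL + body, derived from the data that will
 * actually be copied. Returns 0 when the request must be rejected. */
size_t checked_alloc_size(const char *uri, const char *cl_value) {
    long body = parse_content_length(cl_value);
    size_t uri_len = strlen(uri);
    if (body < 0 || uri_len > MAX_URI) return 0;
    return uri_len + 1 + (size_t)body;    /* cannot wrap: both terms are bounded */
}

int main(void) {
    const char *uri = "/constructed/sample/uri";   /* constructed sample input */
    const char *values[] = { "64", "-1", "4294967295" };
    for (size_t i = 0; i < 3; i++) {
        size_t n = checked_alloc_size(uri, values[i]);
        if (n == 0) { printf("%s: rejected\n", values[i]); continue; }
        char *buf = malloc(n);
        if (buf == NULL) return 1;
        memcpy(buf, uri, strlen(uri) + 1);         /* fits: n >= strlen(uri) + 1 */
        printf("%s: allocated %zu bytes\n", values[i], n);
        free(buf);
    }
    return 0;
}
```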
|Vulnerability exploit (EXP)
Please see below for important changes to CAID 33778.
Changelog is near end of advisory.

Regards,
Ken Williams

Title: CAID 33778 - CA iGateway Content-Length Buffer Overflow 
Vulnerability [v1.1]

CA Vulnerability ID: 33778

CA Advisory Date: 2006-01-23
Updated Advisory [v1.1]: 2006-01-26

Discovered By: Erika Mendoza reported this issue to iDefense.

Impact: Remote attacker can execute arbitrary code with SYSTEM 
privileges.

Summary: The CA iGateway common component, which is included with 
several CA products for UNIX/Linux/Windows platforms, contains a 
buffer overflow vulnerability that can allow arbitrary code to be 
executed remotely with SYSTEM privileges on Windows, and cause 
iGateway component failure on UNIX and Linux platforms.

Mitigating Factors: None.

Severity: CA has given this vulnerability a Medium risk rating.

Affected Technologies: Please note that the iGateway component is
not a product, but rather a common component that is included 
with multiple products.  The iGateway component is included in 
the following CA products, which are consequently potentially 
vulnerable.  Note that iGateway component versions older than 
4.0.051230 are vulnerable to this issue.

Affected Products:

BrightStor ARCserve Backup r11.5
BrightStor ARCserve Backup r11.1
BrightStor ARCserve Backup for Windows r11
BrightStor Enterprise Backup 10.5
BrightStor ARCserve Backup v9.01
BrightStor ARCserve Backup Laptop & Desktop r11.1
BrightStor ARCserve Backup Laptop & Desktop r11
BrightStor Process Automation Manager r11.1
BrightStor SAN Manager r11.1
BrightStor SAN Manager r11.5
BrightStor Storage Resource Manager r11.5
BrightStor Storage Resource Manager r11.1
BrightStor Storage Resource Manager 6.4
BrightStor Storage Resource Manager 6.3
BrightStor Portal 11.1

Note to BrightStor Storage Resource Manager and BrightStor Portal
users: In addition to the application servers where these products 
are installed, all hosts that have iSponsors deployed to them for 
managing applications like Veritas Volume Manager and Tivoli TSM 
are also affected by this vulnerability.

eTrust Products:
eTrust Audit 1.5 SP2 (iRecorders and ARIES)
eTrust Audit 1.5 SP3 (iRecorders and ARIES)
eTrust Audit 8.0 (iRecorders and ARIES)
eTrust Admin 8.1
eTrust Identity Minder 8.0
eTrust Secure Content Manager (SCM) R8
eTrust Integrated Threat Management (ITM) R8
eTrust Directory, R8.1 (Web Components Only)

Unicenter Products:
Unicenter CA Web Services Distributed Management R11
Unicenter AutoSys JM R11
Unicenter Management for WebLogic / Management for WebSphere R11
Unicenter Service Delivery R11
Unicenter Service Level Management (USLM) R11
Unicenter Application Performance Monitor R11
Unicenter Service Desk R11
Unicenter Service Desk Knowledge Tools R11
Unicenter Asset Portfolio Management R11
Unicenter Service Metric Analysis R11
Unicenter Service Catalog/Assure/Accounting R11
Unicenter MQ Management R11
Unicenter Application Server Management R11
Unicenter Web Server Management R11
Unicenter Exchange Management R11

Affected platforms:
AIX, HP-UX, Linux Intel, Solaris, and Windows

Status and Recommendation: 
Customers with vulnerable versions of the iGateway component 
should upgrade to the current version of iGateway (4.0.051230 or 
later), which is available for download from the following 
locations:
http://supportconnect.ca.com/
ftp://ftp.ca.com/pub/iTech/downloads/

Determining the version of iGateway:
To determine the version numbers of the iGateway components:

Go to the igateway directory:

On Windows, this is %IGW_LOC%
Default path for v3.*: C:\Program Files\CA\igateway
Default path for v4.*: 
C:\Program Files\CA\SharedComponents\iTechnology

On unix, 
Default path for v3.*: 	/opt/CA/igateway
Default path for v4.*: 	the install directory path is contained in 
opt/CA/SharedComponents/iTechnology.location.
The default path is /opt/CA/SharedComponents/iTechnology

Look at the <Version> element in igateway.conf.

The versions are affected by this vulnerability if you see 
a value LESS THAN the following: 
<Version>4.0.051230</Version>  (note the format of v.s.YYMMDD)

References: 
(note that URLs may wrap)
CA SupportConnect:
http://supportconnect.ca.com/
http://supportconnectw.ca.com/public/ca_common_docs/igatewaysecurity_notice.asp

CAID: 33778
CAID Advisory link: 
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33778

CVE Reference: CVE-2005-3653
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3653

OSVDB Reference: OSVDB-22688
http://osvdb.org/22688

iDefense Reference:
Computer Associates iTechnology iGateway Service Content-Length 
Buffer Overflow
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=376

Changelog:
v1.0 - Initial Release
v1.1 - Removed several unaffected technologies; added more 
reference links.

Customers who require additional information should contact CA 
Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory,
please send email to vuln (at) ca (dot) com, or contact me directly.

If you discover a vulnerability in CA products, please report
your findings to vuln (at) ca (dot) com, or utilize our "Submit a 
Vulnerability" form.
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx

Regards,
Ken Williams ; 0xE2941985
Dir. of CA Vulnerability Research Team

CA, One Computer Associates Plaza. Islandia, NY 11749
	
Contact http://www3.ca.com/contact/
Legal Notice http://ca.com/calegal.htm
Privacy Policy http://www.ca.com/caprivacy.htm
Copyright 2006 CA.  All rights reserved.
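The version check from "Determining the version of iGateway" above, as an added C example that is not CA's code: it reads the `<Version>` element and compares it numerically against 4.0.051230. The configuration fragments and the function name are constructed for illustration; only the `<Version>` element and the threshold come from the advisory.

```c
#include <stdio.h>
#include <string.h>

/* First fixed build per the advisory: 4.0.051230, format v.s.YYMMDD.
 * The date is written as decimal 51230; a C literal 051230 would be octal. */
#define FIXED_MAJOR 4
#define FIXED_MINOR 0
#define FIXED_DATE  51230

/* Classify igateway.conf text by its <Version> element.
 * Returns 1 = older than the fixed build, 0 = fixed build or later,
 * -1 = no parsable <Version> element. */
int igateway_is_vulnerable(const char *conf_text) {
    static const char open_tag[] = "<Version>", close_tag[] = "</Version>";
    int major, minor, date, used = 0;
    const char *p = strstr(conf_text, open_tag);
    if (p == NULL) return -1;
    p += strlen(open_tag);
    /* %d reads "051230" as decimal 51230; %n records how much was consumed. */
    if (sscanf(p, "%d.%d.%d%n", &major, &minor, &date, &used) != 3) return -1;
    if (major < 0 || minor < 0 || date < 0) return -1;
    if (strncmp(p + used, close_tag, strlen(close_tag)) != 0) return -1;
    if (major != FIXED_MAJOR) return major < FIXED_MAJOR;
    if (minor != FIXED_MINOR) return minor < FIXED_MINOR;
    return date < FIXED_DATE;
}

int main(void) {
    /* Constructed fragments; real igateway.conf files contain more elements. */
    const char *samples[] = {
        "<Version>4.0.051230</Version>",
        "<Version>4.0.051110</Version>",
        "<Version>3.0.041021</Version>",
        "<Placeholder>no version here</Placeholder>",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-44s -> %d\n", samples[i], igateway_is_vulnerable(samples[i]));
    return 0;
}
```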
|Affected products
Computer Associates Unicenter Web Server Management 11.0 Computer Associates Unicenter Service Matrix Analysis 11.0 Computer Associates Unicenter Service Level Management 11.0 Computer Associates Unicente
|References

Source: XF
Name: ca-igateway-contentlength-bo(24269)
Link: http://xforce.iss.net/xforce/xfdb/24269
Source: BID
Name: 16354
Link: http://www.securityfocus.com/bid/16354
Source: OSVDB
Name: 22688
Link: http://www.osvdb.org/22688
Source: IDEFENSE
Name: 20060123 Computer Associates iTechnology iGateway Service Content-Length Buffer Overflow
Link: http://www.idefense.com/intelligence/vulnerabilities/display.php?id=376
Source: VUPEN
Name: ADV-2006-0311
Link: http://www.frsirt.com/english/advisories/2006/0311
Source: supportconnectw.ca.com
Link: http://supportconnectw.ca.com/public/ca_common_docs/igatewaysecurity_notice.asp
Source: SECTRACK
Name: 1015526
Link: http://securitytracker.com/id?1015526
Source: SECUNIA
Name: 18591
Link: http://secunia.com/advisories/18591
Source: www3.ca.com
Link: http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33778
Source: BUGTRAQ
Name: 20060123 CAID 33778 - CA iGateway Content-Length Buffer Overflow Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/423403/100/0/threaded
Source: BUGTRAQ
Name: 20060127 CAID 33778 - CA iGateway Content-Length Buffer Overflow Vulnerability