Oh man you are a super star !!! but why no fix ??? On Mon, Mar 10, 2008 at 11:47 PM, Luigi Auriemma <[EMAIL PROTECTED]> wrote:
> > ####################################################################### > > Luigi Auriemma > > Application: Acronis True Image Group Server > > http://www.acronis.com/enterprise/products/ATIES/group-server.html > Versions: <= 1.5.19.191 > (included in Acronis True Image Enterprise Server > 9.5.0.8072 and the other True Image packages) > Platforms: Windows > Bug: invalid memory access > Exploitation: remote > Date: 08 Mar 2008 > Author: Luigi Auriemma > e-mail: [EMAIL PROTECTED] > web: aluigi.org > > > ####################################################################### > > > 1) Introduction > 2) Bug > 3) The Code > 4) Fix > > > ####################################################################### > > =============== > 1) Introduction > =============== > > > Acronis Group Server is a component of Acronis True Image Echo Server > (Workstation and Enterprise packages) which "allows the viewing and > managing of backup tasks for all systems in the network from the > Acronis Management Console". > > > ####################################################################### > > ====== > 2) Bug > ====== > > > The packets used by this server contain some 16 bit fields which > specify the length of the subsequent data. > The problem is that the memory assigned for each packet is about 2048 > bytes so the server allocates the amount of memory specified by that 16 > bit field and then tries to copy the data from the packet into this new > buffer with the subsequent crash of the service due to an invalid read > access. > > > ####################################################################### > > =========== > 3) The Code > =========== > > > http://aluigi.org/poc/acrogroup.txt > > nc SERVER 9877 -v -v -u -p 9876 < acrogroup.txt > > > ####################################################################### > > ====== > 4) Fix > ====== > > > No fix > > > ####################################################################### > > > --- > Luigi Auriemma > http://aluigi.org > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
