[Full-disclosure] [IVIZ-09-003] CA ARCserve Denial of Service

iViZ Security Advisories Tue, 16 Jun 2009 04:34:57 -0700

-----------------------------------------------------------------------
------
[ iViZ Security Advisory 09-003                            16/06/2009 ]


-----------------------------------------------------------------------
------
iViZ Techno Solutions Pvt. Ltd.

                                            http://www.ivizsecurity.com

-----------------------------------------------------------------------



* Title:     CA ARCserve Denial of Service

* Software:  CA ARCserver Backup r12 SP1



--[ Synopsis:



    CA ARCserve Backup is vulnerable to a Denial of Service

    when a crafted packet is sent to the CA ARCserve Message

    Engine Service.



--[ Affected Software:



  * CA ARCserver Backup r12 SP1

  * Others versions may also be affected



--[ Technical description:



    CA ARCserrve is vulnerable to a Denial of Service when a crafted

    RPC packet is sent to the Message engine service listening at

    6503/TCP port.



    The interface informations are as follows



        [

         uuid(dc246bf0-7a7a-11ce-9f88-00805fe43838),

         version(1.0)

        ]



        interface mIDA_interface

        {

        

        /* opcode: 0x13 */

        

        long  (

         [in] long arg_1,

         [in] short arg_2,

         [in][size_is(65536), length_is(65536)] char * arg_3,

         [in] long arg_4,

         [out] long * arg_5

        );



        }



  When a crafted RPC packet with values such as

                arg_1 = 0x1

                arg_4 = 0x1

                arg_3 = { a character array of 65536 }

  will crash the message engine service. The bug exists in

  the ASCORE module and there exists more than one way to

  reach the buggy code.



  Buggy code @ASCORE module of msgeng.exe process running at 6503/TCP port

        2123A736   6A 00             PUSH 0                                     
<- Pushes 0x0

        2123A738   55                PUSH EBP

        2123A739   E8 F20B0000       CALL ASCORE.2123B330

        2123A73E   8B4C24 10         MOV ECX,DWORD PTR SS:[ESP+10]

        

        #ASCORE.2123B330

        2123B330   51                PUSH ECX

        2123B331   8B4C24 08         MOV ECX,DWORD PTR SS:[ESP+8]       <- 
Copies
0x0 from stack to ECX

        2123B335   8A81 1E010000     MOV AL,BYTE PTR DS:[ECX+11E]       <- Bug:
Access Violation

        2123B33B   3C 03             CMP AL,3





--[ Impact:



    Denial of Service



--[ Vendor response:



   https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=209502



--[ Credits:



    This vulnerability was discovered by Nibin Varghese from

    iViZ Security Research Team

    http://www.ivizsecurity.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] [IVIZ-09-003] CA ARCserve Denial of Service

Reply via email to