CA BrightStor ARCserve Backup Message Queue Service Remote Code Execution Vulnerability

Release date: 2007-06-27
Last updated: 2007-10-12

Affected systems:
Computer Associates BrightStor ARCserve Backup r11.1
Computer Associates BrightStor ARCserve Backup R11
Computer Associates BrightStor ARCserve Backup r10.5
Computer Associates BrightStor ARCserve Backup 9.01
Computer Associates BrightStor ARCserve Backup 11.5
Description:
BUGTRAQ ID: 24680
CVE(CAN) ID: CVE-2007-5331

BrightStor ARCserve Backup provides backup and restore protection for servers on a wide range of platforms.

The queue service of BrightStor ARCserve Backup contains an implementation flaw that a remote attacker could exploit to take control of the server.

Sending a malformed ONC RPC request to the BrightStor ARCserve Backup message queue service, LQserver.exe, triggers memory corruption in Queue.dll. The vulnerability can only be reached by calling procedure 0x76 (data queue request) under ID 0x0006097d (the RPC program ID specific to LQserver.exe). After this procedure is initialized, LQserver.exe calls into the vulnerable DLL, Queue.dll, which processes the user-supplied data without any validation and dereferences it as pointers, as shown below:

<lqserver.exe>
100161B0     MOV EDX,DWORD PTR DS:[ECX+4]    ; Move Arbitrary Pointer #2 into EDX
100161B3     PUSH EDX            ; Push Arbitrary Pointer #2 onto the Stack
100161B4     MOV EAX,DWORD PTR SS:[EBP+8]    ; Move (0x0113F8A8 the address to Arbitrary
                        ; Pointer #1) into EAX
100161B7     MOV ECX,DWORD PTR DS:[EAX]    ; Move Arbitrary Pointer #1 into ECX
100161B9     PUSH ECX            ; Push Arbitrary Pointer #1 onto the Stack
100161BA     CALL QUEUE.10012816        ; CALL Vulnerable DLL
...
<queue.dll>
1001281C     CMP DWORD PTR SS:[EBP+8],0    ; EBP + 8 points to Arbitrary Pointer #1  - This makes
                        ; sure our pointer isn't NULL.
10012820     JNZ SHORT QUEUE.10012829    ; Since our pointer isn't NULL we jump
10012829     MOV EAX,DWORD PTR SS:[EBP+8]    ; Load Arbitrary Pointer #1 into EAX
1001282C       MOV DWORD PTR SS:[EBP-4],EAX    ; Write Arbitrary Pointer into EBP-4 (0x00D39618)
1001282F       CMP DWORD PTR DS:[10037884],0    ; This checks for an error message field - NULL
                        ; signifies 'The operation completed successfully'
10012836       JE SHORT QUEUE.10012870        ; Jump is taken
10012870      MOV EAX,DWORD PTR SS:[EBP+C]    ; Move Arbitrary Pointer #2 into EAX
10012873    PUSH EAX            ; Push Arbitrary Pointer #2 onto the stack
10012874       PUSH QUEUE.10037884        ; Push NULL
10012879       MOV ECX,DWORD PTR SS:[EBP-4]    ; Move Arbitrary Pointer #1 into ECX
1001287C       MOV EDX,DWORD PTR DS:[ECX]    ; Move Arbitrary Pointer #1 into EDX
1001287E      MOV ECX,DWORD PTR SS:[EBP-4]    ; Move Arbitrary Pointer #1 into ECX
10012881      CALL DWORD PTR DS:[EDX]        ; Call Arbitrary Pointer #1

At this point Queue.dll dereferences and calls Arbitrary Pointer #1, which in turn leads to a call through Arbitrary Pointer #2. Once Arbitrary Pointer #2 is called, the attacker has complete control over execution and can redirect Queue.dll to run arbitrary code. After the attack completes, LQserver.exe crashes and must be restarted manually through the CA Domain Server service.
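As an added, detection-oriented example (written for this page; it is not code from the advisory, from CA or from the original researcher), the following Python parses the ONC RPC call header (RFC 5531 XDR layout) and flags calls addressed to the program ID 0x0006097d and procedure 0x76 named above, so a sensor or log pipeline can surface such requests for inspection. It assumes the raw RPC message (a UDP datagram, or TCP payload with the 4-byte record mark already stripped); the sample message, its program version number and its trailing argument bytes are constructed.

```python
import struct

# From the advisory: the ONC RPC program number of LQserver.exe and the
# "data queue request" procedure that reaches the vulnerable Queue.dll path.
LQSERVER_PROG = 0x0006097D
DATA_QUEUE_PROC = 0x76
RPC_CALL, RPC_VERSION = 0, 2  # msg_type CALL; only RPC version 2 exists


def parse_rpc_call(msg: bytes) -> dict:
    """Parse the fixed part of an ONC RPC CALL message (RFC 5531 XDR layout:
    xid, msg_type, rpcvers, prog, vers, proc, then cred and verf opaque_auth).
    Returns the header fields and the offset where the arguments begin."""
    if len(msg) < 24:
        raise ValueError("message shorter than an RPC call header")
    xid, msg_type, rpcvers, prog, vers, proc = struct.unpack(">6I", msg[:24])
    if msg_type != RPC_CALL or rpcvers != RPC_VERSION:
        raise ValueError("not an RPC version 2 CALL message")
    off = 24
    for _ in range(2):  # cred, then verf: flavor, length, padded body
        if len(msg) < off + 8:
            raise ValueError("truncated opaque_auth")
        _flavor, length = struct.unpack(">II", msg[off:off + 8])
        if length > 400:  # MAX_AUTH_BYTES in RFC 5531
            raise ValueError("opaque_auth body too long")
        off += 8 + ((length + 3) & ~3)  # body padded to a 4-byte boundary
    if off > len(msg):
        raise ValueError("truncated opaque_auth body")
    return {"xid": xid, "prog": prog, "vers": vers, "proc": proc,
            "args_offset": off}


def is_data_queue_request(msg: bytes) -> bool:
    """True when the call targets LQserver's program and the procedure the
    advisory names; such requests warrant inspection or alerting."""
    try:
        call = parse_rpc_call(msg)
    except ValueError:
        return False
    return call["prog"] == LQSERVER_PROG and call["proc"] == DATA_QUEUE_PROC


# Constructed sample: CALL to prog 0x6097d, version 1 (assumed), proc 0x76,
# AUTH_NULL cred and verf, followed by eight placeholder argument bytes.
SAMPLE_CALL = (struct.pack(">6I", 0x1234, RPC_CALL, RPC_VERSION,
                           LQSERVER_PROG, 1, DATA_QUEUE_PROC)
               + struct.pack(">II", 0, 0) * 2 + b"\x00" * 8)
```

A match only says the request reaches the affected code path; pair it with the LQserver.exe crash and manual restart described above when triaging, since the header alone does not prove the arguments were malformed.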

<*Source: Greg Linares (glinares.code@gmail.com)
  
  Links: http://supportconnectw.ca.com/public/storage/infodocs/basb-secnotice.asp
        http://secunia.com/advisories/23648/
        http://marc.info/?l=bugtraq&m=119213863320172&w=2
        http://marc.info/?l=full-disclosure&m=119698698503622&w=2
        http://research.eeye.com/html/advisories/published/AD20071011.html
*>

Recommendation:
Vendor patches:

Computer Associates
-------------------
The vendor has released patches to fix this security issue; download them from the vendor's site:

http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO91094
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO91097
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO91098

This advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.