CA BrightStor ARCServe BackUp Tape Engine Service Remote Code Execution Vulnerability
Release date: 2007-01-11
Update date: 2007-01-15
Affected systems:
Computer Associates BrightStor ARCserve Backup
Computer Associates BrightStor Enterprise Backup 10.5
Description:
BUGTRAQ ID: 22010
CVE(CAN) ID: CVE-2007-0168
BrightStor ARCserve Backup provides backup and recovery protection for servers on a variety of platforms.
BrightStor ARCserve Backup contains a vulnerability in its handling of requests on TCP port 6502; a remote attacker could exploit it to take control of the server.
The BrightStor ARCserve Backup Tape Engine service (tapeeng.exe), which listens on TCP port 6502 by default, does not correctly handle RPC requests. Opnum 191 on the 62b93df0-8b02-11ce-876c-00805f842837 interface selects the vulnerable operation, which allows execution to be redirected by controlling a variable on the stack; that variable is then misused in the following call:
00264DFE CALL DWORD PTR DS:[EAX+C] ;EAX is controllable.
An attacker who successfully exploits this vulnerability can execute arbitrary code on the vulnerable system.
<*Source: LSsecurity
Links: http://secunia.com/advisories/23648/
http://www.zerodayinitiative.com/advisories/ZDI-07-002.html
http://www.lssec.com/advisories/LS-20061002.pdf
http://supportconnectw.ca.com/public/storage/infodocs/babimpsec-notice.asp
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users bear the risk themselves!
STACK before REP instruction
01C9FA2C 01C9FB84
01C9FA30 00000000 VAR
01C9FA34 02860286
01C9FA38 00000002
01C9FA3C 01C9FAD0
01C9FA40 /01C9FD48 EBP
01C9FA44 |77D96065 RETURN to RPCRT4.77D96065 from RPCRT4.77D36CB8
01C9FA48 |002A2E60 TAPEEN_1.002A2E60
RPCRT4
77D36CD9 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] ;Our address is stored in VAR
...
77D36CE3 MOV EAX,DWORD PTR SS:[EBP+8] ;TAPEEN_1.002A2E60
77D36CE6 CALL EAX
STACK after REP instruction
01C9FA2C 0014DB88
01C9FA30 00172CDC Our address
01C9FA34 02860286
01C9FA38 00000002
01C9FA3C 01C9FAD0
01C9FA40 /01C9FD48 EBP
01C9FA44 |77D96065 RETURN to RPCRT4.77D96065 from RPCRT4.77D36CB8
01C9FA48 |002A2E60 TAPEEN_1.002A2E60
TAPEEN_1
002A2E60 MOV EAX,DWORD PTR SS:[ESP+8] ;Our address
002A2E64 PUSH EAX
002A2E65 CALL TAPEEN_1.00264DB0
STACK after CALL TAPEEN_1.00264DB0
01C9FA1C /01C9FA40 EBP
01C9FA20 |002A2E6A RETURN to TAPEEN_1.002A2E6A from TAPEEN_1.00264DB0
01C9FA24 |00172CDC PUSHED EAX
01C9FA28 |77D36CE8 RETURN to RPCRT4.77D36CE8
01C9FA2C |0014DB88
01C9FA30 |00172CDC Our address
01C9FA34 |02860286
01C9FA38 |00000002
01C9FA3C |01C9FAD0
01C9FA40 ]01C9FD48 EBP
01C9FA44 |77D96065 RETURN to RPCRT4.77D96065 from RPCRT4.77D36CB8
01C9FA48 |002A2E60 TAPEEN_1.002A2E60
TAPEEN_1
00264DB0 PUSH EBP
00264DB1 MOV EBP,ESP
...
00264DF1 MOV ESI,DWORD PTR SS:[EBP+8] ;Our address is stored in ESI
00264DF4 MOV EAX,DWORD PTR DS:[ESI+334] ;The data referenced by ESI+334 is moved to EAX
00264DFA MOV ECX,DWORD PTR DS:[EAX+18]
00264DFD PUSH ECX
00264DFE CALL DWORD PTR DS:[EAX+C] ;The data referenced by EAX+C is called
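As a defender-side illustration of the request path the description identifies (the 62b93df0-8b02-11ce-876c-00805f842837 interface, opnum 191, TCP 6502), here is an added Python example that is not part of the original advisory: it parses DCE/RPC bind and request headers, ties a request's context id back to the interface bound on that connection, and flags opnum 191 only on the Tape Engine interface. The detector class, the constructed sample PDUs, the client address and the use of the standard NDR transfer syntax UUID to fill the bind are assumptions of the example.

```python
import struct
import uuid
TAPE_ENGINE_PORT, VULN_OPNUM = 6502, 191  # from the advisory: listening port and vulnerable opnum
VULN_IFACE = uuid.UUID("62b93df0-8b02-11ce-876c-00805f842837")  # interface named in the advisory
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # standard NDR transfer syntax
PTYPE_REQUEST, PTYPE_BIND = 0x00, 0x0B

def parse_pdu(pdu):
    """Parse a connection-oriented DCE/RPC bind or request header (little-endian drep)."""
    if len(pdu) < 24 or pdu[0] != 5:
        return None
    info = {"ptype": pdu[2]}
    if pdu[2] == PTYPE_BIND:  # context count at offset 24, context items start at 28
        off, ctx = 28, {}
        for _ in range(pdu[24]):
            ctx_id, n_ts = struct.unpack_from("<HB", pdu, off)
            # The abstract syntax UUID has its first three fields little-endian on the wire.
            ctx[ctx_id] = uuid.UUID(bytes_le=pdu[off + 4:off + 20])
            off += 24 + 20 * n_ts
        info["contexts"] = ctx
    elif pdu[2] == PTYPE_REQUEST:  # alloc_hint(4) ctx_id(2) opnum(2) follow the 16-byte header
        info["ctx_id"], info["opnum"] = struct.unpack_from("<HH", pdu, 20)
    return info

class TapeEngineDetector:
    """Map each connection's context ids to interfaces, then flag opnum 191 on the Tape Engine one."""
    def __init__(self):
        self.contexts = {}  # (client_ip, dst_port) -> {ctx_id: interface uuid}

    def feed(self, conn, pdu):
        hdr = parse_pdu(pdu) if conn[1] == TAPE_ENGINE_PORT else None
        if hdr and hdr["ptype"] == PTYPE_BIND:
            self.contexts.setdefault(conn, {}).update(hdr["contexts"])
        elif hdr and hdr["ptype"] == PTYPE_REQUEST:
            iface = self.contexts.get(conn, {}).get(hdr["ctx_id"])
            if iface == VULN_IFACE and hdr["opnum"] == VULN_OPNUM:
                return f"CVE-2007-0168: opnum {VULN_OPNUM} on Tape Engine interface from {conn[0]}"
        return None

def build_pdu(ptype, call_id, body):  # constructed sample PDU: 16-byte common header + body
    return bytes([5, 0, ptype, 3, 0x10, 0, 0, 0]) + struct.pack("<HHI", 16 + len(body), 0, call_id) + body

def build_bind(ctx_id, iface):  # constructed bind: one context item with one transfer syntax
    body = struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0) + struct.pack("<HBB", ctx_id, 1, 0)
    body += iface.bytes_le + struct.pack("<I", 0) + NDR_SYNTAX.bytes_le + struct.pack("<I", 2)
    return build_pdu(PTYPE_BIND, 1, body)

def build_request(ctx_id, opnum, stub=b"\x00" * 8):  # constructed request with dummy stub data
    return build_pdu(PTYPE_REQUEST, 2, struct.pack("<IHH", len(stub), ctx_id, opnum) + stub)
```

feed() expects reassembled PDUs from one TCP connection with the bind seen before the request; matching on opnum 191 without the bind context would fire on unrelated interfaces that share the port.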
Recommendations:
Vendor patch:
Computer Associates
-------------------
The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's home page:
https://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO84985
https://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO84986