漏洞信息详情
CA BrightStor ARCserve Backup 代码注入漏洞
- CNNVD编号:CNNVD-200710-264
- 危害等级: 超危
- CVE编号: CVE-2007-5331
- 漏洞类型: 代码注入
- 发布时间: 2007-06-27
- 威胁类型: 远程
- 更新时间: 2021-04-08
- 厂 商: ca
- 漏洞来源: Greg Linares※ glin...
漏洞简介
BrightStor ARCserve Backup可为各种平台的服务器提供备份和恢复保护功能。
BrightStor ARCserve Backup的队列服务实现上存在漏洞,远程攻击者可能利用此漏洞控制服务器。
如果向BrightStor的ARCserve Backup消息队列服务LQserver.exe发送了畸形的ONRPC协议请求的话,就会在Queue.dll中触发内存破坏。仅可以通过调用0x0006097d进程ID(LQserver.exe的特定Proc ID)下的0x76(数据队列请求)操作才可以触发这个漏洞。在初始化这个过程后,LQServer.exe就会调用有漏洞的DLL文件Queue.dll,这个过程未经任何验证便处理了用户数据并引用为变量,如下所示:
<lqserver.exe>
100161B0 MOV EDX,DWORD PTR DS:[ECX+4] ; Move Arbitrary Pointer #2 into EDX
100161B3 PUSH EDX ; Push Arbitrary Pointer #2 onto the Stack
100161B4 MOV EAX,DWORD PTR SS:[EBP+8] ; Move (0x0113F8A8 the address to Arbitrary
; Pointer #1) into EAX
100161B7 MOV ECX,DWORD PTR DS:[EAX] ; Move Arbitrary Pointer #1 into ECX
100161B9 PUSH ECX ; Push Arbitrary Pointer #1 onto the Stack
100161BA CALL QUEUE.10012816 ; CALL Vulnerable DLL
...
<queue.dll>
1001281C CMP DWORD PTR SS:[EBP+8],0 ; EBP + 8 points to Arbitrary Pointer #1 - This makes
; sure our pointer isn t NULL.
10012820 JNZ SHORT QUEUE.10012829 ; Since our pointer isn t NULL we jump
10012829 MOV EAX,DWORD PTR SS:[EBP+8] ; Load Arbitrary Pointer #1 into EAX
1001282C MOV DWORD PTR SS:[EBP-4],EAX ; Write Arbitrary Pointer into EBP-4 (0x00D39618)
1001282F CMP DWORD PTR DS:[10037884],0 ; This checks for an error message field - NULL
; signifies The operation completed successfully
10012836 JE SHORT QUEUE.10012870 ; Jump is taken
10012870 MOV EAX,DWORD PTR SS:[EBP+C] ; Move Arbitrary Pointer #2 into EAX
10012873 PUSH EAX ; Push Arbitrary Pointer #2 onto the stack
10012874 PUSH QUEUE.10037884 ; Push NULL
10012879 MOV ECX,DWORD PTR SS:[EBP-4] ; Move Arbitrary Pointer #1 into ECX
1001287C MOV EDX,DWORD PTR DS:[ECX] ; Move Arbitrary Pointer #1 into EDX
1001287E MOV ECX,DWORD PTR SS:[EBP-4] ; Move Arbitrary Pointer #1 into ECX
10012881 CALL DWORD PTR DS:[EDX] ; Call Arbitrary Pointer #1
这时Queue.dll引用并调用了Arbitrary Pointer #1,然后会调用Arbitrary Pointer #2。在调用Arbitrary Pointer #2后,攻击者就可以完全控制代码的执行并重新定向Queue.dll执行任意代码。攻击完成后,LQserver.exe会崩溃,必须通过CA Domain Server服务手工重启。
漏洞公告
目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO91094
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO91097
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO91098
参考网址
来源:SECUNIA
链接:http://secunia.com/advisories/27192
来源:BUGTRAQ
链接:http://www.securityfocus.com/archive/1/482114/100/0/threaded
来源:BUGTRAQ
链接:http://www.securityfocus.com/archive/1/482121/100/0/threaded
来源:EEYE
链接:http://research.eeye.com/HTML/advisories/published/AD20071011.HTML
来源:CONFIRM
链接:http://supportconnectw.ca.com/public/storage/infodocs/basb-secnotice.asp
来源:BID
链接:https://www.securityfocus.com/bid/24680
来源:VUPEN
链接:http://www.vupen.com/english/advisories/2007/3470
来源:XF
链接:https://exchange.xforce.ibmcloud.com/vulnerabilities/37071
来源:OSVDB
链接:http://osvdb.org/41371
来源:SECTRACK
链接:http://www.securitytracker.com/id?1018805
受影响实体
- Ca Server_protection_suite:2
- Ca Business_protection_suite:2.0:Microsoft_small_business_server_standard
- Ca Business_protection_suite:2.0:Microsoft_small_business_server_premium
- Ca Business_protection_suite:2.0
- Ca Brightstor_enterprise_backup:10.5
补丁
- CA BrightStor ARCserve Backup 代码注入漏洞的修复措施
评论