EEYE-ARCserve.txt
Posted Sep 25, 2007
Authored by Yuji Ukai, Andre Derek Protas, Matt Oh | Site eeye.com

eEye Digital Security has discovered multiple vulnerabilities within CA ARCserve for Laptops & Desktops (L&D), an enterprise-level backup software suite designed for workstations. The vulnerabilities can be utilized by an attacker to execute arbitrary code on a remote system anonymously over TCP/1900.

tags | advisory, remote, arbitrary, tcp, vulnerability
SHA-256 | 2c3fbc7b2a14abfd5c6627658fb14d28b20b7c63ec81bf6bcd5dcc180cd1adfc

Multiple Vulnerabilities in CA ARCserve for Laptops & Desktops

Release Date:
September 20, 2007

Date Reported:
June 5, 2007

Severity:
High (Remote Code Execution)

Vendor:
Computer Associates (CA)

Systems Affected:
CA ARCserve Backup for Laptops and Desktops r11.5
CA ARCserve Backup for Laptops and Desktops r11.1 SP2
CA ARCserve Backup for Laptops and Desktops r11.1 SP1
CA ARCserve Backup for Laptops and Desktops r11.1
CA ARCserve Backup for Laptops and Desktops r11.0
CA ARCserve Backup for Laptops and Desktops r4.0
CA Desktop Management Suite 11.2
CA Desktop Management Suite 11.1
CA Desktop Management Suite 11.0
CA Protection Suites r2

Overview:
eEye Digital Security has discovered multiple vulnerabilities within CA
ARCserve for Laptops & Desktops (L&D), an enterprise-level backup
software suite designed for workstations. The vulnerabilities can be
utilized by an attacker to execute arbitrary code on a remote system
anonymously over TCP/1900.


Technical Details:
ARCserve L&D uses TCP/1900 as its "RPC" interface to manage ARCserve L&D
servers. An example of sample benign traffic follows:

0000000027rxrLogin~~administrator
---------------------------------------------
Field 1: 10-digit base10 command length field ("0000000027")
Field 2: RPC command ("rxrLogin")
Field 3: Constant Argument Delimiter ("~~")
Field 4: Argument ("administrator")

Vulnerability #1: Authentication Username Overflow
A stack-based buffer overflow exists within the authentication portion
of rxRPC.dll which is accessible via TCP/1900. A sample legitimate
authentication packet resembles the following:

0000000013rxrLogin~~administrator

The single argument ("administrator") is copied into a 0x1AC-byte stack
buffer using wsprintfW, but no string length check is performed. Sending
an overly long username in the first authentication request therefore
reaches an exploitable condition.


Vulnerability #2: Authentication Password Overflow
Another stack-based buffer overflow exists within the authentication
portion of rxRPC.dll which is accessible via TCP/1900. A sample
legitimate authentication request with a password resembles the
following:

1: 0000000030rxrLogin~~administrator~~0000200
2: MyPasswordIs1234

The second argument of the first rxrLogin request defines the length of
the password that will be sent in the following request. Although this
does verify that the length of the password string in the second request
is the correct length, there is no bounds checking on the potential
length of a password. If a long password length is specified, along
with a long password delivered in the second request, the long password
will overflow a stack-based buffer used for the destination of the
password string, causing an exploitable condition.
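The framing described under Technical Details (10-digit length, command, "~~"-delimited arguments) and the two login-length problems above can be checked on the wire before a frame ever reaches the service. The following is an added example written for this page, not eEye's or CA's code: a small frame parser plus an inspection routine that flags an rxrLogin whose username approaches the 0x1AC-byte buffer the advisory names, or whose declared password length is implausibly large. The thresholds and the sample frames are constructed assumptions; the product's real limits are not stated in the advisory.

```python
"""Frame parser and login sanity checks for the ARCserve L&D TCP/1900 format.

Added example, not code from the advisory or from CA. Frame layout taken from
the advisory: 10 ASCII digits (decimal length), command name, then arguments
separated by "~~". Thresholds below are assumptions derived from the 0x1AC
stack buffer size the advisory reports for the username.
"""
from dataclasses import dataclass, field
from typing import List

DELIM = "~~"
LEN_FIELD = 10
MAX_USERNAME = 0x1AC           # assumed: size of the stack buffer per advisory
MAX_DECLARED_PASSWORD = 0x1AC  # assumed: product limit not stated


class FrameError(ValueError):
    """Raised when the 10-digit length prefix is missing or not numeric."""


@dataclass
class RpcMessage:
    declared_len: int
    command: str
    args: List[str] = field(default_factory=list)


def parse_rpc_message(data: bytes) -> RpcMessage:
    """Split one frame into its declared length, command and argument list."""
    if len(data) < LEN_FIELD or not data[:LEN_FIELD].isdigit():
        raise FrameError("missing or non-numeric length field")
    declared = int(data[:LEN_FIELD])
    # latin-1 maps every byte to one character, so odd bytes never raise here
    parts = data[LEN_FIELD:].decode("latin-1").split(DELIM)
    return RpcMessage(declared_len=declared, command=parts[0], args=parts[1:])


def inspect_login(msg: RpcMessage) -> List[str]:
    """Return human-readable findings for an rxrLogin frame (empty = clean).

    Checks the two conditions the advisory describes: an oversized username
    (Vulnerability #1) and an oversized declared password length that the
    second request will then be allowed to fill (Vulnerability #2).
    """
    findings: List[str] = []
    if msg.command != "rxrLogin":
        return findings
    if not msg.args:
        findings.append("rxrLogin without a username argument")
        return findings
    user_len = len(msg.args[0])
    if user_len >= MAX_USERNAME:
        findings.append(f"username length {user_len} >= {MAX_USERNAME:#x}")
    if len(msg.args) >= 2:
        declared_pw = msg.args[1]
        if not declared_pw.isdigit():
            findings.append("password length field is not numeric")
        elif int(declared_pw) > MAX_DECLARED_PASSWORD:
            findings.append(
                f"declared password length {int(declared_pw)} > {MAX_DECLARED_PASSWORD:#x}"
            )
    return findings


# Constructed sample frames (lengths computed for these payloads; not captures).
BENIGN = b"0000000023rxrLogin~~administrator"
LONG_USER = b"0000000522rxrLogin~~" + b"A" * 512
BIG_PW_LEN = b"0000000033rxrLogin~~administrator~~99999999"


def scan(frames):
    """Convenience wrapper: map each frame to its findings list."""
    return [inspect_login(parse_rpc_message(f)) for f in frames]


if __name__ == "__main__":
    for frame, result in zip((BENIGN, LONG_USER, BIG_PW_LEN), scan((BENIGN, LONG_USER, BIG_PW_LEN))):
        print(frame[:40], "->", result or "clean")
```

Because the first rxrLogin frame is unauthenticated, a network sensor in front of TCP/1900 can apply `inspect_login` to every session start; the second (password) frame need not be parsed to raise the alert, since the declared length alone is the tell.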


Vulnerability #3: Authentication Password Integer Overflow
Another stack-based overflow exists within the authentication portion of
rxRPC.dll which is accessible via TCP/1900. A sample legitimate
authentication request with a useless password resembles the following:

1: 0000000030rxrLogin~~administrator~~18
2: 000000000000000000

The encrypted password is virtually useless as a password. However,
surprisingly, it does offer access to an exploitable condition:

.text:00231F24 mov cl, [esi+8]
.text:00231F27 and ecx, 0x0F
.text:00231F2A add esp, 8
.text:00231F2D dec ecx ; XXXX Integer Overflow If ECX = 0
.text:00231F2E mov [esp+0x7C+var_6C], eax
.text:00231F32 mov dwPasswordCopyLength, ecx
.text:00231F38 mov eax, ecx
.text:00231F3A lea esi, [esp+0x7C+var_6C]
.text:00231F3E mov edi, ebx
.text:00231F40 shr ecx, 2
.text:00231F43 rep movs ; XXXX EXCEPTION: HITS PAGE BOUNDARY XXXX

The data in the source buffer contains a lot of uncontrollable data.
However, a copy of the username also exists within the source buffer, so
this can be utilized to overwrite the exception handler if a long
username is specified in the original packet.
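The arithmetic in the listing above is easy to misread, so here is an added illustration (not code from the advisory) that emulates the ECX computation with 32-bit wraparound: `and ecx, 0x0F` keeps the low nibble of the length byte, `dec ecx` wraps to 0xFFFFFFFF when that nibble is zero, and `shr ecx, 2` turns it into a DWORD count for `rep movs`. A checked variant shows the one test that would have avoided it. The length bytes fed in are constructed values.

```python
"""Emulation of the ECX length computation from the advisory's disassembly.

Added example, not code from the advisory. Models the sequence
    and ecx, 0x0F ; dec ecx ; shr ecx, 2 ; rep movs
on a 32-bit register to show why a zero low nibble produces a huge copy.
"""
from typing import Optional

MASK32 = 0xFFFFFFFF


def copy_dword_count(length_byte: int) -> int:
    """DWORDs that 'rep movs' would copy, following the vulnerable sequence."""
    ecx = length_byte & 0x0F        # and ecx, 0x0F
    ecx = (ecx - 1) & MASK32        # dec ecx: wraps when ecx was 0
    return ecx >> 2                 # shr ecx, 2


def copy_byte_count(length_byte: int) -> int:
    """Bytes moved by 'rep movs' (DWORD copies); illustrates the page-boundary fault."""
    return copy_dword_count(length_byte) * 4


def copy_dword_count_checked(length_byte: int) -> Optional[int]:
    """Same computation with the missing zero check; None means 'reject the request'."""
    n = length_byte & 0x0F
    if n == 0:
        return None
    return (n - 1) >> 2


if __name__ == "__main__":
    for b in (0x05, 0x01, 0x10):
        print(f"length byte {b:#04x}: vulnerable={copy_dword_count(b):#x} "
              f"dwords, checked={copy_dword_count_checked(b)}")
```

With a zero nibble the vulnerable path asks for 0x3FFFFFFF DWORDs (just under 4 GiB), so the copy runs off the end of whatever mapping the stack lives in, which is the "hits page boundary" exception the listing annotates; the copy stops only when the process faults, and the bytes written before that are what overwrite the exception handler.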


Vulnerability #4: Arbitrary File Upload
An arbitrary file upload vulnerability exists within unauthenticated
communication with rxRPC.dll, accessible via TCP/1900. A sample file
upload request resembles the following:

1: 0000000056rxrReceiveFileFromServer~~8~~test1234.txt~~4~~3675727989
2: 0000000031~~<file_contents>

The first parameter of the request specifies the sub-command of
rxrReceiveFileFromServer. The number "8" specifies that a file will be
uploaded to the ARCserve L&D installation directory. The second
argument specifies the file destination name. The third argument
specifies the length of the destination file. The fifth argument
specifies the CRC32 hash of the incoming file.

rxRPC.dll, however, does not guard against directory traversal in
sub-function "8". By placing "..\" in the filename, an arbitrary file
can therefore be written to an arbitrary directory with SYSTEM-level
privileges. This also yields immediate code execution: ARCserve L&D's
"security.dll" can be overwritten through this "functionality" and is
then loaded into memory by a subsequent rxrLogin request, which injects
the potentially-malicious "security.dll" into the ARCserve L&D process.
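The fix the advisory implies for sub-function "8" is to resolve the destination name against the installation directory and refuse anything that lands outside it; the advisory also shows that staying inside the directory is not enough when the target is a DLL the service loads. The following is an added example, not CA's code, of such a check written against Windows path rules with `ntpath` so it behaves the same on any platform. The installation directory, the protected-file list and the test names are constructed assumptions.

```python
"""Destination-name validation for an upload that must stay inside a base directory.

Added example, not code from the advisory or from CA. Uses ntpath so the
Windows semantics (backslashes, drive letters, rooted paths) apply wherever
this runs. INSTALL_DIR and PROTECTED are constructed placeholders.
"""
import ntpath
from typing import Optional

INSTALL_DIR = r"C:\Program Files\CA\ARCserve LD"   # constructed placeholder
# Files the service itself loads; the advisory names security.dll as the one
# that gets overwritten and then pulled in by the next rxrLogin.
PROTECTED = {"security.dll"}


def resolve_upload_target(name: str, install_dir: str = INSTALL_DIR) -> Optional[str]:
    """Return the normalized destination path, or None if the name must be rejected.

    Rejects empty names, embedded NULs, rooted or drive-qualified names, any
    name that escapes install_dir after normalization (this is what catches
    "..\\" traversal, including mixed "/" and "\\" separators), and any name
    that would overwrite a protected file inside the directory.
    """
    if not name or "\x00" in name:
        return None
    # Explicit check for a leading separator: ntpath.isabs() treats a lone
    # leading slash differently across Python versions, so do not rely on it.
    if name[0] in "\\/" or ntpath.splitdrive(name)[0]:
        return None
    base = ntpath.normcase(ntpath.normpath(install_dir))
    target = ntpath.normpath(ntpath.join(install_dir, name))
    folded = ntpath.normcase(target)
    # Must be strictly below the base directory: equal to it, or outside it, fails.
    if folded == base or not folded.startswith(base + "\\"):
        return None
    if ntpath.basename(folded) in PROTECTED:
        return None
    return target


if __name__ == "__main__":
    for candidate in ("test1234.txt", r"logs\..\report.txt", r"..\..\Windows\notes.txt",
                      "sub/../../x.txt", "security.dll", r"\rooted.txt", "D:data.txt"):
        print(f"{candidate!r:32} -> {resolve_upload_target(candidate)}")
```

Normalizing first and then comparing the prefix is what makes the check robust: a string scan for "..\" alone misses forward-slash and mixed-separator variants, whereas `ntpath.normpath` collapses every form before the containment test runs. The protected-name check is the second half of the advisory's point; without it, a well-contained write can still replace a module the process loads on the next login.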


Vulnerability #5: 8 Similar Buffer Overflows
Buffer overflow vulnerabilities exist within 8 other functions
accessible remotely via TCP/1900. For brevity's sake, exploitable
samples follow:

rxsUseLicenseIni~~<overflow>
rxsLicGetSiteId~~<overflow>
rxsGetLogFileNames~~<overflow>~~40000
rxsGetBackupLog~~aa~~<overflow>~~40000
rxsBackupComplete~~aa~~aa~~aa~~<overflow>~~aa
rxsSetDataGrowthScheduleAndFilter~~aa~~aa~~aa~~aa~~<overflow>
rxsSetDefaultConfigName~~<overflow>

rxrSetMessageLogSettings~~65~~45~~79~~65~~<overflow>~~52~65~73~65~61~72~63~68~21


The only form of mitigation for these vulnerabilities is to disable
TCP/1900 at the host-level, or to uninstall ARCserve L&D server
installations.


Protection:
Blink - Unified Client Security has proactively protected from these
vulnerabilities since their discovery.
Retina - Network Security Scanner has been updated to identify these
vulnerabilities.

Vendor Status:
Computer Associates released patches for these vulnerabilities. These
patches are available here:
http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/caarcservebld-securitynotice.asp

Credit:
Matt Oh, Andre Derek Protas, Yuji Ukai

Related Links:
Preview - Advanced Security Intelligence - http://www.eeye.com/preview
Retina - Network Security Scanner - Free Trial:
http://www.eeye.com/html/products/retina/download/index.html
Blink - Unified Client Security Personal - Free For Home Use:
http://www.eeye.com/html/products/blink/personal/download/index.html
Blink - Unified Client Security Professional - Free Trial:
http://www.eeye.com/html/products/blink/download/index.html

Greetings:
Matt: Bugtruck subscribers
Andre: GLin, Maif, SuperSoederBros, TheClaw, TheBear, DragonKick, Hugo's
Drawers, Moti, Rolf, and the many eEye Ninjas Past ^ Present Keeping It
Real
Yuji: fourteenfourty.jp

Copyright (c) 1998-2007 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are no warranties, implied or express, with regard to this
information. In no event shall the author be liable for any direct or
indirect damages whatsoever arising out of or in connection with the use
or spread of this information. Any use of this information is at the
user's own risk.