Multiple Vulnerabilities in CA ARCserve for Laptops & Desktops Release Date: September 20, 2007 Date Reported: June 5, 2007 Severity: High (Remote Code Execution) Vendor: Computer Associates (CA) Systems Affected: CA ARCserve Backup for Laptops and Desktops r11.5 CA ARCserve Backup for Laptops and Desktops r11.1 SP2 CA ARCserve Backup for Laptops and Desktops r11.1 SP1 CA ARCserve Backup for Laptops and Desktops r11.1 CA ARCserve Backup for Laptops and Desktops r11.0 CA ARCserve Backup for Laptops and Desktops r4.0 CA Desktop Management Suite 11.2 CA Desktop Management Suite 11.1 CA Desktop Management Suite 11.0 CA Protection Suites r2 Overview: eEye Digital Security has discovered multiple vulnerabilities within CA ARCserve for Laptops & Desktops (L&D), an enterprise-level backup software suite designed for workstations. The vulnerabilities can be utilized by an attacker to execute arbitrary code on a remote system anonymously over TCP/1900. Technical Details: ARCserve L&D uses TCP/1900 as its "RPC" interface to manage ARCserve L&D servers. An example of sample benign traffic follows: 0000000027rxrLogin~~administrator --------------------------------------------- Field 1: 10-digit base10 command length field ("0000000027") Field 2: RPC command ("rxrLogin") Field 3: Constant Argument Delimiter ("~~") Field 4: Argument ("administrator") Vulnerability #1: Authentication Username Overflow A stack-based buffer overflow exists within the authentication portion of rxRPC.dll which is accessible via TCP/1900. A sample legitimate authentication packet resembles the following: 0000000013rxrLogin~~administrator The single argument ("administrator") is copied into a buffer size of 0x1AC on the stack using wsprintfW, however no string length checks are performed. By sending an overly long username as part of the first authentication request, an exploitable condition is reached. Vulnerability 2: Authentication Password Overflow Another stack-based buffer overflow exists within the authentication portion of rxRPC.dll which is accessible via TCP/1900. A sample legitimate authentication request with a password resembles the following: 1: 0000000030rxrLogin~~administrator~~0000200 2: MyPasswordIs1234 The second argument of the first rxrLogin request defines the length of the password that will be sent in the following request. Although this does verify that the length of the password string in the second request is the correct length, there is no bounds checking on the potential length of a password. If a long password length is specified, along with a long password delivered in the second request, the long password will overflow a stack-based buffer used for the destination of the password string, causing an exploitable condition. Vulnerability #3: Authentication Password Integer Overflow Another stack-based overflow exists within the authentication portion of rxRPC.dll which is accessible via TCP/1900. A sample legitimate authentication request with a useless password resembles the following: 1: 0000000030rxrLogin~~administrator~~18 2: 000000000000000000 The encrypted password is virtually useless as a password. However, surprisingly, it does offer access to an exploitable condition: .text: 00231F24 mov cl, [esi+8] .text: 00231F27 and ecx, 0x0F .text: 00231F2A add esp, 8 .text: 00231F2D dec ecx ; XXXX Integer Overflow If ECX = 0 .text: 00231F2E mov [esp+0x7C+var_6C], eax .text: 00231F32 mov dwPasswordCopyLength, ecx .text: 00231F38 mov eax, ecx .text: 00231F3A lea esi, [esp+0x7C+var_6C] .text: 00231F3E mov edi, ebx .text: 00231F40 shr ecx, 2 .text: 00231F43 rep movs ; XXXX EXCEPTION: HITS PAGE BOUNDARY XXXX The data in the source buffer contains a lot of uncontrollable data. However, a copy of the username also exists within the source buffer, so this can be utilized to overwrite the exception handler if a long username is specified in the original packet. Vulnerability #4: Arbitrary File Upload An arbitrary file upload vulnerability exists within unauthenticated communication with rxRPC.dll, accessible via TCP/1900. A sample file upload request resembles the following: 1: 0000000056rxrReceiveFileFromServer~~8~~test1234.txt~~4~~3675727989 2: 0000000031~~ The first parameter of the request specifies the sub-command of rxrReceiveFileFromServer. The number "8" specifies that a file will be uploaded to the ARCserve L&D installation directory. The second argument specifies the file destination name. The third argument specifies the length of the destination file. The fifth argument specifies the CRC32 hash of the incoming file. rxRPC.dll however does not protect against directory traversals via sub-function "8". So, by using "..\" within the filename, an arbitrary file can be written to an arbitrary directory using SYSTEM-level privileges. To foster immediate exploitability, ARCserve L&D's "security.dll" can be overwritten using this "functionality", and can then be immediately loaded into memory by calling another rxrLogin request, which would now inject the potentially-malicious "security.dll" into the ARCserve L&D process. Vulnerability #5: 8 Similar Buffer Overflows Buffer overflow vulnerabilities exist within 8 other functions accessible remotely via TCP/1900. For brevity's sake, exploitable samples follow: rxsUseLicenseIni~~ rxsLicGetSiteId~~ rxsGetLogFileNames~~~~40000 rxsGetBackupLog~~aa~~~~40000 rxsBackupComplete~~aa~~aa~~aa~~~~aa rxsSetDataGrowthScheduleAndFilter~~aa~~aa~~aa~~aa~~ rxsSetDefaultConfigName~~ rxrSetMessageLogSettings~~65~~45~~79~~65~~~~52~65~73~65~61~72~ 63~68~21 The only form of mitigation for these vulnerabilities is to disable TCP/1900 at the host-level, or to uninstall ARCserve L&D server installations. Protection: Blink - Unified Client Security has proactively protected from these vulnerabilities since their discovery. Retina - Network Security Scanner has been updated to identify these vulnerabilities. Vendor Status: Computer Associates released patches for these vulnerabilities. These patches are available here: http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/caarcserveb ld-securitynotice.asp. Credit: Matt Oh, Andre Derek Protas, Yuji Ukai Related Links: Preview - Advanced Security Intelligence - http://www.eeye.com/preview Retina - Network Security Scanner - Free Trial: http://www.eeye.com/html/products/retina/download/index.html Blink - Unified Client Security Personal - Free For Home Use: http://www.eeye.com/html/products/blink/personal/download/index.html Blink - Unified Client Security Professional - Free Trial: http://www.eeye.com/html/products/blink/download/index.html Greetings: Matt: Bugtruck subscribers Andre: GLin, Maif, SuperSoederBros, TheClaw, TheBear, DragonKick, Hugo's Drawers, Moti, Rolf, and the many eEye Ninjas Past ^ Present Keeping It Real Yuji: fourteenfourty.jp Copyright (c) 1998-2007 eEye Digital Security Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.