BrightStor Discovery service buffer overflow (BrightStor_Discovery_UDP_Overflow)
About this signature or vulnerability
RealSecure Server Sensor, RealSecure Network Sensor:

This signature detects a specially crafted overflow request sent to port 41524/UDP.



Default risk level
High


Sensors that have this signature
RealSecure Server Sensor: XPU 24.31, RealSecure Network Sensor: XPU 24.31


Systems affected
Windows: 95, Windows: 98, Windows NT: 4.0, Windows: 98 Second Edition, Windows 2000: Any version, Windows: XP, Windows: Me, BrightStor ARCserve Backup for Windows: r11.1, BrightStor Enterprise Backup: 10.5, BrightStor ARCserve for NetWare: r11.1, BrightStor ARCserve Backup for Windows: 2000 Japanese, BrightStor ARCserve Backup for Windows: r11.0, BrightStor Enterprise Backup for Windows: v10.0, BrightStor ARCserve Backup for Windows: v9.0, BrightStor ARCserve Backup-Win(64 bit): r11.1, BrightStor ARCserve Backup-Win(64 bit): r11.0, BrightStor Enterprise Backup-Win(64 bit): v10.5, BrightStor ARCserve for NetWare: v9, Windows 2003: Any version


Type
Unauthorized Access Attempt

Vulnerability description
BrightStor ARCserve Backup, BrightStor Enterprise Backup and BrightStor ARCserve 2000 are vulnerable to a buffer overflow, caused by improper bounds checking in the Discovery service. A remote attacker could exploit this vulnerability to overflow a buffer and possibly cause a denial of service or execute arbitrary code on the system.


How to remove this vulnerability
For BrightStor ARCserve Backup v9.0, r11.0, and r11.1 for Windows:
Upgrade to the latest BrightStor ARCserve Backup for Windows, available from the BrightStor Web site. See References.

BrightStor Enterprise Backup version v10.0 and v10.5 for Windows:
Upgrade to the latest BrightStor Enterprise for Windows, available from the BrightStor Web site. See References.

BrightStor ARCserve Backup version r11.0 and r11.1 for Windows (64 Bit Edition):
Upgrade to the latest BrightStor ARCserve Backup for Windows, available from the BrightStor Web site. See References.

BrightStor Enterprise Backup v10.5 for Windows (64 Bit Edition):
Upgrade to the latest BrightStor Enterprise for Windows (64 Bit Edition), available from the BrightStor Web site. See References.

BrightStor ARCserve Backup v9.01 for Windows (64 Bit Edition):
Upgrade to the latest BrightStor Enterprise for Windows (64 Bit Edition), available from the BrightStor Web site. See References.

BrightStor ARCserve 2000 Backup for Windows (Japanese Only):
Upgrade to the latest BrightStor ARCserve 2000 Backup for Windows (Japanese), available from the BrightStor Web site. See References.

BrightStor ARCserve Backup v9 and r11.1 for NetWare:
Upgrade to the latest BrightStor ARCserve Backup for NetWare, available from the BrightStor Web site. See References.


Proof-of-concept code

msf cabrightstor_disco(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Attempting to exploit target cheyprod.dll 12/12/2003
[*] Sending 4096 bytes to remote host.
[*] Exiting Bind Handler.


Detection event

BrightStor_Discovery_UDP_Overflow



References
Secunia Security Advisory: SA14183
BrightStor ARCserve Backup Discovery Service Buffer Overflow
http://secunia.com/advisories/14183/

BrightStor updates Web site
BrightStor updates
http://supportconnect.ca.com/sc/support/Index

US-CERT Vulnerability Note VU#864801
Computer Associates BrightStor ARCserve Backup Discovery Service vulnerable to buffer overflow
http://www.kb.cert.org/vuls/id/864801

ISS X-Force
BrightStor Discovery service buffer overflow
http://www.iss.net/security_center/static/19251.php

CVE
CVE-2005-0260
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0260