Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.ARCSERVE_TAPEENGINE_MULTIPLE.NASL
HistoryJan 12, 2007 - 12:00 a.m.

CA BrightStor ARCserve Backup Tape Engine Multiple Remote Overflows (QO84983)

2007-01-1200:00:00
This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
www.tenable.com
16
JSON

This host is running BrightStor ARCServe for Windows.

The remote version of this software has multiple buffer overflow vulnerabilities in the Tape Engine MSRPC service.

An attacker, by sending a specially crafted packet, may be able to crash the affected service or execute code on the remote host.

#
# (C) Tenable Network Security, Inc.
#

# BAB r11.5 - QO84983
# BAB r11.1 - QO84984
# BAB r11.0 - QI82917
# BEB r10.5 - QO84986
# BAB v9.01 - QO84985


include("compat.inc");

if (description)
{
 script_id(24013);
 script_version("1.21");
 script_cvs_date("Date: 2018/11/15 20:50:26");

 script_cve_id("CVE-2006-6076", "CVE-2007-0168", "CVE-2007-0169");
 script_bugtraq_id(21221, 22006, 22010);

 script_name(english:"CA BrightStor ARCserve Backup Tape Engine Multiple Remote Overflows (QO84983)");
 script_summary(english:"Check buffer overflow in BrightStor ARCServe for Windows");

 script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host.");
 script_set_attribute(attribute:"description", value:
"This host is running BrightStor ARCServe for Windows.

The remote version of this software has multiple buffer overflow
vulnerabilities in the Tape Engine MSRPC service. 

An attacker, by sending a specially crafted packet, may be able to
crash the affected service or execute code on the remote host.");
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?543ab108");
 script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/452222/30/0/threaded");
 script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-07-002/");
 script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-07-004/");
 # https://web.archive.org/web/20070117230030/http://supportconnectw.ca.com/public/storage/infodocs/babimpsec-notice.asp
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9fda01ee");
 script_set_attribute(attribute:"solution", value:"Apply security patch QO84983.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'CA BrightStor ARCserve Message Engine Buffer Overflow');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

 script_set_attribute(attribute:"plugin_publication_date", value:"2007/01/12");
 script_set_attribute(attribute:"patch_publication_date", value:"2007/01/11");
 script_set_attribute(attribute:"vuln_publication_date", value:"2006/10/07");

 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:ca:arcserve_backup");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_family(english:"Windows");
 script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");

 script_require_ports(6502);
 exit(0);
}


include ('smb_func.inc');

function RPC_Bind ()
{
 local_var ret, resp, soc;

 soc = session_get_socket ();

 ret = dce_rpc_bind(cid:session_get_cid(), uuid:"62b93df0-8b02-11ce-876c-00805f842837", vers:1);
 send (socket:soc, data:ret);
 resp = recv (socket:soc, length:4096);

 if (!resp)
   return -1;

 ret = dce_rpc_parse_bind_ack (data:resp);
 if (isnull (ret) || (ret != 0))
   return -1;

 return 0;
}


function RPCNewFSDevice ()
{
 local_var data, ret, resp, val, soc;

 soc = session_get_socket ();

 session_set_unicode (unicode:0);

 data = 
	raw_dword (d:1) +
	class_name (name:crap(data:"A", length:0x10)) ;

 session_set_unicode (unicode:1);

 ret = dce_rpc_request (code:0xCF, data:data);
 send (socket:soc, data:ret);
 resp = recv (socket:soc, length:4096);

 resp = dce_rpc_parse_response (data:resp);
 if (strlen(resp) != 4)
   return 0;

 # patch -> if (strlen(s) > 8) return 0x1d
 val = get_dword (blob:resp, pos:0);
 if (val != 0x1d)
   return 1;

 return 0;
}



port = 6502;
if ( ! get_port_state(port) ) exit(0);
soc = open_sock_tcp (port);
if (!soc) exit (0);

session_init (socket:soc);

ret = RPC_Bind ();
if (ret != 0)
  exit (0);

ret = RPCNewFSDevice ();
if (ret != 0)
  security_hole(port);

close (soc);
VendorProductVersionCPE
caarcserve_backupcpe:/a:ca:arcserve_backup

Related

securityvulns 6
nessus 2
saint 20
cert 4
cve 4
checkpoint_advisories 5
packetstorm 2
prion 3
zdi 3
securityvulns
securityvulns
[CAID 34955, 34956, 34957, 34958, 34959, 34817]: CA BrightStor ARCserve Backup Multiple Overflow Vulnerabilities
2007-01-12 00:00:00
ZDI-07-002: CA BrightStor ARCserve Backup Tape Engine Code Execution Vulnerability
2007-01-12 00:00:00
ZDI-07-003: CA BrightStor ARCserve Backup Message Engine Buffer Overflow Vulnerability
2007-01-12 00:00:00
nessus
nessus
CA BrightStor ARCserve Backup Multiple Vulnerabilities (QO84983)
2007-01-15 00:00:00
CA BrightStor ARCserve Backup Tape Engine and Portmapper Multiple Vulnerabilities (QO86255)
2007-03-16 00:00:00
saint
saint
BrightStor ARCserve Backup Tape Engine GetGroupStatus buffer overflow
2006-12-22 00:00:00
BrightStor ARCserve Backup Tape Engine GetGroupStatus buffer overflow
2006-12-22 00:00:00
BrightStor ARCserve Backup Tape Engine ReserveGroup buffer overflow
2006-12-26 00:00:00
cert
cert
Computer Associates BrightStor ARCserve Backup Tape Engine fails to properly handle RPC requests
2006-11-22 00:00:00
CA BrightStor ARCserve Backup Tape Engine directly calls user supplied data in RPC requests
2007-01-12 00:00:00
CA BrightStor ARCserve Backup Tape Engine RPC buffer overflow
2007-01-12 00:00:00
cve
cve
CVE-2006-6076
2006-11-24 17:07:00
CVE-2007-0168
2007-01-11 22:28:00
CVE-2007-0169
2007-01-11 22:28:00
checkpoint_advisories
checkpoint_advisories
CA BrightStor Tape Engine Buffer Overflow - Ver2 (CVE-2006-6076)
2014-04-16 00:00:00
CA BrightStor ARCserve Backup Tape Engine RPC Code Execution (CVE-2007-0168)
2010-08-11 00:00:00
CA BrightStor ARCserve Backup Tape Engine RPC Opcode 207 Buffer Overflow (CVE-2007-0169)
2010-08-29 00:00:00
packetstorm
packetstorm
CA BrightStor ARCserve Tape Engine Buffer Overflow
2009-11-26 00:00:00
CA BrightStor ARCserve Message Engine Buffer Overflow
2009-11-26 00:00:00
prion
prion
Cross site request forgery (csrf)
2007-01-11 22:28:00
Buffer overflow
2007-01-11 22:28:00
Memory corruption
2007-03-16 23:19:00
zdi
zdi
CA BrightStor ARCserve Backup Tape Engine Code Execution Vulnerability
2007-01-11 00:00:00
CA BrightStor ARCserve Backup Message Engine Buffer Overflow Vulnerability
2007-01-11 00:00:00
CA BrightStor ARCserve Backup Tape Engine Buffer Overflow Vulnerability
2007-01-11 00:00:00
JSON
Related for ARCSERVE_TAPEENGINE_MULTIPLE.NASL
securityvulns6nessus2saint20cert4cve4checkpoint_advisories5packetstorm2prion3zdi3