CA ARCserve Backup for Laptops and Desktops LGServer password integer overflow

2008-11-28T00:00:00
ID SAINT:45503A76601FACFC0D9030D85D5CFB2C
Type saint
Reporter SAINT Corporation
Modified 2008-11-28T00:00:00

Description

Added: 11/28/2008
CVE: CVE-2007-5004
BID: 24348
OSVDB: 41352

Background

BrightStor ARCserve Backup for Laptops and Desktops is an automated backup solution optimized for low-bandwidth, intermittent network connections.

Problem

An integer overflow vulnerability allows remote attackers to execute arbitrary commands by sending a specially crafted authentication password to the LGServer service.

Resolution

Apply the appropriate update referenced in the CA Security Notice.

References

<http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35675>
<http://archives.neohapsis.com/archives/bugtraq/2007-09/0287.html>

Limitations

Exploit works on CA ARCserve Backup for Laptops and Desktops 11.1 SP2.

This exploit does not work on Windows Server 2003 with DEP enabled.

Platforms

Windows 2000
Windows Server 2003