List: full-disclosure
Subject: Re: [Full-disclosure] ZDI-07-069: CA BrightStor ARCserve Backup
From: "cocoruder." <frankruder () hotmail ! com>
Date: 2007-11-28 3:32:51
Message-ID: BAY129-W428706E527C59FDAB3AD08CB770 () phx ! gbl
It is so amazing that the vendor's advisory was released more than one month ago (see my advisory of a similar vul at http://ruder.cdut.net/blogview.asp?logID=221), and another thing is that I tested my reported vul again after CA's patch was released one month ago, but in fact they have not fixed it!! I reported it again to CA but there is no response. I guess CA is making an international joke with us :), or is it because this product is sooooooooo bad that they will not support it any more?

Welcome to my blog: http://ruder.cdut.net
> From: zdi-disclosures@3com.com
> To: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
> Date: Mon, 26 Nov 2007 16:10:30 -0600
> Subject: [Full-disclosure] ZDI-07-069: CA BrightStor ARCserve Backup Message Engine Insecure Method Exposure Vulnerability
>
> ZDI-07-069: CA BrightStor ARCserve Backup Message Engine Insecure Method
> Exposure Vulnerability
> http://www.zerodayinitiative.com/advisories/ZDI-07-069.html
> November 26, 2007
>
> -- CVE ID:
> CVE-2007-5328
>
> -- Affected Vendor:
> Computer Associates
>
> -- Affected Products:
> BrightStor ARCserve Backup r11.5
> BrightStor ARCserve Backup r11.1
> BrightStor ARCserve Backup r11.0
> BrightStor Enterprise Backup r10.5
> BrightStor ARCserve Backup v9.01
>
> -- TippingPoint(TM) IPS Customer Protection:
> TippingPoint IPS customers have been protected against this
> vulnerability by Digital Vaccine protection filter ID 5144.
> For further product information on the TippingPoint IPS:
>
> http://www.tippingpoint.com
>
> -- Vulnerability Details:
> This vulnerability allows attackers to arbitrarily access and modify the
> file system and registry of vulnerable installations of Computer
> Associates BrightStor ARCserve Backup. Authentication is not required
> to exploit this vulnerability.
>
> The specific flaw exists in the Message Engine RPC service which
> listens by default on TCP port 6504 with the following UUID:
>
> 506b1890-14c8-11d1-bbc3-00805fa6962e
>
> The service exposes a number of insecure method calls including: 0x17F,
> 0x180, 0x181, 0x182, 0x183, 0x184, 0x185, 0x186, 0x187, 0x188, 0x189,
> 0x18A, 0x18B, and 0x18C. Attackers can leverage these methods to
> manipulate both the file system and registry which can result in a
> complete system compromise.
>
> -- Vendor Response:
> Computer Associates has issued an update to correct this vulnerability.
> More details can be found at:
>
> http://supportconnectw.ca.com/public/storage/infodocs/basb-secnotice.asp
>
> -- Disclosure Timeline:
> 2007.01.12 - Vulnerability reported to vendor
> 2007.11.26 - Coordinated public release of advisory
>
> -- Credit:
> This vulnerability was discovered by Tenable Network Security.
>
> -- About the Zero Day Initiative (ZDI):
> Established by TippingPoint, The Zero Day Initiative (ZDI) represents
> a best-of-breed model for rewarding security researchers for responsibly
> disclosing discovered vulnerabilities.
>
> Researchers interested in getting paid for their security research
> through the ZDI can find more information and sign-up at:
>
> http://www.zerodayinitiative.com
>
> The ZDI is unique in how the acquired vulnerability information is used.
> 3Com does not re-sell the vulnerability details or any exploit code.
> Instead, upon notifying the affected product vendor, 3Com provides its
> customers with zero day protection through its intrusion prevention
> technology. Explicit details regarding the specifics of the
> vulnerability are not exposed to any parties until an official vendor
> patch is publicly available. Furthermore, with the altruistic aim of
> helping to secure a broader user base, 3Com provides this vulnerability
> information confidentially to security vendors (including competitors)
> who have a vulnerability protection or mitigation product.
>
> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,
> is being sent by 3Com for the sole use of the intended recipient(s) and
> may contain confidential, proprietary and/or privileged information.
> Any unauthorized review, use, disclosure and/or distribution by any
> recipient is prohibited. If you are not the intended recipient, please
> delete and/or destroy all copies of this message regardless of form and
> any included attachments and notify 3Com immediately by contacting the
> sender via reply e-mail or forwarding to 3Com at postmaster@3com.com.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
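The quoted advisory says the Message Engine RPC service listens on TCP port 6504 and that its exposed methods need no authentication, so the practical defender question while a fix is unverified (as the reply above complains) is which hosts can actually reach that port. The following is an added example, not code from the ZDI advisory, from CA or from the poster: it reads a constructed, space-separated connection log (timestamp, action, protocol, src:port, dst:port; the format is an assumption, as are the allowlist of legitimate backup clients and the internal network ranges) and flags every accepted connection to port 6504 that did not come from an allowlisted host.

```python
"""Flag accepted connections to the ARCserve Message Engine port (TCP 6504).

Added defender-side example; not code from the ZDI advisory or from CA.
The log format, the allowlisted client addresses and the internal network
ranges are assumptions made for this example.
"""
import ipaddress
import re
from dataclasses import dataclass

# Port stated in the advisory for the Message Engine RPC service.
MESSAGE_ENGINE_PORT = 6504

# Constructed sample log: "timestamp action proto src:port dst:port".
SAMPLE_LOG = """\
2007-11-27T10:01:02Z ACCEPT TCP 10.0.5.12:51234 10.0.1.20:6504
2007-11-27T10:01:05Z ACCEPT TCP 172.16.9.3:41000 10.0.1.20:6504
2007-11-27T10:01:07Z ACCEPT TCP 10.0.5.12:51240 10.0.1.20:445
2007-11-27T10:02:11Z DENY   TCP 198.51.100.7:60000 10.0.1.20:6504
2007-11-27T10:02:30Z ACCEPT TCP 203.0.113.9:33333 10.0.1.20:6504
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    reason: str


def parse_line(line):
    """Return the parsed fields of one log line, or None if it is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_exposures(log_text, allowed_clients, internal_nets):
    """Return Findings for accepted TCP/6504 connections from non-allowlisted hosts.

    Denied connections are ignored (the firewall already stopped them); the
    reason distinguishes external sources from unexpected internal ones so
    the two can be triaged differently.
    """
    allowed = {ipaddress.ip_address(a) for a in allowed_clients}
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        if rec["dport"] != MESSAGE_ENGINE_PORT or rec["action"] != "ACCEPT":
            continue
        src = ipaddress.ip_address(rec["src"])
        if src in allowed:
            continue
        if any(src in net for net in nets):
            reason = "accepted from internal host not in backup allowlist"
        else:
            reason = "accepted from outside internal networks"
        findings.append(Finding(rec["ts"], rec["src"], rec["dst"], reason))
    return findings


if __name__ == "__main__":
    for f in find_exposures(SAMPLE_LOG, ["10.0.5.12"],
                            ["10.0.0.0/8", "172.16.0.0/12"]):
        print(f"{f.timestamp} {f.src} -> {f.dst}: {f.reason}")
```

On the constructed sample this reports two events: the internal host 172.16.9.3 that is not on the allowlist, and the external address 203.0.113.9. The denied external attempt and the SMB connection on port 445 are not reported, and the malformed line is skipped rather than aborting the run.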