CA Multiple Product DBASVR RPC Server Pointer Arithmetic VulnerablitiesTPTI-07-19: October 16th, 2007
BrightStor ARCserve Backup r11
BrightStor Enterprise Backup r10
BrightStor ARCserve Backup r9
Server Protection Suite r2
Business Protection Suite r2
TippingPoint™ IPS Customer ProtectionTippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 5705. For further product information on the TippingPoint IPS:
Vulnerability DetailsThese vulnerabilities allow remote attackers to execute arbitrary code on vulnerable installations of Computer Associates BrightStor ARCserve Backup, Enterprise Backup, Server Protection Suite and Business Protection Suite. Authentication is not required to exploit these vulnerabilities and both client and servers are affected.
The problem specifically exists within DBASVR.exe, the Backup Agent RPC Server. This service exposes a number of vulnerable RPC routines through a TCP endpoint with ID 88435ee0-861a-11ce-b86b-00001b27f656 on port 6071. The vulnerable routines include at least opcodes 0x04, 0x0c, 0x10, 0x12 and 0x13. The vulnerability in the case of each of the listed opcodes is that a user-supplied DWORD is used in the pointer calculation of a source string that is later copied, without bounds checking, to a 256-byte stack based buffer.
Vendor ResponseComputer Associates has issued an update to correct this vulnerability. More details can be found at:
2006-11-01 - Vulnerability reported to vendor
2007-10-16 - Coordinated public release of advisory