TippingPoint Digital Vaccine Laboratories

CA Multiple Product DBASVR RPC Server Pointer Arithmetic Vulnerabilities

TPTI-07-19: October 16th, 2007

CVE ID

Affected Vendors

Affected Products

TippingPoint™ IPS Customer Protection

TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 5705. For further product information on the TippingPoint IPS:

Vulnerability Details

These vulnerabilities allow remote attackers to execute arbitrary code on vulnerable installations of Computer Associates BrightStor ARCserve Backup, Enterprise Backup, Server Protection Suite and Business Protection Suite. Authentication is not required to exploit these vulnerabilities, and both clients and servers are affected.

The problem specifically exists within DBASVR.exe, the Backup Agent RPC Server. This service exposes a number of vulnerable RPC routines through a TCP endpoint with ID 88435ee0-861a-11ce-b86b-00001b27f656 on port 6071. The vulnerable routines include at least opcodes 0x04, 0x0c, 0x10, 0x12 and 0x13. In each of the listed opcodes, a user-supplied DWORD is used in the pointer calculation of a source string that is later copied, without bounds checking, to a 256-byte stack-based buffer.
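The bug class described above, shown as an added illustration in C; this is not CA's code and not part of the original advisory. The `request` layout and the names `handle_unsafe` and `handle_safe` are hypothetical, chosen only to contrast the flawed pattern with a handler that validates the caller-supplied offset and bounds the copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NAME_BUF 256  /* size of the stack buffer named in the advisory */

/* Hypothetical request layout (an assumption, not the real RPC stub). */
struct request {
    const uint8_t *body;   /* start of the received payload              */
    size_t         len;    /* number of payload bytes actually received  */
    uint32_t       offset; /* caller-supplied DWORD, fully untrusted     */
};

/* Flawed pattern: the offset is trusted and the copy is unbounded. */
int handle_unsafe(const struct request *r, char *out /* NAME_BUF bytes */)
{
    const char *src = (const char *)r->body + r->offset; /* may leave body */
    strcpy(out, src);                                    /* no length check */
    return 0;
}

/* Hardened pattern: validate the offset, then bound the copy by both the
 * remaining payload and the destination size.
 * Returns 0 on success, -1 if the request is rejected. */
int handle_safe(const struct request *r, char *out, size_t out_sz)
{
    if (r->body == NULL || out == NULL || out_sz == 0)
        return -1;
    if ((size_t)r->offset >= r->len)          /* pointer must stay in body */
        return -1;

    const uint8_t *src = r->body + r->offset;
    size_t avail = r->len - r->offset;        /* bytes left after offset   */
    const uint8_t *nul = memchr(src, 0, avail);
    if (nul == NULL)                          /* unterminated string       */
        return -1;

    size_t n = (size_t)(nul - src);
    if (n >= out_sz)                          /* would overflow out[]      */
        return -1;

    memcpy(out, src, n + 1);                  /* includes the terminator   */
    return 0;
}
```

A caller would declare `char name[NAME_BUF];` and pass `sizeof name` as `out_sz`, treating a `-1` return as a malformed request to drop and log.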

Vendor Response

Computer Associates has issued an update to correct this vulnerability. More details can be found at:

Disclosure Timeline

    2006-11-01 - Vulnerability reported to vendor
    2007-10-16 - Coordinated public release of advisory

Credit

This vulnerability was discovered by: