Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

                          ESB-2007.0786 -- [Win]
    CA BrightStor ARCserve Backup Server Arbitrary Pointer Dereference
                              12 October 2007


        AusCERT Security Bulletin Summary

Product:              BrightStor ARCserve Backup
Publisher:            eEye Digital Security
Operating System:     Windows
Impact:               Execute Arbitrary Code/Commands
                      Increased Privileges
                      Denial of Service
Access:               Remote/Unauthenticated
CVE Names:            CVE-2007-5325 CVE-2007-5326 CVE-2007-5327
                      CVE-2007-5328 CVE-2007-5329 CVE-2007-5330
                      CVE-2007-5331 CVE-2007-5332

Original Bulletin:  

- --------------------------BEGIN INCLUDED TEXT--------------------

CA BrightStor ARCserve Backup Server Arbitrary Pointer Dereference

Release Date:
October 11, 2007

Date Reported:
June 18, 2007

High (Remote Code Execution)

Computer Associates (CA)

Systems Affected:
BrightStor ARCserve Backup 11.5
BrightStor ARCserve Backup 11.1
BrightStor ARCserve Backup 11.0
BrightStor ARCserve Backup 10.5
BrightStor ARCserve Backup 9.01

eEye Digital Security has discovered a remote vulnerability in CA
BrightStor ARCserve Backup Server that allows an attacker to execute
arbitrary code as SYSTEM without any user interaction.  The exploit is
extremely reliable and can be successfully delivered either across the
internet or within local networks via a random TCP port that is
disclosed by the BrightStor portmapper service on TCP/111.

Technical Details:
A remote vulnerability lies within Queue.dll (Version 11.5.4402.15 and
prior) when handling a malformed ONRPC protocol request sent to CA
BrightStor's ARCserve Backup message queuing service, LQserver.exe.
BrightStor uses a protocol similar to a simplified version of RPC called
ONCRPC (Open Network Computing Remote Procedure Calls) and is described
in the following RFCs: 1831, 1833, and 1832.  This vulnerability is only
achieved by calling operation 0x76 (Data Queue Request) under the
process id of 0x0006097d (LQserver.exe's unique Proc ID).  After
initiating this procedure, LQServer.exe then calls the vulnerable DLL
file, Queue.dll. This procedure inadvertently processes user supplied
data and then references that data as variables without any form of
sanitation of verification.  This is demonstrated below:

100161B0 	MOV EDX,DWORD PTR DS:[ECX+4]	; Move Arbitrary Pointer
#2 into EDX
100161B3 	PUSH EDX				; Push Arbitrary
Pointer #2 onto the Stack
100161B4 	MOV EAX,DWORD PTR SS:[EBP+8]	; Move (0x0113F8A8 the
address to Arbitrary
							; Pointer #1)
into EAX
100161B7 	MOV ECX,DWORD PTR DS:[EAX]	; Move Arbitrary Pointer
#1 into ECX
100161B9 	PUSH ECX				; Push Arbitrary
Pointer #1 onto the Stack
100161BA 	CALL QUEUE.10012816		; CALL Vulnerable DLL
1001281C 	CMP DWORD PTR SS:[EBP+8],0	; EBP + 8 points to
Arbitrary Pointer #1  - This makes 
							; sure our
pointer isn't NULL.
10012820 	JNZ SHORT QUEUE.10012829	; Since our pointer
isn't NULL we jump
10012829 	MOV EAX,DWORD PTR SS:[EBP+8]	; Load Arbitrary Pointer
#1 into EAX
1001282C   	MOV DWORD PTR SS:[EBP-4],EAX	; Write Arbitrary
Pointer into EBP-4 (0x00D39618)
1001282F   	CMP DWORD PTR DS:[10037884],0	; This checks for an
error message field - NULL 
							; signifies 'The
operation completed successfully'
10012836   	JE SHORT QUEUE.10012870		; Jump is taken
10012870  	MOV EAX,DWORD PTR SS:[EBP+C]	; Move Arbitrary Pointer
#2 into EAX
10012873	PUSH EAX				; Push Arbitrary
Pointer #2 onto the stack
10012874   	PUSH QUEUE.10037884		; Push NULL
10012879   	MOV ECX,DWORD PTR SS:[EBP-4]	; Move Arbitrary Pointer
#1 into ECX
1001287C   	MOV EDX,DWORD PTR DS:[ECX]	; Move Arbitrary Pointer
#1 into EDX
1001287E  	MOV ECX,DWORD PTR SS:[EBP-4]	; Move Arbitrary Pointer
#1 into ECX
10012881  	CALL DWORD PTR DS:[EDX]		; Call Arbitrary Pointer

At this point Arbitrary Pointer #1 is referenced and called by
Queue.dll, which can then in turn can reference Arbitrary Pointer #2.
After referencing Arbitrary Pointer #2, an attacker can completely
control code execution and redirect Queue.dll to execute to their own
payload.  After exploitation, LQserver.exe crashes and must be manually
restarted by the "CA Domain Server" service.

Blink - Unified Client Security has proactively protected from these
vulnerabilities since their discovery.
Retina - Network Security Scanner has been updated to identify these

Vendor Status:
Computer Associates released patches for these vulnerabilities. These
patches are available here:

Greg Linares

Big thanks to Dre and his underappreciated development software, The
Super Soeder Bros, Master Chief Maiffret, Silva, Casey, Will, H5N1,
Apocalypse Survivor Normalboy, Laughing Man, Jerome Athias, Roland and
Waldorf Music Gear, and to all the Giraffes In Wheelchairs.

Think you have what it takes to be an eEye Engineer?
eEye Digital Security is always looking for good engineers to add to its
R&D team. If you have a passion for real-world security research and the
drive to create enterprise class solutions, check out our open
positions: http://www.eeye.com/html/company/careers/index.html.
However, if you prefer to break software rather than make it, Research
is always taking resumes at skunkworks@eeye.com.

Related Links:
Preview - Advanced Security Intelligence - http://www.eeye.com/preview
Retina - Network Security Scanner - Free Trial:
Blink - Unified Client Security Personal - Free For Home Use:
Blink - Unified Client Security Professional - Free Trial:

Copyright (c) 1998-2007 eEye Digital Security Permission is hereby
granted for the redistribution of this alert electronically.  It is not
to be edited in any way without express consent of eEye.  If you wish to
reprint the whole or any part of this alert in any other medium
excluding electronic medium, please email alert@eEye.com for permission.

The information within this paper may change without notice.  Use of
this information constitutes acceptance for use in an AS IS condition.
There are no warranties, implied or express, with regard to this
information.  In no event shall the author be liable for any direct or
indirect damages whatsoever arising out of or in connection with the use
or spread of this information.  Any use of this information is at the
user's own risk.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

Comment: http://www.auscert.org.au/render.html?it=1967