nessus | This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. | ARCSERVE_UNIVERSALAGENT_OVERFLOW.NASL
History: Apr 13, 2005 - 12:00 a.m.

CA BrightStor ARCserve Backup Universal Agent Remote Overflow (QO66526)

2005-04-13 00:00:00
This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
www.tenable.com
41

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.965

Percentile

99.6%

This host is running the BrightStor ARCserve Backup Universal Agent.

The version of this software installed on the remote host is affected by a buffer overflow vulnerability.

By sending a specially crafted packet, an attacker may be able to execute code on the remote host.

#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if (description)
{
  # Registration pass: the scanner runs this branch only to collect plugin
  # metadata; the exit(0) at the end keeps the network check from running here.

  # Plugin identity and revision.
  script_id(18041);
  script_version("1.21");
  script_cvs_date("Date: 2018/11/15 20:50:26");

  # External references for the issue.
  script_cve_id("CVE-2005-1018");
  script_bugtraq_id(13102);
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/395512");

  script_name(english:"CA BrightStor ARCserve Backup Universal Agent Remote Overflow (QO66526)");

  # Report text shown to the analyst.
  script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host.");
  script_set_attribute(attribute:"description", value:
"This host is running BrightStor ARCServe UniversalAgent.

The remote version of this software is affected by a buffer overflow
vulnerability. 

An attacker, by sending a specially crafted packet, may be able to
execute code on the remote host." );
  # NOTE(review): the solution text still says "when available", while the
  # temporal vector below records RL:OF (official fix). The QO66526 token in
  # the plugin name looks like the vendor fix reference - confirm, and point
  # remediation at it.
  script_set_attribute(attribute:"solution", value:"Upgrade to the newest version of this software, when available");

  # Risk scoring.
  # NOTE(review): confidentiality, integrity and availability are rated
  # Complete here, whereas the CVSS2 summary published alongside this plugin
  # lists AV:N/AC:L/Au:N/C:P/I:P/A:P (7.5). Reconcile the two before using
  # either score for prioritisation.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");

  # Exploit availability is recorded as public, so hosts flagged by this
  # plugin deserve prompt patching or network isolation of the agent port.
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'CA BrightStor Universal Agent Overflow');

  # Timeline and plugin type.
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/04/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/04/13");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # Scheduling: family, category and prerequisites.
  # NOTE(review): the check in this file sends a crafted request to the agent
  # rather than reading a banner; confirm ACT_GATHER_INFO is the intended
  # category for scan policies that restrict active probes.
  script_summary(english:"Check buffer overflow in BrightStor ARCServe UniversalAgent");
  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  # Runs after the detection plugin, only when it recorded the agent in the
  # knowledge base and TCP 6050 is in scope.
  script_dependencies("arcserve_universalagent_detect.nasl");
  script_require_keys("ARCSERVE/UniversalAgent");
  script_require_ports(6050);
  exit(0);
}

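# Remote check: send one fixed request to the Universal Agent and report the
# host only when the reply matches the known 8-byte signature.

# Skip hosts where the detection plugin did not record the agent.
if (!get_kb_item("ARCSERVE/UniversalAgent")) exit(0);

# The port is hard-coded; an agent listening elsewhere is not tested.
port = 6050;
if (!get_port_state(port)) exit(0);

soc = open_sock_tcp(port);
if (!soc) exit(0);

# Fixed probe request, kept byte-for-byte. The meaning of the individual
# fields is not documented in this file.
data = raw_string(0x00,0x00,0x00,0x00,0x03,0x20,0xBC,0x02);
data += crap(data:"2", length:256);
data += crap(data:"A", length:32);
data += raw_string(0x0B, 0x11, 0x0B, 0x0F, 0x03, 0x0E, 0x09, 0x0B,
                   0x16, 0x11, 0x14, 0x10, 0x11, 0x04, 0x03, 0x1C,
                   0x11, 0x1C, 0x15, 0x01, 0x00, 0x06);
data += crap(data:"A", length:390);

send(socket:soc, data:data);
ret = recv(socket:soc, length:4096);

# Close the socket once the single request/response exchange is complete so
# the handle is not held for the rest of the run.
close(soc);

# Report only on an exact match of the expected 8-byte reply. Every other
# outcome (no reply, short or different reply) exits without a finding, so a
# clean result is not proof that the host is patched.
# NOTE(review): which agent builds return this reply is not stated here -
# confirm a hit against the installed version before closing the ticket.
if (!isnull(ret) && (strlen(ret) == 8) && (hexstr(ret) == "0000730232320000"))
{
  security_hole(port);
}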

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.965

Percentile

99.6%