SecuriTeam - CA BrightStor ARCServe BackUp Message Engine Command Injection Vulnerability
An exploit has been released for the command injection vulnerability in ArcServe's MessageEngine, which I wrote about in "CA ARCserve Backup Multiple Vulnerabilities - Secunia Advisories - Vulnerability Intelligence - Secunia.com - まっちゃだいふくの日記★とれんどふりーく★".
Service named "CA BrightStor Message Engine" (Process Name: msgeng.exe) registers an RPC interface which is listening on TCP port 6504, following is some related information:
UUID : 506b1890-14c8-11d1-bbc3-00805fa6962e
Version : 1.0
Listen Port : 6504
Remarkably, we can access this interface anonymously via "ncacn_ip_tcp". The following is the IDL of the function of opnum 0x10A:
Whoa, lol, that's super easy.
First, the first parameter (victim's computer name) should be equal to the real computer name. Second, when we change the string "aaa.exe" such as "../aaa.exe", it will bypass the current directory. If the program has been installed by default, transferring the following string will reach the "cmd.exe" and add a user with "CCC"/"ZZZ" (username/password) on the affected system:
../../../../../../../..//winnt//system32//cmd.exe /c \"net user CCC ZZZ /add\" ||
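The defensive counterpart to the traversal quoted above, as an added example (not code from the advisory, the vendor, or this blog): a validator for an executable-name parameter that rejects traversal, path separators and shell metacharacters, then confirms the resolved path stays inside the install directory. `BASE_DIR`, `ALLOWED` and the function name `findings` are assumptions, and the second sample string is constructed.

```python
import ntpath  # Windows path rules, usable on any OS
import re

# Hypothetical install directory and allowlist (placeholders, not from the advisory).
BASE_DIR = r"C:\ExampleInstallDir"
ALLOWED = {"aaa.exe"}

# Characters that turn a file name into a command line once it reaches cmd.exe.
SHELL_META = re.compile(r'[\s"\'&|<>^%;`]')


def findings(arg):
    """Return the reasons an executable-name argument must be rejected."""
    reasons = []
    # Both separators count: the quoted string mixes "/" with Windows paths.
    if ".." in arg.replace("\\", "/").split("/"):
        reasons.append("parent-directory traversal")
    if "/" in arg or "\\" in arg or ntpath.splitdrive(arg)[0]:
        reasons.append("path separator or drive prefix")
    if SHELL_META.search(arg):
        reasons.append("shell metacharacter or whitespace")
    # Containment check after normalisation, independent of the string tests.
    resolved = ntpath.normpath(ntpath.join(BASE_DIR, arg))
    if ntpath.dirname(resolved).lower() != ntpath.normpath(BASE_DIR).lower():
        reasons.append("resolves outside install directory")
    # Only a clean, bare file name is compared against the allowlist.
    if not reasons and arg.lower() not in ALLOWED:
        reasons.append("not on allowlist")
    return reasons


if __name__ == "__main__":
    samples = [
        "aaa.exe",                       # expected value from the advisory text
        "../aaa.exe",                    # traversal form from the advisory text
        '../../x/tool.exe /c "arg" ||',  # constructed: traversal plus arguments
    ]
    for s in samples:
        print(repr(s), "->", findings(s) or "accepted")
```
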