CA ARCserve is vulnerable to a denial of service when a crafted
RPC packet is sent to the Message engine service listening on
port 6503/TCP.

The interface information is as follows:
[
    uuid(dc246bf0-7a7a-11ce-9f88-00805fe43838),
    version(1.0)
]
interface mIDA_interface
{
    /* opcode: 0x13 */
    long (
        [in] long arg_1,
        [in] short arg_2,
        [in][size_is(65536), length_is(65536)] char * arg_3,
        [in] long arg_4,
        [out] long * arg_5
    );
}

Example Malicious Parameters:
arg_1 = 0x1
arg_4 = 0x1
arg_3 = { a character array of 65536 }

The above parameters will crash the Message engine service. The bug exists in
the ASCORE module, and there is more than one way to reach the vulnerable
code segment.

; Buggy code @ASCORE module of msgeng.exe process
; running at 6503/TCP port
2123A736   6A 00           PUSH 0                         ; Pushes 0x0
2123A738   55              PUSH EBP
2123A739   E8 F20B0000     CALL ASCORE.2123B330
2123A73E   8B4C24 10       MOV ECX,DWORD PTR SS:[ESP+10]

; ASCORE.2123B330
2123B330   51              PUSH ECX
2123B331   8B4C24 08       MOV ECX,DWORD PTR SS:[ESP+8]   ; Copies 0x0 from stack to ECX
2123B335   8A81 1E010000   MOV AL,BYTE PTR DS:[ECX+11E]   ; Bug: Access Violation
2123B33B   3C 03           CMP AL,3
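
A detection sketch for the interface and opcode listed above, added here as an example and not part of the original advisory or of any vendor code: it walks the DCE/RPC PDUs of one TCP stream to port 6503, records which presentation context was bound to the interface UUID, and reports requests for opcode 0x13 on that context. The names scan_stream, _pdu and SAMPLE are hypothetical, the sample PDUs are constructed headers with no stub data, and little-endian connection-oriented DCE/RPC framing is assumed.

```python
import struct
import uuid

# Interface UUID and opcode are the ones given in the advisory above.
MIDA_UUID = uuid.UUID("dc246bf0-7a7a-11ce-9f88-00805fe43838")
OPNUM = 0x13
PT_REQUEST, PT_BIND = 0, 11  # DCE/RPC PDU types

def scan_stream(pdus):
    """Return [(call_id, alloc_hint)] for opnum 0x13 requests on the interface.

    pdus: reassembled PDUs of one client-to-server TCP stream, in order.
    Assumes little-endian data representation and no object UUID in requests.
    """
    contexts, hits = set(), []  # contexts: ids the client bound to MIDA_UUID
    for pdu in pdus:
        if len(pdu) < 24 or pdu[0] != 5:
            continue  # too short, or not a version 5 connection-oriented PDU
        ptype, call_id = pdu[2], struct.unpack_from("<I", pdu, 12)[0]
        if ptype == PT_BIND and len(pdu) >= 28:
            off = 28  # first context element follows the 4-byte list header
            for _ in range(pdu[24]):
                if off + 24 > len(pdu):
                    break  # truncated context list
                ctx_id, n_syn = struct.unpack_from("<HB", pdu, off)
                if uuid.UUID(bytes_le=bytes(pdu[off + 4:off + 20])) == MIDA_UUID:
                    contexts.add(ctx_id)
                off += 24 + 20 * n_syn  # skip abstract and transfer syntaxes
        elif ptype == PT_REQUEST:
            alloc_hint, ctx_id, opnum = struct.unpack_from("<IHH", pdu, 16)
            if ctx_id in contexts and opnum == OPNUM:
                hits.append((call_id, alloc_hint))
    return hits

def _pdu(ptype, call_id, body):
    # Constructed sample framing: v5.0, first+last fragment, little-endian.
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, 3, b"\x10\0\0\0",
                       16 + len(body), 0, call_id) + body

NDR = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax
SAMPLE = [  # constructed headers only: a bind, then two stub-less requests
    _pdu(PT_BIND, 1, struct.pack("<HHIBBHHBB", 5840, 5840, 0, 1, 0, 0, 0, 1, 0)
         + MIDA_UUID.bytes_le + struct.pack("<HH", 1, 0)
         + NDR.bytes_le + struct.pack("<I", 2)),
    _pdu(PT_REQUEST, 2, struct.pack("<IHH", 70000, 0, OPNUM)),
    _pdu(PT_REQUEST, 3, struct.pack("<IHH", 16, 0, 0x01)),
]

if __name__ == "__main__":
    print(scan_stream(SAMPLE))
```

A hit is a prompt for review rather than proof of the crash condition, because the triggering values listed in the advisory sit in the stub data, which this check does not decode.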