Vulnerabilities > CVE-2008-5415

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
broadcom
ca
critical
nessus

Summary

The LDBserver service in the server in CA ARCserve Backup 11.1 through 12.0 on Windows allows remote attackers to execute arbitrary code via a handle_t argument to an RPC endpoint in which the argument refers to an incompatible procedure.

Vulnerable Configurations

Part Description Count
Application
Broadcom
1
Application
Ca
2
OS
Microsoft
1

Nessus

NASL family: Windows
NASL id: ARCSERVE_BACKUP_CVE-2008-5415.NASL
description: The version of CA ARCserve Backup installed on the remote host is affected by a remote code execution vulnerability. A remote attacker can exploit this vulnerability by providing a specially crafted handle_t argument to an RPC endpoint for the LDBserver service.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 69513
published: 2013-08-26
reporter: This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/69513
title: Computer Associates ARCserve Backup LDBserver Remote Code Execution Vulnerability
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration pass: when the engine loads the plugin with 'description' set,
# this block only declares metadata and then exits via exit(0), so none of
# the check logic further down runs.
if (description)
{
  # Plugin identity and revision.
  script_id(69513);
  script_version("1.6");
  script_cvs_date("Date: 2018/06/27 18:42:27");

  # External references for the flaw.
  script_cve_id("CVE-2008-5415");
  script_bugtraq_id(32764);

  script_name(
    english:"Computer Associates ARCserve Backup LDBserver Remote Code Execution Vulnerability"
  );
  script_summary(
    english:"Checks version of ARCserve"
  );

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote host is affected by a remote code execution vulnerability."
  );
  script_set_attribute(attribute:"description", value:
"The version of CA ARCserve Backup installed in the remote hosted is
affected by a remote code execution vulnerability.  A remote attacker
can exploit this vulnerability by providing a specially crafted
handle_t argument to an RPC endpoint for the LDBserver service."
  );
  # Presumably the vendor advisory that the shortened see_also link resolves to:
  # https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=194293
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?c87e2a14"
  );
  script_set_attribute(attribute:"solution", value:"Apply the appropriate patch per the vendor's advisory.");

  # CVSS v2 base vector: network reachable, low complexity, no authentication,
  # complete confidentiality / integrity / availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  # CVSS v2 temporal vector: exploitability unproven, official fix available,
  # report confirmed.
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(
    attribute:"exploitability_ease",
    value:"No known exploits are available"
  );
  script_set_attribute(
    attribute:"exploit_available",
    value:"false"
  );

  # Disclosure, patch and plugin dates (the first two are the same day).
  script_set_attribute(attribute:"vuln_publication_date", value:"2008/12/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2008/12/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/08/26");

  # "local": the verdict is derived from installed-file data read over an
  # authenticated SMB session, not from probing the LDBserver RPC endpoint.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ca:arcserve_backup");
  script_end_attributes();

  # Information-gathering category: the check reads data, it does not send
  # anything to the vulnerable service.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(
    english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc."
  );

  # Preconditions: knowledge-base keys that must already exist, the plugin
  # expected to have produced the install data, and the SMB ports that must
  # be reachable.
  script_require_keys(
    "SMB/Registry/Enumerated",
    "SMB/CA ARCserve Backup/Installed"
  );
  script_dependencies("arcserve_backup_server_installed.nasl");
  script_require_ports(139, 445);

  exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_reg_query.inc");
include("misc_func.inc");

# Display name used in the final "not vulnerable" audit message.
appname = 'CA ARCserve Backup';

# Stop unless the knowledge base already records the product as installed
# (return value unused; only the presence of the key matters here).
get_kb_item_or_exit('SMB/CA ARCserve Backup/Installed');

# Install directory and product version as recorded in the knowledge base,
# presumably by the declared dependency arcserve_backup_server_installed.nasl
# (confirm). Either lookup exits the script if its key is missing.
path = get_kb_item_or_exit('SMB/CA ARCserve Backup Server/Path');
version = get_kb_item_or_exit('SMB/CA ARCserve Backup Server/Version');

# Accumulates the finding text; still empty at the end means "not affected".
report = '';

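# 12.x < SP1 (12.1)
# For 12.0.x the product version alone decides: every 12.0 build is reported
# and no file inspection is performed.
if(version =~ "^12\.0\.")
{
  report += '\n  Installed Version : ' + version +
            '\n  Fixed Version     : 12.1' +
            '\n  Required Patch    : RO01340\n';
}
# check for individual patches
# For the 11.x lines the fix shipped as a patch, so the build of DBserver.dll
# on disk is inspected over an authenticated SMB session instead.
else
{
  registry_init();
  port = kb_smb_transport();

  # Scan credentials taken from the knowledge base.
  login   =  kb_smb_login();
  pass    =  kb_smb_password();
  domain  =  kb_smb_domain();

  # Build the full path to the DLL, adding a separator only when the
  # install path does not already end with one.
  if(path[strlen(path) - 1] == "\")
    file = path + "DBserver.dll";
  else
    file = path + "\DBserver.dll";

  # Split "X:\dir\DBserver.dll" into the drive's share name ("X$") and the
  # path relative to that share.
  share = ereg_replace(pattern:'^([A-Za-z]):.*', replace:'\\1$', string:file);
  dll =  ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:'\\1', string:file);

  rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
  if (rc != 1)
    audit(AUDIT_SHARE_FAIL, share);

  # Read-only open of an existing file; nothing on the target is modified.
  fh = CreateFile(
    file:dll,
    desired_access:GENERIC_READ,
    file_attributes:FILE_ATTRIBUTE_NORMAL,
    share_mode:FILE_SHARE_READ,
    create_disposition:OPEN_EXISTING
  );

  if (isnull(fh))
  {
    NetUseDel();
    # The open failed, not the timestamp read; say so, so a scan operator
    # looks at file access rather than at the DLL contents.
    exit(1, 'Unable to open "DBserver.dll".');
  }

  ver = GetFileVersion(handle:fh);
  if (isnull(ver))
  {
    # Release the file handle before dropping the share connection; the
    # original exited on this path with the handle still open.
    CloseFile(handle:fh);
    NetUseDel();
    exit(1, 'Unable to get version of "DBserver.dll".');
  }

  # NOTE(review): from here on 'version' holds the DLL's file version, not
  # the product version from the knowledge base. The 11.x matches below and
  # the final "not vulnerable" audit message both use this value - confirm
  # that is intended.
  version = join(ver, sep:'.');

  ret = GetFileVersionEx(handle:fh);
  CloseFile(handle:fh);

  NetUseDel();

  if (!isnull(ret))
    timestamp = int(ret['dwTimeDateStamp']);
  else
    exit(1, 'Unable to get timestamp of "DBserver.dll".');

  # The patched builds are recognised by timestamp only (presumably the link
  # time stored in the DLL header - confirm). This is a heuristic: anything
  # stamped at or after the fixed build passes, so a clean result is worth
  # cross-checking against the vendor's patch inventory when it matters.
  if(version =~ "^11\.5\.")
  {
    # 11.5 - Patch RO04383
    # Fixed timestamp
    # 1227625217
    # Tuesday, November 25, 2008 10:00:17 AM EST (15:00:17 UTC)
    if(timestamp < 1227625217)
    {
      report += '\n  Installed Version      : ' + version +
                '\n  DBserver.dll Timestamp : ' + timestamp +
                '\n  Fixed Timestamp        : 1227625217' +
                '\n  Required Patch         : RO04383\n';
    }
  }
  else if(version =~ "^11\.1\.")
  {
    # 11.1 - Patch RO04382
    # Fixed timestamp
    # 1227623541
    # Tuesday, November 25, 2008 9:32:21 AM EST (14:32:21 UTC)
    if(timestamp < 1227623541)
    {
      report += '\n  Installed Version      : ' + version +
                '\n  DBserver.dll Timestamp : ' + timestamp +
                '\n  Fixed Timestamp        : 1227623541' +
                '\n  Required Patch         : RO04382\n';
    }
  }
}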

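# Nothing was flagged: record the install as not affected. audit() ends the
# script, so the reporting below runs only when there is a finding.
if (report == '')
  audit(AUDIT_INST_PATH_NOT_VULN, appname, version, path);

# The 12.0.x branch reports from the product version alone and does not
# assign 'port'; without this the finding would be filed with an unset port
# instead of the SMB port the data was collected for.
if (isnull(port))
  port = kb_smb_transport();

# Attach the version / patch details only when the scan policy asks for
# verbose output; otherwise raise the finding without extra text.
if (report_verbosity > 0)
  security_hole(port:port, extra:report);
else
  security_hole(port);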