CA Backup Message Engine DoS

June 25, 2009

The CA ARCserve Backup products offer data protection for distributed servers, clients, databases and applications. They offer centralized control over backup and restore operations among other services.

CA ARCserve Backup Message Engine is one of the services provided by BrightStor ARCserve Backup products. The engine accepts DCE-RPC messages on port TCP/6503 by default. DCE-RPC messages exchanged on that port have the following common format:

 Offset  Size  Description
 ------- ----- ----------------------------------
 0x0000  1     Major Version, 0x05
 0x0001  1     Minor Version, 0x00
 0x0002  1     Packet Type, 0 for Request Packet
 0x0003  1     Packet Flags, 0x80 for UUID set
 0x0004  4     Data Representation
 0x0008  2     Frag Length, N
 0x000A  2     Auth Length
 0x000C  4     Call ID
 0x0010  N-16  type-specific data

A type 0 packet (request) has the following format inside the type-specific data portion:

 Offset  Size  Description
 ------- ----- ----------------------------------
 0x0000  4     Alloc hint
 0x0004  2     Context ID
 0x0006  2     opcode
 0x0008  N-24  Stub Data

The opcode field represents the RPC operation number. The Stub Data field contains the arguments passed to the called RPC method. The structure of the Stub Data field is opcode specific and in this case defined by the vendor, CA. It has been determined that RPC messages having opcode 0x13 have the following structure:

 long (
   [in] long arg_1,
   [in] short arg_2,
   [in][size_is(65536), length_is(65536)] char * arg_3,
   [in] long arg_4,
   [out] long * arg_5
 );

A denial of service vulnerability exists in the CA ARCserve Backup Message Engine. The vulnerability is due to insufficient checks on user-supplied parameters when handling opcode 0x13 RPC messages. When both arg_1 and arg_4 are set to 1, and arg_3 is a string 65536 characters long, the vulnerable code ends up dereferencing a null pointer. This causes a memory access violation, which terminates the CA ARCserve Backup Message Engine. The attack may be performed by unauthenticated remote users.

SonicWALL has released an IPS signature which will detect and block generic attack attempts targeting this vulnerability. The following signature was released to address this issue.

  • 2118 - CA ARCserve Backup Message Engine DoS
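
For triage of captured traffic, the two header layouts above can be decoded to pick out request packets that call opcode 0x13 on the Message Engine port. The following is an added example, not SonicWALL's signature or CA's code; the function names and the sample packets are constructed for illustration, and it assumes the standard DCE-RPC rule that the high nibble of the first Data Representation byte selects integer byte order.

```python
import struct

MSG_ENGINE_PORT = 6503   # default Message Engine port given in the advisory
WATCHED_OPCODE = 0x13    # opcode the advisory ties to the crash

def parse_request(pdu: bytes):
    """Decode the common and request headers; None if not a v5.0 request PDU."""
    if len(pdu) < 24:                      # 16-byte common + 8-byte request header
        return None
    major, minor, ptype, flags = struct.unpack_from("4B", pdu, 0)
    if (major, minor, ptype) != (5, 0, 0): # packet type 0 = request
        return None
    # Data Representation: high nibble of its first byte selects integer byte
    # order (1 = little-endian, 0 = big-endian).
    order = "<" if pdu[4] >> 4 == 1 else ">"
    frag_len, auth_len, call_id = struct.unpack_from(order + "HHI", pdu, 8)
    alloc_hint, context_id, opcode = struct.unpack_from(order + "IHH", pdu, 16)
    if frag_len < 24:                      # header claims less than its own size
        return None
    return {"flags": flags, "frag_len": frag_len, "auth_len": auth_len,
            "call_id": call_id, "alloc_hint": alloc_hint,
            "context_id": context_id, "opcode": opcode,
            "truncated": len(pdu) < frag_len}  # capture shorter than Frag Length

def is_watched_call(pdu: bytes, dst_port: int) -> bool:
    """True for a request to the Message Engine port carrying opcode 0x13."""
    fields = parse_request(pdu)
    return (fields is not None and dst_port == MSG_ENGINE_PORT
            and fields["opcode"] == WATCHED_OPCODE)

# Constructed sample PDUs (not captured traffic); stubs are 8 zero bytes.
STUB = "00" * 8
SAMPLES = {
    "le_op13": bytes.fromhex("05000080" "10000000" "2000" "0000" "01000000"
                             "08000000" "0000" "1300" + STUB),
    "be_op13": bytes.fromhex("05000080" "00000000" "0020" "0000" "00000001"
                             "00000008" "0000" "0013" + STUB),
    "le_op01": bytes.fromhex("05000080" "10000000" "2000" "0000" "01000000"
                             "08000000" "0000" "0100" + STUB),
    "bind":    bytes.fromhex("05000b03" "10000000" "1800" "0000" "01000000"
                             + STUB),
}

if __name__ == "__main__":
    for name, pdu in SAMPLES.items():
        print(name, is_watched_call(pdu, MSG_ENGINE_PORT), parse_request(pdu))
```

A match only says that opcode 0x13 was called; the argument values described above live in the Stub Data, which this example does not decode.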