Attack Code Posted for CA BrightStor Flaw
The proof-of-concept code exploits an unpatched ActiveX vulnerability in CA BrightStor ARCserve Backup to launch attacks on laptops and desktops.

Hackers have posted proof-of-concept code that could be used to launch code execution attacks against businesses using the CA BrightStor ARCserve Backup software product.
eWEEK has confirmed that the code, posted at Milw0rm.com, exploits an unpatched ActiveX vulnerability in CA BrightStor ARCserve Backup to launch client-side attacks on laptop and desktop computers.
The attack code was successfully tested on CA BrightStor ARCserve Backup r11.5 in tandem with Internet Explorer 6 (Windows XP Service Pack 2).
According to analysts with Symantec's DeepSight threat management service, there is a stack-based buffer overflow in the ListCtrl.ocx object. "An attacker may be able to corrupt structured exception handlers on the stack, thereby allowing arbitrary code to run. This issue can be triggered by passing a buffer to the 'AddColumn()' method," according to DeepSight analyst Aaron Adams.
The current public exploit contains a payload that executes "calc.exe" (calculator) only, but
In the absence of a patch from CA, users of the product are urged to set the kill bit on the vulnerable control's CLSID (BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3) on workstations and terminal server computers that have the BrightStor ARCserve Backup software installed.
Instructions for disabling vulnerable ActiveX controls can be found in Microsoft Knowledge Base article 240797, "How to stop an ActiveX control from running in Internet Explorer."
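The kill-bit procedure above, as an added example that is not from the eWEEK article, CA or Microsoft: the script writes the 0x400 kill bit into the control's Compatibility Flags value in both the native registry view and, on 64-bit Windows, the Wow6432Node view that 32-bit Internet Explorer reads, then verifies the bit is present. The CLSID is the one named in the advisory; the function names are this example's own.

```powershell
# Added example, not from the eWEEK article or from CA: set the Internet Explorer
# kill bit for the ListCtrl.ocx control named in the advisory, then verify it.
# Run from an elevated (administrator) PowerShell prompt on each workstation or
# terminal server that has BrightStor ARCserve Backup installed.

$Clsid     = '{BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3}'   # CLSID from the advisory
$KillBit   = 0x400                # Compatibility Flags bit: IE must never instantiate this control
$ValueName = 'Compatibility Flags'

# Native registry view, plus the Wow6432Node view that 32-bit IE reads on 64-bit Windows.
$Paths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $Paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Get-CompatFlags {
    param([string]$Path)
    # Returns the current Compatibility Flags DWORD, or 0 if the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$ValueName
}

function Set-KillBit {
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # OR the kill bit into whatever flags are already there instead of overwriting them.
    $flags = (Get-CompatFlags -Path $Path) -bor $KillBit
    New-ItemProperty -Path $Path -Name $ValueName -PropertyType DWord -Value $flags -Force | Out-Null
}

function Test-KillBit {
    param([string]$Path)
    return ((Get-CompatFlags -Path $Path) -band $KillBit) -eq $KillBit
}

foreach ($p in $Paths) {
    Set-KillBit -Path $p
    $state = if (Test-KillBit -Path $p) { 'set' } else { 'NOT set' }
    Write-Output ("{0}: kill bit {1}" -f $p, $state)
}
```

The same registry change can be made by hand in regedit or pushed through a .reg file or Group Policy preference; the script form is useful when the control has to be disabled across many terminal servers at once. Note that the kill bit only stops hosts that honor it (Internet Explorer and other browsers or applications that embed the IE control) from instantiating the object; ListCtrl.ocx itself stays on disk and registered, so the Test-KillBit check should be re-run after any reinstall or upgrade of the backup software.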
Symantec DeepSight also recommends:
- Browsing the Web with the least privileges possible.
- Disabling active content where possible.
- Configuring operating systems to run with all available security mechanisms (such as DEP) enabled to hamper an attacker's ability to successfully leverage the vulnerability.
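The DEP recommendation above, as an added example that is not from the article or from Symantec: with the default OptIn policy only Windows system binaries and services are covered, so an exploit running inside Internet Explorer 6 on Windows XP SP2 is not hampered unless the policy is changed. The script reports the machine-wide policy from WMI and, on Vista and later, switches it to OptOut; the function names are this example's own.

```powershell
# Added example, not from the eWEEK article or Symantec's advisory: report how DEP
# is configured on this machine and switch the policy to OptOut so every process,
# including Internet Explorer, gets DEP unless it is explicitly exempted.
# Run elevated; the policy change takes effect after a reboot.

function Get-DepPolicy {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    # DataExecutionPrevention_SupportPolicy: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    New-Object PSObject -Property @{
        HardwareDepAvailable = $os.DataExecutionPrevention_Available        # CPU supports NX/XD
        Policy               = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
        Covers32BitApps      = $os.DataExecutionPrevention_32BitApplications
    }
}

function Set-DepOptOut {
    # Vista and later keep the policy in the BCD store.
    # Windows XP SP2 uses /noexecute=OptOut on the boot line in boot.ini; edit that by hand.
    if (-not (Get-Command bcdedit.exe -ErrorAction SilentlyContinue)) {
        throw 'bcdedit.exe not found: on Windows XP set /noexecute=OptOut in boot.ini instead'
    }
    # Braces are quoted so PowerShell passes {current} literally instead of parsing a script block.
    & bcdedit.exe /set '{current}' nx OptOut
}

Get-DepPolicy | Format-List
```

Run Get-DepPolicy first; if Policy is OptIn and the machine has hardware DEP, call Set-DepOptOut and reboot, then re-check. OptOut rather than AlwaysOn is the pragmatic choice on terminal servers, because legacy applications that fail under DEP can still be exempted individually instead of forcing the policy off for everyone.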