Attack Code Posted for CA BrightStor Flaw

The proof-of-concept code exploits an unpatched ActiveX vulnerability in CA BrightStor ARCserve Backup to launch client-side attacks against laptops and desktops.

Hackers have posted proof-of-concept code that could be used to launch code execution attacks against businesses using the CA BrightStor ARCserve Backup software product.
eWEEK has confirmed that the code, posted at, exploits an unpatched ActiveX vulnerability in CA BrightStor ARCserve Backup to launch client-side attacks on laptop and desktop computers.
The attack code was successfully tested on CA BrightStor ARCserve Backup r11.5 in tandem with Internet Explorer 6 (Windows XP Service Pack 2).
According to analysts at Symantec's DeepSight threat management service, the flaw is a stack-based buffer overflow in the ListCtrl.ocx ActiveX control. "An attacker may be able to corrupt structured exception handlers on the stack, thereby allowing arbitrary code to run. This issue can be triggered by passing a buffer to the 'AddColumn()' method," according to DeepSight analyst Aaron Adams.


The current public exploit contains a payload that executes "calc.exe" (calculator) only, but Adams said that trivial modification of the code could allow an arbitrary payload, such as one to bind a shell to a TCP port. A more malicious payload could be included without affecting the exploit's reliability, he said.
In the absence of a patch from CA, affected users are urged to set the kill bit on the affected CLSID (BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3), which stops Internet Explorer from instantiating the control, on workstations or terminal server computers that have the BrightStor ARCserve Backup software installed.
Instructions for disabling vulnerable ActiveX controls can be found in this Microsoft Knowledge Base article.
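The following PowerShell script is an added example, not code from the eWEEK article, CA or Symantec. It applies the kill-bit mitigation described above using the mechanism Microsoft documents in KB 240797: a "Compatibility Flags" DWORD with bit 0x400 set under the Internet Explorer ActiveX Compatibility key for the CLSID. The CLSID is the one named in the advisory; the registry paths and the check of InprocServer32 are standard Windows locations, and the script must be run from an elevated prompt.

```powershell
# Added example: set and verify the IE kill bit for the ListCtrl.ocx CLSID
# named in the BrightStor ARCserve advisory. Not vendor code. Run elevated.
# Kill-bit mechanism per Microsoft KB 240797.

$Clsid   = '{BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3}'
$KillBit = 0x400   # KB 240797: bit that makes IE refuse to load the control

# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so cover both views.
$Paths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)

# Report which DLL/OCX is registered for the CLSID, so you can confirm it is
# ListCtrl.ocx before (and after) applying the mitigation.
function Get-ControlPath {
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
}

function Set-KillBit {
    param([string]$Path)
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    # Preserve any flags already present; only OR in the kill bit.
    $existing = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]$existing -bor $KillBit
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Test-KillBit {
    param([string]$Path)
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
}

$ocx = Get-ControlPath
if ($ocx) { "CLSID $Clsid is registered to: $ocx" }
else      { "CLSID $Clsid is not registered on this host (kill bit still harmless to set)" }

foreach ($p in $Paths) {
    # The Wow6432Node view only exists on 64-bit Windows; skip it elsewhere.
    if ($p -like '*Wow6432Node*' -and -not (Test-Path 'HKLM:\SOFTWARE\Wow6432Node')) { continue }
    Set-KillBit -Path $p
    $state = if (Test-KillBit -Path $p) { 'set' } else { 'NOT set' }
    "{0}: kill bit {1}" -f $p, $state
}
```

Two caveats worth keeping in mind: the kill bit only stops Internet Explorer (and other hosts that honour the ActiveX Compatibility key) from loading the control; the OCX stays on disk and registered, so a non-IE COM host could still instantiate it. And because the script ORs the bit in rather than overwriting the value, any existing compatibility flags Microsoft or CA set for the control are preserved.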
Symantec DeepSight also recommends:

  • Browsing the Web with the least privileges possible.
  • Disabling active content where possible.
  • Configuring operating systems to run with all available security mechanisms (such as DEP) enabled to hamper an attacker's ability to successfully leverage the vulnerability.

Serious ActiveX vulnerabilities have recently been disclosed in several widely deployed software applications, including RealNetworks' RealPlayer media player and the image-uploader controls used by MySpace and Facebook.