Oh man you are a super star !!! but why no fix ???<br><br><div class="gmail_quote">On Mon, Mar 10, 2008 at 11:47 PM, Luigi Auriemma <<a href="mailto:aluigi@autistici.org">aluigi@autistici.org</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
#######################################################################<br>
<br>
Luigi Auriemma<br>
<br>
Application: Acronis True Image Group Server<br>
<a href="http://www.acronis.com/enterprise/products/ATIES/group-server.html" target="_blank">http://www.acronis.com/enterprise/products/ATIES/group-server.html</a><br>
Versions: <= <a href="http://1.5.19.191" target="_blank">1.5.19.191</a><br>
(included in Acronis True Image Enterprise Server<br>
9.5.0.8072 and the other True Image packages)<br>
Platforms: Windows<br>
Bug: invalid memory access<br>
Exploitation: remote<br>
Date: 08 Mar 2008<br>
Author: Luigi Auriemma<br>
e-mail: <a href="mailto:aluigi@autistici.org">aluigi@autistici.org</a><br>
web: <a href="http://aluigi.org" target="_blank">aluigi.org</a><br>
<br>
<br>
#######################################################################<br>
<br>
<br>
1) Introduction<br>
2) Bug<br>
3) The Code<br>
4) Fix<br>
<br>
<br>
#######################################################################<br>
<br>
===============<br>
1) Introduction<br>
===============<br>
<br>
<br>
Acronis Group Server is a component of Acronis True Image Echo Server<br>
(Workstation and Enterprise packages) which "allows the viewing and<br>
managing of backup tasks for all systems in the network from the<br>
Acronis Management Console".<br>
<br>
<br>
#######################################################################<br>
<br>
======<br>
2) Bug<br>
======<br>
<br>
<br>
The packets used by this server contain some 16 bit fields which<br>
specify the length of the subsequent data.<br>
The problem is that the memory assigned for each packet is about 2048<br>
bytes so the server allocates the amount of memory specified by that 16<br>
bit field and then tries to copy the data from the packet into this new<br>
buffer with the subsequent crash of the service due to an invalid read<br>
access.<br>
<br>
<br>
#######################################################################<br>
<br>
===========<br>
3) The Code<br>
===========<br>
<br>
<br>
<a href="http://aluigi.org/poc/acrogroup.txt" target="_blank">http://aluigi.org/poc/acrogroup.txt</a><br>
<br>
nc SERVER 9877 -v -v -u -p 9876 < acrogroup.txt<br>
<br>
<br>
#######################################################################<br>
<br>
======<br>
4) Fix<br>
======<br>
<br>
<br>
No fix<br>
<br>
<br>
#######################################################################<br>
<br>
<br>
---<br>
Luigi Auriemma<br>
<a href="http://aluigi.org" target="_blank">http://aluigi.org</a><br>
<br>
_______________________________________________<br>
Full-Disclosure - We believe in it.<br>
Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html" target="_blank">http://lists.grok.org.uk/full-disclosure-charter.html</a><br>
Hosted and sponsored by Secunia - <a href="http://secunia.com/" target="_blank">http://secunia.com/</a><br>
</blockquote></div><br>