The proof-of-concept code exploits an unpatched ActiveX vulnerability in CA BrightStor ARCserve Backup to launch attacks on laptops and desktops.

Hackers have posted proof-of-concept code that could be used to launch code execution attacks against businesses using the CA BrightStor ARCserve Backup software product.
eWEEK has confirmed that the code, posted at Milw0rm.com, exploits an unpatched ActiveX vulnerability in CA BrightStor ARCserve Backup to launch client-side attacks on laptop and desktop computers.
The attack code was successfully tested on CA BrightStor ARCserve Backup
r11.5 in tandem with Internet Explorer 6 (Windows XP Service Pack 2).
According to virus trackers in Symantec's DeepSight threat management system,
there is a stack-based buffer overflow in the ListCtrl.ocx
object. "An attacker may be able to corrupt structured exception
handlers on the stack, thereby allowing arbitrary code to run. This issue can
be triggered by passing a buffer to the 'AddColumn()' method," according
to DeepSight analyst Aaron Adams.
The current public exploit contains a payload that executes "calc.exe" (calculator) only, but Adams said that trivial modification of the code could allow an arbitrary payload, such as one to bind a shell to a TCP port. A more malicious payload could be included without affecting the exploit's reliability, he said.
In the absence of a patch from CA, affected users are urged to set the kill bit
on the affected CLSID (BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3) for workstations
or terminal server computers that have the BrightStor ARCserve Backup software
installed.
Instructions for disabling vulnerable ActiveX controls can be found in this
Microsoft Knowledge Base article.
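As an added, defender-side illustration (not code from the eWEEK article, CA or Symantec), the following PowerShell applies the kill-bit workaround described above for the CLSID named in the article, using Microsoft's documented Compatibility Flags registry mechanism. The helper function names and the handling of the Wow6432Node path for 64-bit Windows are the example's own assumptions.

```powershell
# Added example: set the ActiveX kill bit for the ListCtrl.ocx CLSID named in the article.
# The kill bit is the COMPAT_EVIL_DONT_LOAD flag (0x400) in "Compatibility Flags" under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
# Run from an elevated PowerShell prompt.

$clsid   = '{BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3}'   # CLSID from the article
$killBit = 0x400                                      # COMPAT_EVIL_DONT_LOAD

# On 64-bit Windows the 32-bit IE view lives under Wow6432Node as well (assumption: apply both).
$keyPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
)

function Set-ActiveXKillBit {
    param([string]$Path, [int]$Flag)
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    # Preserve any flags already present and OR in the kill bit.
    $existing = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    $newValue = ([int]$existing) -bor $Flag
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $newValue -Type DWord
    return $newValue
}

function Test-ActiveXKillBit {
    param([string]$Path, [int]$Flag)
    $current = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$current -band $Flag) -eq $Flag)
}

foreach ($path in $keyPaths) {
    # Skip the Wow6432Node view on 32-bit systems where its parent key does not exist.
    if ($path -like '*Wow6432Node*' -and -not (Test-Path (Split-Path $path -Parent))) { continue }
    Set-ActiveXKillBit -Path $path -Flag $killBit | Out-Null
    if (Test-ActiveXKillBit -Path $path -Flag $killBit) {
        Write-Output "Kill bit set: $path"
    } else {
        Write-Output "FAILED to set kill bit: $path"
    }
}
```

The Test-ActiveXKillBit function can also be run on its own during an audit to confirm the flag is still present after software updates or reinstalls.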
Symantec DeepSight also recommends:
- Browsing the Web with the least privileges possible.
- Disabling active content where possible.
- Configuring operating systems to run with all available security mechanisms (such as DEP) enabled to hamper an attacker's ability to successfully leverage the vulnerability.
Serious ActiveX vulnerabilities have recently been disclosed in several widely deployed software applications, including RealNetworks' RealPlayer media player and image uploaders used by MySpace and Facebook.