Alerts
Alerts
Zero-Day Tracker
Common Name:
Brightstor Backup Mediasvr.exe RPC 191
Date Disclosed:
3/29/2007
Date Patched:
4/24/2007
Vendor:
Computer Associates
Application:
BrightStor
Description:
A remote code execution vulnerability exists within Computer Associates BrightStor Backup Mediasvr.exe. Utilizing RPC function 191 (0xbf), an attacker is able to anonymously control registers in such a way that would allow for arbitrary code execution. This code is executed under the context of SYSTEM, allowing for full system compromise.
Severity:
High
Code Execution:
Yes
Impact:
Arbitrary code execution as SYSTEM
This vulnerability can be exploited anonymously against BrightStor, allowing for a remote attacker to run arbitrary code under SYSTEM in order to obtain full system access.
Mitigation:
Now that a patch is released, the best form of mitigation is to install the patch from Computer Associates.
Non-Patch Vendor Mitigation Suggestions
1) Rename the "mediasvr.exe" file to a non-functional file name, such as "mediasvc.exe.disable".
2) Restart the CA BrightStor Tape Engine service.
NOTE: This disables command line functionality within BrightStor.
Protection:
Vendor-Supplied Patch
Links:
CVE-2007-1785
Public PoC Code Disclosure (Code Execution - Reverse Shell)
Initial Vendor Response
Status:
3/29/2007: Proof-of-Concept Disclosed Publicly on Milw0rm
4/24/2007: Vendor-Supplied Patch Released
Common Name:
Brightstor Backup Mediasvr.exe RPC 191
Date Disclosed:
3/29/2007
Date Patched:
4/24/2007
Vendor:
Computer Associates
Application:
BrightStor
Description:
A remote code execution vulnerability exists within Computer Associates BrightStor Backup Mediasvr.exe. Utilizing RPC function 191 (0xbf), an attacker is able to anonymously control registers in such a way that would allow for arbitrary code execution. This code is executed under the context of SYSTEM, allowing for full system compromise.
Severity:
High
Code Execution:
Yes
Impact:
Arbitrary code execution as SYSTEM
This vulnerability can be exploited anonymously against BrightStor, allowing for a remote attacker to run arbitrary code under SYSTEM in order to obtain full system access.
Mitigation:
Now that a patch is released, the best form of mitigation is to install the patch from Computer Associates.
Non-Patch Vendor Mitigation Suggestions
1) Rename the "mediasvr.exe" file to a non-functional file name, such as "mediasvc.exe.disable".
2) Restart the CA BrightStor Tape Engine service.
NOTE: This disables command line functionality within BrightStor.
Protection:
- eEye's Blink® Personal Edition protects from this vulnerability.
- eEye's Blink® Professional Edition protects from this vulnerability.
- eEye's Retina® Network Security Scanner scans devices to detect for this vulnerability.
Vendor-Supplied Patch
Links:
CVE-2007-1785
Public PoC Code Disclosure (Code Execution - Reverse Shell)
Initial Vendor Response
Status:
3/29/2007: Proof-of-Concept Disclosed Publicly on Milw0rm
4/24/2007: Vendor-Supplied Patch Released
