=====[BEGIN-ACROS-REPORT]===== PUBLIC ========================================================================= ACROS Security Problem Report #2006-05-17-1 ------------------------------------------------------------------------- ASPR #2006-05-17-1: Buffer Overflow In Retroclient Service ========================================================================= Document ID: ASPR #2006-05-17-1-PUB Vendor: EMC (http://www.emc.com) Target: Retrospect 7.5 Client for Windows (http://www.emcinsignia.com/products/smb/retroforwin/) Impact: A buffer overflow vulnerability in Retroclient service can be exploited to crash Retrospect clients in the network. Severity: Medium Status: Official patch available Discovered by: Luka Treiber of ACROS Security Current version http://www.acrossecurity.com/aspr/ASPR-2006-05-17-1-PUB.txt We would like to acknowledge Eric Baize and Jamie Albertson from EMC for extremely diligent and professional handling of the identified vulnerability. Summary ======= A buffer overflow vulnerability in Retroclient service can be exploited to crash Retrospect clients in the network. This enables an attacker to easily disable the backup process throughout an organization. Product Coverage ================ - Retrospect 7.5 Client for Windows - affected Older versions are likely to be affected as well. Analysis ======== Altering content of one of the packets sent to the client during server- client communication can result in a buffer overflow condition, which crashes the client service. Consequently, the automated backup process on the affected client no longer works. Moreover, under specific circumstances this vulnerability could be exploited for executing arbitrary code on the system running the Retrospect client. Note that access to corporate network is needed for exploiting this vulnerability as it requires an attacker to establish a network connection to a vulnerable client. Attack Scenario: The attacker is connected to a corporate network with his laptop. Using a port scanner, she locates machines with port 497 open, indicating the presence of Retroclient service. Using her malicious tool she mimics Retrospect server's behavior: simultaneously the tool connects to enumerated clients and sends them malicious data as described in the analysis above, which results in their crashing. In a short period of time all Retrospect clients in the network are disabled. Solution ======== EMC has issued a security bulletin [1] and published a patch which fixes this issue. Workaround ========== - We're not aware of any efficient workarounds for this issue. References ========== [1] EMC Retrospect Knowledgebase http://kb.dantz.com/article.asp?article=9511&p=2 Contact ======= ACROS d.o.o. Makedonska ulica 113 SI - 2000 Maribor e-mail: security@acrossecurity.com web: http://www.acrossecurity.com phone: +386 2 3000 280 fax: +386 2 3000 282 ACROS Security PGP Key http://www.acrossecurity.com/pgpkey.asc [Fingerprint: FE9E 0CFB CE41 36B0 4720 C4F1 38A3 F7DD] ACROS Security Advisories http://www.acrossecurity.com/advisories.htm ACROS Security Papers http://www.acrossecurity.com/papers.htm ASPR Notification and Publishing Policy http://www.acrossecurity.com/asprNotificationAndPublishingPolicy.htm Disclaimer ========== The content of this report is purely informational and meant only for the purpose of education and protection. ACROS d.o.o. shall in no event be liable for any damage whatsoever, direct or implied, arising from use or spread of this information. All identifiers (hostnames, IP addresses, company names, individual names etc.) used in examples and demonstrations are used only for explanatory purposes and have no connection with any real host, company or individual. In no event should it be assumed that use of these names means specific hosts, companies or individuals are vulnerable to any attacks nor does it mean that they consent to being used in any vulnerability tests. The use of information in this report is entirely at user's risk. Revision History ================ May 17, 2006: Initial release May 24, 2006: Added a direct link to the EMC Retrospect knowledgebase Copyright ========= (c) 2006 ACROS d.o.o. Forwarding and publishing of this document is permitted providing the content between "[BEGIN-ACROS-REPORT]" and "[END-ACROS-REPORT]" marks remains unchanged. =====[END-ACROS-REPORT]=====