BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to the Zeroday Tracker: Your Vulnerability Watchlist

Get critical updates on the latest zeroday threats, including impact, mitigation and protection information - only from BeyondTrust.

Brightstor Backup Mediasvr.exe RPC 191

Disclosed March 29, 2007 | Fully Patched

Vulnerability Description:

A remote code execution vulnerability exists in Computer Associates BrightStor Backup Mediasvr.exe. Using RPC function 191 (0xbf), an attacker can anonymously control registers in a way that allows arbitrary code execution. The code executes in the context of SYSTEM, allowing full system compromise.

Vendors:

Computer Associates

Vulnerable Software/Devices:

BrightStor

Vulnerability Severity:

High

Exploit Availability:

N/A

BeyondTrust Prevention and Detection:

BeyondTrust's Blink® Personal Edition protects from this vulnerability.
BeyondTrust's Blink® Professional Edition protects from this vulnerability.
BeyondTrust's Retina® Network Security Scanner scans devices to detect this vulnerability.

Patch:
Vendor-Supplied Patch

Mitigation:

Now that a patch has been released, the best form of mitigation is to install the patch from Computer Associates.

Non-Patch Vendor Mitigation Suggestions:
1) Rename the "mediasvr.exe" file to a non-functional file name, such as "mediasvc.exe.disable".
2) Restart the CA BrightStor Tape Engine service.
NOTE: This disables command line functionality within BrightStor.

Links:

CVE-2007-1785
Public PoC Code Disclosure (Code Execution - Reverse Shell)
Initial Vendor Response

CVE(s):

None
