#######################################################################

                             Luigi Auriemma

Application:  eTrust Secure Content Manager
              http://www.ca.com/us/products/product.aspx?id=4673
Versions:     eCSqdmn <= 8.0.28000.511
Platforms:    Windows
Bugs:         Denial of Service in eCSqdmn
Exploitation: remote
Date:         18 Apr 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From the vendor's website:
CA SCM "is a gateway product that secures, monitors, filters and blocks
potential threats from messaging and Web traffic. It protects you
against viruses, spam, phishing, P2P file sharing, malicious mobile
code and prevents access to known spyware sites."


#######################################################################

=======
2) Bugs
=======


The eTrust Common Services (Transport) Daemon (eCSqdmn) listening on
port 1882 is affected by a vulnerability caused by an unchecked 32-bit
number passed by the client, which is used to advance to the next data
block.

A malformed value has one of two effects: the service crashes (it is
restarted automatically after some seconds, so the attacker needs to
keep it down at regular intervals), or the CPU goes to 100% because of
an endless loop that keeps handling the same data.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/ecsqdamn.zip


#######################################################################

======
4) Fix
======


No fix


#######################################################################
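
The validation that section 2 describes as missing, shown as an added example that is not part of the original advisory and is not CA's code. The block layout, the names walk_blocks, rd_le32 and HDR_LEN, and the sample buffers are assumptions made for illustration; the advisory does not document the eCSqdmn wire format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical block layout, NOT the real eCSqdmn wire format:
 * uint32 little-endian "advance" (bytes from the start of this block to
 * the start of the next, header included), followed by the payload. */
#define HDR_LEN 4u
/* Constructed sample inputs. */
const uint8_t sample_ok[]   = {6,0,0,0,'A','B', 5,0,0,0,'C'};
const uint8_t sample_zero[] = {0,0,0,0,'A','B'};
const uint8_t sample_huge[] = {0xff,0xff,0xff,0x7f,'A'};

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk all blocks in buf. Returns the block count, or -1 as soon as a
 * client-supplied advance value is malformed. */
int walk_blocks(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int count = 0;
    while (off < len) {
        size_t remaining = len - off;
        if (remaining < HDR_LEN)
            return -1;                /* truncated header */
        uint32_t advance = rd_le32(buf + off);
        /* 0 never moves the cursor (same data handled forever, CPU at
         * 100%); 1..3 would land inside this block's own header. */
        if (advance < HDR_LEN)
            return -1;
        /* A value past the received data moves the cursor out of the
         * buffer (the crash case). Comparing with `remaining` cannot
         * wrap, unlike `off + advance > len` on a 32-bit size_t. */
        if (advance > remaining)
            return -1;
        off += advance;               /* step to the next block */
        count++;
    }
    return count;
}

int main(void) {
    printf("ok=%d zero=%d huge=%d\n",
           walk_blocks(sample_ok, sizeof sample_ok),
           walk_blocks(sample_zero, sizeof sample_zero),
           walk_blocks(sample_huge, sizeof sample_huge));
    return 0;
}
```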