cbcvebase.
CVE-2005-0581
published 2005-05-02


Priority: P3 48 medium
CVSS 2.0: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
Tags: EXPLOIT
EPSS: 46.34% (98.7th percentile)
Multiple buffer overflows in Computer Associates (CA) License Client and Server 0.1.0.15 allow remote attackers to execute arbitrary code via (1) certain long fields in the Checksum item in a GCR request, (2) a long IP address, hostname, or netmask values in a GCR request, (3) a long last parameter in a GETCONFIG packet, or (4) long values in a request with an invalid format.

Affected

1 range

Vendor    Product           Version range    Fixed in
broadcom  license_software  (not given)      (not given)

Detection & IOCs (extracted from sources)

port: 10203
port: 10202
command: A0 GETCONFIG SELF 0
command: A0 GETSERVER
command: A0 GETCONFIG SELF ${buff}
path: licscvr.dll
port: 101
  • Detect exploitation of the CA License Client by monitoring for inbound connections to a fake CA License Server on port 10202 followed by an oversized 'A0 GETCONFIG SELF' response packet.
  • Return addresses used in exploits targeting ws2help.dll can be used as signatures: 0x750217ae, 0x71aa16e5, 0x71aa1b22, 0x71bf175f for jmp/call esi; 0x75021421, 0x71aa19e8, 0x71aa1e08, 0x71bf1a2c for jmp edi.
  • The exploit payload contains null byte (0x00) and space (0x20) as bad characters; any CA License protocol packet containing these bytes in the GETCONFIG parameter field is anomalous and should be flagged.
  • Monitor for the CA License protocol banner/greeting containing 'GETCONFIG' on TCP port 10202; absence of expected greeting after connection may indicate exploitation in progress.
  • The class101 exploit constructs a payload starting with bytes 0x47 0x42 0x52 0x20 ('GBR '), followed by 3208 NOP bytes, with EIP overwrite at offset 2028 and shellcode at offset 2042; detect large GBR packets on port 10203.
  • The CA License service auto-bans after one connection attempt; a single oversized GETCONFIG packet followed by service unresponsiveness is a strong indicator of exploitation.
  • The CA License Client exploit (calicclnt_getconfig) requires the attacker's IP to be resolvable from the target; on Windows without UDP port 137 filtering, NetBIOS name resolution handles this automatically on the same network segment.
  • Due to a software bug in the CA License agent, only one connection is allowed before the service starts ignoring further connections, limiting repeated exploitation attempts.
  • The GCR request format used by eTrust, BrightStor, and lic98rmt.exe v0.1.0.15 follows a specific field order; detection rules should account for all three product variants.