CVE-2005-0581
Published 2005-05-02
Priority: P348 · medium · CVSS 2.0 base score 4.6 (vector AV:L/AC:L/Au:N/C:P/I:P/A:P)
Exploit available · EPSS 46.34% (98.7th percentile)
Multiple buffer overflows in Computer Associates (CA) License Client and Server 0.1.0.15 allow remote attackers to execute arbitrary code via (1) certain long fields in the Checksum item in a GCR request, (2) long IP address, hostname, or netmask values in a GCR request, (3) a long last parameter in a GETCONFIG packet, or (4) long values in a request with an invalid format.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| broadcom | license_software | — | — |
Detection & IOCs (extracted from sources)
- Detect exploitation of the CA License Client by monitoring for inbound connections to a fake CA License Server on port 10202 followed by an oversized 'A0 GETCONFIG SELF' response packet.
- Return addresses used in exploits targeting ws2help.dll can be used as signatures: 0x750217ae, 0x71aa16e5, 0x71aa1b22, 0x71bf175f for jmp/call esi; 0x75021421, 0x71aa19e8, 0x71aa1e08, 0x71bf1a2c for jmp edi.
- The exploit payload contains null byte (0x00) and space (0x20) as bad characters; any CA License protocol packet containing these bytes in the GETCONFIG parameter field is anomalous and should be flagged.
- Monitor for the CA License protocol banner/greeting containing 'GETCONFIG' on TCP port 10202; absence of the expected greeting after connection may indicate exploitation in progress.
- The class101 exploit constructs a payload starting with bytes 0x47 0x42 0x52 0x20 ('GBR '), followed by 3208 NOP bytes, with EIP overwrite at offset 2028 and shellcode at offset 2042; detect large GBR packets on port 10203.
- The CA License service auto-bans after one connection attempt; a single oversized GETCONFIG packet followed by service unresponsiveness is a strong indicator of exploitation.
- The CA License Client exploit (calicclnt_getconfig) requires the attacker's IP to be resolvable from the target; on Windows without UDP port 137 filtering, NetBIOS name resolution handles this automatically on the same network segment.
- Due to a software bug in the CA License agent, only one connection is allowed before the service starts ignoring further connections, limiting repeated exploitation attempts.
- The GCR request format used by eTrust, BrightStor, and lic98rmt.exe v0.1.0.15 follows a specific field order; detection rules should account for all three product variants.
No detection rules found.
Exploit-DB
CA BrightStor ARCserve License Service - 'GCR NETWORK' Remote Buffer Overflow (Metasploit)
exploitdb · 2010-11-03 · CVE-2005-0581
---
```ruby
##
# $Id: license_gcr.rb 10892 2010-11-03 22:09:44Z mc $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 'CA BrightStor ARCserve License Service GCR NETWORK Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup 11.0.
          By sending a specially crafted request to the lic98rmtd.exe service, an attacker
          could overflow the buffer and execute arbitrary code.
      },
      'Author'         => [ 'MC
```
Exploit-DB
Computer Associates License Client - GETCONFIG Overflow (Metasploit)
exploitdb · 2010-09-20 · CVE-2005-0581
---
```ruby
##
# $Id: calicclnt_getconfig.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 'Computer Associates License Client GETCONFIG Overflow',
      'Description'    => %q{
          This module exploits a vulnerability in the CA License Client
          service. This exploit will only work if your IP address can be
          resolved from the target system point of view. This can be
          accomplished on a local network by running the 'nmbd' service
          that comes with Samba. If you are
```
Exploit-DB
Computer Associates License Server - GETCONFIG Overflow (Metasploit)
exploitdb · 2010-09-20 · CVE-2005-0581
---
```ruby
##
# $Id: calicserv_getconfig.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 'Computer Associates License Server GETCONFIG Overflow',
      'Description'    => %q{
          This module exploits a vulnerability in the CA License Server
          network service. By sending an excessively long GETCONFIG
          packet the stack may be overwritten.
      },
      'Author'         =>
        [
          'Thor Doomen ', # original msf v2 module
          'patrick',      # msf v3 port :)
        ],
      'License'        => MSF_LICENSE,
      'Versio
```
Exploit-DB
CA License Server - 'GETCONFIG' Remote Buffer Overflow
exploitdb · 2005-03-06 · CVE-2005-0582
---
```c
/*
Computer-Associates, License Service Stack Overflow
Homepage: ca.com
Affected version: v1.61 and below (in eTrust, Unicenter, BrightStor, etc..)
Patched version: hotfix
Link: ca.com
Date: 04 March 2005
Application Risk: Tsunami
Internet Risk: High
Discovery Credits: Barnaby Jack (eeye.com)
Exploit Credits : class101
Hole History:
  02-3-2005: BOF flaws published by Barnaby Jack of eeye.com
  04-3-2005: metasploit module released
  06-2-2005: hat-squad exploit released using again another way than msf,
             a nasty way auto-bypassing XP/2003 stack's protections :)
Notes:
  -2 bad chars, 0x00, 0x20
  -This is possible to trigger at least several big flaws per affected commands,
   case1: you own eip, ebx 4 bytes up to it is usable
   case2: yo
```
Metasploit
Computer Associates License Client GETCONFIG Overflow
metasploit
This module exploits a vulnerability in the CA License Client service. This exploit will only work if your IP address can be resolved from the target system point of view. This can be accomplished on a local network by running the 'nmbd' service that comes with Samba. If you are running this exploit from Windows and do not filter udp port 137, this should not be a problem (if the target is on the same network segment). Due to the bugginess of the software, you are only allowed one connection to the agent port before it starts ignoring you. If it wasn't for this issue, it would be possible to repeatedly exploit this bug.
Metasploit
CA BrightStor ARCserve License Service GCR NETWORK Buffer Overflow
metasploit
This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup 11.0. By sending a specially crafted request to the lic98rmtd.exe service, an attacker could overflow the buffer and execute arbitrary code.
Metasploit
Computer Associates License Server GETCONFIG Overflow
metasploit
This module exploits a vulnerability in the CA License Server network service. By sending an excessively long GETCONFIG packet the stack may be overwritten.
No writeups or analysis indexed.
References
- http://marc.info/?l=bugtraq&m=110979326828704&w=2
- http://supportconnectw.ca.com/public/ca_common_docs/security_notice.asp
- http://www.idefense.com/application/poi/display?id=210&type=vulnerabilities
- http://www.idefense.com/application/poi/display?id=213&type=vulnerabilities
- http://www.idefense.com/application/poi/display?id=214&type=vulnerabilities
- http://www.idefense.com/application/poi/display?id=215&type=vulnerabilities