CVE-2005-1018
Published 2005-05-02
Priority P3 (52) · Severity: high · CVSS 2.0 base score 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available · EPSS: 58.98% (99.0th percentile)
Buffer overflow in the UniversalAgent for Computer Associates (CA) BrightStor ARCserve Backup allows remote authenticated users to cause a denial of service or execute arbitrary code via an agent request to TCP port 6050 with a large argument before the option field.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ca | brightstor_arcserve_backup | — | — |
Detection & IOCs (extracted from sources)
bytes: \x00\x00\x00\x00\x03\x20\xa8\x02
- Monitor TCP port 6050 for inbound connections to the CA BrightStor UniversalAgent service; exploit traffic begins with the 8-byte protocol header \x00\x00\x00\x00\x03\x20\xa8\x02 followed by a ~1024-byte oversized payload.
- Detect repeated rapid TCP connections (up to 200 in quick succession) to port 6050 from a single source; the exploit loops 1–200 times sending the same malformed request to grow the heap.
- Flag oversized agent requests on TCP/6050 where the payload length is ≥1024 bytes; the exploit constructs a 1024-byte overflow string ('X' * 1024) prepended with the protocol header.
- Look for the magic value 0x000003E8 (1000 decimal, packed as a 32-bit little-endian integer, pack 'V') at byte offset 248 within the TCP/6050 payload, which is required to trigger the fault.
- The exploit targets the ntagent process (UniversalAgent); alert on unexpected crashes or repeated restarts of ntagent.exe, which indicate heap-spray exploitation attempts.
- The heap-spray return address (0x01625c44) is specific to Windows XP SP1; on other OS versions the heap layout will differ and the hardcoded Ret value will not apply.
- If the default return address does not match the target environment, an attacker must search memory for the pattern and replace the address before re-running the exploit, meaning the byte signature of the payload may vary.
- The payload space is constrained to 164 bytes with no null bytes allowed; shellcode used in the wild must respect these constraints, so null-byte-containing signatures will not match.
No detection rules found.
Exploit-DB: CA BrightStor Universal Agent - Remote Overflow (Metasploit), 2010-06-22
```ruby
##
# $Id: universal_agent.rb 9583 2010-06-22 19:11:05Z todb $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'CA BrightStor Universal Agent Overflow',
      'Description' => %q{
          This module exploits a convoluted heap overflow in the CA
        BrightStor Universal Agent service. Triple userland
        exception results in heap growth and execution of
        dereferenced function pointer at a specified address.
      },
      'Author'      => [ 'hdm' ],
      'License'     => MSF_LICENSE,
      'Version'     => '$Revision: 9583 $',
      'Referenc
```
Metasploit: CA BrightStor Universal Agent Overflow
This module exploits a convoluted heap overflow in the CA BrightStor Universal Agent service. Triple userland exception results in heap growth and execution of dereferenced function pointer at a specified address.
No writeups or analysis indexed.
References
- http://marc.info/?l=bugtraq&m=111351851802682&w=2
- http://www.idefense.com/application/poi/display?id=232&type=vulnerabilities
- http://www.securityfocus.com/archive/1/390760
- http://www.securityfocus.com/bid/13102