CVE-2005-1018
published 2005-05-02


Priority: P352 (high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit known
EPSS: 58.98% (99.0th percentile)
Buffer overflow in the UniversalAgent for Computer Associates (CA) BrightStor ARCserve Backup allows remote authenticated users to cause a denial of service or execute arbitrary code via an agent request to TCP port 6050 with a large argument before the option field.

Affected (1 range)

Vendor: ca
Product: brightstor_arcserve_backup
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

port: 6050/TCP
commands: 0 Lfffffff 0x44 0x5c 0x61 0x01
bytes: \x00\x00\x00\x00\x03\x20\xa8\x02
  • Monitor TCP port 6050 for inbound connections to the CA BrightStor UniversalAgent service; exploit traffic begins with the 8-byte protocol header \x00\x00\x00\x00\x03\x20\xa8\x02 followed by an oversized payload of roughly 1024 bytes.
  • Detect repeated rapid TCP connections (up to 200 in quick succession) to port 6050 from a single source; the exploit loops 1–200 times, sending the same malformed request each time to grow the heap before the overflow is triggered.
  • Flag agent requests on TCP/6050 whose payload length is ≥1024 bytes; the exploit builds a 1024-byte overflow string ('X' * 1024) and prepends the protocol header to it.
  • Look for the value 0x000003E8 (1000 decimal) at byte offset 248 within the TCP/6050 payload. It is serialised as a 32-bit little-endian integer (Ruby pack format 'V'), so the on-wire bytes are \xe8\x03\x00\x00; this value is required to trigger the fault.
  • The exploit targets the ntagent process (UniversalAgent); alert on unexpected crashes or repeated restarts of ntagent.exe, which may indicate heap-spray exploitation attempts.
  • The heap-spray return address (0x01625c44) is specific to Windows XP SP1; on other OS versions the heap layout differs and the hardcoded Ret value will not apply.
  • If the default return address does not match the target environment, an attacker must search memory for the pattern and substitute the correct address before re-running the exploit, so the byte signature of the payload can vary between attempts.
  • The payload space is constrained to 164 bytes with no null bytes allowed; shellcode used in the wild must respect these constraints, so signatures that depend on null bytes inside the shellcode will not match.
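The indicators above translate directly into detection logic. The following is an added example written for this page, not code from the CVE source or the exploit: a small offline detector that scores a TCP/6050 request on the three payload indicators (8-byte header, oversized length, 0x000003E8 at offset 248) and tracks per-source connection bursts. The sample requests are constructed here to mirror the description; the burst threshold and window, and the reading of "offset 248" as relative to the start of the TCP payload, are assumptions.

```python
"""Offline detector for CVE-2005-1018-style requests to the BrightStor UniversalAgent (TCP/6050).

Added example; the thresholds and the sample payloads below are constructed, not taken from the exploit.
"""
import struct
from collections import defaultdict, deque

PROTO_HEADER = b"\x00\x00\x00\x00\x03\x20\xa8\x02"  # 8-byte header seen at the start of exploit traffic
OVERSIZE_BYTES = 1024       # the exploit sends a 1024-byte 'X' string after the header
MAGIC_OFFSET = 248          # offset of the 0x000003E8 value; taken relative to the TCP payload start (assumption)
MAGIC_VALUE = 0x000003E8    # 1000 decimal, serialised as 32-bit little-endian (e8 03 00 00)
BURST_COUNT = 20            # assumed alert threshold; the real exploit loops up to 200 times
BURST_WINDOW = 5.0          # seconds; assumed sliding-window size


def inspect_payload(payload: bytes) -> list[str]:
    """Return the names of the indicators a single TCP/6050 request matches."""
    hits = []
    if payload.startswith(PROTO_HEADER):
        hits.append("uniagent_header")
    if len(payload) >= OVERSIZE_BYTES:
        hits.append("oversized_request")
    if len(payload) >= MAGIC_OFFSET + 4:
        (value,) = struct.unpack_from("<I", payload, MAGIC_OFFSET)  # '<I' == Ruby pack 'V'
        if value == MAGIC_VALUE:
            hits.append("magic_0x3e8_at_248")
    return hits


def verdict(hits: list[str]) -> str:
    """Combine indicators: an oversized request carrying the magic value is treated as an exploit attempt."""
    if "oversized_request" in hits and "magic_0x3e8_at_248" in hits:
        return "exploit_attempt"
    if "oversized_request" in hits:
        return "suspicious"
    return "benign"


class BurstTracker:
    """Sliding-window count of connections per source address."""

    def __init__(self, count: int = BURST_COUNT, window: float = BURST_WINDOW):
        self.count, self.window = count, window
        self.seen = defaultdict(deque)

    def record(self, src: str, ts: float) -> bool:
        """Record one connection; return True once the source exceeds the burst threshold."""
        q = self.seen[src]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) >= self.count


def analyze(events):
    """events: iterable of (timestamp, source_ip, tcp_payload). Returns (ts, src, verdict, hits) alerts."""
    tracker = BurstTracker()
    alerts = []
    for ts, src, payload in events:
        hits = inspect_payload(payload)
        v = verdict(hits)
        if tracker.record(src, ts):
            hits = hits + ["connection_burst"]
            if v == "benign":
                v = "suspicious"
        if v != "benign":
            alerts.append((ts, src, v, hits))
    return alerts


def exploit_like_request() -> bytes:
    """Constructed sample: header + 1024 'X' bytes, with 0x000003E8 written little-endian at offset 248."""
    payload = bytearray(PROTO_HEADER) + bytearray(b"X" * OVERSIZE_BYTES)
    payload[MAGIC_OFFSET:MAGIC_OFFSET + 4] = struct.pack("<I", MAGIC_VALUE)
    return bytes(payload)


def benign_request() -> bytes:
    """Constructed sample: a short request that carries the same header but no oversized argument."""
    return PROTO_HEADER + b"\x00" * 40


if __name__ == "__main__":
    # One normal-looking request from one host, then a burst of 30 exploit-like requests from another.
    events = [(0.0, "10.0.0.5", benign_request())]
    events += [(0.1 * i, "10.0.0.9", exploit_like_request()) for i in range(30)]
    for alert in analyze(events):
        print(alert)
```

The header alone is not treated as an indicator, since legitimate agent traffic presumably carries it too; it only raises confidence when combined with the size and the magic value. Because the return address and shellcode vary per target (see the notes above), the detector deliberately matches only the fixed parts of the request.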