CVE-2005-2668
published 2005-08-23

CVE-2005-2668: Multiple buffer overflows in Computer Associates (CA) Message Queuing (CAM / CAFT) 1.05, 1.07 before Build 220_13, and 1.11 before Build 29_13 allow remote…

Priority P261 · critical · 10 (CVSS 2.0)
CVSS vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 75.24% (99.5th percentile)
Multiple buffer overflows in Computer Associates (CA) Message Queuing (CAM / CAFT) 1.05, 1.07 before Build 220_13, and 1.11 before Build 29_13 allow remote attackers to execute arbitrary code via unknown vectors.

Affected

53 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| broadcom | advantage_data_transport | | |
| broadcom | adviseit | | |
| broadcom | brightstor_portal | | |
| broadcom | brightstor_san_manager | | |
| broadcom | brightstor_san_manager | | |
| broadcom | cleverpath_aion | | |
| broadcom | cleverpath_ecm | | |
| broadcom | cleverpath_olap | | |
| broadcom | cleverpath_predictive_analysis_server | | |
| broadcom | cleverpath_predictive_analysis_server | | |
| broadcom | etrust_admin | | |
| broadcom | etrust_admin | | |
| broadcom | messaging | | |
| broadcom | messaging | | |
| broadcom | messaging | | |
| broadcom | unicenter_application_performance_monitor | | |
| broadcom | unicenter_application_performance_monitor | | |
| broadcom | unicenter_asset_management | | |
| broadcom | unicenter_asset_management | | |
| broadcom | unicenter_asset_management | | |
| broadcom | unicenter_data_transport_option | | |
| broadcom | unicenter_jasmine | | |
| broadcom | unicenter_management_portal | | |
| broadcom | unicenter_management_portal | | |
| broadcom | unicenter_network_and_systems_management | | |

Detection & IOCs (extracted from sources)

port: CAM service port (ACK handshake observed)
bytes: \xfa\xf9\x00\x10 (4-byte exploit packet header)
bytes: ACK\x00 (CAM service handshake response)
  • Detect exploit attempts by matching the 4-byte magic header \xfa\xf9\x00\x10 at the start of a TCP payload sent to the CA CAM service port, followed by a large (~4096 byte) buffer.
  • The exploit sends a 4096-byte buffer with EIP overwrite at offset 1016 and ESI overwrite at offset 1052; network payloads of this size to the CAM service are highly suspicious.
  • Probe/check traffic can be identified by a TCP connection to the CAM service that receives 'ACK\x00' and immediately disconnects — indicative of a pre-exploit fingerprint check.
  • The vulnerability is triggered via the log_security() function in the CA CAM service (part of TNG Unicenter); monitor for abnormal process behavior or crashes in the CAM service process on Windows hosts running Unicenter.
  • The Metasploit module targets only Windows x86 platforms; the return addresses are specific to ws2help.dll and W2API.DLL on particular Windows SP levels — detection signatures based on return addresses must account for all listed variants.
  • The null byte (\x00) is the only listed bad character for the payload; custom shellcode avoiding only null bytes will evade simple character-based filters.
  • Affected versions are CAM/CAFT 1.05, 1.07 before Build 220_13, and 1.11 before Build 29_13; detections should be scoped to hosts running these specific versions.
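
One way to apply the header, size and handshake indicators above to reassembled TCP sessions on the CAM service port, as an added example that is not part of the original page or of any vendor tooling. The session tuple layout, the 4000-byte threshold, the label names and the rule that a probe sends no client data are assumptions; the sample sessions are constructed.

```python
MAGIC = b"\xfa\xf9\x00\x10"   # 4-byte header quoted on this page
HANDSHAKE = b"ACK\x00"        # CAM handshake response quoted on this page
LARGE_PAYLOAD = 4000          # assumption: just under the ~4096 bytes cited
RANK = {"benign": 0, "probe": 1, "suspicious_header": 2, "exploit_attempt": 3}


def classify_session(client_segments, server_segments, client_closed_first):
    """Label one session: exploit_attempt, suspicious_header, probe or benign.

    client_segments / server_segments: lists of bytes in arrival order.
    client_closed_first: True if the client tore the connection down.
    """
    # Reassemble first: the header and buffer can be split across TCP
    # segments, so per-packet matching misses a short first segment.
    client = b"".join(client_segments)
    server = b"".join(server_segments)

    if client.startswith(MAGIC):
        if len(client) >= LARGE_PAYLOAD:
            return "exploit_attempt"
        return "suspicious_header"  # magic present, size below threshold
    # Fingerprint check: service answered ACK\x00, then the client left.
    # Assumption: the probing client sends no payload of its own.
    if server.startswith(HANDSHAKE) and not client and client_closed_first:
        return "probe"
    return "benign"


def triage(sessions):
    """Map each source address to its most severe label across sessions."""
    worst = {}
    for src, client, server, closed in sessions:
        label = classify_session(client, server, closed)
        worst[src] = max(worst.get(src, "benign"), label, key=RANK.get)
    return worst


# Constructed sessions (RFC 5737 documentation addresses, filler bytes only).
SAMPLE_SESSIONS = [
    ("192.0.2.10", [], [HANDSHAKE], True),
    ("192.0.2.10", [MAGIC[:2], MAGIC[2:] + b"A" * 1000, b"A" * 3092],
     [HANDSHAKE], False),
    ("192.0.2.20", [b"hello"], [HANDSHAKE], False),
    ("192.0.2.30", [MAGIC + b"\x00" * 16], [], True),
]

if __name__ == "__main__":
    for src, label in triage(SAMPLE_SESSIONS).items():
        print(src, label)
```

A probe followed by a large magic-prefixed payload from the same source, as in the first two sample sessions, is the sequence the notes above describe and is worth alerting on as a pair.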