CVE-2005-2668
Published 2005-08-23
Priority: P261 · critical · CVSS 2.0: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 75.24% (99.5th percentile)
Multiple buffer overflows in Computer Associates (CA) Message Queuing (CAM / CAFT) 1.05, 1.07 before Build 220_13, and 1.11 before Build 29_13 allow remote attackers to execute arbitrary code via unknown vectors.
Affected
53 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| broadcom | advantage_data_transport | — | — |
| broadcom | adviseit | — | — |
| broadcom | brightstor_portal | — | — |
| broadcom | brightstor_san_manager | — | — |
| broadcom | brightstor_san_manager | — | — |
| broadcom | cleverpath_aion | — | — |
| broadcom | cleverpath_ecm | — | — |
| broadcom | cleverpath_olap | — | — |
| broadcom | cleverpath_predictive_analysis_server | — | — |
| broadcom | cleverpath_predictive_analysis_server | — | — |
| broadcom | etrust_admin | — | — |
| broadcom | etrust_admin | — | — |
| broadcom | messaging | — | — |
| broadcom | messaging | — | — |
| broadcom | messaging | — | — |
| broadcom | unicenter_application_performance_monitor | — | — |
| broadcom | unicenter_application_performance_monitor | — | — |
| broadcom | unicenter_asset_management | — | — |
| broadcom | unicenter_asset_management | — | — |
| broadcom | unicenter_asset_management | — | — |
| broadcom | unicenter_data_transport_option | — | — |
| broadcom | unicenter_jasmine | — | — |
| broadcom | unicenter_management_portal | — | — |
| broadcom | unicenter_management_portal | — | — |
| broadcom | unicenter_network_and_systems_management | — | — |
Detection & IOCs (extracted from sources)
bytes: \xfa\xf9\x00\x10 (4-byte exploit packet header)
bytes: ACK\x00 (CAM service handshake response)
- Detect exploit attempts by matching the 4-byte magic header \xfa\xf9\x00\x10 at the start of a TCP payload sent to the CA CAM service port, followed by a large (~4096 byte) buffer.
- The exploit sends a 4096-byte buffer with EIP overwrite at offset 1016 and ESI overwrite at offset 1052; network payloads of this size to the CAM service are highly suspicious.
- Probe/check traffic can be identified by a TCP connection to the CAM service that receives 'ACK\x00' and immediately disconnects, indicative of a pre-exploit fingerprint check.
- The vulnerability is triggered via the log_security() function in the CA CAM service (part of TNG Unicenter); monitor for abnormal process behavior or crashes in the CAM service process on Windows hosts running Unicenter.
- The Metasploit module targets only Windows x86 platforms; the return addresses are specific to ws2help.dll and W2API.DLL on particular Windows SP levels, so detection signatures based on return addresses must account for all listed variants.
- The null byte (\x00) is the only listed bad character for the payload; custom shellcode avoiding only null bytes will evade simple character-based filters.
- Affected versions are CAM/CAFT 1.05, 1.07 before Build 220_13, and 1.11 before Build 29_13; detections should be scoped to hosts running these specific versions.
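The network-side notes above (magic header plus oversized payload, and the handshake-then-disconnect probe) can be combined into one session classifier. This is an added example, not code from the original page or from the Metasploit project; the Session layout, the 4000-byte threshold, the "header-only" verdict and the sample sessions are assumptions constructed for illustration.

```python
from dataclasses import dataclass

MAGIC = b"\xfa\xf9\x00\x10"  # 4-byte header quoted on this page
HANDSHAKE = b"ACK\x00"       # CAM handshake response quoted on this page
LARGE = 4000                 # assumption: just under the ~4096-byte buffer


@dataclass
class Session:
    """One reassembled TCP session to the CAM port (hypothetical layout)."""
    src: str
    client_bytes: bytes  # everything the client sent
    server_bytes: bytes  # everything the service sent


def classify(s: Session) -> str:
    if s.client_bytes.startswith(MAGIC):
        # Header plus oversized body matches the described exploit traffic;
        # header alone is kept as a lower-confidence hit for review.
        return "exploit-attempt" if len(s.client_bytes) >= LARGE else "header-only"
    if s.server_bytes.startswith(HANDSHAKE) and not s.client_bytes:
        return "probe"  # received the handshake, sent nothing, disconnected
    return "benign"


def correlate(sessions):
    """Per-source verdicts in arrival order; flag a probe followed by an exploit attempt."""
    per_src = {}
    for s in sessions:
        per_src.setdefault(s.src, []).append(classify(s))
    alerts = {}
    for src, verdicts in per_src.items():
        hits = [v for v in verdicts if v != "benign"]
        if hits:
            after_probe = verdicts[verdicts.index("probe") + 1:] if "probe" in verdicts else []
            alerts[src] = {"verdicts": hits, "probe_then_exploit": "exploit-attempt" in after_probe}
    return alerts


# Constructed sample sessions (documentation addresses, filler bytes only).
SAMPLE = [
    Session("192.0.2.10", b"", b"ACK\x00"),
    Session("192.0.2.10", MAGIC + b"A" * 4092, b"ACK\x00"),
    Session("198.51.100.7", b"", b"ACK\x00"),
    Session("203.0.113.5", b"\x01\x02hello", b"ACK\x00"),
]

if __name__ == "__main__":
    for src, alert in correlate(SAMPLE).items():
        print(src, alert)
```

A source that probes and then sends the oversized payload is the highest-confidence case; a lone probe is worth recording but is also what a benign scanner or health check would produce.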
No detection rules found.
Exploit-DB
CA CAM (Windows x86) - 'log_security()' Remote Stack Buffer Overflow (Metasploit)
exploitdb · 2010-09-20
---
##
# $Id: cam_log_security.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'CA CAM log_security() Stack Buffer Overflow (Win32)',
'Description' => %q{
This module exploits a vulnerability in the CA CAM service
by passing a long parameter to the log_security() function.
The CAM service is part of TNG Unicenter. This module has
been tested on Unicenter v3.1.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' =>
Metasploit
CA CAM log_security() Stack Buffer Overflow (Win32)
metasploit
This module exploits a vulnerability in the CA CAM service by passing a long parameter to the log_security() function. The CAM service is part of TNG Unicenter. This module has been tested on Unicenter v3.1.
No writeups or analysis indexed.
http://secunia.com/advisories/16513
http://supportconnectw.ca.com/public/ca_common_docs/camsecurity_notice.asp
http://www.kb.cert.org/vuls/id/619988
http://www.osvdb.org/18916
http://www.securityfocus.com/bid/14622
http://www.vupen.com/english/advisories/2005/1482
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=32919