CVE-2006-5143
Published 2006-10-10
Priority P269 · high · 7.5 · CVSS 2.0
AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 78.38% (99.5th percentile)
Multiple buffer overflows in CA BrightStor ARCserve Backup r11.5 SP1 and earlier, r11.1, and 9.01; BrightStor ARCserve Backup for Windows r11; BrightStor Enterprise Backup 10.5; Server Protection Suite r2; and Business Protection Suite r2 allow remote attackers to execute arbitrary code via crafted data on TCP port 6071 to the Backup Agent RPC Server (DBASVR.exe) using the RPC routines with opcode (1) 0x01, (2) 0x02, or (3) 0x18; invalid stub data on TCP port 6503 to the RPC routines with opcode (4) 0x2b or (5) 0x2d in ASCORE.dll in the Message Engine RPC Server (msgeng.exe); (6) a long hostname on TCP port 41523 to ASBRDCST.DLL in the Discovery Service (casdscsvc.exe); or unspecified vectors related to the (7) Job Engine Service.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| broadcom | brightstor_arcserve_backup | <= 11.5 | — |
| broadcom | brightstor_arcserve_backup | — | — |
| broadcom | brightstor_arcserve_backup | — | — |
| broadcom | brightstor_enterprise_backup | — | — |
| broadcom | business_protection_suite | — | — |
| broadcom | server_protection_suite | — | — |
| ca | brightstor_arcserve_backup | — | — |
Detection & IOCs (extracted from sources)
- Detect DCE/RPC bind requests to UUID dc246bf0-7a7a-11ce-9f88-00805fe43838 v1.0 on TCP/6503 targeting the CA BrightStor Message Engine (msgeng.exe)
- Alert on DCE/RPC calls to opcode 0x2b (43) or 0x2d (45) on TCP/6503 with oversized stub data (>=680 bytes of NOP-like padding) targeting msgeng.exe / ASCORE.dll
- Alert on DCE/RPC calls to opcode 0x01, 0x02, or 0x18 on TCP/6071 to the Backup Agent RPC Server (DBASVR.exe) with crafted/oversized data
- Alert on excessively long hostname strings sent to TCP/41523 targeting the CA BrightStor Discovery Service (casdscsvc.exe / ASBRDCST.DLL)
- Monitor for outbound connections or listening services on TCP/4444 following exploitation of msgeng.exe or Mediasvr.exe, indicating successful bind-shell payload execution
- Detect portmap (TCP/111) queries for the CA Mediasvr.exe RPC service (program 0x00060097e / 0x6097e) as a precursor to exploitation
- The Metasploit module targets Windows 2000 SP4 English only, using hardcoded RET (0x7c2f6cc8) and UEF (0x7c54144c) addresses; detection/blocking based on these addresses is OS-version specific
No detection rules found.
Exploit-DB
CA BrightStor ARCserve - Message Engine Heap Overflow (Metasploit)
exploitdb·2010-04-30
---
##
# $Id: message_engine_heap.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'CA BrightStor ARCserve Message Engine Heap Overflow',
'Description' => %q{
This module exploits a heap overflow in Computer Associates BrightStor ARCserve Backup
11.5. By sending a specially crafted RPC request, an attacker could overflow the
buffer and execute arbitrary code.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9179 $
Exploit-DB
CA BrightStor ARCserve - 'msgeng.exe' Remote Stack Overflow
exploitdb·2007-03-16
---
#!/usr/bin/python
# This one was listed in the SANS TOP 20 and I needed an exploit for analysis.
# I couldn't find a reliable exploit for my analysis and so came up with this.
# Remote exploit for the CA BrightStor msgeng.exe service stack overflow
# vulnerability as described in LS-20060330.pdf on lssec.com. The exploit was
# tested on windows 2000 SP4 in a VMware environment.
# Opens a shell on TCP port 4444.
#
# Though a stack overflow vulnerability caused due to strcpy, this vulnerability
# provides an interesting case. Unlike a traditional stack overflow where the
# user supplies the overflow data which immediately is copied into a stack
# based buffer, here the user supplied data is stored in the heap and the first
# DW
Exploit-DB
Computer Associates Products Message Engine RPC Server - Multiple Buffer Overflow Vulnerabilities (1)
exploitdb·2006-10-05
---
// source: https://www.securityfocus.com/bid/20365/info
Multiple Computer Associates products are prone to multiple buffer-overflow vulnerabilities because the applications using an affected library fail to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.
Exploiting these issues allows attackers to execute arbitrary machine code within the context of the affected application.
/*
* LSsec.com
*
* CA BrightStor ARCserve Backup v11.5 Message Engine Remote Heap Overflow Exploit
*
*
*/
#include
#include
#include
#include
#pragma comment(lib, "ws2_32")
#pragma pack(1)
#define _DCE_RPC_REQ 0x00
#define _DCE_RPC_BIND 0x0B
#define PKT
Exploit-DB
Computer Associates Products Message Engine RPC Server - Multiple Buffer Overflow Vulnerabilities (2)
exploitdb·2006-10-05
---
source: https://www.securityfocus.com/bid/20365/info
Multiple Computer Associates products are prone to multiple buffer-overflow vulnerabilities because the applications using an affected library fail to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.
Exploiting these issues allows attackers to execute arbitrary machine code within the context of the affected application.
#!/usr/bin/python
#
# Computer Associates (CA) Brightstor Backup Mediasvr.exe Remote Code Exploit
# (Previously Unknown)
#
# There seems to be a design error in the handling of RPC data with xdr procedures
# across several .dll's imported by Mediasvr.exe. Fou
Metasploit
CA BrightStor ARCserve Message Engine Heap Overflow
metasploit
This module exploits a heap overflow in Computer Associates BrightStor ARCserve Backup 11.5. By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code.
No writeups or analysis indexed.
- http://secunia.com/advisories/22285
- http://securitytracker.com/id?1017003
- http://securitytracker.com/id?1017004
- http://securitytracker.com/id?1017005
- http://securitytracker.com/id?1017006
- http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp
- http://www.kb.cert.org/vuls/id/361792
- http://www.kb.cert.org/vuls/id/860048
- http://www.lssec.com/advisories/LS-20060220.pdf
- http://www.lssec.com/advisories/LS-20060313.pdf
- http://www.lssec.com/advisories/LS-20060330.pdf
- http://www.securityfocus.com/archive/1/447839/100/100/threaded
- http://www.securityfocus.com/archive/1/447847/100/200/threaded
- http://www.securityfocus.com/archive/1/447848/100/100/threaded
- http://www.securityfocus.com/archive/1/447862/100/100/threaded
- http://www.securityfocus.com/archive/1/447926/100/200/threaded
- http://www.securityfocus.com/archive/1/447927/100/200/threaded
- http://www.securityfocus.com/archive/1/447930/100/200/threaded
- http://www.securityfocus.com/bid/20365
- http://www.tippingpoint.com/security/advisories/TSRT-06-11.html
- http://www.vupen.com/english/advisories/2006/3930
- http://www.zerodayinitiative.com/advisories/ZDI-06-030.html
- http://www.zerodayinitiative.com/advisories/ZDI-06-031.html
- http://www3.ca.com/securityadvisor/blogs/posting.aspx?pid=93775&id=90744
- http://www3.ca.com/securityadvisor/blogs/posting.aspx?pid=94397&id=90744
- http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34693
- https://exchange.xforce.ibmcloud.com/vulnerabilities/29364