CVE-2006-6076
published 2006-11-24

CVE-2006-6076: Buffer overflow in the Tape Engine (tapeeng.exe) in CA (formerly Computer Associates) BrightStor ARCserve Backup 11.5 and earlier allows remote attackers to…

Priority: P272 critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 70.22% (99.3th percentile)
Buffer overflow in the Tape Engine (tapeeng.exe) in CA (formerly Computer Associates) BrightStor ARCserve Backup 11.5 and earlier allows remote attackers to execute arbitrary code via certain RPC requests to TCP port 6502.

Affected

7 ranges

Vendor    Product                           Version range  Fixed in
broadcom  brightstor_arcserve_backup        <= 11.5
broadcom  brightstor_arcserve_backup
broadcom  brightstor_arcserve_backup
ca        brightstor_arcserve_backup
ca        brightstor_arcserve_backup
ca        brightstor_arcserve_backup_agent
ca        brightstor_arcserve_backup_agent

Detection & IOCs (extracted from sources)

port: 6502/tcp
process: tapeeng.exe
other: DCERPC UUID: 62b93df0-8b02-11ce-876c-00805f842837 v1.0
command: dcerpc.call(43, request)
command: dcerpc_call(38, sploit)
bytes: \x00\x04\x08\x0c\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
bytes: \x10\x09\xf9\x77
  • Detect exploit attempts by monitoring for DCERPC bind requests to UUID 62b93df0-8b02-11ce-876c-00805f842837 on TCP port 6502, which is the Tape Engine RPC interface targeted by this CVE.
  • The exploit first sends a crafted DCERPC opnum 43 probe request (20-byte body starting with \x00\x04\x08\x0c\x02) before the overflow; detecting this sequence on TCP/6502 can serve as an early-stage indicator.
  • The filler pattern \x10\x09\xf9\x77 prepended to the overflow buffer is a distinctive byte sequence that can be used in a network signature for this specific exploit.
  • Payload bad characters for this exploit are \x00\x0a\x0d\x5c\x5f\x2f\x2e; any shellcode delivered over TCP/6502 to tapeeng.exe will not contain these bytes, which can help tune detection rules.
  • The overflow payload uses rand_text_english for filler, meaning the bulk of the buffer content is randomised per attempt; byte-pattern signatures must focus on the fixed prefix (\x10\x09\xf9\x77) and the DCERPC UUID rather than the full payload body.
  • A separate Metasploit module (tape_engine_0x8a.rb) also exploits the same product/version range via a different DCERPC opnum (0x8A); detections scoped only to opnum 38/43 may miss that variant.
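
Added example (not part of the original page, the vendor's code, or any exploit module): a Python check that applies the bind-UUID, opnum and fixed-prefix notes above to DCERPC PDUs reassembled from a TCP/6502 stream. The names inspect_pdu and sample_bind and the sample PDU are constructed for illustration; the code assumes one unfragmented connection-oriented PDU per call.

```python
import struct
import uuid

TAPE_ENGINE_UUID = uuid.UUID("62b93df0-8b02-11ce-876c-00805f842837")  # from the page
WATCHED_OPNUMS = {38, 43}          # the 0x8A variant is caught by the bind check
FILLER_PREFIX = b"\x10\x09\xf9\x77"
PTYPE_REQUEST, PTYPE_BIND = 0, 11  # connection-oriented DCERPC PDU types


def inspect_pdu(pdu: bytes) -> list:
    """Hypothetical helper: findings for one DCERPC PDU seen on TCP/6502."""
    findings = []
    if len(pdu) < 16 or pdu[0] != 5:
        return findings
    ptype, flags = pdu[2], pdu[3]
    little = bool(pdu[4] & 0x10)   # data representation: integer byte order
    end = "<" if little else ">"
    pdu = pdu[:struct.unpack_from(end + "H", pdu, 8)[0]]  # honour frag_length
    if ptype == PTYPE_BIND and len(pdu) >= 28:
        off = 28                   # first presentation context element
        for _ in range(pdu[24]):   # n_context_elem
            if off + 24 > len(pdu):
                break              # truncated context list
            raw = pdu[off + 4:off + 20]
            iface = uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
            ver = struct.unpack_from(end + "I", pdu, off + 20)[0]
            if iface == TAPE_ENGINE_UUID:
                findings.append(f"bind v{ver & 0xFFFF}.{ver >> 16}")
            off += 24 + 20 * pdu[off + 2]  # skip n_transfer_syn syntaxes
    elif ptype == PTYPE_REQUEST and len(pdu) >= 24:
        opnum = struct.unpack_from(end + "H", pdu, 22)[0]
        stub = pdu[24 + (16 if flags & 0x80 else 0):]  # skip object UUID
        if opnum in WATCHED_OPNUMS:
            findings.append(f"opnum {opnum}")
        if FILLER_PREFIX in stub:
            findings.append("filler prefix")
    return findings


def sample_bind() -> bytes:
    """Constructed little-endian bind PDU offering only the Tape Engine UUID."""
    ndr = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax
    body = struct.pack("<HHIBBHHBB", 5840, 5840, 0, 1, 0, 0, 0, 1, 0)
    body += TAPE_ENGINE_UUID.bytes_le + struct.pack("<I", 1) + ndr.bytes_le + struct.pack("<I", 2)
    return struct.pack("<BBBB4sHHI", 5, 0, 11, 3, b"\x10\0\0\0", 16 + len(body), 0, 1) + body


if __name__ == "__main__":
    print(inspect_pdu(sample_bind()))
```

Because the bind check matches the interface UUID rather than an opnum, it also covers sessions that go on to call an opnum outside the watched set.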