CVE-2006-6076
Published 2006-11-24
Priority P2 72 · critical · CVSS 2.0: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 70.22% (99.3th percentile)
Buffer overflow in the Tape Engine (tapeeng.exe) in CA (formerly Computer Associates) BrightStor ARCserve Backup 11.5 and earlier allows remote attackers to execute arbitrary code via certain RPC requests to TCP port 6502.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| broadcom | brightstor_arcserve_backup | <= 11.5 | — |
| broadcom | brightstor_arcserve_backup | — | — |
| broadcom | brightstor_arcserve_backup | — | — |
| ca | brightstor_arcserve_backup | — | — |
| ca | brightstor_arcserve_backup | — | — |
| ca | brightstor_arcserve_backup_agent | — | — |
| ca | brightstor_arcserve_backup_agent | — | — |
Detection & IOCs
bytes: \x00\x04\x08\x0c\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
bytes: \x10\x09\xf9\x77
- Detect exploit attempts by monitoring for DCERPC bind requests to UUID 62b93df0-8b02-11ce-876c-00805f842837 on TCP port 6502, which is the Tape Engine RPC interface targeted by this CVE.
- The exploit first sends a crafted DCERPC opnum 43 probe request (20-byte body starting with \x00\x04\x08\x0c\x02) before the overflow; detecting this sequence on TCP/6502 can serve as an early-stage indicator.
- The filler pattern \x10\x09\xf9\x77 prepended to the overflow buffer is a distinctive byte sequence that can be used in a network signature for this specific exploit.
- Payload bad characters for this exploit are \x00\x0a\x0d\x5c\x5f\x2f\x2e; any shellcode delivered over TCP/6502 to tapeeng.exe will not contain these bytes, which can help tune detection rules.
- The overflow payload uses rand_text_english for filler, meaning the bulk of the buffer content is randomised per attempt; byte-pattern signatures must focus on the fixed prefix (\x10\x09\xf9\x77) and the DCERPC UUID rather than the full payload body.
- A separate Metasploit module (tape_engine_0x8a.rb) also exploits the same product/version range via a different DCERPC opnum (0x8A); detections scoped only to opnum 38/43 may miss that variant.
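The checks in the list above, written as a detector over reassembled DCE/RPC PDUs from TCP/6502. This is an added example, not code from the page or from any of the cited sources; the function and label names are hypothetical, the PDU layout is the standard connection-oriented DCE/RPC one, and the sample PDUs are constructed rather than captured.

```python
import struct
import uuid

TAPE_ENGINE_UUID = uuid.UUID("62b93df0-8b02-11ce-876c-00805f842837")
PROBE_PREFIX = b"\x00\x04\x08\x0c\x02"  # start of the 20-byte opnum 43 body
FILLER = b"\x10\x09\xf9\x77"            # fixed prefix of the overflow buffer
PT_REQUEST, PT_BIND = 0, 11             # DCE/RPC connection-oriented PDU types

def inspect_pdu(pdu):
    """Return the indicators from the list above that one DCE/RPC PDU matches."""
    hits = []
    if len(pdu) < 16 or pdu[0] != 5:    # 16-byte common header, rpc_vers 5
        return hits
    ptype, flags = pdu[2], pdu[3]
    little = bool(pdu[4] & 0x10)        # drep[0] high nibble: 1 = little-endian
    end = "<" if little else ">"
    frag_len = struct.unpack_from(end + "H", pdu, 8)[0]
    body = pdu[16:frag_len]
    if ptype == PT_BIND and len(body) >= 12:
        n_ctx, off = body[8], 12        # after max_xmit, max_recv, assoc_group
        for _ in range(n_ctx):
            if off + 24 > len(body):
                break                   # truncated context list
            n_syn, raw = body[off + 2], body[off + 4:off + 20]
            iface = uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
            if iface == TAPE_ENGINE_UUID:
                hits.append("bind-tape-engine-uuid")
            off += 24 + 20 * n_syn      # abstract syntax + transfer syntaxes
    elif ptype == PT_REQUEST and len(body) >= 8:
        opnum = struct.unpack_from(end + "H", body, 6)[0]
        stub = body[8 + (16 if flags & 0x80 else 0):]  # skip optional object UUID
        if opnum == 43 and stub.startswith(PROBE_PREFIX):
            hits.append("opnum43-probe")
        if FILLER in stub:              # checked on any opnum, not only 38/43
            hits.append("filler-prefix")
    return hits

def make_pdu(ptype, body, flags=0x03):  # helper for the constructed samples only
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, flags, b"\x10\x00\x00\x00",
                       16 + len(body), 0, 1) + body

# Constructed sample PDUs (not captured traffic); NDR is the transfer syntax.
NDR = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
SAMPLE_BIND = make_pdu(PT_BIND,
    struct.pack("<HHIBBHHBB", 4280, 4280, 0, 1, 0, 0, 0, 1, 0)
    + TAPE_ENGINE_UUID.bytes_le + struct.pack("<HH", 1, 0)
    + NDR.bytes_le + struct.pack("<I", 2))
SAMPLE_PROBE = make_pdu(PT_REQUEST,
    struct.pack("<IHH", 20, 0, 43) + PROBE_PREFIX + bytes(15))
```

The four-byte filler match is short enough to collide with unrelated traffic, so it is best treated as corroboration for a preceding bind or probe hit on the same connection.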
GHSA
GHSA-f4wf-c423-fr3w · ghsa_unreviewed · 2022-05-01
CVE-2006-6076 [HIGH]
Buffer overflow in the Tape Engine (tapeeng.exe) in CA (formerly Computer Associates) BrightStor ARCserve Backup 11.5 and earlier allows remote attackers to execute arbitrary code via certain RPC requests to TCP port 6502.
GHSA
GHSA-cxjj-8j73-4q7p · ghsa_unreviewed · 2022-05-01 · CVSS 10.0
CVE-2007-1447 [CRITICAL]
The Tape Engine in CA (formerly Computer Associates) BrightStor ARCserve Backup 11.5 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via certain RPC procedure arguments, which result in memory corruption, a different vulnerability than CVE-2006-6076.
No detection rules found.
Exploit-DB
CA BrightStor ARCserve - Tape Engine Buffer Overflow (Metasploit)
exploitdb·2010-05-09
CVE-2006-6076
---
##
# $Id: tape_engine.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'CA BrightStor ARCserve Tape Engine Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup
r11.1 - r11.5. By sending a specially crafted DCERPC request, an attacker could overflow
the buffer and execute arbitrary code.
},
'Author' => [ 'MC', 'patrick' ],
'License' => MSF_LICENSE,
'Version'
Metasploit
CA BrightStor ARCserve Tape Engine Buffer Overflow
metasploit
This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup r11.1 - r11.5. By sending a specially crafted DCERPC request, an attacker could overflow the buffer and execute arbitrary code.
Metasploit
CA BrightStor ARCserve Tape Engine 0x8A Buffer Overflow
metasploit
This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup r11.1 - r11.5. By sending a specially crafted DCERPC request, an attacker could overflow the buffer and execute arbitrary code.
No writeups or analysis indexed.
Published: 2006-11-24