CVE-2006-6917
published 2006-12-31

Priority: P263, critical, 10 (CVSS 2.0)
AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 29.35% (97.9th percentile)
Multiple buffer overflows in Computer Associates (CA) BrightStor ARCserve Backup R11.5 Server before SP2 allow remote attackers to execute arbitrary code in the Tape Engine (tapeeng.exe) via a crafted RPC request with (1) opnum 38, which is not properly handled in TAPEUTIL.dll 11.5.3884.0, or (2) opnum 37, which is not properly handled in TAPEENG.dll 11.5.3884.0.

Affected

1 range
Vendor | Product | Version range | Fixed in
broadcom | brightstor_arcserve_backup_server | |

Detection & IOCs (extracted from sources)

port: 6502
port: 4443
other: 62b93df0-8b02-11ce-876c-00805f842837 v1.0
process: tapeeng.exe
filename: TAPEUTIL.dll
filename: TAPEENG.dll
command: RPC opnum 38
command: RPC opnum 37
command: RPC opnum 43 (EnableDetailLogging)
bytes: \x90\x90\x90\x90\xeb\x08
bytes: \xd2\x7b\x57\x7c
  • Detect exploit attempts by monitoring for RPC calls to the tapeeng.exe service UUID 62b93df0-8b02-11ce-876c-00805f842837 v1.0 on TCP port 6502 using opnum 37, 38, or 43 with anomalously large request payloads (e.g., >1000 bytes).
  • Alert on new inbound TCP connections to port 4443 on hosts running CA BrightStor ARCserve Backup, as the exploit shellcode binds a shell to that port.
  • Look for the NOP sled + short-jump byte pattern (\x90\x90\x90\x90\xeb\x08) followed by the kernel32.dll call-ebx gadget (\xd2\x7b\x57\x7c) within RPC request payloads on port 6502.
  • The exploit first sends a benign opnum 43 'EnableDetailLogging' RPC call before the actual overflow; detecting this precursor call from an unexpected source may indicate pre-exploitation reconnaissance.
  • The exploit was tested specifically on Windows 2000 SP4; the kernel32.dll call-ebx gadget address (\xd2\x7b\x57\x7c) is hardcoded for that platform and may not apply to other OS versions.
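
The size and byte-pattern checks from the notes above, written as a small classifier over reassembled DCE/RPC request PDUs. This is an added example, not code from the advisory or the vendor. It assumes the standard connection-oriented DCE/RPC v5 header layout, single-fragment requests, and that the PDU has already been attributed to TCP 6502 and the tape engine interface; the function names and the sample PDUs are constructed for illustration.

```python
import struct

# Indicators taken from the detection notes above.
WATCHED_OPNUMS = {37, 38, 43}
LARGE_STUB = 1000                        # the notes' example size threshold
SLED_JUMP = b"\x90\x90\x90\x90\xeb\x08"
GADGET = b"\xd2\x7b\x57\x7c"
PTYPE_REQUEST, PFC_OBJECT_UUID = 0, 0x80

def parse_request(pdu):
    """Return (opnum, stub) for a DCE/RPC v5 request PDU, else None."""
    if len(pdu) < 24 or pdu[0] != 5 or pdu[2] != PTYPE_REQUEST:
        return None
    endian = "<" if (pdu[4] & 0xF0) == 0x10 else ">"   # integer format from drep
    frag_len, auth_len = struct.unpack_from(endian + "HH", pdu, 8)
    if not 24 <= frag_len <= len(pdu):
        return None                                    # truncated or malformed
    opnum = struct.unpack_from(endian + "H", pdu, 22)[0]
    start = 24 + (16 if pdu[3] & PFC_OBJECT_UUID else 0)
    end = frag_len - (auth_len + 8 if auth_len else 0)  # drop auth trailer
    return (opnum, pdu[start:end]) if end >= start else None

def classify(pdu):
    """Return alert strings for one PDU already attributed to TCP 6502."""
    parsed = parse_request(pdu)
    if parsed is None:
        return []
    opnum, stub = parsed
    alerts = []
    if opnum in WATCHED_OPNUMS and len(stub) > LARGE_STUB:
        alerts.append(f"opnum {opnum} with {len(stub)}-byte stub")
    i = stub.find(SLED_JUMP)
    if i != -1 and stub.find(GADGET, i + len(SLED_JUMP)) != -1:
        alerts.append("sled/jump bytes followed by gadget bytes")
    return alerts

def build_request(opnum, stub):
    """Constructed test input: little-endian request, no auth, no object UUID."""
    return struct.pack("<BBBB4sHHIIHH", 5, 0, PTYPE_REQUEST, 0x03, b"\x10\x00\x00\x00",
                       24 + len(stub), 0, 1, len(stub), 0, opnum) + stub

if __name__ == "__main__":
    for pdu in (build_request(43, b"\x00" * 16),            # small call: no alert
                build_request(38, b"A" * 1200),              # oversized stub
                build_request(37, b"A" * 1100 + SLED_JUMP + GADGET)):
        print(classify(pdu))
```

The size rule is the portable one; the gadget bytes are tied to Windows 2000 SP4 as noted above, so a miss on the byte pattern does not clear an oversized request.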