CVE-2006-6917
Published 2006-12-31
Priority: P2 (63) · Severity: critical · CVSS 2.0 base score: 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 29.35% (97.9th percentile)
Multiple buffer overflows in Computer Associates (CA) BrightStor ARCserve Backup R11.5 Server before SP2 allow remote attackers to execute arbitrary code in the Tape Engine (tapeeng.exe) via a crafted RPC request with (1) opnum 38, which is not properly handled in TAPEUTIL.dll 11.5.3884.0, or (2) opnum 37, which is not properly handled in TAPEENG.dll 11.5.3884.0.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| broadcom | brightstor_arcserve_backup_server | — | — |
Detection & IOCs (extracted from sources)
- bytes: \x90\x90\x90\x90\xeb\x08
- bytes: \xd2\x7b\x57\x7c
- Detect exploit attempts by monitoring for RPC calls to the tapeeng.exe service (UUID 62b93df0-8b02-11ce-876c-00805f842837 v1.0) on TCP port 6502 that use opnum 37, 38, or 43 with anomalously large request payloads (e.g., more than 1000 bytes).
- Alert on new inbound TCP connections to port 4443 on hosts running CA BrightStor ARCserve Backup, as the public exploit's shellcode binds a shell to that port.
- Look for the NOP sled plus short-jump byte pattern (\x90\x90\x90\x90\xeb\x08) followed by the kernel32.dll call-ebx gadget address (\xd2\x7b\x57\x7c) within RPC request payloads on port 6502.
- The public exploit first sends a benign opnum 43 ('EnableDetailLogging') RPC call before the actual overflow; detecting this precursor call from an unexpected source may indicate pre-exploitation reconnaissance.
- The exploit was tested specifically on Windows 2000 SP4; the kernel32.dll call-ebx gadget address (\xd2\x7b\x57\x7c) is hardcoded for that platform and may not apply to other OS versions.
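The detection notes above translate into a small traffic check. The following Python is an added example (not code from this page, from CA, or from the public exploit): it parses the connection-oriented DCE/RPC request header to recover the opnum and stub data, then applies the page's three payload heuristics (suspect opnum with an oversized stub, NOP-sled-plus-jump followed by the call-ebx gadget bytes, and the opnum 43 precursor). The UUID, port, opnums and byte patterns come from the notes above; the PDU builder and sample requests are constructed for the demonstration.

```python
import struct

# Heuristics taken from the detection notes above; everything else here is constructed.
TAPEENG_PORT = 6502
SUSPECT_OPNUMS = {37, 38, 43}
LARGE_STUB = 1000
NOP_SLED_JMP = b"\x90\x90\x90\x90\xeb\x08"
CALL_EBX_GADGET = b"\xd2\x7b\x57\x7c"

def parse_request(pdu: bytes):
    """Parse a connection-oriented DCE/RPC request PDU. Returns (opnum, stub) or None."""
    if len(pdu) < 24 or pdu[0] != 5 or pdu[2] != 0:      # rpc_vers 5, PTYPE_REQUEST
        return None
    flags = pdu[3]
    end = "<" if pdu[4] & 0x10 else ">"                    # drep byte-order flag
    frag_len = struct.unpack_from(end + "H", pdu, 8)[0]
    if frag_len > len(pdu):
        return None
    opnum = struct.unpack_from(end + "H", pdu, 22)[0]
    stub_off = 24 + (16 if flags & 0x80 else 0)            # PFC_OBJECT_UUID adds 16 bytes
    return opnum, pdu[stub_off:frag_len]

def assess(dst_port: int, pdu: bytes) -> list:
    """Return the findings for one request; only traffic to the Tape Engine port is examined."""
    findings = []
    parsed = parse_request(pdu) if dst_port == TAPEENG_PORT else None
    if parsed is None:
        return findings
    opnum, stub = parsed
    if opnum in SUSPECT_OPNUMS and len(stub) > LARGE_STUB:
        findings.append(f"opnum {opnum} with oversized {len(stub)}-byte stub")
    i = stub.find(NOP_SLED_JMP)
    if i != -1 and CALL_EBX_GADGET in stub[i:]:
        findings.append("NOP sled + short jump followed by call-ebx gadget")
    if opnum == 43 and len(stub) <= LARGE_STUB:
        findings.append("opnum 43 precursor call (review source host)")
    return findings

def build_request(opnum: int, stub: bytes, call_id: int = 1) -> bytes:
    """Constructed little-endian request PDU, used only to make sample traffic."""
    hdr = struct.pack("<BBBBIHHI", 5, 0, 0, 0x03, 0x10, 24 + len(stub), 0, call_id)
    return hdr + struct.pack("<IHH", len(stub), 0, opnum) + stub

# Constructed samples: a small opnum 43 precursor call, then an oversized opnum 38 request.
PRECURSOR = build_request(43, b"\x01\x00\x00\x00")
OVERFLOW = build_request(38, NOP_SLED_JMP + b"A" * 1200 + CALL_EBX_GADGET)

if __name__ == "__main__":
    for name, pdu in (("precursor", PRECURSOR), ("overflow", OVERFLOW)):
        print(name, assess(TAPEENG_PORT, pdu))
```

Feed it reassembled TCP payloads to port 6502 (a single fragment per PDU is assumed; fragmented requests would need reassembly first).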
No detection rules found.
No writeups or analysis indexed.
References
http://supportconnectw.ca.com/public/storage/infodocs/basbrtapeeng-secnotice.asp
http://www.lssec.com/advisories/LS-20060908.pdf
http://www.lssec.com/advisories/LS-20061001.pdf
http://www.securityfocus.com/archive/1/453930/30/390/threaded
http://www.securityfocus.com/archive/1/453933/30/420/threaded
http://www.securityfocus.com/archive/1/454088/30/0/threaded
http://www.securityfocus.com/archive/1/454094/30/360/threaded
http://www.securityfocus.com/archive/1/456428/100/0/threaded
http://www.securityfocus.com/archive/1/456711
http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=97428
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34959
https://www.exploit-db.com/exploits/3086