CVE-2007-0169
Published 2007-01-11
Priority: P2 · 67 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 68.81% (99.3th percentile)
Multiple buffer overflows in Computer Associates (CA) BrightStor ARCserve Backup 9.01 through 11.5, Enterprise Backup 10.5, and CA Server/Business Protection Suite r2 allow remote attackers to execute arbitrary code via RPC requests with crafted data for opnums (1) 0x2F and (2) 0x75 in the (a) Message Engine RPC service, or opnum (3) 0xCF in the Tape Engine service.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| broadcom | brightstor_arcserve_backup | <= 11.5 | — |
| broadcom | brightstor_arcserve_backup | — | — |
| broadcom | brightstor_enterprise_backup | — | — |
| broadcom | business_protection_suite | — | — |
Detection & IOCs (extracted from sources)
- Detect exploit attempts targeting the CA BrightStor ARCserve Message Engine RPC service on TCP port 6503 using RPC UUID dc246bf0-7a7a-11ce-9f88-00805fe43838 with calls to opnum 0x2F (47) or 0x75, or the Tape Engine service opnum 0xCF, with oversized/crafted data payloads.
- Flag RPC bind requests to UUID dc246bf0-7a7a-11ce-9f88-00805fe43838 v1.0 over ncacn_ip_tcp (TCP port 6503) followed by large NDR string payloads in dcerpc_call opnum 47 (0x2F).
- Payload bad characters for this exploit are: \x00\x0a\x0d\x5c\x5f\x2f\x2e. Shellcode in exploit traffic will avoid these bytes; use this to tune byte-pattern detection.
- Return addresses used in known exploit targets against cheyprod.dll: 0x23805d10 (r11.1), 0x2380ceb5 (r11.5), 0x2380a47d (r11.5 SP2). Presence of these values in RPC traffic is a strong exploit indicator.
- The Metasploit module targets BrightStor ARCserve Backup versions 11.1 through 11.5 SP2 only; the CVE also covers versions 9.01–11.0, Enterprise Backup 10.5, and CA Server/Business Protection Suite r2, which may use different RPC endpoints or return addresses not covered by this module.
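The bind-then-request check described in the detection notes, as an added example (not code from the page's sources or from any vendor tool): it tracks DCERPC binds to the Message Engine interface UUID and flags later requests to opnum 0x2F or 0x75 whose stub is oversized or contains one of the listed return addresses. It assumes the caller supplies one connection's client PDUs, already split and unfragmented and without an auth trailer; `inspect_stream`, `sample_pdus` and the `MAX_STUB` threshold are hypothetical names and values.

```python
import struct
import uuid

# Values taken from the detection notes above.
MSG_ENGINE_UUID = uuid.UUID("dc246bf0-7a7a-11ce-9f88-00805fe43838")
WATCHED_OPNUMS = {0x2F, 0x75}
RETURN_ADDRS = (0x23805D10, 0x2380CEB5, 0x2380A47D)
MAX_STUB = 1024  # assumption: set above the largest legitimate request you observe
PT_REQUEST, PT_BIND, PFC_OBJECT_UUID = 0, 11, 0x80

def inspect_stream(pdus):
    """Return alerts for the ordered client-to-server DCERPC PDUs of one TCP connection."""
    alerts, contexts = [], set()
    for pdu in pdus:
        if len(pdu) < 24 or pdu[0] != 5:
            continue  # not a connection-oriented DCERPC v5 PDU
        ptype, flags = pdu[2], pdu[3]
        end = "<" if pdu[4] & 0x10 else ">"  # data representation: integer byte order
        if ptype == PT_BIND and len(pdu) >= 28:
            off = 28  # 16-byte header, 8 bytes of bind fields, 4-byte context list header
            for _ in range(pdu[24]):
                if off + 24 > len(pdu):
                    break
                ctx_id, n_syn = struct.unpack_from(end + "HB", pdu, off)
                raw = pdu[off + 4:off + 20]  # abstract syntax (interface) UUID
                iface = uuid.UUID(bytes_le=raw) if end == "<" else uuid.UUID(bytes=raw)
                if iface == MSG_ENGINE_UUID:
                    contexts.add(ctx_id)  # remember which context id maps to the interface
                off += 24 + 20 * n_syn
        elif ptype == PT_REQUEST:
            ctx_id, opnum = struct.unpack_from(end + "HH", pdu, 20)
            if ctx_id not in contexts or opnum not in WATCHED_OPNUMS:
                continue
            stub = pdu[24 + (16 if flags & PFC_OBJECT_UUID else 0):]
            if len(stub) > MAX_STUB:
                alerts.append(f"opnum 0x{opnum:02X}: oversized stub ({len(stub)} bytes)")
            alerts += [f"opnum 0x{opnum:02X}: known return address 0x{a:08x}"
                       for a in RETURN_ADDRS if struct.pack("<I", a) in stub]
    return alerts

def sample_pdus(stub):
    """Constructed sample: bind to the Message Engine interface, then an opnum 0x2F request."""
    hdr = lambda ptype, body, call: struct.pack(
        "<BBBB4sHHI", 5, 0, ptype, 3, b"\x10\0\0\0", 16 + len(body), 0, call) + body
    ndr = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860").bytes_le + struct.pack("<I", 2)
    ctx = struct.pack("<HBB", 0, 1, 0) + MSG_ENGINE_UUID.bytes_le + struct.pack("<HH", 1, 0)
    bind = hdr(PT_BIND, struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0) + ctx + ndr, 1)
    return [bind, hdr(PT_REQUEST, struct.pack("<IHH", len(stub), 0, 0x2F) + stub, 2)]
```

The Tape Engine opnum 0xCF is not covered because the page gives no interface UUID for that service. A production sensor would also need fragment reassembly before the length and byte-pattern checks.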
No detection rules found.
Exploit-DB
CA BrightStor ARCserve - Message Engine Buffer Overflow (Metasploit)
exploitdb·2010-04-30
---
##
# $Id: message_engine.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'CA BrightStor ARCserve Message Engine Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in Computer Associates BrightStor ARCserve Backup
11.1 - 11.5 SP2. By sending a specially crafted RPC request, an attacker could overflow
the buffer and execute arbitrary code.
},
'Author' => [ 'MC', 'patrick' ],
'License' => MSF_LICENSE,
'Version
Metasploit
CA BrightStor ARCserve Message Engine Buffer Overflow
metasploit
This module exploits a buffer overflow in Computer Associates BrightStor ARCserve Backup 11.1 - 11.5 SP2. By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code.
No writeups or analysis indexed.
References
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=467
- http://osvdb.org/31327
- http://secunia.com/advisories/23648
- http://securitytracker.com/id?1017506
- http://supportconnectw.ca.com/public/storage/infodocs/babimpsec-notice.asp
- http://www.kb.cert.org/vuls/id/151032
- http://www.kb.cert.org/vuls/id/180336
- http://www.securityfocus.com/archive/1/456618/100/0/threaded
- http://www.securityfocus.com/archive/1/456619/100/0/threaded
- http://www.securityfocus.com/archive/1/456711
- http://www.securityfocus.com/bid/22005
- http://www.securityfocus.com/bid/22006
- http://www.vupen.com/english/advisories/2007/0154
- http://www.zerodayinitiative.com/advisories/ZDI-07-003.html
- http://www.zerodayinitiative.com/advisories/ZDI-07-004.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/31433
- https://exchange.xforce.ibmcloud.com/vulnerabilities/31443
Published: 2007-01-11