cbcvebase.
CVE-2007-0169
published 2007-01-11


Priority P267 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 68.81% (99.3th percentile)
Multiple buffer overflows in Computer Associates (CA) BrightStor ARCserve Backup 9.01 through 11.5, Enterprise Backup 10.5, and CA Server/Business Protection Suite r2 allow remote attackers to execute arbitrary code via RPC requests with crafted data for opnums (1) 0x2F and (2) 0x75 in the (a) Message Engine RPC service, or opnum (3) 0xCF in the Tape Engine service.

Affected

4 ranges
Vendor | Product | Version range | Fixed in
broadcom | brightstor_arcserve_backup | <= 11.5 |
broadcom | brightstor_arcserve_backup | |
broadcom | brightstor_enterprise_backup | |
broadcom | business_protection_suite | |

Detection & IOCs (extracted from sources)

port: 6503
other: RPC UUID: dc246bf0-7a7a-11ce-9f88-00805fe43838 v1.0
other: RPC opnum 0x2F (47) - Message Engine RPC service
other: RPC opnum 0x2F and 0x75 - Message Engine RPC service; opnum 0xCF - Tape Engine service
  • Detect exploit attempts targeting the CA BrightStor ARCserve Message Engine RPC service on TCP port 6503 using RPC UUID dc246bf0-7a7a-11ce-9f88-00805fe43838 with calls to opnum 0x2F (47) or 0x75, or the Tape Engine service opnum 0xCF, with oversized/crafted data payloads.
  • Flag RPC bind requests to UUID dc246bf0-7a7a-11ce-9f88-00805fe43838 v1.0 over ncacn_ip_tcp (TCP port 6503) followed by large NDR string payloads in dcerpc_call opnum 47 (0x2F).
  • Payload bad characters for this exploit are: \x00\x0a\x0d\x5c\x5f\x2f\x2e — shellcode in exploit traffic will avoid these bytes; use this to tune byte-pattern detection.
  • Return addresses used in known exploit targets against cheyprod.dll: 0x23805d10 (r11.1), 0x2380ceb5 (r11.5), 0x2380a47d (r11.5 SP2) — presence of these values in RPC traffic is a strong exploit indicator.
  • The Metasploit module targets BrightStor ARCserve Backup versions 11.1 through 11.5 SP2 only; the CVE also covers versions 9.01–11.0, Enterprise Backup 10.5, and CA Server/Business Protection Suite r2, which may use different RPC endpoints or return addresses not covered by this module.
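
The bind-then-request check described in the first two bullets can be sketched as follows. This is an added example, not code from the page or from any vendor rule set. It assumes a reassembled client-to-server TCP stream captured on port 6503; the names `scan_stream` and `bind_contexts` and the 512-byte `STUB_THRESHOLD` are assumptions. The Tape Engine opnum 0xCF is left out because the page gives no interface UUID for that service.

```python
import struct
import uuid

# UUID and opnums are from the page; the size threshold is an assumption to tune.
MSG_ENGINE_UUID = uuid.UUID("dc246bf0-7a7a-11ce-9f88-00805fe43838")
WATCHED_OPNUMS = {0x2F, 0x75}
STUB_THRESHOLD = 512  # assumed cut-off for an "oversized" stub, in bytes
PTYPE_REQUEST, PTYPE_BIND, PFC_OBJECT_UUID = 0x00, 0x0B, 0x80

def bind_contexts(pdu, end):
    """Return presentation context ids that bind the Message Engine interface v1.0."""
    found, pos = set(), 28  # context list starts after the 12-byte bind body header
    for _ in range(pdu[24] if len(pdu) > 24 else 0):
        if pos + 24 > len(pdu):
            break
        ctx_id, n_syntaxes = struct.unpack_from(end + "HB", pdu, pos)
        raw = pdu[pos + 4:pos + 20]
        iface = uuid.UUID(bytes_le=raw) if end == "<" else uuid.UUID(bytes=raw)
        version = struct.unpack_from(end + "I", pdu, pos + 20)[0]  # minor<<16 | major
        if iface == MSG_ENGINE_UUID and version == 1:
            found.add(ctx_id)
        pos += 24 + 20 * n_syntaxes  # skip the transfer syntax entries
    return found

def scan_stream(data):
    """Walk the DCE/RPC v5 PDUs in one stream and flag large watched requests."""
    alerts, watched_ctx, off = [], set(), 0
    while off + 16 <= len(data):
        ver, _minor, ptype, flags = data[off:off + 4]
        end = "<" if data[off + 4] & 0xF0 == 0x10 else ">"  # byte order from drep
        frag_len, auth_len = struct.unpack_from(end + "HH", data, off + 8)
        if ver != 5 or frag_len < 16 or off + frag_len > len(data):
            break  # not DCE/RPC v5, or a truncated fragment
        pdu = data[off:off + frag_len]
        if ptype == PTYPE_BIND:
            watched_ctx |= bind_contexts(pdu, end)
        elif ptype == PTYPE_REQUEST and frag_len >= 24:
            ctx_id, opnum = struct.unpack_from(end + "HH", pdu, 20)
            hdr = 24 + (16 if flags & PFC_OBJECT_UUID else 0)
            trailer = auth_len + 8 if auth_len else 0  # auth padding is ignored
            stub_len = max(frag_len - hdr - trailer, 0)
            if (ctx_id in watched_ctx and opnum in WATCHED_OPNUMS
                    and stub_len > STUB_THRESHOLD):
                alerts.append({"opnum": opnum, "stub_len": stub_len})
        off += frag_len
    return alerts
```

The stub length is measured per fragment, so a request split across many small fragments needs the lengths summed per call id before comparing against the threshold.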