cbcvebase.
CVE-2007-0449
published 2007-01-23

CVE-2007-0449: Multiple buffer overflows in LGSERVER.EXE in CA BrightStor ARCserve Backup for Laptops and Desktops r11.0 through r11.1 SP1, Mobile Backup r4.0, Desktop and…

Priority P268 · critical · 10 · CVSS 2.0
AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 79.24% (99.6th percentile)
Multiple buffer overflows in LGSERVER.EXE in CA BrightStor ARCserve Backup for Laptops and Desktops r11.0 through r11.1 SP1, Mobile Backup r4.0, Desktop and Business Protection Suite r2, and Desktop Management Suite (DMS) r11.0 and r11.1 allow remote attackers to execute arbitrary code via crafted packets to TCP port (1) 1900 or (2) 2200.

Affected

7 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| broadcom | brightstor_arcserve_backup_laptops_desktops | | |
| broadcom | brightstor_arcserve_backup_laptops_desktops | | |
| broadcom | brightstor_mobile_backup | | |
| broadcom | business_protection_suite | | |
| broadcom | desktop_management_suite | | |
| broadcom | desktop_management_suite | | |
| broadcom | desktop_protection_suite | | |

Detection & IOCs (extracted from sources)

port: 1900/TCP
port: 2200/TCP
filename: LGSERVER.EXE
command: payload = str('0000033000') + "\x90" * 2322
command: filler = "0000016705" + rand_text_english(2322)
  • Detect exploit attempts against LGSERVER.EXE by monitoring for large crafted TCP connections to port 1900 or 2200 containing an initial 10-byte numeric prefix (e.g. '0000033000' or '0000016705') followed by a long NOP sled (~2322 bytes).
  • Alert on TCP connections to port 1900 or 2200 targeting LGSERVER.EXE where the payload length significantly exceeds normal protocol bounds, indicative of a stack buffer overflow attempt.
  • Monitor for outbound connections to TCP port 4444 from the LGSERVER.EXE process, which is the port bound by the exploit's portbind shellcode.
  • The Metasploit module uses bad character filtering of '\x00\x0a\x0d\x5c\x5f\x2f\x2e' in the payload; network signatures should look for large payloads to port 1900 that avoid these bytes.
  • The SEH-based exploit appends '\x58' * 0x4141 after the SEH overwrite; look for this pattern in TCP streams to port 1900.
  • The return address 0x75022ac4 is specific to Windows 2000 Pro English All; exploitability and ROP/SEH gadget addresses will differ on other OS versions.
  • The Metasploit module targets CA BrightStor ARCserve Backup for Laptops & Desktops 11.1 specifically; other versions in the affected range (r11.0–r11.1 SP1, Mobile Backup r4.0, DMS r11.0/r11.1) may require different offsets.
  • The exploit payload space is limited to 600 bytes and requires a stack adjustment of -3500; payloads exceeding this space or lacking the adjustment will fail.
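
The network-side heuristics listed above, combined into one stream check. This is an added example, not code from this page's sources or from any vendor tool. The function names, the 1024-byte size threshold and the 64-byte run length are assumptions to tune against baseline traffic, and the inputs to feed it are reassembled client-to-server bytes from your own capture pipeline.

```python
import re

LGSERVER_PORTS = {1900, 2200}            # TCP ports named in the advisory
PREFIX = re.compile(rb"\d{10}")          # 10 ASCII digits at stream start
BADCHARS = set(b"\x00\x0a\x0d\x5c\x5f\x2f\x2e")  # bytes the public module avoids
MAX_NORMAL_LEN = 1024   # assumption: largest first client message seen in baseline
MIN_RUN = 64            # assumption: shortest repeated-byte run worth flagging


def longest_run(data: bytes) -> tuple[int, int]:
    """Return (byte value, length) of the longest run of one repeated byte."""
    best_byte, best_len, run, prev = -1, 0, 0, None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        if run > best_len:
            best_byte, best_len = b, run
    return best_byte, best_len


def inspect(dst_port: int, data: bytes) -> list[str]:
    """Return the heuristics that fire for the client bytes of one TCP stream."""
    if dst_port not in LGSERVER_PORTS:
        return []
    hits = []
    if len(data) > MAX_NORMAL_LEN:
        hits.append("oversized")
        if PREFIX.match(data):
            hits.append("numeric-prefix")
            # Weak signal on its own: the body after the prefix contains
            # none of the filtered bytes, as an encoded payload would not.
            if not BADCHARS & set(data[10:]):
                hits.append("no-badchars")
    byte, run = longest_run(data)
    if run >= MIN_RUN:
        # Covers both the 0x90 sled and the 0x58 filler described above.
        hits.append(f"byte-run:0x{byte:02x}x{run}")
    return hits
```

Treat "oversized" together with "numeric-prefix" as the alerting condition and the other two hits as supporting context, since a single heuristic alone will match benign traffic.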