CVE-2007-1070
Published 2007-02-21
Priority: P2 · 76 · CVSS 2.0: 10 critical
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Tags: ITW · EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 73.77% (99.4th percentile)
Multiple stack-based buffer overflows in Trend Micro ServerProtect for Windows and EMC 5.58, and for Network Appliance Filer 5.61 and 5.62, allow remote attackers to execute arbitrary code via crafted RPC requests to TmRpcSrv.dll that trigger overflows when calling the (1) CMON_NetTestConnection, (2) CMON_ActiveUpdate, and (3) CMON_ActiveRollback functions in (a) StCommon.dll, and (4) ENG_SetRealTimeScanConfigInfo and (5) ENG_SendEMail functions in (b) eng50.dll.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trend_micro | serverprotect | — | — |
| trend_micro | serverprotect | — | — |
| trend_micro | serverprotect | — | — |
Detection & IOCs (extracted from sources)
IOC bytes:
\x05\x00\x0B\x03\x10\x00\x00\x00\x48\x00\x00\x00\x01\x00\x00\x00\xD0\x16\xD0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00\x88\x88\x28\x25\x5B\xBD\xD1\x11\x9D\x53\x00\x80\xC8\x3A\x5C\x2C\x01\x00\x00\x00\x04\x5D\x88\x8A\xEB\x1C\xC9\x11\x9F\xE8\x08\x00\x2B\x10\x48\x60\x02\x00\x00\x00
IOC bytes:
\x05\x00\x00\x83\x10\x00\x00\x00\x08\x08\x00\x00\x01\x00\x00\x00\xE0\x07\x00\x00\x00\x00\x00\x00\x88\x88\x28\x25\x5B\xBD\xD1\x11\x9D\x53\x00\x80\xC8\x3A\x5C\x2C\x04\x00\x03\x00\xD0\x07\x00\x00
- Detect exploit attempts by monitoring for DCE/RPC bind requests to UUID 25288888-bd5b-11d1-9d53-0080c83a5c2c v1.0 over ncacn_ip_tcp on port 5168, targeting SpntSvc.exe / TmRpcSrv.dll.
- Alert on oversized RPC opnum 0 (CMON_NetTestConnection) requests to port 5168 that exceed normal parameter lengths (payload space of roughly 800-1600 bytes of filler).
- Look for bind-shell activity on TCP port 4444 originating from SpntSvc.exe as a post-exploitation indicator.
- The exploit targets functions in TmRpcSrv.dll, StCommon.dll, and eng50.dll; monitor for unexpected crashes or code execution originating from these modules within SpntSvc.exe.
- The Metasploit module prepends a stack-pivot stub (\x81\xc4\xff\xef\xff\xff\x44) before the encoded payload; this byte sequence in RPC traffic to port 5168 is a strong exploit indicator.
- The Metasploit return address (0x6563124c) is specific to StCommon.dll as shipped with ServerProtect 5.58 Build 1060; the PoC exploit uses a different address (0x6574131C in TmRpcSrv.dll), so detections keyed on exact return-address values will miss variants.
- The PoC shellcode uses a bind shell on LPORT=4444 (PexFnstenvMov encoded), but real-world attackers will substitute different payloads and ports, so port 4444 alone is not a reliable indicator.
- The payload bad-character restriction excludes null bytes (\x00); any IDS signature must account for encoded payloads that avoid this character.
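As an added example (not from the advisory or any of the indexed exploits), the following Python parses the two IOC byte strings above as DCE/RPC connection-oriented PDUs and applies the first two detection points: a bind whose abstract syntax is the ServerProtect interface UUID, and an opnum 0 request whose declared fragment length is oversized. The 800-byte threshold and the finding strings are assumptions; the request IOC is only the leading 48 bytes of a 2056-byte fragment, so the check reads the header's fragment length rather than the captured size.

```python
import struct
import uuid

# Added example: header-level DCE/RPC checks for the page's two IOC byte strings.
# Interface UUID of the ServerProtect TmRpcSrv.dll endpoint named on the page.
SERVERPROTECT_IFACE = uuid.UUID("25288888-bd5b-11d1-9d53-0080c83a5c2c")
PTYPE_REQUEST, PTYPE_BIND = 0x00, 0x0B
PFC_OBJECT_UUID = 0x80      # header flag: an object UUID follows the opnum
OVERSIZED_REQUEST = 800     # assumed threshold (page: ~800-1600 bytes of filler)

# The two IOC byte strings quoted on the page (request sample is a truncated prefix).
BIND_PDU = bytes.fromhex(
    "05000b03100000004800000001000000d016d016000000000100000000000100"
    "888828255bbdd1119d530080c83a5c2c01000000045d888aeb1cc9119fe80800"
    "2b10486002000000")
REQUEST_PDU = bytes.fromhex(
    "05000083100000000808000001000000e007000000000000"
    "888828255bbdd1119d530080c83a5c2c04000300d0070000")

def parse_pdu(pdu):
    """Parse the 16-byte C/O common header plus the bind or request fields we need."""
    if len(pdu) < 16:
        raise ValueError("short PDU")
    ver, _minor, ptype, flags, drep0 = struct.unpack_from("<BBBBB", pdu, 0)
    if ver != 5 or not drep0 & 0x10:
        raise ValueError("not a little-endian DCE/RPC v5 PDU")
    frag_len, _auth_len, call_id = struct.unpack_from("<HHI", pdu, 8)
    info = {"ptype": ptype, "flags": flags, "frag_len": frag_len, "call_id": call_id}
    if ptype == PTYPE_BIND:
        # body: max_xmit, max_recv, assoc_group, then n_context_elem at offset 24
        n_ctx, off, ifaces = pdu[24], 28, []
        for _ in range(n_ctx):
            n_tsyn = pdu[off + 2]                     # transfer syntaxes in this ctx
            ifaces.append(uuid.UUID(bytes_le=pdu[off + 4:off + 20]))
            off += 4 + 20 + 20 * n_tsyn               # ctx hdr + abstract + transfer
        info["interfaces"] = ifaces
    elif ptype == PTYPE_REQUEST:
        info["alloc_hint"], info["ctx_id"], info["opnum"] = struct.unpack_from("<IHH", pdu, 16)
        if flags & PFC_OBJECT_UUID:
            info["object"] = uuid.UUID(bytes_le=pdu[24:40])
    return info

def assess(pdu):
    """Apply the page's two header-level heuristics; returns a list of finding strings."""
    info = parse_pdu(pdu)
    findings = []
    if info["ptype"] == PTYPE_BIND and SERVERPROTECT_IFACE in info["interfaces"]:
        findings.append("bind to ServerProtect interface %s" % SERVERPROTECT_IFACE)
    # Use the declared fragment length: a capture may hold only the leading bytes.
    if info["ptype"] == PTYPE_REQUEST and info["opnum"] == 0 and info["frag_len"] >= OVERSIZED_REQUEST:
        findings.append("oversized opnum 0 (CMON_NetTestConnection) request: %d-byte fragment" % info["frag_len"])
    return findings

if __name__ == "__main__":
    for name, pdu in (("bind", BIND_PDU), ("request", REQUEST_PDU)):
        print(name, assess(pdu))
```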
CVSS provenance
nvd · v2.0 · 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck · 10.0 CRITICAL
GHSA
CVE-2007-1070 [HIGH] GHSA-5wqp-h7vg-p7gg: Multiple stack-based buffer overflows in Trend Micro ServerProtect for Windows and EMC 5 (ghsa_unreviewed · 2022-05-01); description identical to the CVE text above.
VulnCheck
CVE-2007-1070 [CRITICAL] Microsoft Windows Out-of-bounds Write (vulncheck · 2007 · CVSS 10.0); description identical to the CVE text above.
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://isc.sans.edu/diary/Trend+Micro+ServerProtect+Update/3310/
No detection rules found.
Exploit-DB
CVE-2007-1070 Trend Micro ServerProtect 5.58 - Remote Buffer Overflow (Metasploit) (exploitdb · 2010-04-30)
---
##
# $Id: trendmicro_serverprotect.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'Trend Micro ServerProtect 5.58 Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in Trend Micro ServerProtect 5.58 Build 1060.
By sending a specially crafted RPC request, an attacker could overflow the
buffer and execute arbitrary code.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9179 $',
'Re
Exploit-DB
CVE-2007-1070 [CRITICAL] Trend Micro ServerProtect - 'eng50.dll' Remote Stack Overflow (exploitdb · 2007-09-06 · CVSS 10.0)
---
/*
* Copyright (c) 2007 devcode
*
*
* ^^ D E V C O D E ^^
*
* Trend Micro ServerProtect eng50.dll Stack Overflow
* [CVE-2007-1070]
*
*
* Description:
* A boundary error within a function in eng50.dll can be
* exploited to cause a stack-based buffer overflow via a
* specially crafted RPC request to the SpntSvc.exe service.
*
* Hotfix/Patch:
* http://www.trendmicro.com/download/product.asp?productid=17
*
* Vulnerable systems:
* ServerProtect for Windows 5.58
* ServerProtect for EMC 5.58
* ServerProtect for Network Appliance Filer 5.61
* ServerProtect for Network Appliance Filer 5.62
*
* Tested on:
* Microsoft Windows 2000 SP4
*
* This is a PoC and was created for educational purposes only. The
* author is not held responsibl
Exploit-DB
CVE-2007-3166 Eudora 7.1.0.9 - IMAP FLAGS Remote Overwrite (SEH) (exploitdb · 2007-05-30)
---
#!/usr/bin/python
# Eudora 7.1 (IMAP FLAGS) 0day Remote SEH Overwrite PoC Exploit
# Bug discovered by Krystian Kloskowski (h07)
# Tested on Eudora 7.1.0.9 / 2k SP4 Polish
# Shellcode type: Windows Execute Command (calc.exe)
# Details:..
# Eudora --> SELECT IMBOX ---------> IMAP server
# Eudora <-- FLAGS (\..AAAA...) <---- IMAP server
# FLAGS (\Answered \Flagged \Draft \Deleted \Seen hasatt + "A" * 1070
# 0x41414141 Pointer to next SEH record
# 0x41414141 SE handler
##
from thread import start_new_thread
from struct import pack
from string import find
from time import sleep
from socket import *
session_elements = (
'* OK IMAP4 ready\r\n',
'* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDP'
'LUS ID NO_
Metasploit
Trend Micro ServerProtect 5.58 Buffer Overflow (metasploit)
This module exploits a buffer overflow in Trend Micro ServerProtect 5.58 Build 1060. By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code.
No writeups or analysis indexed.
References:
- http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290
- http://osvdb.org/33042
- http://secunia.com/advisories/24243
- http://www.kb.cert.org/vuls/id/349393
- http://www.kb.cert.org/vuls/id/466609
- http://www.kb.cert.org/vuls/id/630025
- http://www.kb.cert.org/vuls/id/730433
- http://www.securityfocus.com/archive/1/460686/100/0/threaded
- http://www.securityfocus.com/archive/1/460690/100/0/threaded
- http://www.securityfocus.com/bid/22639
- http://www.securitytracker.com/id?1017676
- http://www.tippingpoint.com/security/advisories/TSRT-07-01.html
- http://www.tippingpoint.com/security/advisories/TSRT-07-02.html
- http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch1_readme.txt
- http://www.vupen.com/english/advisories/2007/0670
- https://exchange.xforce.ibmcloud.com/vulnerabilities/32594
- https://exchange.xforce.ibmcloud.com/vulnerabilities/32601