CVE-2007-1070
published 2007-02-21


Priority: P2 76 critical
CVSS 2.0: 10.0, vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploited in the wild (VulnCheck KEV)
EPSS: 73.77% (99.4th percentile)
Multiple stack-based buffer overflows in Trend Micro ServerProtect for Windows and EMC 5.58, and for Network Appliance Filer 5.61 and 5.62, allow remote attackers to execute arbitrary code via crafted RPC requests to TmRpcSrv.dll that trigger overflows when calling the (1) CMON_NetTestConnection, (2) CMON_ActiveUpdate, and (3) CMON_ActiveRollback functions in (a) StCommon.dll, and (4) ENG_SetRealTimeScanConfigInfo and (5) ENG_SendEMail functions in (b) eng50.dll.

Affected (3 ranges)

Vendor: trend_micro | Product: serverprotect | Version range: | Fixed in:
Vendor: trend_micro | Product: serverprotect | Version range: | Fixed in:
Vendor: trend_micro | Product: serverprotect | Version range: | Fixed in:

Detection & IOCs (extracted from sources)

port: 5168
port: 4444
other: DCE/RPC UUID 25288888-bd5b-11d1-9d53-0080c83a5c2c v1.0
other: RET 0x6563124c (CALL EBX - StCommon.dll)
other: RET 0x6574131C (call ebx - TmRpcSrv.dll)
command: CMON_NetTestConnection opnum=0 NDR long 0x000a0017
bytes: \x05\x00\x0B\x03\x10\x00\x00\x00\x48\x00\x00\x00\x01\x00\x00\x00\xD0\x16\xD0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00\x88\x88\x28\x25\x5B\xBD\xD1\x11\x9D\x53\x00\x80\xC8\x3A\x5C\x2C\x01\x00\x00\x00\x04\x5D\x88\x8A\xEB\x1C\xC9\x11\x9F\xE8\x08\x00\x2B\x10\x48\x60\x02\x00\x00\x00
bytes: \x05\x00\x00\x83\x10\x00\x00\x00\x08\x08\x00\x00\x01\x00\x00\x00\xE0\x07\x00\x00\x00\x00\x00\x00\x88\x88\x28\x25\x5B\xBD\xD1\x11\x9D\x53\x00\x80\xC8\x3A\x5C\x2C\x04\x00\x03\x00\xD0\x07\x00\x00
  • Detect exploit attempts by monitoring for DCE/RPC bind requests to UUID 25288888-bd5b-11d1-9d53-0080c83a5c2c v1.0 over ncacn_ip_tcp on port 5168 targeting SpntSvc.exe / TmRpcSrv.dll.
  • Alert on oversized RPC opnum 0 (CMON_NetTestConnection) requests to port 5168 exceeding normal parameter lengths (payload space ~800-1600 bytes of filler).
  • Look for bind-shell activity on TCP port 4444 originating from SpntSvc.exe as a post-exploitation indicator.
  • The exploit targets functions in TmRpcSrv.dll, StCommon.dll, and eng50.dll; monitor for unexpected crashes or code execution originating from these modules within SpntSvc.exe.
  • The Metasploit module prepends a stack-pivot stub (\x81\xc4\xff\xef\xff\xff\x44) before the payload encoder; this byte sequence in RPC traffic to port 5168 is a strong exploit indicator.
  • The Metasploit return address (0x6563124c) is specific to StCommon.dll as shipped with ServerProtect 5.58 Build 1060; the PoC exploit uses a different address (0x6574131C in TmRpcSrv.dll), so detections based on exact RET values will miss variants.
  • The PoC shellcode uses a bind shell on LPORT=4444 (PexFnstenvMov encoded), but real-world attackers will substitute different payloads and ports, so port 4444 on its own is not a reliable indicator.
  • The payload's bad-character restriction excludes null bytes (\x00); any IDS signature must account for encoded payloads that avoid this character.
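The two "bytes" entries above are the start of a DCE/RPC bind and the start of an opnum-0 request. The following script is an added example, not code from the page or from any of its sources: it decodes the DCE/RPC v5 connection-oriented PDU header, pulls the abstract-syntax UUID out of the bind and the opnum plus fragment length out of the request, and applies the first two detection notes (bind to the ServerProtect interface on port 5168; oversized opnum-0 request on port 5168). The 512-byte threshold, the function names and the dictionary layout are my own assumptions; the UUID, port and packet bytes come from the page.

```python
"""DCE/RPC header checks for the CVE-2007-1070 detection notes (added example).

Decodes the DCE/RPC v5 connection-oriented PDU header, extracts the
abstract-syntax UUID from bind PDUs and the opnum / fragment length from
request PDUs, and applies two of the checks listed in the detection notes:
  1. bind to interface 25288888-bd5b-11d1-9d53-0080c83a5c2c v1.0 on port 5168
  2. opnum-0 request on port 5168 with an oversized fragment length
"""
import struct
import uuid

# Interface UUID and service port quoted in the detection notes.
SERVERPROTECT_IFACE = uuid.UUID("25288888-bd5b-11d1-9d53-0080c83a5c2c")
SERVERPROTECT_PORT = 5168

PTYPE_REQUEST = 0x00
PTYPE_BIND = 0x0B
PFC_OBJECT_UUID = 0x80   # request PDU carries a 16-byte object UUID after opnum

# Constructed threshold (assumption, not from the page): a normal
# CMON_NetTestConnection call carries a short parameter block, while the
# notes describe roughly 800-1600 bytes of filler in exploit attempts.
OPNUM0_FRAG_LEN_THRESHOLD = 512

# Packet prefixes exactly as quoted on the page: a 72-byte bind PDU and the
# first 48 bytes of a request PDU (its frag_len field says 2056 bytes, so the
# capture on the page is truncated just after the stub data begins).
PAGE_BIND = (b"\x05\x00\x0B\x03\x10\x00\x00\x00\x48\x00\x00\x00\x01\x00\x00\x00"
             b"\xD0\x16\xD0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
             b"\x88\x88\x28\x25\x5B\xBD\xD1\x11\x9D\x53\x00\x80\xC8\x3A\x5C\x2C"
             b"\x01\x00\x00\x00"
             b"\x04\x5D\x88\x8A\xEB\x1C\xC9\x11\x9F\xE8\x08\x00\x2B\x10\x48\x60"
             b"\x02\x00\x00\x00")
PAGE_REQUEST = (b"\x05\x00\x00\x83\x10\x00\x00\x00\x08\x08\x00\x00\x01\x00\x00\x00"
                b"\xE0\x07\x00\x00\x00\x00\x00\x00"
                b"\x88\x88\x28\x25\x5B\xBD\xD1\x11\x9D\x53\x00\x80\xC8\x3A\x5C\x2C"
                b"\x04\x00\x03\x00\xD0\x07\x00\x00")


def parse_pdu(data: bytes) -> dict:
    """Decode the common 16-byte header plus the bind/request fields the checks need."""
    if len(data) < 16:
        raise ValueError("shorter than the DCE/RPC common header")
    ver, _minor, ptype, flags, drep, frag_len, auth_len, call_id = \
        struct.unpack_from("<BBBB4sHHI", data, 0)
    if ver != 5:
        raise ValueError(f"unsupported RPC version {ver}")
    if (drep[0] >> 4) != 1:
        raise ValueError("only little-endian data representation is handled")
    pdu = {"ptype": ptype, "flags": flags, "frag_len": frag_len,
           "auth_len": auth_len, "call_id": call_id}
    if ptype == PTYPE_BIND:
        # bind body: max_xmit, max_recv, assoc_group, n_context_elem + 3 pad bytes
        n_ctx = struct.unpack_from("<HHIB3x", data, 16)[3]
        off, interfaces = 28, []
        for _ in range(n_ctx):
            _ctx_id, n_trans = struct.unpack_from("<HBx", data, off)
            iface = uuid.UUID(bytes_le=data[off + 4:off + 20])
            major, minor_v = struct.unpack_from("<HH", data, off + 20)
            interfaces.append((iface, major, minor_v))
            off += 24 + 20 * n_trans        # skip this context's transfer syntaxes
        pdu["interfaces"] = interfaces
    elif ptype == PTYPE_REQUEST:
        _alloc_hint, _ctx_id, opnum = struct.unpack_from("<IHH", data, 16)
        pdu["opnum"] = opnum
        off = 24
        if flags & PFC_OBJECT_UUID:
            pdu["object"] = uuid.UUID(bytes_le=data[off:off + 16])
            off += 16
        pdu["stub_offset"] = off
    return pdu


def check_pdu(pdu: dict, dst_port: int) -> list:
    """Return the detection-note findings that apply to one decoded PDU."""
    findings = []
    if dst_port != SERVERPROTECT_PORT:
        return findings
    if pdu["ptype"] == PTYPE_BIND:
        for iface, major, minor_v in pdu["interfaces"]:
            if iface == SERVERPROTECT_IFACE and major == 1:
                findings.append(f"bind to ServerProtect interface v{major}.{minor_v}")
    elif pdu["ptype"] == PTYPE_REQUEST:
        if pdu["opnum"] == 0 and pdu["frag_len"] > OPNUM0_FRAG_LEN_THRESHOLD:
            findings.append(f"oversized opnum 0 request (frag_len={pdu['frag_len']})")
    return findings


if __name__ == "__main__":
    for name, raw in (("bind", PAGE_BIND), ("request", PAGE_REQUEST)):
        print(name, check_pdu(parse_pdu(raw), SERVERPROTECT_PORT))
```

The request check reads the fragment length from the header rather than measuring the captured bytes, so it fires on the first fragment even when the rest of the stub has not arrived yet; in a real sensor this logic sits behind TCP stream reassembly so that each PDU is handed over whole. Because the UUID match keys on the abstract syntax rather than on a return address or shellcode bytes, it covers the variant-address caveat in the notes above.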

CVSS provenance

NVD: CVSS v2.0 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
VulnCheck: 10.0 CRITICAL