CVE-2007-1785
Published 2007-03-31
Priority: P3 48 · high · CVSS 2.0: 7.1
CVSS 2.0 vector: AV:N/AC:H/Au:S/C:C/I:C/A:C
EXPLOIT
EPSS: 15.35% (96.4th percentile)
The RPC service in mediasvr.exe in CA BrightStor ARCserve Backup 11.5 SP2 build 4237 allows remote attackers to execute arbitrary code via crafted xdr_handle_t data in RPC packets, which is used in calculating an address for a function call, as demonstrated using the 191 (0xbf) RPC request.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| broadcom | brightstor_arcserve_backup | — | — |
| broadcom | brightstor_arcserve_backup | — | — |
| broadcom | brightstor_arcserve_backup | — | — |
| broadcom | business_protection_suite | — | — |
| broadcom | server_protection_suite | — | — |
| ca | brightstor_arcserve_backup | — | — |
| ca | business_protection_suite | — | — |
Detection & IOCs (extracted from sources)
bytes
\x00\x00\x00\xbf\x00\x00\x00\x00\x00\x00\x00\x00
bytes
\x80\x00\x80\x34\x65\xcf\x4c\x7b\x00\x00\x00\x00\x00\x00\x00\x02\x00\x06\x09\x7e\x00\x00\x00\x01
bytes
\x80\x00\x00\x38\x21\x84\xf7\xc9\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86\xa0\x00\x00\x00\x02\x00\x00\x00\x03
- Alert on outbound connections from mediasvr.exe or unexpected child processes (e.g., cmd.exe) spawned by mediasvr.exe, which may indicate successful exploitation and shellcode execution.
- Detect inbound TCP connections to port 4444 on hosts running CA BrightStor ARCserve Backup, as the exploit payload binds a shell on that port.
GHSA
GHSA-4jcc-qmqj-6p2x (CVE-2007-2139) [CRITICAL]
ghsa_unreviewed · 2022-05-01 · CVSS 10.0
Multiple stack-based buffer overflows in the SUN RPC service in CA (formerly Computer Associates) BrightStor ARCserve Media Server, as used in BrightStor ARCserve Backup 9.01 through 11.5 SP2, BrightStor Enterprise Backup 10.5, Server Protection Suite 2, and Business Protection Suite 2, allow remote attackers to execute arbitrary code via malformed RPC strings, a different vulnerability than CVE-2006-5171, CVE-2006-5172, and CVE-2007-1785.
GHSA
GHSA-rhr3-8qxq-x4qm (CVE-2007-1785) [HIGH]
ghsa_unreviewed · 2022-05-01
The RPC service in mediasvr.exe in CA BrightStor ARCserve Backup 11.5 SP2 build 4237 allows remote attackers to execute arbitrary code via crafted xdr_handle_t data in RPC packets, which is used in calculating an address for a function call, as demonstrated using the 191 (0xbf) RPC request.
References
- http://archives.neohapsis.com/archives/fulldisclosure/2007-03/0467.html
- http://secunia.com/advisories/24682
- http://securityreason.com/securityalert/2509
- http://supportconnectw.ca.com/public/storage/infodocs/babmedser-secnotice.asp
- http://www.kb.cert.org/vuls/id/151305
- http://www.securityfocus.com/archive/1/464270/100/0/threaded
- http://www.securityfocus.com/archive/1/464343/100/0/threaded
- http://www.securityfocus.com/bid/23209
- http://www.securitytracker.com/id?1017830
- http://www.shirkdog.us/camediasvrremote.py
- http://www.shirkdog.us/shk-004.html
- http://www.vupen.com/english/advisories/2007/1161
- https://exchange.xforce.ibmcloud.com/vulnerabilities/33316
Published: 2007-03-31