CVE-2007-2139
published 2007-04-25

Priority: P267
Severity: critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 78.00% (99.5th percentile)
Multiple stack-based buffer overflows in the SUN RPC service in CA (formerly Computer Associates) BrightStor ARCserve Media Server, as used in BrightStor ARCserve Backup 9.01 through 11.5 SP2, BrightStor Enterprise Backup 10.5, Server Protection Suite 2, and Business Protection Suite 2, allow remote attackers to execute arbitrary code via malformed RPC strings, a different vulnerability than CVE-2006-5171, CVE-2006-5172, and CVE-2007-1785.

Affected

7 ranges
Vendor    Product                     Version range  Fixed in
broadcom  brightstor_arcserve_backup
broadcom  brightstor_arcserve_backup
broadcom  brightstor_arcserve_backup
broadcom  business_protection_suite
broadcom  server_protection_suite
ca        brightstor_arcserve_backup
ca        business_protection_suite

Detection & IOCs (extracted from sources)

port: tcp/0x6097e (395646)
command: sunrpc_call(0xf5, request)
command: XDR.encode(1, 1, 2, 2, 2, data, 3, 3)
command: data = "_" + data + "_1_1_1_1_1_1_1_1_1"
other: RET address 0x1002b715 (mediasrv RPC service module)
other: RET address 0x1002b715 (mediasrv RPC service module, Windows 2003 offset 0x300)
bytes: eb 06 (short jmp +6) at offset Off+0x73c
bytes: e9 b7 f8 ff ff (long jmp -0x749) at offset Off+0x744
  • Detect exploit attempts by monitoring for oversized/malformed SUNRPC requests to RPC program number 0x6097e (395646) over TCP targeting the CA BrightStor MediaSrv service.
  • Exploit payload is framed with a leading underscore and trailing '_1_1_1_1_1_1_1_1_1' — look for this distinctive pattern in RPC request payloads.
  • The exploit calls RPC procedure number 0xf5 (245) on the MediaSrv service; alert on calls to this procedure number from untrusted sources.
  • Payload bad characters include null bytes and common HTTP/shell metacharacters; the exploit uses alphanumeric padding of 0xA64 or 0x600 bytes — large RPC strings of this size to MediaSrv are anomalous.
  • NX-bypass variant prepends shellcode with a PEB walk and NtSetInformationProcess syscall stub (EAX=0xed); detect this byte sequence in network payloads: 64 8b 0d 30 00 00 00 83 b9 a4 00 00 00 05.
  • Monitor the MediaSrv (mediasrv.exe) process for unexpected child processes or shellcode execution, particularly on Windows 2000/2003 systems running CA BrightStor ARCserve 9.01–11.5 SP2.
  • The Metasploit exploit targets specific return addresses (0x1002b715) valid only for BrightStor ARCserve 9.0–11.5 SP2 on Windows 2000 (offset 0x304) and Windows 2003 (offset 0x300); the NX-support target uses a placeholder ret (0x41414141) indicating ROP chain dependency on specific DLL versions.
  • The NX-bypass ROP chain uses hardcoded addresses from a specific version of a MediaSrv DLL (base 0x6d500000); these gadget addresses will differ across patch levels and DLL versions.