CVE-2007-2508
Published 2007-05-08
CVE-2007-2508: Multiple stack-based buffer overflows in Trend Micro ServerProtect 5.58 before Security Patch 2 Build 1174 allow remote attackers to execute arbitrary code via…
Priority: P269, critical, 10 (CVSS 2.0)
CVSS vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 77.19% (99.5th percentile)
Multiple stack-based buffer overflows in Trend Micro ServerProtect 5.58 before Security Patch 2 Build 1174 allow remote attackers to execute arbitrary code via crafted data to (1) TCP port 5168, which triggers an overflow in the CAgRpcClient::CreateBinding function in the AgRpcCln.dll library in SpntSvc.exe; or (2) TCP port 3628, which triggers an overflow in EarthAgent.exe. NOTE: both issues are reachable via TmRpcSrv.dll.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trend_micro | serverprotect | <= 5.58 | — |
| trend_micro | serverprotect | — | — |
Detection & IOCs (extracted from sources)
- Detect exploit attempts by monitoring for DCERPC bind requests to UUID 25288888-bd5b-11d1-9d53-0080c83a5c2c over ncacn_ip_tcp on TCP ports 5168 and 3628.
- Flag inbound TCP connections to port 3628 (EarthAgent.exe) or port 5168 (SpntSvc.exe) from untrusted external hosts; both are reachable via TmRpcSrv.dll and should not be exposed externally.
- Detect the stack-pivot prepend encoder byte sequence \x81\xc4\xff\xef\xff\xff\x44 in TCP payloads on ports 3628 and 5168 as a shellcode delivery indicator.
- For the EarthAgent exploit (port 3628), look for DCERPC call opnum 0 with NDR opcode 0x001f0014 and oversized data buffers (~680+ bytes of filler followed by a return address).
- For the CreateBinding exploit (port 5168), look for DCERPC call opnum 0 with NDR opcode 0x001f0002 and oversized data buffers (~360+ bytes of filler followed by a return address).
- Alert on the return address value 0x605e3c2f appearing in network payloads targeting TCP/3628 (agentclient.dll ROP gadget used by EarthAgent exploit).
- Alert on the return address value 0x65675aa8 appearing in network payloads targeting TCP/5168 (StRpcSrv.dll ROP gadget used by CreateBinding exploit).
- The ROP gadget addresses (0x605e3c2f in agentclient.dll and 0x65675aa8 in StRpcSrv.dll) are specific to Trend Micro ServerProtect 5.58 Build 1060 and will not match other builds or patched versions; detection rules relying on these exact values will miss variants using different return addresses.
- The exploit uses rand_text_english/rand_text_alpha for filler, meaning the buffer content is randomized per attempt; signature-based detection must focus on structural elements (DCERPC UUID, opcode, prepend encoder bytes) rather than filler content.
- The vulnerability is fixed in ServerProtect 5.58 Security Patch 2 Build 1174; detections targeting vulnerable process behavior are only relevant on unpatched Build 1060 systems.
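The structural bind check from the notes above, as an added example (not code from the page's sources or from any vendor tooling): it parses a DCE/RPC bind PDU and reports whether the ServerProtect interface UUID is offered on TCP 3628 or 5168. The function names and the sample PDU (including its interface version field) are constructed for illustration, and the code assumes the bind arrives in one reassembled TCP payload.

```python
import struct
import uuid

# Values taken from the detection notes above.
SERVERPROTECT_UUID = uuid.UUID("25288888-bd5b-11d1-9d53-0080c83a5c2c")
SERVERPROTECT_PORTS = {3628, 5168}
PTYPE_BIND = 11  # DCE/RPC connection-oriented "bind" PDU type


def bind_interfaces(payload: bytes) -> list:
    """Return the interface (abstract syntax) UUIDs offered in a bind PDU, else []."""
    if len(payload) < 28 or payload[0] != 5 or payload[2] != PTYPE_BIND:
        return []
    little = bool(payload[4] & 0x10)           # data representation: integer byte order
    end = "<" if little else ">"
    frag_len = struct.unpack_from(end + "H", payload, 8)[0]
    limit = min(frag_len, len(payload))        # never read past the fragment
    count, off, found = payload[24], 28, []    # context list follows the 24-byte prefix
    for _ in range(count):
        if off + 24 > limit:                   # truncated context element
            break
        n_transfer = payload[off + 2]
        raw = payload[off + 4:off + 20]
        found.append(uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw))
        off += 24 + 20 * n_transfer            # skip version and transfer syntaxes
    return found


def is_serverprotect_bind(dst_port: int, payload: bytes) -> bool:
    """True when a bind to the ServerProtect interface arrives on TCP 3628 or 5168."""
    return dst_port in SERVERPROTECT_PORTS and SERVERPROTECT_UUID in bind_interfaces(payload)


def sample_bind(iface: uuid.UUID) -> bytes:
    """Constructed little-endian bind PDU offering one interface (sample input only)."""
    ndr = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax
    ctx = (struct.pack("<HBB", 0, 1, 0) + iface.bytes_le + struct.pack("<I", 1)
           + ndr.bytes_le + struct.pack("<I", 2))
    body = struct.pack("<HHI", 4280, 4280, 0) + struct.pack("<BBH", 1, 0, 0) + ctx
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03, b"\x10\x00\x00\x00",
                      16 + len(body), 0, 1)
    return hdr + body
```

Because the match is on the bind's interface UUID and destination port, it is unaffected by the randomized filler and build-specific addresses noted above.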
GHSA
GHSA-j9x7-2cqg-54fc: Buffer overflow in AgRpcCln
ghsa_unreviewed·2022-05-01·CVSS 10.0
CVE-2007-2528 [CRITICAL] GHSA-j9x7-2cqg-54fc: Buffer overflow in AgRpcCln
Buffer overflow in AgRpcCln.dll for Trend Micro ServerProtect 5.58 for Windows before Security Patch 3 Build 1176 allows remote attackers to execute arbitrary code via unknown vectors related to RPC requests. NOTE: this is probably a different vulnerability than CVE-2007-2508.
GHSA
GHSA-628g-c62g-r2j2: Multiple stack-based buffer overflows in Trend Micro ServerProtect 5
ghsa_unreviewed·2022-05-01
CVE-2007-2508 [HIGH] CWE-119 GHSA-628g-c62g-r2j2: Multiple stack-based buffer overflows in Trend Micro ServerProtect 5
Multiple stack-based buffer overflows in Trend Micro ServerProtect 5.58 before Security Patch 2 Build 1174 allow remote attackers to execute arbitrary code via crafted data to (1) TCP port 5168, which triggers an overflow in the CAgRpcClient::CreateBinding function in the AgRpcCln.dll library in SpntSvc.exe; or (2) TCP port 3628, which triggers an overflow in EarthAgent.exe. NOTE: both issues are reachable via TmRpcSrv.dll.
No detection rules found.
Exploit-DB
Trend Micro ServerProtect 5.58 - 'EarthAgent.exe' Remote Buffer Overflow (Metasploit)
exploitdb·2010-04-30
CVE-2007-2508 Trend Micro ServerProtect 5.58 - 'EarthAgent.exe' Remote Buffer Overflow (Metasploit)
---
##
# $Id: trendmicro_serverprotect_earthagent.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Trend Micro ServerProtect 5.58 EarthAgent.EXE Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in Trend Micro ServerProtect 5.58 Build 1060
EarthAgent.EXE. By sending a specially crafted RPC request, an attacker could overflow the
buffer and execute arbitrary code.
},
'Author' => [ 'MC' ],
'Lice
Exploit-DB
Trend Micro ServerProtect 5.58 - 'CreateBinding()' Remote Buffer Overflow (Metasploit)
exploitdb·2010-04-30
CVE-2007-2508 Trend Micro ServerProtect 5.58 - 'CreateBinding()' Remote Buffer Overflow (Metasploit)
---
##
# $Id: trendmicro_serverprotect_createbinding.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Trend Micro ServerProtect 5.58 CreateBinding() Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in Trend Micro ServerProtect 5.58 Build 1060.
By sending a specially crafted RPC request, an attacker could overflow the
buffer and execute arbitrary code.
},
'Author' => [ 'MC' ],
'License' => MS
Exploit-DB
Trend Micro ServerProtect 5.58 - 'SpntSvc.exe' Remote Stack Buffer Overflow
exploitdb·2007-05-07
CVE-2007-2508 Trend Micro ServerProtect 5.58 - 'SpntSvc.exe' Remote Stack Buffer Overflow
---
source: https://www.securityfocus.com/bid/23868/info
Trend Micro ServerProtect is prone to a stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.
Exploiting this issue allows attackers to execute arbitrary machine code with SYSTEM-level privileges and to completely compromise affected computers. Failed exploit attempts will result in a denial of service.
##
# $Id: trendmicro_serverprotect_createbinding.rb 5100 2007-09-10 01:01:20Z hdm $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
#
Metasploit
Trend Micro ServerProtect 5.58 CreateBinding() Buffer Overflow
metasploit
This module exploits a buffer overflow in Trend Micro ServerProtect 5.58 Build 1060. By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code.
Metasploit
Trend Micro ServerProtect 5.58 EarthAgent.EXE Buffer Overflow
metasploit
This module exploits a buffer overflow in Trend Micro ServerProtect 5.58 Build 1060 EarthAgent.EXE. By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code.
No writeups or analysis indexed.
- http://osvdb.org/35789
- http://osvdb.org/35790
- http://secunia.com/advisories/25186
- http://securitytracker.com/id?1018010
- http://www.kb.cert.org/vuls/id/488424
- http://www.kb.cert.org/vuls/id/515616
- http://www.securityfocus.com/archive/1/467932/100/0/threaded
- http://www.securityfocus.com/archive/1/467933/100/0/threaded
- http://www.securityfocus.com/bid/23866
- http://www.securityfocus.com/bid/23868
- http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch2_readme.txt
- http://www.vupen.com/english/advisories/2007/1689
- http://www.zerodayinitiative.com/advisories/ZDI-07-024.html
- http://www.zerodayinitiative.com/advisories/ZDI-07-025.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34162
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34163
Published: 2007-05-08