CVE-2007-2864
published 2007-06-06


Priority: P2 61
CVSS 2.0: 9.3 (critical), vector AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 49.65% (98.7th percentile)
Stack-based buffer overflow in the Anti-Virus engine before content update 30.6 in multiple CA (formerly Computer Associates) products allows remote attackers to execute arbitrary code via a large invalid value of the coffFiles field in a .CAB file.

Affected

32 ranges · showing 25 (the version-range and fixed-in columns were not captured for any row; the advisory's fix is content update 30.6)

Vendor     Product                         Ranges shown
broadcom   anti-virus_for_the_enterprise   1
broadcom   brightstor_arcserve_backup      5
broadcom   common_services                 6
broadcom   etrust_antivirus                2
broadcom   etrust_antivirus_gateway        1
broadcom   etrust_ez_antivirus             2
broadcom   etrust_ez_armor                 4
broadcom   integrated_threat_management    1
broadcom   internet_security_suite         3

Detection & IOCs (extracted from sources)

filename   msf.cab
address    0x6dc886ea (INOCORE.dll: pop edi; pop esi; ret)
command    PrependEncoder: \x81\xc4\x54\xf2\xff\xff (stack adjustment: add esp, -3500)
bytes      4D534346 00000000 C40D0000 00000000 (first 16 bytes of the CFHEADER: "MSCF" signature, reserved1, cbCabinet = 0x0DC4, reserved2; coffFiles is the next dword at offset 16)
  • Detect malicious CAB files exploiting CVE-2007-2864 by checking the coffFiles field of the CFHEADER (the 32-bit offset of the first CFFILE entry, at byte offset 16): a value larger than cbCabinet or than the actual file size cannot be valid and matches the trigger described in the advisory.
  • The Metasploit exploit overwrites the SEH record at offset 268 and the return address at offset 272 within a 1024-byte pattern; inspecting those offsets of the CAB parsing buffer can identify exploitation attempts.
  • The exploit returns into an INOCORE.dll gadget at 0x6dc886ea (pop edi; pop esi; ret); that address on the stack while CA eTrust AV 8.1.637 scans a CAB file indicates exploitation.
  • The Metasploit module targets only CA eTrust Antivirus 8.1.637 on Windows 2000 (all service packs) and Windows XP SP0/SP1; the gadget address 0x6dc886ea in inocore.dll is build-specific and will not apply to other builds.
  • The vulnerability affects multiple CA products; the fix is content update 30.6 or later. Detection rules should cover every CA AV engine deployment prior to that update, not just eTrust 8.1.637.
  • Payload space is limited to 250 bytes and \x00 is a bad character; signatures based solely on shellcode size or content can miss custom payloads that fit within those constraints.
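As an added example (not code from cvebase, CA, or the Metasploit module), the following Python triage script applies the checks above to a cabinet image: it decodes the fixed 36-byte CFHEADER, flags a coffFiles value that cannot point inside the cabinet, and scans for the two byte-level IOCs quoted on this page. Both sample cabinets are constructed here. The invalid coffFiles value 0xFFFFFFFF, the placement of the gadget bytes after 272 bytes of filler, and the helper names (parse_cfheader, triage_cab, build_cab) are assumptions for illustration, not values taken from the real exploit.

```python
"""Triage a .CAB file for the CVE-2007-2864 pattern.

Added example, not from cvebase, CA, or Metasploit. It checks the CFHEADER
coffFiles field for an out-of-range value and scans for the two byte-level IOCs
listed on this page (the INOCORE.dll gadget address and the stack-adjust stub).
"""
import struct

CAB_MAGIC = b"MSCF"
# CFHEADER (fixed part, 36 bytes): signature, reserved1, cbCabinet, reserved2,
# coffFiles, reserved3, versionMinor, versionMajor, cFolders, cFiles, flags,
# setID, iCabinet.  All integers are little-endian.
CFHEADER_FMT = "<4sIIIIIBBHHHHH"
CFHEADER_LEN = struct.calcsize(CFHEADER_FMT)
CFFOLDER_LEN = 8
CFHDR_RESERVE_PRESENT = 0x0004

# IOCs quoted on this page, as the byte sequences they leave in a file or on the stack.
INOCORE_GADGET = struct.pack("<I", 0x6DC886EA)    # pop edi; pop esi; ret (eTrust AV 8.1.637 build only)
STACK_ADJUST_STUB = b"\x81\xc4\x54\xf2\xff\xff"    # add esp, -3500 (Metasploit PrependEncoder)


def parse_cfheader(data: bytes) -> dict:
    """Decode the fixed CFHEADER into a dict; raise ValueError on a short buffer."""
    if len(data) < CFHEADER_LEN:
        raise ValueError(f"need {CFHEADER_LEN} bytes for CFHEADER, got {len(data)}")
    names = ("signature", "reserved1", "cbCabinet", "reserved2", "coffFiles", "reserved3",
             "versionMinor", "versionMajor", "cFolders", "cFiles", "flags", "setID", "iCabinet")
    return dict(zip(names, struct.unpack_from(CFHEADER_FMT, data, 0)))


def decode_add_esp_imm32(stub: bytes) -> int:
    """Return the signed displacement of an 'add esp, imm32' (81 C4 imm32) encoding."""
    if len(stub) != 6 or stub[:2] != b"\x81\xc4":
        raise ValueError("not an 'add esp, imm32' encoding")
    return struct.unpack("<i", stub[2:])[0]


def triage_cab(data: bytes) -> list[str]:
    """Return findings for one cabinet image; an empty list means nothing suspicious."""
    try:
        hdr = parse_cfheader(data)
    except ValueError as exc:
        return [str(exc)]
    if hdr["signature"] != CAB_MAGIC:
        return [f"not a CAB file: signature is {hdr['signature']!r}"]

    findings = []
    coff, cb = hdr["coffFiles"], hdr["cbCabinet"]
    # The first CFFILE must follow the header and at least one CFFOLDER, and must
    # lie inside both the declared cabinet size and the bytes actually present.
    min_coff = CFHEADER_LEN + CFFOLDER_LEN
    if hdr["flags"] & CFHDR_RESERVE_PRESENT:
        min_coff += 4   # cbCFHeader/cbCFFolder/cbCFData fields; the reserve area itself adds more,
                        # so this lower bound stays conservative rather than too strict
    if coff < min_coff or coff >= cb or coff >= len(data):
        findings.append(f"coffFiles=0x{coff:08x} out of bounds "
                        f"(cbCabinet=0x{cb:08x}, bytes available={len(data)})")
    if cb != len(data):
        findings.append(f"cbCabinet=0x{cb:08x} does not match actual size {len(data)}")

    # Version-specific second-stage IOCs; a different payload or target build will not match.
    if INOCORE_GADGET in data:
        findings.append("contains 0x6dc886ea (INOCORE.dll pop/pop/ret) as a little-endian dword")
    if STACK_ADJUST_STUB in data:
        findings.append(f"contains add esp,{decode_add_esp_imm32(STACK_ADJUST_STUB)} stub")
    return findings


def build_cab(coff_files: int, body: bytes) -> bytes:
    """Constructed sample cabinet: one folder, one file, cbCabinet set to the real size."""
    total = CFHEADER_LEN + len(body)
    hdr = struct.pack(CFHEADER_FMT, CAB_MAGIC, 0, total, 0, coff_files, 0,
                      3, 1, 1, 1, 0, 0, 0)
    return hdr + body


# Benign sample (constructed): coffFiles points just past the header and one CFFOLDER.
BENIGN_CAB = build_cab(CFHEADER_LEN + CFFOLDER_LEN, b"\x00" * 200)

# Malicious sample (constructed): sized 0x0DC4 bytes so its first 16 bytes equal the
# IOC on this page; coffFiles is an impossible 0xFFFFFFFF (assumed value, not the
# module's); gadget and stub sit after 272 bytes of filler (assumed layout).
_front = b"A" * 272 + INOCORE_GADGET + STACK_ADJUST_STUB
MALICIOUS_CAB = build_cab(0xFFFFFFFF, _front + b"A" * (0x0DC4 - CFHEADER_LEN - len(_front)))


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_CAB), ("malicious", MALICIOUS_CAB)):
        print(name, triage_cab(blob) or "clean")
```

The coffFiles bound is the check that generalises across CA builds; the gadget and stub scans only match the Metasploit defaults and will miss a re-targeted or re-encoded payload, which is the caveat in the last two bullets above. A benign cabinet whose cbCabinet disagrees with its on-disk size is reported separately, since that mismatch is common in truncated downloads and should not be conflated with the overflow trigger.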