CVE-2007-2864
Published 2007-06-06
Priority P2 · 61 · critical · 9.3 CVSS 2.0
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 49.65% (98.7th percentile)
Stack-based buffer overflow in the Anti-Virus engine before content update 30.6 in multiple CA (formerly Computer Associates) products allows remote attackers to execute arbitrary code via a large invalid value of the coffFiles field in a .CAB file.
Affected
32 ranges · showing 25 (identical rows collapsed; no version ranges were extracted)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| broadcom | anti-virus_for_the_enterprise | — (1 entry) | — |
| broadcom | brightstor_arcserve_backup | — (5 entries) | — |
| broadcom | common_services | — (6 entries) | — |
| broadcom | etrust_antivirus | — (2 entries) | — |
| broadcom | etrust_antivirus_gateway | — (1 entry) | — |
| broadcom | etrust_ez_antivirus | — (2 entries) | — |
| broadcom | etrust_ez_armor | — (4 entries) | — |
| broadcom | integrated_threat_management | — (1 entry) | — |
| broadcom | internet_security_suite | — (3 entries) | — |
Detection & IOCs (extracted from sources)
bytes: 4D534346 00000000 C40D0000 00000000 (the "MSCF" CAB signature followed by the reserved1, cbCabinet and reserved2 header fields)
Detection hints:
- Detect malicious CAB files exploiting CVE-2007-2864 by inspecting the coffFiles field for abnormally large/invalid values in the CAB header structure.
- The exploit payload overwrites SEH at offset 268 and the return address at offset 272 within a 1024-byte pattern; buffer inspection at these offsets in CAB parsing can identify exploitation attempts.
- The exploit targets an inocore.dll gadget at 0x6dc886ea (pop edi; pop esi; ret); presence of this return address on the stack during CAB file scanning by CA eTrust AV 8.1.637 indicates exploitation.
Caveats:
- The Metasploit module explicitly targets only CA eTrust Antivirus 8.1.637 on Windows 2000 All / Windows XP SP0/SP1; the gadget address (0x6dc886ea in inocore.dll) is version-specific and will not apply to other builds.
- The vulnerability affects multiple CA products; the fix is content update 30.6 or later. Detection rules should account for all CA AV engine deployments prior to that update, not just eTrust 8.1.637.
- The payload space is constrained to 250 bytes with null bytes as bad characters; detection signatures based solely on shellcode size/content may miss custom payloads that fit within these constraints.
No detection rules found.
Exploit-DB
CA AntiVirus Engine - CAB Buffer Overflow (Metasploit) · exploitdb · 2010-11-11
---
```ruby
##
# $Id: ca_cab.rb 10998 2010-11-11 22:43:22Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# Standard Metasploit 3 module header; the source listing ends inside the
# references array, so nothing after that point is reproduced here.
class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'CA Antivirus Engine CAB Buffer Overflow',
      'Description' => %q{
        This module exploits a stack buffer overflow in CA eTrust Antivirus 8.1.637.
        By creating a specially crafted CAB file, an attacker may be able
        to execute arbitrary code.
      },
      'License'     => MSF_LICENSE,
      'Author'      => [ 'MC' ],
      'Version'     => '$Revision: 10998 $',
      'References'  =>
        [
          [ 'CVE', '2007-2864' ],
          [ 'OSVDB', '35245' ],
```
Metasploit
CA Antivirus Engine CAB Buffer Overflow
This module exploits a stack buffer overflow in CA eTrust Antivirus 8.1.637. By creating a specially crafted CAB file, an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/25570
- http://supportconnectw.ca.com/public/antivirus/infodocs/caantivirus-securitynotice.asp
- http://www.kb.cert.org/vuls/id/105105
- http://www.osvdb.org/35245
- http://www.securityfocus.com/archive/1/470602/100/0/threaded
- http://www.securityfocus.com/archive/1/470754/100/0/threaded
- http://www.securityfocus.com/bid/24330
- http://www.securitytracker.com/id?1018199
- http://www.vupen.com/english/advisories/2007/2072
- http://www.zerodayinitiative.com/advisories/ZDI-07-035.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34737