CVE-2007-3216
Published: 2007-06-14
Priority: P2 · 67 · critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit available
EPSS: 59.19% (99.0th percentile)
Multiple buffer overflows in the LGServer component of CA (Computer Associates) BrightStor ARCserve Backup for Laptops and Desktops r11.1 allow remote attackers to execute arbitrary code via crafted arguments to the (1) rxsAddNewUser, (2) rxsSetUserInfo, (3) rxsRenameUser, (4) rxsSetMessageLogSettings, (5) rxsExportData, (6) rxsSetServerOptions, (7) rxsRenameFile, (8) rxsACIManageSend, (9) rxsExportUser, (10) rxsImportUser, (11) rxsMoveUserData, (12) rxsUseLicenseIni, (13) rxsLicGetSiteId, (14) rxsGetLogFileNames, (15) rxsGetBackupLog, (16) rxsBackupComplete, (17) rxsSetDataProtectionSecurityData, (18) rxsSetDefaultConfigName, (19) rxsGetMessageLogSettings, (20) rxsHWDiskGetTotal, (21) rxsHWDiskGetFree, (22) rxsGetSubDirs, (23) rxsGetServerDBPathName, (24) rxsSetServerOptions, (25) rxsDeleteFile, (26) rxsACIManageSend, (27) rxcReadBackupSetList, (28) rxcWriteConfigInfo, (29) rxcSetAssetManagement, (30) rxcWriteFileListForRestore, (31) rxcReadSaveSetProfile, (32) rxcInitSaveSetProfile, (33) rxcAddSaveSetNextAppList, (34) rxcAddSaveSetNextFilesPathList, (35) rxcAddNextBackupSetIncWildCard, (36) rxcGetRevisions, (37) rxrAddMovedUser, (38) rxrSetClientVersion, or (39) rxsSetDataGrowthScheduleAndFilter commands.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| broadcom | brightstor_arcserve_backup_laptops_desktops | — | — |
Detection & IOCs (extracted from sources)
Indicator (bytes): ~~
- Detect version-check probe: LGServer receives the raw TCP string '0000000019rxrGetServerVersion' on port 1900 as a pre-exploitation reconnaissance step.
- Exploit traffic uses '~~' as a constant argument delimiter between the RPC command name and the oversized payload buffer; presence of this pattern in LGServer (port 1900) traffic alongside known RPC command names is a strong indicator of exploitation.
- Monitor TCP port 1900 for oversized requests (>4000 bytes) prefixed with any of the vulnerable RPC command names (e.g. rxsSetDataGrowthScheduleAndFilter, rxsUseLicenseIni, rxsAddNewUser, rxsSetUserInfo, rxsRenameUser, rxcReadSaveSetProfile, etc.) targeting the LGServer component.
- The rxsSetDataGrowthScheduleAndFilter exploit sends a payload of ~25000 bytes with the command length field set to '0000025000'; anomalously large command length fields on port 1900 should be alerted on.
- The rxsUseLicenseIni exploit sends a command length field of '0000004820' followed by the RPC command; monitor for this specific length prefix on port 1900.
- The multi-command exploit uses an SEH overwrite at offset 58468 within a 62768-byte buffer; the command length field is set to '0000062768'. Requests of this exact size on port 1900 are highly suspicious.
- The Metasploit modules target specific Windows OS versions with hardcoded return addresses; the Windows 2000 SP4 English target uses ret=0x75031dce and Windows 2003 SP0 English uses ret=0x71ae1f9b. Detection based on payload bytes may vary by target platform.
- The null byte (\x00) is a bad character excluded from payloads; detection signatures should account for the absence of null bytes in the oversized buffer region.
- Vulnerability is confirmed only against BrightStor ARCserve Backup for Laptops & Desktops version 11.1 (build 11.1.742); other versions may not be affected.
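A detection-side parser for the LGServer request framing these indicators describe (10-digit decimal length field, RPC command name, '~~' argument delimiter), written as an added example; it is not code from the page's sources or from the Metasploit modules. The command set is a subset of the commands named in the CVE, the 4000-byte threshold is the one given above, and the sample requests are constructed with neutral filler.

```python
import re

# Subset of the vulnerable LGServer RPC command names from the CVE description.
VULNERABLE_COMMANDS = {
    "rxsAddNewUser", "rxsSetUserInfo", "rxsRenameUser", "rxsUseLicenseIni",
    "rxsSetDataGrowthScheduleAndFilter", "rxcReadSaveSetProfile",
    "rxsExportData", "rxsRenameFile", "rxsACIManageSend", "rxrAddMovedUser",
}
OVERSIZE_THRESHOLD = 4000  # bytes; threshold from the indicators above
DELIMITER = b"~~"          # separates the command name from its arguments


def parse_lgserver_request(data: bytes):
    """Split one raw TCP/1900 request into its 10-digit decimal length field,
    the RPC command name and the argument bytes after '~~'.
    Returns None if the data does not have that shape."""
    if len(data) < 11 or not data[:10].isdigit():
        return None
    body = data[10:]
    m = re.match(rb"[A-Za-z0-9_]+", body)
    if not m:
        return None
    rest = body[m.end():]
    args = rest[len(DELIMITER):] if rest.startswith(DELIMITER) else rest
    return {"declared_len": int(data[:10]), "actual_len": len(body),
            "command": m.group(0).decode("ascii"), "args": args}


def classify(data: bytes) -> str:
    """Verdict for one request, applying the indicators listed above."""
    req = parse_lgserver_request(data)
    if req is None:
        return "malformed"
    if req["declared_len"] != req["actual_len"]:
        return "length-mismatch"          # framing disagrees with the body size
    if req["command"] == "rxrGetServerVersion" and not req["args"]:
        return "version-probe"            # pre-exploitation reconnaissance
    if req["command"] in VULNERABLE_COMMANDS and req["actual_len"] > OVERSIZE_THRESHOLD:
        return "oversized-command"        # matches the exploit traffic shape
    return "normal"


def frame(body: bytes) -> bytes:
    """Prefix a body with its 10-digit length field (only used to build samples)."""
    return b"%010d" % len(body) + body


# Constructed samples: the probe quoted above, a benign-sized call, and a
# 25000-byte rxsSetDataGrowthScheduleAndFilter body padded with filler.
SAMPLE_PROBE = b"0000000019rxrGetServerVersion"
SAMPLE_NORMAL = frame(b"rxsAddNewUser~~alice")
_cmd = b"rxsSetDataGrowthScheduleAndFilter~~"
SAMPLE_OVERSIZED = frame(_cmd + b"A" * (25000 - len(_cmd)))
```

Feeding reassembled TCP/1900 stream payloads through classify() yields the verdicts used in the bullets above; a "length-mismatch" verdict on its own is worth a look because the length field is what the parser trusts.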
Suricata
CVE-2007-0569 [HIGH] ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id ASCII
suricata · 2010-07-30 · CVSS 7.5
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id ASCII"; flow:established,to_server; http.uri; content:"/xNews.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0569; reference:url,www.milw0rm.com/exploits/3216; classtype:web-application-attack; sid:2005162; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique
Suricata
CVE-2007-0569 [HIGH] ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id UPDATE
suricata · 2010-07-30 · CVSS 7.5
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id UPDATE"; flow:established,to_server; http.uri; content:"/xNews.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0569; reference:url,www.milw0rm.com/exploits/3216; classtype:web-application-attack; sid:2005163; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_
Suricata
CVE-2007-0569 [HIGH] ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id SELECT
suricata · 2010-07-30 · CVSS 7.5
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id SELECT"; flow:established,to_server; http.uri; content:"/xNews.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0569; reference:url,www.milw0rm.com/exploits/3216; classtype:web-application-attack; sid:2005158; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique
Suricata
CVE-2007-0569 [HIGH] ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id INSERT
suricata · 2010-07-30 · CVSS 7.5
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id INSERT"; flow:established,to_server; http.uri; content:"/xNews.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0569; reference:url,www.milw0rm.com/exploits/3216; classtype:web-application-attack; sid:2005160; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique
Suricata
CVE-2007-0569 [HIGH] ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id UNION SELECT
suricata · 2010-07-30 · CVSS 7.5
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/xNews.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0569; reference:url,www.milw0rm.com/exploits/3216; classtype:web-application-attack; sid:2005159; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mi
Suricata
CVE-2007-0569 [HIGH] ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id DELETE
suricata · 2010-07-30 · CVSS 7.5
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id DELETE"; flow:established,to_server; http.uri; content:"/xNews.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0569; reference:url,www.milw0rm.com/exploits/3216; classtype:web-application-attack; sid:2005161; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique
Exploit-DB
CVE-2007-3216 CA BrightStor ARCserve for Laptops & Desktops LGServer - 'rxsSetDataGrowthScheduleAndFilter' Remote Buffer Overflow (Metasploit)
exploitdb · 2011-03-10
---
##
# $Id: $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'CA BrightStor ARCserve for Laptops & Desktops LGServer (rxsSetDataGrowthScheduleAndFilter) Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup
for Laptops & Desktops 11.1. By sending a specially crafted request (rxsSetDataGrowthScheduleAndFilter),
an attacker could overf
Exploit-DB
CVE-2007-3216 CA BrightStor ARCserve for Laptops & Desktops LGServer - Multiple Commands Buffer Overflows (Metasploit)
exploitdb · 2010-11-04
---
##
# $Id: lgserver_multi.rb 10909 2010-11-04 23:59:56Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'CA BrightStor ARCserve for Laptops & Desktops LGServer Multiple Commands Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup
for Laptops & Desktops 11.1. By sending a specially crafted request to multiple commands,
an attacker could overflow th
Exploit-DB
CVE-2007-3216 CA BrightStor ARCserve for Laptops & Desktops LGServer - Remote Buffer Overflow (Metasploit) (2)
exploitdb · 2010-11-03
---
##
# $Id: lgserver_rxsuselicenseini.rb 10892 2010-11-03 22:09:44Z mc $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup
for Laptops & Desktops 11.1. By sending a specially crafted request (rxsUseLicenseIni), an
attacker could overflow the buffer and execute
Metasploit
CA BrightStor ARCserve for Laptops and Desktops LGServer Buffer Overflow
metasploit
This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup for Laptops & Desktops 11.1. By sending a specially crafted request (rxsUseLicenseIni), an attacker could overflow the buffer and execute arbitrary code.
Metasploit
CA BrightStor ARCserve for Laptops and Desktops LGServer rxsSetDataGrowthScheduleAndFilter Buffer Overflow
metasploit
This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup for Laptops & Desktops 11.1. By sending a specially crafted request (rxsSetDataGrowthScheduleAndFilter), an attacker could overflow the buffer and execute arbitrary code.
Metasploit
CA BrightStor ARCserve for Laptops and Desktops LGServer Multiple Commands Buffer Overflow
metasploit
This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup for Laptops & Desktops 11.1. By sending a specially crafted request to multiple commands, an attacker could overflow the buffer and execute arbitrary code.
No writeups or analysis indexed.
References
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=599
- http://osvdb.org/35329
- http://research.eeye.com/html/advisories/published/AD20070920.html
- http://research.eeye.com/html/advisories/upcoming/20070604.html
- http://secunia.com/advisories/25606
- http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/bsabld-securitynotice.asp
- http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/caarcservebld-securitynotice.asp
- http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=156006
- http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35673
- http://www.securityfocus.com/archive/1/480252/100/100/threaded
- http://www.securityfocus.com/bid/24348
- http://www.securitytracker.com/id?1018216
- http://www.securitytracker.com/id?1018728
- http://www.vupen.com/english/advisories/2007/2121
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34805