CVE-2007-3216
published 2007-06-14

Priority: P267, critical, 10 (CVSS 2.0)
AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 59.19% (99.0th percentile)
Multiple buffer overflows in the LGServer component of CA (Computer Associates) BrightStor ARCserve Backup for Laptops and Desktops r11.1 allow remote attackers to execute arbitrary code via crafted arguments to the (1) rxsAddNewUser, (2) rxsSetUserInfo, (3) rxsRenameUser, (4) rxsSetMessageLogSettings, (5) rxsExportData, (6) rxsSetServerOptions, (7) rxsRenameFile, (8) rxsACIManageSend, (9) rxsExportUser, (10) rxsImportUser, (11) rxsMoveUserData, (12) rxsUseLicenseIni, (13) rxsLicGetSiteId, (14) rxsGetLogFileNames, (15) rxsGetBackupLog, (16) rxsBackupComplete, (17) rxsSetDataProtectionSecurityData, (18) rxsSetDefaultConfigName, (19) rxsGetMessageLogSettings, (20) rxsHWDiskGetTotal, (21) rxsHWDiskGetFree, (22) rxsGetSubDirs, (23) rxsGetServerDBPathName, (24) rxsSetServerOptions, (25) rxsDeleteFile, (26) rxsACIManageSend, (27) rxcReadBackupSetList, (28) rxcWriteConfigInfo, (29) rxcSetAssetManagement, (30) rxcWriteFileListForRestore, (31) rxcReadSaveSetProfile, (32) rxcInitSaveSetProfile, (33) rxcAddSaveSetNextAppList, (34) rxcAddSaveSetNextFilesPathList, (35) rxcAddNextBackupSetIncWildCard, (36) rxcGetRevisions, (37) rxrAddMovedUser, (38) rxrSetClientVersion, or (39) rxsSetDataGrowthScheduleAndFilter commands.

Affected

1 range
Vendor | Product | Version range | Fixed in
broadcom | brightstor_arcserve_backup_laptops_desktops | |

Detection & IOCs (extracted from sources)

port: 1900
command: rxsSetDataGrowthScheduleAndFilter
command: rxsUseLicenseIni
command: 0000000019rxrGetServerVersion
version: 11.1.742
bytes: ~~
  • Detect version-check probe: LGServer receives the raw TCP string '0000000019rxrGetServerVersion' on port 1900 as a pre-exploitation reconnaissance step.
  • Exploit traffic uses '~~' as a constant argument delimiter between the RPC command name and the oversized payload buffer; presence of this pattern in LGServer (port 1900) traffic alongside known RPC command names is a strong indicator of exploitation.
  • Monitor TCP port 1900 for oversized requests (>4000 bytes) prefixed with any of the vulnerable RPC command names (e.g. rxsSetDataGrowthScheduleAndFilter, rxsUseLicenseIni, rxsAddNewUser, rxsSetUserInfo, rxsRenameUser, rxcReadSaveSetProfile, etc.) targeting the LGServer component.
  • The rxsSetDataGrowthScheduleAndFilter exploit sends a payload of ~25000 bytes with the command length field set to '0000025000'; anomalously large command length fields on port 1900 should be alerted on.
  • The rxsUseLicenseIni exploit sends a command length field of '0000004820' followed by the RPC command; monitor for this specific length prefix on port 1900.
  • The multi-command exploit uses an SEH overwrite at offset 58468 within a 62768-byte buffer; the command length field is set to '0000062768'. Requests of this exact size on port 1900 are highly suspicious.
  • The Metasploit modules target specific Windows OS versions with hardcoded return addresses; the Windows 2000 SP4 English target uses ret=0x75031dce and Windows 2003 SP0 English uses ret=0x71ae1f9b. Detection based on payload bytes may vary by target platform.
  • The null byte (\x00) is a bad character excluded from payloads; detection signatures should account for the absence of null bytes in the oversized buffer region.
  • Vulnerability is confirmed only against BrightStor ARCserve Backup for Laptops & Desktops version 11.1 (build 11.1.742); other versions may not be affected.
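
The indicators above combined into one check over reassembled TCP requests, as an added example (not code from this page's sources). It assumes the 10-digit ASCII prefix is the byte length of the command that follows, which the '0000000019rxrGetServerVersion' probe is consistent with; the function name `inspect`, the tag names and the sample payloads are constructed for illustration.

```python
import re

PORT = 1900              # LGServer TCP port given on this page
SIZE_THRESHOLD = 4000    # ">4000 bytes" threshold from the page
# Assumed framing: 10 ASCII digits (length field), then an rxs/rxc/rxr
# command name read up to the first non-letter byte.
HEADER = re.compile(rb"^(\d{10})(rx[scr][A-Za-z]+)")


def inspect(dst_port: int, data: bytes) -> list[str]:
    """Return the detection tags that apply to one reassembled request."""
    if dst_port != PORT:
        return []
    m = HEADER.match(data)
    if not m:
        return []  # not LGServer-style framing
    declared = int(m.group(1))
    command = m.group(2).decode("ascii")
    body = data[m.end():]

    tags = []
    # Version-check probe: bare command, length field equals name length.
    if command == "rxrGetServerVersion" and declared == len(command):
        tags.append("version-probe")
    # Anomalously large length field or request size.
    if declared > SIZE_THRESHOLD or len(data) > SIZE_THRESHOLD:
        tags.append("oversized-request")
    # '~~' directly between the command name and its argument buffer.
    if body.startswith(b"~~"):
        tags.append("tilde-delimiter")
    # Large argument region with no NUL bytes at all.
    if len(body) > SIZE_THRESHOLD and b"\x00" not in body:
        tags.append("large-body-without-nul")
    return tags


# Constructed samples: the probe string from the page, and a request with a
# large declared length and inert filler bytes (not a captured exploit).
SAMPLE_PROBE = b"0000000019rxrGetServerVersion"
SAMPLE_LARGE = b"0000025000rxsSetDataGrowthScheduleAndFilter~~" + b"A" * 5000

if __name__ == "__main__":
    for name, pkt in (("probe", SAMPLE_PROBE), ("large", SAMPLE_LARGE)):
        print(name, inspect(PORT, pkt))
```

Alert on `oversized-request` together with `tilde-delimiter`, and treat `version-probe` as lower-severity context for any later alert from the same source.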