CVE-2007-3336
Published 2007-06-22
Priority P3 · 54 · critical · 10 CVSS 2.0
AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS 8.96% (94.6th percentile)
Multiple "pointer overwrite" vulnerabilities in Ingres database server 2006 9.0.4, r3, 2.6, and 2.5, as used in multiple CA (formerly Computer Associates) products, allow remote attackers to execute arbitrary code by sending certain TCP data at different times to the Ingres Communications Server Process (iigcc), which calls the (1) QUinsert or (2) QUremove functions with attacker-controlled input.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ingres | database_server | — | — |
| ingres | database_server | — | — |
| ingres | database_server | — | — |
| ingres | database_server | — | — |
Detection & IOCs
- The vulnerability is triggered via the QUinsert or QUremove functions called by iigcc; alert on unexpected process crashes or restarts of iigcc/iijdbc services on Windows hosts
- Exploitation can result in SYSTEM-level code execution; monitor for privilege escalation events following unexpected iigcc/iijdbc crashes on Windows 2003 Server
- The PoC was tested specifically on Windows 2003 Server SP1 (English); payload offsets (2106 for iigcc, 1066 for iijdbc) may differ on other OS versions or service pack levels
- Affected versions span Ingres 2006 9.0.4, r3, 2.6, and 2.5; the PoC author notes the issue is fixed in the last version, so detection should focus on unpatched legacy deployments
- The port targeted is user-supplied at runtime (not hardcoded); defenders should identify the listening port of iigcc and iijdbc in their specific deployment and apply network-layer controls accordingly
No detection rules found.
Exploit-DB
CA Advantage Ingres 2.6 - Multiple Buffer Overflow Vulnerabilities (PoC)
exploitdb · 2010-08-14 · CVSS 10.0
---
```python
# Exploit Title: Computer Associates Advantage Ingres 2.6 Multiple Buffer Overflow Vulnerabilities PoC
# Date: 2010-08-14
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Version: 2.6
# Tested on: Windows 2003 Server SP1 en
# CVE: CVE-2007-3336 - CVE-2007-3338
# Notes: Fixed in the last version.
# iigcc - EDX holds a pointer that's overwritten at byte 2106 and it crashes while executing
# MOV EAX,DWORD PTR DS:[EDX+8]
# iijdbc - EDI holds a pointer that's overwritten at byte 1066 and it crashes while executing
# CMP ECX,DWORD PTR DS:[EDI+4]
# please let me know if you are/were able to get code execution
import socket
import sys

if len(sys.argv) != 4:
    print "Usage: ./CAAdvantageDoS.py "
    print "Vulnerable Serv
```
Exploit-DB
Ingress Database Server 2.6 - Multiple Remote Vulnerabilities
exploitdb · 2007-06-21 · CVSS 10.0
---
source: https://www.securityfocus.com/bid/24585/info
Ingress Database Server included in CA eTrust Secure Content Manager is prone to multiple remote vulnerabilities, including multiple stack- and heap-based buffer-overflow issues, multiple pointer-overwrite issues, and an arbitrary-file-overwrite issue.
Successful exploits will allow attackers to completely compromise affected computers, including executing arbitrary code with SYSTEM-level privileges and truncating the 'alarkp.def' file.
```python
# Exploit Title: Computer Associates Advantage Ingres 2.6 Denial of Service Vulnerabilities
# Date: 2010-08-14
# Author: fdisk
# Version: 2.6
# Tested on: Windows 2003 Server SP1 en
# CVE: CVE-2007-3334 - CVE-2007-3336 - CVE-2007-3337
```
No writeups or analysis indexed.
- http://archives.neohapsis.com/archives/bugtraq/2007-06/0302.html
- http://osvdb.org/37486
- http://secunia.com/advisories/25756
- http://secunia.com/advisories/25775
- http://supportconnectw.ca.com/public/ca_common_docs/ingresvuln_letter.asp
- http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=145778
- http://www.ngssoftware.com/advisories/critical-risk-vulnerability-in-ingres-pointer-overwrite-1/
- http://www.ngssoftware.com/advisories/critical-risk-vulnerability-in-ingres-pointer-overwrite-2/
- http://www.securityfocus.com/archive/1/472193/100/0/threaded
- http://www.securityfocus.com/bid/24585
- http://www.vupen.com/english/advisories/2007/2288
- http://www.vupen.com/english/advisories/2007/2290
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34993
- https://exchange.xforce.ibmcloud.com/vulnerabilities/35000