CVE-2007-3338
Published 2007-06-22
Priority P352 · Severity: critical · CVSS 2.0 base score 10 · Vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Public exploit available
EPSS: 6.67% (93.1st percentile)
Multiple stack-based buffer overflows in Ingres database server 2006 9.0.4, r3, 2.6, and 2.5, as used in multiple CA (Computer Associates) products, allow remote attackers to execute arbitrary code via the (1) uuid_from_char or (2) duve_get_args functions.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ingres | database_server | — (4 ranges listed; version bounds not captured) | — |
Detection & IOCs (extracted from sources)
- bytes: \x41 * 2106 + \x42 * 4 (iigcc overflow trigger)
- bytes: \x41 * 1066 + \x42 * 4 (iijdbc overflow trigger)
- Exploitation targets the uuid_from_char or duve_get_args functions in the Ingres database server; alert on stack-based buffer overflow attempts against these named functions.
- Successful exploitation grants SYSTEM-level privileges on Windows; correlate Ingres service process spawning unexpected child processes or privilege escalation events.
- Exploit sends a raw TCP payload of repeating 0x41 bytes (2106 for iigcc, 1066 for iijdbc) followed by 4 bytes of 0x42; network signatures should match oversized single-byte-repeated payloads to these services.
- The PoC was tested specifically on Windows 2003 Server SP1 (English); exploit offsets (2106 for iigcc, 1066 for iijdbc) may differ on other OS versions or service pack levels.
- The PoC author was unable to confirm code execution beyond denial-of-service/crash; actual RCE exploitation may require additional offset tuning.
- Affected versions are Ingres 2006 9.0.4, r3, 2.6, and 2.5; the vulnerability is fixed in the last version.
No detection rules found.
Exploit-DB: CA Advantage Ingres 2.6 - Multiple Buffer Overflow Vulnerabilities (PoC)
exploitdb · 2010-08-14 · CVSS 10.0 · CVE-2007-3336 [CRITICAL]
---
# Exploit Title: Computer Associates Advantage Ingres 2.6 Multiple Buffer Overflow Vulnerabilities PoC
# Date: 2010-08-14
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Version: 2.6
# Tested on: Windows 2003 Server SP1 en
# CVE: CVE-2007-3336 - CVE-2007-3338
# Notes: Fixed in the last version.
# iigcc - EDX holds a pointer that's overwritten at byte 2106 and it crashes while executing
# MOV EAX,DWORD PTR DS:[EDX+8]
# iijdbc - EDI holds a pointer that's overwritten at byte 1066 and it crashes while executing
# CMP ECX,DWORD PTR DS:[EDI+4]
# please let me know if you are/were able to get code execution
import socket
import sys
if len(sys.argv) != 4:
print "Usage: ./CAAdvantageDoS.py "
print "Vulnerable Serv
Exploit-DB: Ingress Database Server 2.6 - Multiple Remote Vulnerabilities
exploitdb · 2007-06-21 · CVSS 10.0 · CVE-2007-3334 [CRITICAL]
---
source: https://www.securityfocus.com/bid/24585/info
Ingress Database Server included in CA eTrust Secure Content Manager is prone to multiple remote vulnerabilities, including multiple stack- and heap-based buffer-overflow issues, multiple pointer-overwrite issues, and an arbitrary-file-overwrite issue.
Successful exploits will allow attackers to completely compromise affected computers, including executing arbitrary code with SYSTEM-level privileges and truncating the 'alarkp.def' file.
# Exploit Title: Computer Associates Advantage Ingres 2.6 Denial of Service Vulnerabilities
# Date: 2010-08-14
# Author: fdisk
# Version: 2.6
# Tested on: Windows 2003 Server SP1 en
# CVE: CVE-2007-3334 - CVE-2007-3336 - CVE-2007-3337
No writeups or analysis indexed.
References
- http://osvdb.org/37483
- http://secunia.com/advisories/25756
- http://secunia.com/advisories/25775
- http://supportconnectw.ca.com/public/ca_common_docs/ingresvuln_letter.asp
- http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=145778
- http://www.ngssoftware.com/advisories/high-risk-vulnerability-in-ingres-stack-overflow/
- http://www.ngssoftware.com/advisories/medium-risk-vulnerability-in-ingres-stack-overflow/
- http://www.securityfocus.com/archive/1/472194/100/0/threaded
- http://www.securityfocus.com/archive/1/472197/100/0/threaded
- http://www.securityfocus.com/bid/24585
- http://www.vupen.com/english/advisories/2007/2288
- http://www.vupen.com/english/advisories/2007/2290
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34995
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34998