CVE-2007-3872
published 2007-08-09

CVE-2007-3872: Multiple stack-based buffer overflows in the Shared Trace Service (OVTrace) service for HP OpenView Operations A.07.50 for Windows, and possibly earlier…

Priority: P3 53 · medium · CVSS 2.0: 6.8
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 30.28% (98.0th percentile)
Multiple stack-based buffer overflows in the Shared Trace Service (OVTrace) service for HP OpenView Operations A.07.50 for Windows, and possibly earlier versions, allow remote attackers to execute arbitrary code via certain crafted requests.

Affected

3 ranges
Vendor  Product               Version range  Fixed in
hp      openview_operations   <= a.07.50
hp      operations_manager
hp      shared_trace_service  <= a.07.50

Detection & IOCs (extracted from sources)

port: 5051
other: 0x75022ac4
bytes: \x0f\x00\x00\x06\x00
bytes: \x81\xc4\xff\xef\xff\xff\x44
  • Detect exploit attempts targeting the OVTrace service by monitoring for TCP connections to port 5051 containing the magic packet header bytes \x0f\x00\x00\x06\x00 followed by an oversized payload (total >2000 bytes).
  • Flag network traffic to port 5051 containing the stack-adjustment prepend encoder stub \x81\xc4\xff\xef\xff\xff\x44, which is prepended to shellcode in this exploit.
  • The exploit targets HP OpenView Operations version A.07.50 OVTrace service; alert on process crashes or unexpected code execution originating from the OVTrace listener on port 5051.
  • The exploit uses EXITFUNC=process and requires privileged execution; monitor for SYSTEM-level processes spawned as children of the OVTrace service after inbound connections on port 5051.
  • The Metasploit module only includes a single target (Windows 2000 Advanced Server All English) with a hardcoded return address; the exploit may not work against other OS versions without a different Ret value.
  • Payload space is constrained to 800 bytes and bad characters \x0a\x0d\x00 must be avoided; shellcode exceeding these constraints or containing bad chars will fail.
  • CVE-2009-3099 is explicitly noted as a different vulnerability from CVE-2007-3872, both affecting HP OpenView Operations Manager; do not conflate the two when scoping detection or patching.
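
The two network indicators from the detection bullets above, applied to reassembled client-to-server streams rather than single packets, so a signature split across TCP segments is still matched. This is an added example, not code from the page's sources; the flow tuple layout, function names and sample traffic are constructed assumptions.

```python
from collections import defaultdict

OVTRACE_PORT = 5051
MAGIC_HEADER = b"\x0f\x00\x00\x06\x00"          # header bytes listed on this page
ENCODER_STUB = b"\x81\xc4\xff\xef\xff\xff\x44"  # stack-adjustment stub listed on this page
OVERSIZE_THRESHOLD = 2000                        # total request bytes, per the first bullet

def reassemble(segments):
    """Join client-to-server segments (flow, offset, data) into one stream per flow.
    Simplification: offsets are assumed contiguous; a retransmitted offset keeps its first copy."""
    flows = defaultdict(dict)
    for flow, offset, data in segments:
        flows[flow].setdefault(offset, data)
    return {f: b"".join(parts[o] for o in sorted(parts)) for f, parts in flows.items()}

def indicators(payload):
    """Return the names of the page's network indicators present in one byte string."""
    hits = []
    if MAGIC_HEADER in payload and len(payload) > OVERSIZE_THRESHOLD:
        hits.append("magic-header-oversized")
    if ENCODER_STUB in payload:
        hits.append("stack-adjust-stub")
    return hits

def scan(segments):
    """Map each flow to port 5051 that trips an indicator to the list of indicators."""
    alerts = {}
    for flow, payload in reassemble(segments).items():
        if flow[2] == OVTRACE_PORT and (hits := indicators(payload)):
            alerts[flow] = hits
    return alerts

# Constructed sample traffic (not a capture): flow = (src_ip, src_port, dst_port).
SMALL = ("192.0.2.10", 40001, 5051)
SPLIT = ("192.0.2.66", 40002, 5051)
OTHER = ("192.0.2.66", 40003, 8080)
FIRST = MAGIC_HEADER + b"A" * 1500 + ENCODER_STUB[:3]   # stub cut at a segment boundary
SECOND = ENCODER_STUB[3:] + b"B" * 600
SAMPLE_SEGMENTS = [
    (SMALL, 0, MAGIC_HEADER + b"short request"),
    (SPLIT, len(FIRST), SECOND),          # arrives out of order
    (SPLIT, 0, FIRST),
    (OTHER, 0, FIRST + SECOND),           # same bytes, different service port
]

if __name__ == "__main__":
    for flow, hits in scan(SAMPLE_SEGMENTS).items():
        print(flow, hits)
```

Neither segment of the split flow trips an indicator on its own, which is why the match runs after reassembly.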