CVE-2007-4620
published 2008-04-07


Priority: P264, critical, 9 (CVSS 2.0)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
EXPLOIT
EPSS: 52.27% (98.8th percentile)
Multiple stack-based buffer overflows in Computer Associates (CA) Alert Notification Service (Alert.exe) 8.1.586.0, 8.0.450.0, and 7.1.758.0, as used in multiple CA products including Anti-Virus for the Enterprise 7.1 through r11.1 and Threat Manager for the Enterprise 8.1 and r8, allow remote authenticated users to execute arbitrary code via crafted RPC requests.

Affected

8 ranges
Vendor | Product | Version range | Fixed in
broadcom | anti-virus_for_the_enterprise
broadcom | anti-virus_for_the_enterprise
broadcom | anti-virus_for_the_enterprise
broadcom | brightstor_arcserve_backup
broadcom | brightstor_arcserve_backup
ca | brightstor_arcserve_backup
ca | threat_manager_for_the_enterprise
ca | threat_manager_for_the_enterprise

Detection & IOCs (extracted from sources)

other: 3d742890-397c-11cf-9bf1-00805f88cb72 v1.0
path: \alert
other: 0x77e03efb
other: 0x7c30d043
other: 0x7c2e7993
process: Alert.exe
  • Detect exploitation attempts by monitoring SMB named pipe connections to the '\alert' pipe combined with DCE/RPC calls to interface UUID 3d742890-397c-11cf-9bf1-00805f88cb72 v1.0 (opcode 0x00). Oversized string arguments in the RPC request are indicative of the overflow attempt.
  • Exploitation requires valid SMB credentials; monitor for authenticated SMB sessions followed immediately by DCE/RPC bind to UUID 3d742890-397c-11cf-9bf1-00805f88cb72 on the \alert named pipe.
  • The exploit uses EXITFUNC=thread and a stack adjustment of -3500 bytes; NOP sleds of 12 bytes precede shellcode. Presence of large NOP regions followed by shellcode in RPC traffic to this interface is a strong indicator.
  • Exploitation requires valid authenticated credentials to the target system over SMB; unauthenticated remote exploitation is not possible.
  • Affected versions are Alert.exe 8.1.586.0, 8.0.450.0, and 7.1.758.0. Return addresses and offsets differ per target OS/version; the Metasploit module provides three specific target configurations.
  • Payload space is limited to 550 bytes; certain characters (\x00\x0a\x0d\x5c\x5f\x2f\x2e) are bad chars and cannot appear in shellcode.
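The first two detection notes above can be turned into a small check, shown here as an added example that is not taken from this page or from any vendor or module code. It assumes a sensor already hands over the reassembled DCE/RPC PDUs per SMB pipe session, little-endian data representation, and no object UUID or auth trailer; the function names, the `MAX_STUB` threshold and the sample PDUs are constructed for illustration.

```python
import struct
import uuid

ALERT_UUID = uuid.UUID("3d742890-397c-11cf-9bf1-00805f88cb72")  # from this page
ALERT_PIPE = "\\alert"                                           # from this page
MAX_STUB = 512  # assumed cut-off for "oversized"; tune against normal traffic

def parse_bind(pdu):
    """Map context id -> (interface UUID, major, minor) from a bind PDU."""
    out, off = {}, 28                      # 16B header + 8B bind fields + 4B list header
    for _ in range(pdu[24]):               # n_context_elem
        if off + 24 > len(pdu):
            break                          # truncated context list
        ctx_id, n_syn = struct.unpack_from("<HBx", pdu, off)
        iface = uuid.UUID(bytes_le=bytes(pdu[off + 4:off + 20]))
        major, minor = struct.unpack_from("<HH", pdu, off + 20)
        out[ctx_id] = (iface, major, minor)
        off += 24 + 20 * n_syn             # abstract syntax, then transfer syntaxes
    return out

def inspect(pipe, pdus):
    """Return alert strings for the DCE/RPC PDUs seen on one SMB pipe session."""
    alerts, bound = [], {}
    if pipe.lower() != ALERT_PIPE:
        return alerts
    for pdu in pdus:
        if len(pdu) < 28 or pdu[0] != 5 or pdu[4] >> 4 != 1:
            continue                       # not DCE/RPC v5 little-endian; out of scope here
        if pdu[2] == 11:                   # bind
            bound.update(parse_bind(pdu))
            if any(b == (ALERT_UUID, 1, 0) for b in bound.values()):
                alerts.append("bind to Alert interface v1.0")
        elif pdu[2] == 0:                  # request
            ctx_id, opnum = struct.unpack_from("<HH", pdu, 20)
            stub_len = len(pdu) - 24       # assumes no object UUID or auth trailer
            if bound.get(ctx_id) == (ALERT_UUID, 1, 0) and opnum == 0 and stub_len > MAX_STUB:
                alerts.append(f"opnum 0 with {stub_len}-byte stub")
    return alerts

def _hdr(ptype, body):                     # constructed test traffic, not captured data
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, 3, b"\x10\0\0\0", 16 + len(body), 0, 1) + body

NDR = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # standard NDR transfer syntax
BIND = _hdr(11, struct.pack("<HHIBxxxHBx", 4280, 4280, 0, 1, 0, 1)
            + ALERT_UUID.bytes_le + struct.pack("<HH", 1, 0)
            + NDR.bytes_le + struct.pack("<I", 2))
BENIGN = _hdr(0, struct.pack("<IHH", 64, 0, 0) + b"A" * 64)
OVERSIZED = _hdr(0, struct.pack("<IHH", 2000, 0, 0) + b"A" * 2000)
```

Calling `inspect("\\alert", [BIND, BENIGN, OVERSIZED])` reports the bind and the 2000-byte opnum 0 request. The bind alert alone is informational, since legitimate clients also bind to this interface.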