CVE-2007-4620
Published 2008-04-07
Priority: P2 (64) · Severity: critical · CVSS 2.0 base score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Exploit: public exploit available (see Exploit-DB and Metasploit entries below)
EPSS: 52.27% (98.8th percentile)
Multiple stack-based buffer overflows in Computer Associates (CA) Alert Notification Service (Alert.exe) 8.1.586.0, 8.0.450.0, and 7.1.758.0, as used in multiple CA products including Anti-Virus for the Enterprise 7.1 through r11.1 and Threat Manager for the Enterprise 8.1 and r8, allow remote authenticated users to execute arbitrary code via crafted RPC requests.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| broadcom | anti-virus_for_the_enterprise | — | — |
| broadcom | anti-virus_for_the_enterprise | — | — |
| broadcom | anti-virus_for_the_enterprise | — | — |
| broadcom | brightstor_arcserve_backup | — | — |
| broadcom | brightstor_arcserve_backup | — | — |
| ca | brightstor_arcserve_backup | — | — |
| ca | threat_manager_for_the_enterprise | — | — |
| ca | threat_manager_for_the_enterprise | — | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring SMB named-pipe connections to the \alert pipe combined with DCE/RPC calls to interface UUID 3d742890-397c-11cf-9bf1-00805f88cb72 v1.0 (opcode 0x00). Oversized string arguments in the RPC request indicate an overflow attempt.
- Exploitation requires valid SMB credentials; monitor for authenticated SMB sessions followed immediately by a DCE/RPC bind to UUID 3d742890-397c-11cf-9bf1-00805f88cb72 on the \alert named pipe.
- The Metasploit module uses EXITFUNC=thread and a stack adjustment of -3500 bytes; a 12-byte NOP sled precedes the shellcode. A NOP sled followed by shellcode-like bytes in RPC traffic to this interface is a strong indicator.
- Exploitation requires valid authenticated credentials to the target system over SMB; unauthenticated remote exploitation is not possible.
- Affected versions are Alert.exe 8.1.586.0, 8.0.450.0, and 7.1.758.0. Return addresses and offsets differ per target OS/version; the Metasploit module provides three target configurations.
- Payload space is limited to 550 bytes; the bytes \x00\x0a\x0d\x5c\x5f\x2f\x2e are bad characters and cannot appear in the shellcode.
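As an added example (not code from this page's sources or from the Metasploit module), the following Python script implements the detection logic described in the notes above: it parses the DCE/RPC bind and request PDUs of one named-pipe session, flags a bind whose abstract syntax is the CA Alert interface 3d742890-397c-11cf-9bf1-00805f88cb72 v1.0, and flags any request on that presentation context whose stub data is longer than a threshold. The sample PDUs, the NDR conformant-varying string layout used for the stub, the 1024-byte threshold and the srvsvc comparison session are constructed assumptions for illustration; the SMB layer and DCE/RPC fragment reassembly are out of scope.

```python
"""Flag DCE/RPC traffic to the CA Alert Notification interface on the \\alert pipe."""
import struct
import uuid

ALERT_IFACE = uuid.UUID("3d742890-397c-11cf-9bf1-00805f88cb72")  # interface UUID from the IOC notes
ALERT_IFACE_VERSION = (1, 0)
ALERT_PIPE = "\\alert"
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")   # standard NDR transfer syntax
PTYPE_REQUEST, PTYPE_BIND = 0, 11
PFC_OBJECT_UUID = 0x80
STUB_THRESHOLD = 1024  # assumption: legitimate alert strings are far shorter than this


def parse_header(pdu):
    """Parse the 16-byte connection-oriented DCE/RPC header (C706 section 12.6.3)."""
    if len(pdu) < 16:
        raise ValueError("PDU shorter than a DCE/RPC header")
    vers, ptype, flags, drep0 = pdu[0], pdu[2], pdu[3], pdu[4]
    if vers != 5:
        raise ValueError("not a DCE/RPC v5 PDU")
    endian = "<" if (drep0 & 0xF0) == 0x10 else ">"   # data representation byte selects endianness
    frag_len, auth_len, call_id = struct.unpack_from(endian + "HHI", pdu, 8)
    return {"ptype": ptype, "flags": flags, "endian": endian,
            "frag_len": frag_len, "auth_len": auth_len, "call_id": call_id}


def bind_contexts(pdu, endian):
    """Yield (ctx_id, interface UUID, major, minor) for each presentation context of a bind PDU."""
    n_ctx = pdu[24]            # body: max_xmit(2) max_recv(2) assoc_group(4) n_ctx(1) pad(3)
    off = 28
    for _ in range(n_ctx):
        ctx_id, n_ts = struct.unpack_from(endian + "HB", pdu, off)
        raw = pdu[off + 4:off + 20]
        major, minor = struct.unpack_from(endian + "HH", pdu, off + 20)
        iface = uuid.UUID(bytes_le=raw) if endian == "<" else uuid.UUID(bytes=raw)
        yield ctx_id, iface, major, minor
        off += 24 + 20 * n_ts  # skip this context's transfer-syntax list


def request_fields(pdu, hdr):
    """Return (ctx_id, opnum, stub bytes) from a request PDU, trimming any auth trailer."""
    _alloc_hint, ctx_id, opnum = struct.unpack_from(hdr["endian"] + "IHH", pdu, 16)
    off = 24 + (16 if hdr["flags"] & PFC_OBJECT_UUID else 0)
    end = hdr["frag_len"] - (8 + hdr["auth_len"] if hdr["auth_len"] else 0)
    return ctx_id, opnum, pdu[off:end]


def inspect_session(pipe_name, pdus):
    """Walk the PDUs of one named-pipe session and return a list of findings."""
    findings, alert_ctx_ids = [], set()
    for pdu in pdus:
        hdr = parse_header(pdu)
        if hdr["ptype"] == PTYPE_BIND:
            for ctx_id, iface, major, minor in bind_contexts(pdu, hdr["endian"]):
                if iface == ALERT_IFACE and (major, minor) == ALERT_IFACE_VERSION:
                    alert_ctx_ids.add(ctx_id)
                    findings.append({"kind": "bind_alert_iface", "pipe": pipe_name,
                                     "call_id": hdr["call_id"]})
        elif hdr["ptype"] == PTYPE_REQUEST:
            ctx_id, opnum, stub = request_fields(pdu, hdr)
            if ctx_id in alert_ctx_ids and len(stub) > STUB_THRESHOLD:
                findings.append({"kind": "oversized_alert_request", "pipe": pipe_name,
                                 "opnum": opnum, "stub_len": len(stub)})
    return findings


# --- constructed sample traffic (not captured from a real host) ---------------
def _header(ptype, flags, frag_len, call_id):
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, flags, b"\x10\x00\x00\x00", frag_len, 0, call_id)


def build_bind(call_id, ctx_id, iface, major, minor):
    ctx = (struct.pack("<HBx", ctx_id, 1) + iface.bytes_le + struct.pack("<HH", major, minor)
           + NDR_SYNTAX.bytes_le + struct.pack("<HH", 2, 0))
    body = struct.pack("<HHIBxxx", 4280, 4280, 0, 1) + ctx
    return _header(PTYPE_BIND, 0x03, 16 + len(body), call_id) + body


def build_request(call_id, ctx_id, opnum, stub):
    body = struct.pack("<IHH", len(stub), ctx_id, opnum) + stub
    return _header(PTYPE_REQUEST, 0x03, 16 + len(body), call_id) + body


def ndr_string(text):
    """Assumed stub layout: one NDR conformant-varying ANSI string (max, offset, actual, bytes)."""
    data = text.encode("ascii") + b"\x00"
    return struct.pack("<III", len(data), 0, len(data)) + data


SRVSVC_IFACE = uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")  # unrelated interface for comparison
SAMPLE_EXPLOIT_SESSION = [build_bind(1, 0, ALERT_IFACE, 1, 0),
                          build_request(2, 0, 0, ndr_string("A" * 3000))]
SAMPLE_BENIGN_SESSION = [build_bind(1, 0, ALERT_IFACE, 1, 0),
                         build_request(2, 0, 0, ndr_string("Backup job 42 completed on SRV01"))]
SAMPLE_OTHER_SESSION = [build_bind(1, 0, SRVSVC_IFACE, 3, 0),
                        build_request(2, 0, 15, ndr_string("B" * 3000))]

if __name__ == "__main__":
    for name, pipe, pdus in [("exploit", ALERT_PIPE, SAMPLE_EXPLOIT_SESSION),
                             ("benign", ALERT_PIPE, SAMPLE_BENIGN_SESSION),
                             ("srvsvc", "\\srvsvc", SAMPLE_OTHER_SESSION)]:
        print(name, inspect_session(pipe, pdus))
```

The bind finding on its own is only a lead: legitimate CA management traffic binds to the same interface. The oversized-request finding is the actionable one, and in production it should be paired with the authenticated-SMB-session context from the notes above and with fragment reassembly, since a real exploit request may be split across several PDUs.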
No detection rules found.
Exploit-DB
Computer Associates - Alert Notification Buffer Overflow (Metasploit) · exploitdb · 2010-04-30
---
```ruby
##
# $Id: etrust_itm_alert.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Computer Associates Alert Notification Buffer Overflow',
      'Description' => %q{
          This module exploits a buffer overflow in Computer Associates Threat Manager for the Enterprise r8.1
        By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code.
        In order to successfully exploit this vulnerability, you will need valid logon credentials to the target.
      },
      # ... remainder of the module (options, targets, exploit method) is not reproduced on this page
```
Metasploit
Computer Associates Alert Notification Buffer Overflow
This module exploits a buffer overflow in Computer Associates Threat Manager for the Enterprise r8.1. By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code. In order to successfully exploit this vulnerability, you will need valid logon credentials to the target.
No writeups or analysis indexed.
References
- http://community.ca.com/blogs/casecurityresponseblog/archive/2008/04/04/ca-alert-notification-server-multiple-vulnerabilities.aspx
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=679
- http://secunia.com/advisories/29665
- http://securityreason.com/securityalert/3799
- http://www.securityfocus.com/archive/1/490466/100/0/threaded
- http://www.securityfocus.com/bid/28605
- http://www.securitytracker.com/id?1019789
- http://www.securitytracker.com/id?1019790
- http://www.vupen.com/english/advisories/2008/1103/references
- https://exchange.xforce.ibmcloud.com/vulnerabilities/41639
- https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=173103