CVE-2007-5003
Published: 2007-10-01
Priority: P2 · 64 · Severity: critical · CVSS 2.0 base score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: public exploit indexed
EPSS: 67.20% (99.2th percentile)
Multiple stack-based buffer overflows in CA (Computer Associates) BrightStor ARCserve Backup for Laptops and Desktops r11.0 through r11.5 allow remote attackers to execute arbitrary code via a long (1) username or (2) password to the rxrLogin command in rxRPC.dll, or a long (3) username argument to the GetUserInfo function.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| broadcom | brightstor_arcserve_backup_laptops_desktops | — | — |
| broadcom | brightstor_arcserve_backup_laptops_desktops | — | — |
| broadcom | brightstor_arcserve_backup_laptops_desktops | — | — |
| broadcom | brightstor_arcserve_backup_laptops_desktops | — | — |
| broadcom | desktop_management_suite | — | — |
| broadcom | desktop_management_suite | — | — |
| broadcom | desktop_management_suite | — | — |
| ca | protection_suites | — | — |
Detection & IOCs (extracted from sources)
Byte sequence: \x81\xc4\xff\xef\xff\xff\x44
- Detect exploit attempts by monitoring for oversized username or password fields (>17420 bytes) in rxrLogin RPC commands sent to TCP port 1900 targeting the LGServer service.
- Alert on network traffic to TCP/1900 containing the literal string 'rxrLogin' followed by '~~' as an argument delimiter, which is the exploit's RPC command structure.
- Detect version-check probes against LGServer by monitoring for the literal string '0000000019rxrGetServerVersion' on TCP/1900; this is used by the Metasploit module's check() function to fingerprint vulnerable hosts.
- Flag LGServer responses containing version string '11.1.742' as confirmed vulnerable to CVE-2007-5003.
- Detect the stack-adjustment prepend encoder byte sequence \x81\xc4\xff\xef\xff\xff\x44 in payloads on TCP/1900 as an indicator of active exploitation.
- The exploit targets rxRPC.dll via the rxrLogin command; monitor for abnormal process spawning or crashes in the LGServer process (lgserver.exe) on Windows hosts running BrightStor ARCserve for Laptops and Desktops r11.0–r11.5.
- The Metasploit module's payload space is limited to 550 bytes with null bytes as bad characters; shellcode must avoid \x00.
- The module targets only two specific OS/patch-level combinations (Windows 2003 SP0 English and Windows 2000 SP4 English) with hardcoded return addresses; exploitation against other configurations requires different ROP/JMP gadgets.
- The exploit uses a one-shot overwrite with a fixed command length field '0000018124'; the buffer overflow offset is 17420 bytes before the return address.
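As an added example (not part of this record, the advisories, or the Metasploit module), the following Python heuristic applies the indicators above to a captured request or response on TCP/1900. It assumes the rxRPC framing implied by the version-probe string (a 10-digit ASCII decimal length prefix followed by the command text, with '~~' between rxrLogin arguments); the sample messages are constructed.

```python
"""Heuristic detector for CVE-2007-5003 exploitation attempts against LGServer (TCP/1900).

Assumption (inferred from the indicator '0000000019rxrGetServerVersion', not vendor-documented):
an rxRPC request is a 10-digit ASCII decimal length followed by the command text, and
rxrLogin arguments are separated by the literal '~~'.
"""
import re

LGSERVER_PORT = 1900
FIELD_LIMIT = 17420                          # reported overflow offset for the rxrLogin buffer
VERSION_PROBE = b"0000000019rxrGetServerVersion"
VULNERABLE_VERSION = b"11.1.742"
STACK_ADJUST = b"\x81\xc4\xff\xef\xff\xff\x44"   # prepend-encoder bytes from the IOC list
FIELD_NAMES = ("username", "password")


def parse_rxrpc(payload: bytes):
    """Split a request into (declared_length, command, args); None if the framing does not match."""
    m = re.match(rb"(\d{10})", payload)
    if not m:
        return None
    body = payload[10:]
    parts = body.split(b"~~")
    return int(m.group(1)), parts[0], parts[1:]


def classify(dst_port: int, payload: bytes) -> list:
    """Return the alerts raised for one request destined to the LGServer port."""
    alerts = []
    if dst_port != LGSERVER_PORT:
        return alerts
    if payload.startswith(VERSION_PROBE):
        alerts.append("version-probe")          # fingerprinting as done by the module's check()
    if STACK_ADJUST in payload:
        alerts.append("stack-adjust-encoder")
    parsed = parse_rxrpc(payload)
    if parsed is not None:
        _declared, command, args = parsed
        if command == b"rxrLogin":
            # Only the first two arguments (username, password) are length-checked.
            for name, field in zip(FIELD_NAMES, args):
                if len(field) > FIELD_LIMIT:
                    alerts.append(f"oversized-{name}")
    return alerts


def response_is_vulnerable(response: bytes) -> bool:
    """A version reply carrying 11.1.742 marks the host as vulnerable per the IOC list."""
    return VULNERABLE_VERSION in response
```

A normal login with short fields raises nothing, so the rules can run inline on a TCP/1900 stream without drowning in benign traffic.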
No detection rules found.
Exploit-DB: CA BrightStor ARCserve for Laptops & Desktops LGServer - Remote Buffer Overflow (Metasploit) (3)
exploitdb · 2010-11-03 · CVE-2007-5003
---
```ruby
##
# $Id: lgserver_rxrlogin.rb 10892 2010-11-03 22:09:44Z mc $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup
for Laptops & Desktops 11.1. By sending a specially crafted request, an attacker could
overflow the buffer and execute arbitrary code.
},
'Author
```
Exploit-DB: BolinTech DreamFTP Server - 'USER' Remote Buffer Overflow (PoC)
exploitdb · 2007-01-14 · CVE-2007-0338
---
```c
/**************************************************************************
*BolinTech DreamFTP USER buffer overflow *
* *
*The server does not correctly handle format string so sending a command *
*like USER %1*3000 let us own EDX. Other values can also affect EAX & ECX *
* *
*This is only a POC but code execution is possible *
* *
*usage: dreamftp.exe ip port *
* *
*Coded by Marsu *
**************************************************************************/
#include "winsock2.h"
#include "stdio.h"
#include "stdlib.h"
#pragma comment(lib, "ws2_32.lib")
int main(int argc, char* argv[])
{
struct hostent *he;
struct sockaddr_in sock_addr;
WSADATA wsa;
int ftpsock;
char recvbuff[1024];
char evilbuff[5003];
int buflen=5000
```
Metasploit: CA BrightStor ARCserve for Laptops and Desktops LGServer Buffer Overflow
metasploit · CVE-2007-5003
This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup for Laptops & Desktops 11.1. By sending a specially crafted request, an attacker could overflow the buffer and execute arbitrary code.
No writeups or analysis indexed.
References:
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=599
- http://research.eeye.com/html/advisories/published/AD20070920.html
- http://secunia.com/advisories/25606
- http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/caarcservebld-securitynotice.asp
- http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=156006
- http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35674
- http://www.securityfocus.com/archive/1/480252/100/100/threaded
- http://www.securityfocus.com/bid/24348
- http://www.securitytracker.com/id?1018728
Published: 2007-10-01