CVE-2007-5003
published 2007-10-01

CVE-2007-5003: Multiple stack-based buffer overflows in CA (Computer Associates) BrightStor ARCserve Backup for Laptops and Desktops r11.0 through r11.5 allow remote…

Priority: P264 | Severity: critical | CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C) | EXPLOIT
EPSS: 67.20% (99.2th percentile)
Multiple stack-based buffer overflows in CA (Computer Associates) BrightStor ARCserve Backup for Laptops and Desktops r11.0 through r11.5 allow remote attackers to execute arbitrary code via a long (1) username or (2) password to the rxrLogin command in rxRPC.dll, or a long (3) username argument to the GetUserInfo function.

Affected

8 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| broadcom | brightstor_arcserve_backup_laptops_desktops | | |
| broadcom | brightstor_arcserve_backup_laptops_desktops | | |
| broadcom | brightstor_arcserve_backup_laptops_desktops | | |
| broadcom | brightstor_arcserve_backup_laptops_desktops | | |
| broadcom | desktop_management_suite | | |
| broadcom | desktop_management_suite | | |
| broadcom | desktop_management_suite | | |
| ca | protection_suites | | |

Detection & IOCs (extracted from sources)

  • port: 1900
  • command: rxrLogin
  • command: rxrGetServerVersion
  • other: 0x71ae1f9b (JMP ESP wshtcpip.dll, Windows 2003 SP0 English)
  • other: 0x7c30d043 (JMP ESP advapi32.dll, Windows 2000 SP4 English)
  • bytes: \x81\xc4\xff\xef\xff\xff\x44
  • Detect exploit attempts by monitoring for oversized username or password fields (>17420 bytes) in rxrLogin RPC commands sent to TCP port 1900 targeting the LGServer service.
  • Alert on network traffic to TCP/1900 containing the literal string 'rxrLogin' followed by '~~' as an argument delimiter, which is the exploit's RPC command structure.
  • Detect version-check probes against LGServer by monitoring for the literal string '0000000019rxrGetServerVersion' on TCP/1900; this is used by the Metasploit module's check() function to fingerprint vulnerable hosts.
  • Flag LGServer responses containing version string '11.1.742' as confirmed vulnerable to CVE-2007-5003.
  • Detect the stack-adjustment prepend encoder byte sequence \x81\xc4\xff\xef\xff\xff\x44 in payloads on TCP/1900 as an indicator of active exploitation.
  • The exploit targets rxRPC.dll via the rxrLogin command; monitor for abnormal process spawning or crashes in the LGServer process (lgserver.exe) on Windows hosts running BrightStor ARCserve for Laptops and Desktops r11.0–r11.5.
  • The Metasploit module's payload space is limited to 550 bytes with null bytes as bad characters; shellcode must avoid \x00.
  • The module targets only two specific OS/patch-level combinations (Windows 2003 SP0 English and Windows 2000 SP4 English) with hardcoded return addresses; exploitation against other configurations requires different ROP/JMP gadgets.
  • The exploit uses a one-shot overwrite with a fixed command length field '0000018124'; the buffer overflow offset is 17420 bytes before the return address.
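
The network-side checks listed above, combined into one payload inspector as an added example (not code from this page's sources or from the Metasploit module). It assumes the framing implied by the strings on this page, a 10-digit ASCII decimal length followed by the command and '~~'-separated arguments; the function names and sample payloads are constructed.

```python
import re

# Values below come from the detection notes on this page.
OVERSIZE = 17420                                # per-argument size threshold, bytes
STACK_ADJUST = b"\x81\xc4\xff\xef\xff\xff\x44"  # prepend-encoder byte sequence
VERSION_PROBE = b"0000000019rxrGetServerVersion"
LENGTH_PREFIX = re.compile(rb"\d{10}")          # assumed: 10-digit ASCII length


def frame(body: bytes) -> bytes:
    """Build a frame in the assumed layout (used only for the constructed samples)."""
    return b"%010d" % len(body) + body


def inspect_payload(data: bytes, oversize: int = OVERSIZE) -> list:
    """Return findings for one client-to-server payload seen on TCP/1900."""
    findings = []
    if VERSION_PROBE in data:
        findings.append("version-probe")
    if STACK_ADJUST in data:
        findings.append("stack-adjust-bytes")
    prefix = LENGTH_PREFIX.match(data)
    body = data[10:]
    if not prefix or not body.startswith(b"rxrLogin"):
        return findings
    # Any '~~'-delimited piece longer than the threshold is an oversized field.
    if any(len(piece) > oversize for piece in body.split(b"~~")):
        findings.append("rxrLogin-oversized-argument")
    # The declared length exposes an oversized request even when the capture
    # holds only the first TCP segment of it.
    if int(prefix.group()) > oversize:
        findings.append("rxrLogin-oversized-length-field")
    return findings


# Constructed sample payloads (inert filler, not captured traffic).
SAMPLES = {
    "normal login": frame(b"rxrLogin~~alice~~secret"),
    "oversized login": frame(b"rxrLogin~~" + b"A" * 18000 + b"~~x"),
    "first segment only": b"0000018124rxrLogin~~" + b"A" * 1000,
    "version probe": VERSION_PROBE,
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name}: {inspect_payload(payload) or 'clean'}")
```

The length-field check matters for sensors that see only the first segment of a stream: the declared length flags the request before the oversized argument has fully arrived.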