CVE-2007-5082
Published: 2007-10-01
Priority: P2 73 · Severity: critical · CVSS 2.0 base score: 10 · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available · EPSS: 63.46% (99.1th percentile)
Multiple stack-based buffer overflows in Computer Associates (CA) BrightStor Hierarchical Storage Manager (HSM) before r11.6 allow remote attackers to execute arbitrary code via unspecified CsAgent service commands with certain opcodes, related to missing validation of a length parameter.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| broadcom | brightstor_hierarchical_storage_manager | — | — |
Detection & IOCs (extracted from sources)
- Metasploit module fragment: `command[42,7,0,0].pack('VVVV') + payload.encoded + "\xeb\x06" + Rex::Text.rand_text_alphanumeric(2) + [ target.ret ].pack('V') + "\xe9\xf1\xfb\xff\xff"`
- Bytes (INIT_BEGIN handshake): `\x14\x00\x00\x00\x42\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00`
- Bytes (damage packet header): `\x40\x05\x00\x00\x1D\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00`
- Detect exploit attempts against the CA BrightStor HSM CsAgent service by monitoring TCP port 2000 for connections containing the INIT_BEGIN handshake magic bytes (\x14\x00\x00\x00) followed by opcode \x42\x00\x00\x00 (FX_SET_CONSOLE_CREDENTIALS) and oversized payloads (~1232+ bytes of repeated 0x41).
- The exploit's damage packet begins with \x40\x05\x00\x00\x1D\x00\x00\x00 on TCP/2000; a Snort/Suricata content match on this byte sequence in the payload can identify the overflow attempt.
- The Metasploit module targets the fpparser.dll return address 0x12014c78 (a pop/pop/ret gadget); memory forensics or crash analysis showing EIP=0x12014c78 in the CsAgent process indicates exploitation of this CVE.
- The Metasploit payload layout includes the short JMP opcode \xeb\x06 followed by a 4-byte return address and a long backward JMP \xe9\xf1\xfb\xff\xff; this byte sequence in TCP/2000 traffic is a strong indicator of exploitation.
- The vulnerability is in the CsAgent service; because the length parameter is not validated, any TCP/2000 request whose length field is significantly larger than expected (e.g., 0x0540 = 1344 bytes, as seen in the damage packet header) should be flagged.
- The Metasploit module notes that bypassing NX requires brute-forcing ntdll addresses because the process restarts; the hard-coded return address 0x12014c78 is specific to the 2004 build of fpparser.dll and may not apply to all patch levels of HSM 11.5.
- The payload bad characters are \x00, \x0a, \x0d and semicolon (;); shellcode used against this service must avoid these bytes or be encoded.
- The exploit targets CA BrightStor HSM versions before r11.6 only; systems patched to r11.6 or later are not affected.
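As an added, defender-side example (not code from the page's sources or from the Metasploit module), the following Python checks a single TCP/2000 payload for the indicators listed above: the handshake magic with opcode 0x42, an oversized length field, the 0x41 filler, and the quoted JMP stub (matched with two filler bytes plus the 4-byte address between the two JMPs, as in the module fragment quoted above). The length threshold, the padded sample packets and the `RET!` address placeholder are assumptions.

```python
import re
import struct

HSM_PORT = 2000  # CsAgent listens on TCP/2000

# Header values quoted on this page (little-endian dwords). The page calls the
# first dword the INIT_BEGIN magic in the handshake packet and the length
# field (0x0540 = 1344) in the damage packet; the second dword is the opcode.
INIT_BEGIN_MAGIC = 0x14
OPCODE_SET_CONSOLE_CREDENTIALS = 0x42
SUSPICIOUS_LENGTH = 0x0400  # assumed threshold; the page's 0x0540 exceeds it
FILLER_MIN = 1232           # "~1232+ bytes of repeated 0x41" per the page

# Metasploit stub quoted on the page: short JMP, 2 filler bytes, 4-byte
# return address, long backward JMP. Six wildcard bytes bridge the two JMPs.
MSF_JMP_STUB = re.compile(rb"\xeb\x06.{6}\xe9\xf1\xfb\xff\xff", re.DOTALL)


def parse_header(payload):
    """Return (first_dword, opcode) or None if shorter than the 20-byte header."""
    if len(payload) < 20:  # both packets quoted on the page carry 20 header bytes
        return None
    return struct.unpack_from("<II", payload, 0)


def inspect_csagent_payload(payload, dst_port=HSM_PORT):
    """Return the list of indicator names matched in one TCP payload to CsAgent."""
    findings = []
    hdr = parse_header(payload) if dst_port == HSM_PORT else None
    if hdr is None:
        return findings
    first, opcode = hdr
    if first == INIT_BEGIN_MAGIC and opcode == OPCODE_SET_CONSOLE_CREDENTIALS:
        findings.append("init_begin_set_console_credentials")
    if first >= SUSPICIOUS_LENGTH:
        findings.append("oversized_length_field:%#06x" % first)
    body = payload[20:]
    if len(body) >= FILLER_MIN and body.count(b"\x41") >= 0.9 * len(body):
        findings.append("large_0x41_filler")
    if MSF_JMP_STUB.search(payload):
        findings.append("msf_jmp_stub_sequence")
    return findings


# Constructed samples: the two headers quoted on the page, padded so they look
# like a handshake, an oversized request with the JMP stub (placeholder address
# "RET!", no shellcode), and a benign short request.
HANDSHAKE = bytes.fromhex("1400000042000000070000000000000000000000")
DAMAGE = (bytes.fromhex("400500001d000000070000000000000000000000")
          + b"\x41" * FILLER_MIN + b"\xeb\x06zz" + b"RET!" + b"\xe9\xf1\xfb\xff\xff")
BENIGN = bytes.fromhex("1000000001000000") + b"\x00" * 12
```

Feeding each captured TCP/2000 payload to `inspect_csagent_payload` and alerting on any non-empty result gives the same coverage as the content matches described above, with the length check added.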
No detection rules found.
Exploit-DB: CA BrightStor - HSM Buffer Overflow (Metasploit) (exploitdb, 2010-05-09)
---
```ruby
##
# $Id: hsmserver.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # (mixin include lines between the class declaration and 'Name' were lost
  #  when the listing was extracted)

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'CA BrightStor HSM Buffer Overflow',
      'Description'    => %q{
          This module exploits one of the multiple stack buffer overflows in Computer Associates BrightStor HSM.
          By sending a specially crafted request, an attacker could overflow the buffer and execute arbitrary code.
      },
      'Author'         => [ 'toto' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 9262 $',
      'References'     =>
        [
          [ 'CVE', '2007-50
```
(listing truncated on the page)
Exploit-DB: CA BrightStor HSM r11.5 - Remote Stack Overflow / Denial of Service (exploitdb, 2007-10-27)
---
```perl
#!/usr/bin/perl
#
# *
# * C@@@@@ O@@@@@@@ C@@@@@ O@@@@@@O C@@@@@@@@@o
# * C@@@@@@@@@@@@@@@@O C@@@@@@@@@@@@@@@@O C@@@@@@@@@@@@@o
# * C@@@@@@o .8@@@@@@. C@@@@@@o 8@@@@@@. @@@@@@O .@@o
# * C@@@@@ @@@@@@c C@@@@@ @@@@@@c C@@@@@c
# * C@@@@@ O@@@@@: C@@@@@ O@@@@@: @@@@@@
# * C@@@@@ O@@@@@: C@@@@@ O@@@@@: 8@@@@@
# * C@@@@@ O@@@@@: C@@@@@ O@@@@@: :@@@@@@ ::
# * C@@@@@ O@@@@@: C@@@@@ O@@@@@: c@@@@@@@Coo8@@@o
# * C@@@@@ O@@@@@: C@@@@@ O@@@@@: C@@@@@@@@@@@@o
# *
# * [0x00001010]
# *
# * Title: CA BrightStor HSM
# * Discovery: iDefense
# * Vulnerability Type: Remote Stack Overflow / DoS
# * Risk: High
# * TCP: 2000
# *
# * This body, this body holding me, be my reminder here that I am not alone.
# *
#
use IO::Socket;

$handshake
```
(listing truncated on the page)
Metasploit: CA BrightStor HSM Buffer Overflow
This module exploits one of the multiple stack buffer overflows in Computer Associates BrightStor HSM. By sending a specially crafted request, an attacker could overflow the buffer and execute arbitrary code.
No writeups or analysis indexed.
References
- http://dvlabs.tippingpoint.com/advisory/TPTI-07-16
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=601
- http://secunia.com/advisories/26914
- http://securitytracker.com/id?1018747
- http://supportconnectw.ca.com/public/bstorhsm/infodocs/bstorhsm-secnot.asp
- http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35690
- http://www.securityfocus.com/archive/1/480808/100/0/threaded
- http://www.securityfocus.com/bid/25823
- http://www.vupen.com/english/advisories/2007/3275
- https://exchange.xforce.ibmcloud.com/vulnerabilities/36825