CVE-2007-5082
published 2007-10-01

Priority: P2 (73) · Severity: critical · CVSS 2.0 base score: 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 63.46% (99.1th percentile)
Multiple stack-based buffer overflows in Computer Associates (CA) BrightStor Hierarchical Storage Manager (HSM) before r11.6 allow remote attackers to execute arbitrary code via unspecified CsAgent service commands with certain opcodes, related to missing validation of a length parameter.

Affected (1 range)

Vendor    Product                                   Version range   Fixed in
broadcom  brightstor_hierarchical_storage_manager   before r11.6    r11.6

Detection & IOCs (extracted from sources)

port: 2000/TCP
other: Return address: 0x12014c78 (pop/pop/ret in fpparser.dll)
command: [42,7,0,0].pack('VVVV') + payload.encoded + "\xeb\x06" + Rex::Text.rand_text_alphanumeric(2) + [ target.ret ].pack('V') + "\xe9\xf1\xfb\xff\xff"
bytes: \x14\x00\x00\x00\x42\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
bytes: \x40\x05\x00\x00\x1D\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
  • Detect exploit attempts against the CA BrightStor HSM CsAgent service by monitoring TCP port 2000 for connections containing the INIT_BEGIN handshake magic bytes (\x14\x00\x00\x00) followed by opcode \x42\x00\x00\x00 (FX_SET_CONSOLE_CREDENTIALS) and oversized payloads (~1232+ bytes of repeated 0x41).
  • The exploit's damage packet begins with \x40\x05\x00\x00\x1D\x00\x00\x00 on TCP/2000; a Snort/Suricata content match on this byte sequence in the payload can identify the overflow attempt.
  • The Metasploit module targets the fpparser.dll return address 0x12014c78 (pop/pop/ret gadget); memory forensics or crash analysis showing EIP=0x12014c78 in the CsAgent process indicates exploitation of this CVE.
  • The Metasploit exploit payload structure includes the short JMP opcode \xeb\x06 followed by a 4-byte return address and a long backward JMP \xe9\xf1\xfb\xff\xff; these bytes in sequence in TCP/2000 traffic are a strong indicator of exploitation.
  • The vulnerability is in the CsAgent service; missing length parameter validation means any TCP/2000 request with a length field significantly larger than expected (e.g., 0x0540 = 1344 bytes, as seen in the damage packet header) should be flagged.
  • The Metasploit module notes that NX bypass requires brute-forcing ntdll addresses because the process restarts; the hardcoded return address 0x12014c78 is specific to fpparser.dll from 2004 and may not apply to all patch levels of HSM 11.5.
  • The payload bad characters are \x00, \x0a, \x0d, and semicolon (;); shellcode used against this service must avoid these bytes or encoding will be required.
  • The exploit targets CA BrightStor HSM versions before r11.6 only; systems patched to r11.6 or later are not affected.
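The detection points above, turned into a packet-level check as an added example (not code from this page, from CA, or from the Metasploit module): it flags the damage-packet header, an oversized length field, the repeated-0x41 filler, the \xeb\x06 ... \xe9\xf1\xfb\xff\xff jump chain and the fpparser.dll return address, and tracks a handshake followed by a flagged packet on one connection. The header layout (five little-endian 32-bit words, length first, opcode second), the 1024-byte length threshold and the two sample packets are assumptions constructed to match the byte samples on the page.

```python
import re
import struct

# Assumed header layout, consistent with the byte samples above: five
# little-endian uint32 words, the first a length field, the second an opcode.
HEADER_LEN = 20
HANDSHAKE_PREFIX = b"\x14\x00\x00\x00\x42\x00\x00\x00"  # INIT_BEGIN magic + opcode 0x42
DAMAGE_PREFIX = b"\x40\x05\x00\x00\x1d\x00\x00\x00"     # damage-packet header from the page
MAX_SANE_LEN = 1024   # assumed threshold; tune against legitimate CsAgent traffic
FILL_RUN_MIN = 1232   # the page's estimate of the repeated-0x41 filler size
RET_ADDR = struct.pack("<I", 0x12014c78)  # pop/pop/ret in fpparser.dll, little-endian
# short JMP +6, two filler bytes, 4-byte return address, long backward JMP
JMP_CHAIN = re.compile(rb"\xeb\x06.{6}\xe9\xf1\xfb\xff\xff", re.DOTALL)
FILL_RUN = re.compile(rb"\x41{%d,}" % FILL_RUN_MIN)

def inspect_csagent_packet(data: bytes) -> list:
    """Return the indicators found in one TCP/2000 request (empty list = nothing seen)."""
    if len(data) < HEADER_LEN:
        return ["truncated: header shorter than 20 bytes"]
    length, opcode = struct.unpack_from("<II", data, 0)
    findings = []
    if data.startswith(DAMAGE_PREFIX):
        findings.append("damage-packet header 40 05 00 00 1d 00 00 00")
    if length > MAX_SANE_LEN:
        findings.append("oversized length field 0x%04x (%d), opcode 0x%02x" % (length, length, opcode))
    if FILL_RUN.search(data):
        findings.append("run of %d+ repeated 0x41 bytes" % FILL_RUN_MIN)
    if JMP_CHAIN.search(data):
        findings.append("eb 06 ... e9 f1 fb ff ff jump chain")
    if RET_ADDR in data:
        findings.append("fpparser.dll return address 0x12014c78")
    return findings

def handshake_then_damage(packets: list) -> bool:
    """True when an INIT_BEGIN handshake is followed on one connection by a flagged packet."""
    seen_handshake = False
    for pkt in packets:
        if pkt.startswith(HANDSHAKE_PREFIX):
            seen_handshake = True
        elif seen_handshake and inspect_csagent_packet(pkt):
            return True
    return False

# Constructed samples (not captured traffic): a bare handshake and a damage-shaped packet with no real shellcode.
HANDSHAKE = HANDSHAKE_PREFIX + struct.pack("<III", 7, 0, 0)
DAMAGE = (DAMAGE_PREFIX + struct.pack("<III", 7, 0, 0) + b"\x41" * FILL_RUN_MIN
          + b"\xeb\x06" + b"XY" + RET_ADDR + b"\xe9\xf1\xfb\xff\xff")

if __name__ == "__main__":
    print(inspect_csagent_packet(DAMAGE), handshake_then_damage([HANDSHAKE, DAMAGE]))
```

A real deployment would apply inspect_csagent_packet per TCP segment reassembled on port 2000 and keep the handshake state per connection.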