CVE-2008-1472
Published 2008-03-24
Priority: P272 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 39.01% (98.4th percentile)
Stack-based buffer overflow in the ListCtrl ActiveX Control (ListCtrl.ocx), as used in multiple CA products including BrightStor ARCserve Backup R11.5, Desktop Management Suite r11.1 through r11.2, and Unicenter products r11.1 through r11.2, allows remote attackers to execute arbitrary code or cause a denial of service (crash) via a long argument to the AddColumn method.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| computer_associates | brightstor_arcserve_backup_laptops_desktops | — | — |
| computer_associates | desktop_management_suite | — | — |
| computer_associates | desktop_management_suite | — | — |
| computer_associates | unicenter_dsm_r11_list_control_atx | — | — |
| unicenter | asset_management | — | — |
| unicenter | asset_management | — | — |
| unicenter | desktop_management_bundle | — | — |
| unicenter | desktop_management_bundle | — | — |
| unicenter | remote_control | — | — |
| unicenter | remote_control | — | — |
| unicenter | software_delivery | — | — |
| unicenter | software_delivery | — | — |
Detection & IOCs
- Detect instantiation of the vulnerable ActiveX control by its CLSID {BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3} (ListCtrl.ocx) in HTML/script content; a browser loading this CLSID is a strong indicator of an exploitation attempt.
- Monitor calls to the AddColumn() method on the ListCtrl ActiveX control with arguments exceeding 128 characters; the overflow is triggered by an overly long first argument.
- Heap spray targeting address 0x0A0A0A0A with block size 0x400000 is used in both the public PoC and the Metasploit module; detect the characteristic %u0A0A%u0A0A unescape pattern in JavaScript delivered via HTTP.
- The Metasploit module targets only Windows XP SP2-SP3 with IE 6.0/7.0; the hardcoded return address 0x0A0A0A0A is heap-spray dependent and will not reliably work on other OS/browser combinations.
- The payload space is limited to 1024 bytes with null bytes as bad characters; payloads larger than this or containing \x00 will fail.
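The first three detection notes above, written as a content scanner for HTTP response bodies. This is an added example, not code from any of the sources quoted on this page; the `scan` function, the finding names and the sample bodies are constructed for illustration, while the CLSID, ProgID, 128-character threshold and %u0A0A pattern are the values given on the page.

```python
import re

CLSID = "BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3"  # ListCtrl.ocx CLSID (from the page)
PROGID = "LISTCTRL.ListCtrlCtrl"                # ProgID from the page, version suffix dropped
MAX_ARG = 128                                   # length threshold from the detection note

CONTROL_RE = re.compile(re.escape(CLSID) + "|" + re.escape(PROGID), re.I)
# First argument of AddColumn() when it is a string literal, optionally inside unescape().
CALL_RE = re.compile(r"\.AddColumn\s*\(\s*(unescape\s*\(\s*)?([\"'])(.*?)\2", re.I | re.S)
SPRAY_RE = re.compile(r"(?:%u0a0a){2,}", re.I)
PCT_RE = re.compile(r"%u[0-9a-f]{4}|%[0-9a-f]{2}", re.I)


def decoded_len(literal):
    """Length after JavaScript unescape(): each %uXXXX or %XX becomes one character."""
    return len(PCT_RE.sub("X", literal))


def scan(body):
    """Return the sorted finding names for one response body."""
    findings = set()
    has_control = bool(CONTROL_RE.search(body))
    if has_control:
        findings.add("listctrl-control-instantiated")
    for m in CALL_RE.finditer(body):
        length = decoded_len(m.group(3)) if m.group(1) else len(m.group(3))
        # AddColumn is a common method name, so only count it next to this control.
        if has_control and length > MAX_ARG:
            findings.add("addcolumn-long-argument")
    if SPRAY_RE.search(body):
        findings.add("heap-spray-0a0a-pattern")
    return sorted(findings)


# Constructed sample bodies (not captured traffic).
OBJECT_TAG = '<object classid="clsid:%s" id="ctl"></object>' % CLSID
BENIGN = '<script>grid.AddColumn("Name", 1);</script>'
CONTROL_SHORT = OBJECT_TAG + '<script>ctl.AddColumn("Name", 1);</script>'
CONTROL_LONG = OBJECT_TAG + '<script>ctl.AddColumn("' + "A" * 200 + '", 1);</script>'
SPRAY_ONLY = '<script>var block = unescape("%u0A0A%u0A0A");</script>'

if __name__ == "__main__":
    for name in ("BENIGN", "CONTROL_SHORT", "CONTROL_LONG", "SPRAY_ONLY"):
        print(name, scan(globals()[name]))
```

String arguments assembled at run time (loops, concatenation) are not resolved by this scanner, so treat the control finding on its own as worth triage.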
CVSS provenance
nvd · v2.0 · 9.3 CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck · 9.3 CRITICAL
GHSA
ghsa_unreviewed·2022-05-01
CVE-2008-1472 [HIGH] CWE-119 GHSA-2h35-rff7-6q25: Stack-based buffer overflow in the ListCtrl ActiveX Control (ListCtrl
VulnCheck
computer_associates brightstor_arcserve_backup_laptops_desktops Improper Restriction of Operations within the Bounds of a Memory Buffer
vulncheck·2008·CVSS 9.3
CVE-2008-1472 [CRITICAL] computer_associates brightstor_arcserve_backup_laptops_desktops Improper Restriction of Operations within the Bounds of a Memory Buffer
Affected: computer_associates brightstor_arcserve_backup_laptops_desktops
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.virusbulletin.com/v
No detection rules found.
Exploit-DB
ZeroLogon - Netlogon Elevation of Privilege
exploitdb·2020-11-18·CVSS 5.5
CVE-2020-1472 [MEDIUM] ZeroLogon - Netlogon Elevation of Privilege
---
# Exploit Title: ZeroLogon - Netlogon Elevation of Privilege
# Date: 2020-10-04
# Exploit Author: West Shepherd
# Vendor Homepage: https://www.microsoft.com
# Version: Microsoft Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2
# Tested on: Microsoft Windows Server 2016 Standard x64
# CVE : CVE-2020-1472
# Credit to: Tom Tervoort for discovery and Dirk-Janm for Impacket code
# Sources: https://www.secura.com/pathtoimg.php?id=2055
# Requirements: python3 and impacket 0.9.21+ (tested using this version)
#!/usr/bin/env python3
import hmac, hashlib, struct, sys, socket, time, argparse, logging, codecs
from binascii import hexlify, unhexlify
from subprocess import check_call
from impack
Exploit-DB
CA BrightStor ARCserve Backup - 'AddColumn()' ActiveX Buffer Overflow (Metasploit)
exploitdb·2010-06-15
CVE-2008-1472 CA BrightStor ARCserve Backup - 'AddColumn()' ActiveX Buffer Overflow (Metasploit)
---
##
# $Id: ca_brightstor_addcolumn.rb 9525 2010-06-15 07:18:08Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'CA BrightStor ARCserve Backup AddColumn() ActiveX Buffer Overflow',
'Description' => %q{
The CA BrightStor ARCserve Backup ActiveX control (ListCtrl.ocx) is vulnerable to a stack-based
buffer overflow. By passing an overly long argument to the AddColumn() method, a remote attacker
could overflow a buffer and execute arbitrary code on the
Exploit-DB
S.T.A.L.K.E.R. 1.0.06 - Remote Denial of Service
exploitdb·2008-06-15
CVE-2008-6702 S.T.A.L.K.E.R. 1.0.06 - Remote Denial of Service
---
// source: https://www.securityfocus.com/bid/29723/info
S.T.A.L.K.E.R. game servers are prone to a remote denial-of-service vulnerability because the software fails to handle exceptional conditions when processing user nicknames.
Successfully exploiting this issue allows remote attackers to crash the affected application, denying service to legitimate users.
/*
by Luigi Auriemma
*/
#include
#include
#include
#include
#include
#ifdef WIN32
#include
#include "winerr.h"
#define close closesocket
#define sleep Sleep
#define ONESEC 1000
#else
#include
#include
#include
#include
#include
#include
#define ONESEC 1
#endif
typedef uint8_t u8;
typedef uint16_t u16;
typedef uint32_t u32;
#define VER "0.1"
#define BUFFSZ 1472
#define P
Exploit-DB
CA BrightStor ARCserve Backup r11.5 - ActiveX Remote Buffer Overflow
exploitdb·2008-03-16
CVE-2008-1472 CA BrightStor ARCserve Backup r11.5 - ActiveX Remote Buffer Overflow
---
Tested on:
- CA BrightStor ARCserve Backup r11.5 (ftp://ftp.ca.com/priv/trial/BABr11/BABLDr115/BABLDr115.zip)
- IE 6
- XP SP2 Polish
Details:..
Filename: CA\DSM\bin\ListCtrl.ocx
File description: Unicenter DSM r11 List Control ATX
CLSID: {BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3}
ProgID: LISTCTRL.ListCtrlCtrl.1
Version: 11.2.3.1895
Company: CA
AddColumn(%u4141%u4141..[128], 1);
Exception C0000005 (ACCESS_VIOLATION reading [41414141])
EAX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EBX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
ECX=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EDX=7C9037D8: 8B 4C 24 04 F7 41 04 06-00 00 00 B8 01 00 00 00
ESP=0012A9C4: BF 37 90 7C AC AA 12 00-9
Metasploit
CA BrightStor ARCserve Backup AddColumn() ActiveX Buffer Overflow
metasploit
The CA BrightStor ARCserve Backup ActiveX control (ListCtrl.ocx) is vulnerable to a stack-based buffer overflow. By passing an overly long argument to the AddColumn() method, a remote attacker could overflow a buffer and execute arbitrary code on the system.
Unit42
Web-based Threats-2018 Q4: France Rises to #1 for Malicious URL Hosting, US #1 for Phishing
blogs_unit42·2019-05-30·CVSS 8.8
[HIGH] Web-based Threats-2018 Q4: France Rises to #1 for Malicious URL Hosting, US #1 for Phishing
Executive Summary
Our Unit 42 research team routinely evaluates the data from our Email Link Analysis (ELINK) system. In examining the data it collects, which are URLs extracted from emails or submitted by API, we can identify patterns and trends which help us discern prevalent web threats. This blog is the fourth (4th quarter of 2018) installment in a series of posts tracking web-based threats throughout the year, specifically statistics pertaining to malicious URLs, domains, exploit kits, CVEs, and now, phishing scams.
The key findings in this quarter’s report in summary are:
1. After Q4 saw an increase in malicious URLs, ending a trend of decreasing malicious URLs starting in Q1 and continuing through Q3.
2. For the first time in our tracking, the United States is not the number one
Unit42
Web-based Threats-2018 Q4: France Rises to #1 for Malicious URL Hosting, US #1 for Phishing
blogs_unit42·2019-05-30·CVSS 8.8
CVE-2018-8174 [HIGH] Web-based Threats-2018 Q4: France Rises to #1 for Malicious URL Hosting, US #1 for Phishing
## Web-based Threats-2018 Q4: France Rises to #1 for Malicious URL Hosting, US #1 for Phishing
Bo Qu
Tao Yan
Rongbo Shao
Zhanglin He
Published: May 30, 2019
Executive Summary
Our Unit 42 research team routinely evaluates the data from our Email Link Analysis (ELINK) system. In examining the data it collects, which are URLs extracted from emails or submitted by API, we can identify patterns and trends which help us discern prevalent web threats. This blog is the fourth (4th quarter of 2018) installment in a series of posts tracking web-based threats throughout the year, specifically statistics pertaining to malicious URLs, domains, exploit kits, CVEs, and now, ph
Unit42
Web-based Threats-2018 Q3: Malicious URLs and Domains take a Dip
blogs_unit42·2018-12-27·CVSS 9.8
[CRITICAL] Web-based Threats-2018 Q3: Malicious URLs and Domains take a Dip
# Executive Summary
Our Email Link Analysis (ELINK) system is routinely reviewed by our Unit 42 research team. In examining the data it collects, patterns and trends are discovered which helps us discern prevalent web threats. This blog is the third (3rd quarter of 2018) in a series of posts tracking web-based threats throughout the year, specifically statistics pertaining to malicious URLs, domains, exploit kits, and CVEs.
During Quarter 3 (Q3), July – September, a notable shift occurred with the malicious URL and domain data; there was a significant drop in the number of malicious URLs as well as a drop in malicious domains that will be discussed below. In addition, we will be covering an interesting malicious Flash SWF that exploits CVE-2015-5119.
# URLs
Based on our analysis of dat
Unit42
Web-based Threats-2018 Q3: Malicious URLs and Domains take a Dip
blogs_unit42·2018-12-27·CVSS 9.8
CVE-2015-5119 [CRITICAL] Web-based Threats-2018 Q3: Malicious URLs and Domains take a Dip
## Web-based Threats-2018 Q3: Malicious URLs and Domains take a Dip
Bo Qu
Tao Yan
Rongbo Shao
Zhanglin He
Xingyu Jin
Published: December 27, 2018
## Executive Summary
Our Email Link Analysis (ELINK) system is routinely reviewed by our Unit 42 research team. In examining the data it collects, patterns and trends are discovered which helps us discern prevalent web threats. This blog is the third (3rd quarter of 2018) in a series of posts tracking web-based threats throughout the year, specifically statistics pertaining to malicious URLs, domains, exploit kits, and CVEs.
During Quarter 3 (Q3), July – September, a notable shift occurred with the malicious URL and domain d
http://community.ca.com/blogs/casecurityresponseblog/archive/2008/3/28.aspx
http://secunia.com/advisories/29408
http://www.securityfocus.com/archive/1/489893/100/0/threaded
http://www.securityfocus.com/archive/1/490263/100/0/threaded
http://www.securityfocus.com/bid/28268
http://www.securitytracker.com/id?1019617
http://www.vupen.com/english/advisories/2008/0902/references
https://exchange.xforce.ibmcloud.com/vulnerabilities/41225
https://www.exploit-db.com/exploits/5264