CVE-2008-1472
published 2008-03-24


Priority: P272, critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 39.01% (98.4th percentile)

Stack-based buffer overflow in the ListCtrl ActiveX Control (ListCtrl.ocx), as used in multiple CA products including BrightStor ARCserve Backup R11.5, Desktop Management Suite r11.1 through r11.2, and Unicenter products r11.1 through r11.2, allows remote attackers to execute arbitrary code or cause a denial of service (crash) via a long argument to the AddColumn method.

Affected

12 ranges

Vendor | Product | Version range | Fixed in
computer_associates | brightstor_arcserve_backup_laptops_desktops | |
computer_associates | desktop_management_suite | |
computer_associates | desktop_management_suite | |
computer_associates | unicenter_dsm_r11_list_control_atx | |
unicenter | asset_management | |
unicenter | asset_management | |
unicenter | desktop_management_bundle | |
unicenter | desktop_management_bundle | |
unicenter | remote_control | |
unicenter | remote_control | |
unicenter | software_delivery | |
unicenter | software_delivery | |

Detection & IOCs (extracted from sources)

filename: ListCtrl.ocx
path: CA\DSM\bin\ListCtrl.ocx
other: {BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3}
other: LISTCTRL.ListCtrlCtrl.1
command: AddColumn(%u4141%u4141..[128], 1)
url: ftp://ftp.ca.com/priv/trial/BABr11/BABLDr115/BABLDr115.zip
  • Detect instantiation of the vulnerable ActiveX control by its CLSID {BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3} (ListCtrl.ocx) in HTML/script content; a browser loading this CLSID is a strong indicator of an exploitation attempt.
  • Monitor calls to the AddColumn() method on the ListCtrl ActiveX control with arguments exceeding 128 characters; the overflow is triggered by an overly long first argument.
  • Heap spray targeting address 0x0A0A0A0A with block size 0x400000 is used in both the public PoC and Metasploit module; detect the characteristic %u0A0A%u0A0A unescape pattern in JavaScript delivered via HTTP.
  • The Metasploit module targets only Windows XP SP2-SP3 with IE 6.0/7.0; the hardcoded return address 0x0A0A0A0A is heap-spray dependent and will not reliably work on other OS/browser combinations.
  • The payload space is limited to 1024 bytes with null bytes as bad characters; payloads larger than this or containing \x00 will fail.
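
The detection notes above can be combined into one content scanner for proxy or mail-gateway captures. This is an added example, not code from the page or from any vendor; the finding names, the `scan` and `decoded_len` helpers and both sample inputs are constructed for illustration, while the CLSID, ProgID, 128-character threshold and %u0A0A pattern come from the IOC list.

```python
import re

CLSID = "BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3"  # from the IOC list above
PROGID = "LISTCTRL.ListCtrlCtrl.1"              # from the IOC list above
MAX_ARG = 128                                   # length named in the detection notes

# First argument of .AddColumn(...): a quoted literal (groups 1-2) or an identifier (group 3).
CALL_RE = re.compile(r"\.AddColumn\s*\(\s*(?:(['\"])(.*?)\1|([A-Za-z_$][\w$]*))", re.S)
SPRAY_RE = re.compile(r"(?:%u0A0A){2,}", re.I)
ESC_RE = re.compile(r"%u[0-9a-f]{4}|%[0-9a-f]{2}", re.I)

def decoded_len(literal):
    """Length after unescape(): every %uXXXX or %XX sequence becomes one character."""
    return len(ESC_RE.sub("x", literal))

def scan(content):
    """Return the sorted list of (hypothetical) finding names raised by HTML/script content."""
    findings = set()
    lowered = content.lower()
    if CLSID.lower() in lowered:
        findings.add("listctrl-clsid")
    if PROGID.lower() in lowered:
        findings.add("listctrl-progid")
    for m in CALL_RE.finditer(content):
        if m.group(3):
            # Argument built at run time: length unknown statically, lower confidence.
            findings.add("addcolumn-dynamic-arg")
        elif decoded_len(m.group(2)) > MAX_ARG:
            findings.add("addcolumn-long-arg")
    if SPRAY_RE.search(content):
        findings.add("spray-0a0a-pattern")
    return sorted(findings)

# Constructed sample: ordinary use of the control with a short column name.
BENIGN = ('<object classid="clsid:' + CLSID + '" id="ctl"></object>'
          '<script>ctl.AddColumn("Name", 1);</script>')
# Constructed sample: script fragment carrying the two script-level indicators.
SUSPECT = ('var s = unescape("%u0A0A%u0A0A"); '
           'ctl.AddColumn("' + "A" * 200 + '", 1);')

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, scan(sample))
```

A literal of exactly 128 decoded characters is not flagged, matching the "exceeding 128 characters" wording; arguments assembled at run time only raise the lower-confidence `addcolumn-dynamic-arg` finding and need correlation with the other indicators.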

CVSS provenance

nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck | 9.3 | CRITICAL