CVE-2008-4397
published 2008-10-14

CVE-2008-4397: Directory traversal vulnerability in the RPC interface (asdbapi.dll) in CA ARCserve Backup (formerly BrightStor ARCserve Backup) r11.1 through r12.0 allows…

Priority: P272 · critical · 10 (CVSS 2.0)
CVSS vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 80.54% (99.6th percentile)
Directory traversal vulnerability in the RPC interface (asdbapi.dll) in CA ARCserve Backup (formerly BrightStor ARCserve Backup) r11.1 through r12.0 allows remote attackers to execute arbitrary commands via a .. (dot dot) in an RPC call with opnum 0x10A.

Affected

6 ranges
Vendor | Product | Version range | Fixed in
broadcom | arcserve_backup | |
broadcom | business_protection_suite | |
broadcom | server_protection_suite | |
ca | arcserve_backup | |
ca | arcserve_backup | |
ca | business_protection_suite | |

Detection & IOCs (extracted from sources)

port: 6504
command: opnum 0x10A (directory traversal RPC call)
command: opcode 0x342 (REPORTREMOTEEXECUTECML RPC call)
other: RPC interface UUID: 506b1890-14c8-11d1-bbc3-00805fa6962e v1.0
path: asdbapi.dll
other: Return address: 0x2123bdf4 (ASCORE.dll 11.5.3884.0)
bytes: \x81\xc4\xff\xef\xff\xff\x44
  • Detect RPC calls over TCP port 6504 targeting UUID 506b1890-14c8-11d1-bbc3-00805fa6962e with opcode 0x342 (REPORTREMOTEEXECUTECML) or opnum 0x10A, which are the two attack vectors for this CVE.
  • The exploit module avoids the bad characters \x00\x0a\x0d\x5c\x5f\x2f\x2e in its payload and prepends the stack-adjustment stub \x81\xc4\xff\xef\xff\xff\x44; scanning for this byte sequence in RPC traffic on port 6504 can identify exploitation attempts.
  • The vulnerable component is asdbapi.dll loaded by CA ARCserve Backup; presence of this DLL processing remote RPC calls should be monitored for unexpected child process creation (e.g., cmd.exe spawned by the ARCserve service).
  • The Metasploit module targets a specific build of BrightStor ARCserve r11.5 (build 3884) with a hardcoded return address in ASCORE.dll; the exploit will not work as-is against other builds or versions without retargeting.
  • The exploit requires the attacker to supply the NetBIOS hostname of the target (HNAME) as a mandatory argument; exploitation will fail without it.
  • The OS-specific directory path (winnt vs windows) and SEH payload offset differ between Windows 2000 (offset 442) and Windows XP (offset 436); the module explicitly rejects other OS targets.
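
The first detection note above, as an added Python example (not code from the page's sources): it walks a reassembled client-to-server stream of DCE/RPC PDUs, records which presentation context is bound to the ARCserve interface UUID, and reports requests whose opnum is 0x10A or 0x342. It assumes little-endian encoding and that both values appear in the request PDU's opnum field; `watched_calls`, `pdu`, `bind_body` and `SAMPLE` are names made up for the example, and the sample PDUs are constructed with empty stubs.

```python
import struct
import uuid

# Interface UUID and operation numbers from the page's detection notes.
ARCSERVE_IF = uuid.UUID("506b1890-14c8-11d1-bbc3-00805fa6962e")
WATCHED_OPNUMS = {0x10A, 0x342}
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax v2

def watched_calls(stream: bytes) -> list[int]:
    """Return watched opnums requested on the ARCserve interface.
    Assumes one reassembled client-to-server TCP stream (e.g. port 6504)
    of little-endian DCE/RPC v5 connection-oriented PDUs."""
    hits, bound, pos = [], set(), 0
    while pos + 16 <= len(stream):
        ver, _, ptype, _, drep, frag_len, _, _ = struct.unpack_from("<BBBB4sHHI", stream, pos)
        if ver != 5 or drep[0] >> 4 != 1 or frag_len < 16 or pos + frag_len > len(stream):
            break  # not DCE/RPC, big-endian, or truncated: stop rather than guess
        body = stream[pos + 16 : pos + frag_len]
        if ptype in (11, 14) and len(body) >= 12:  # bind / alter_context
            off = 12  # skip max frag sizes, assoc group, context count + padding
            for _ in range(body[8]):
                if off + 24 > len(body):
                    break
                ctx_id, n_syntaxes = struct.unpack_from("<HBx", body, off)
                if uuid.UUID(bytes_le=body[off + 4 : off + 20]) == ARCSERVE_IF:
                    bound.add(ctx_id)  # context id that maps to the interface
                off += 24 + 20 * n_syntaxes
        elif ptype == 0 and len(body) >= 8:  # request: alloc_hint, context id, opnum
            _, ctx_id, opnum = struct.unpack_from("<IHH", body)
            if ctx_id in bound and opnum in WATCHED_OPNUMS:
                hits.append(opnum)
        pos += frag_len
    return hits

def pdu(ptype: int, body: bytes) -> bytes:
    """Build a constructed little-endian PDU (no auth trailer) for the sample."""
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\x00\x00\x00", 16 + len(body), 0, 1) + body

def bind_body(iface: uuid.UUID, ctx_id: int = 0) -> bytes:
    """Constructed bind body: one context element, interface v1.0, NDR syntax."""
    ctx = struct.pack("<HBx", ctx_id, 1) + iface.bytes_le + struct.pack("<I", 1)
    return struct.pack("<HHIB3x", 4280, 4280, 0, 1) + ctx + NDR_SYNTAX.bytes_le + struct.pack("<I", 2)

# Constructed sample: bind, one unrelated call, one watched call (empty stubs).
SAMPLE = (pdu(11, bind_body(ARCSERVE_IF))
          + pdu(0, struct.pack("<IHH", 0, 0, 0x2B))
          + pdu(0, struct.pack("<IHH", 0, 0, 0x10A)))
```

Matching on the bound context rather than on the opnum alone avoids alerting on unrelated interfaces that happen to reuse the same operation numbers.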