Background
CA XOsoft is storage and recovery management software that includes applications for combined business continuity and disaster recovery. The CA XOsoft product family includes CA XOsoft Replication, CA XOsoft High Availability, and CA XOsoft Content Distribution.
Problem
Control Service r12 and Control Service r12.5 included in the CA XOsoft Replication, High Availability, and Content Distribution products with versions r12 and r12.5 are vulnerable to a stack buffer overflow as a result of overly long data passed to /entry_point.aspx. A successful attacker could execute arbitrary code with the permissions of the CA Control Service process.
Resolution
Apply the patches referenced in CA Security Notice for CA XOsoft CA20100406-01.
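To confirm that a host is at the patched level, the manual file-version check from the CA20100406-01 notice can be scripted; the following is an added example, not code from CA, SAINT or the Nessus plugin. The file name, default directory, registry key and fixed versions are the ones quoted in the records on this page; the function name `Test-XOsoftPatchLevel` and the shape of its result object are hypothetical.

```powershell
# Added example: compares the file version of mng_core_com.dll with the fixed
# versions listed in CA20100406-01 (12.5.2.563 for r12.5, 5.0.5.128 for r12.0).
# Test-XOsoftPatchLevel is a hypothetical name, not a vendor cmdlet.
function Test-XOsoftPatchLevel {
    param(
        # Optional install directory; when omitted it is read from the registry,
        # falling back to the default path given in the CA notice.
        [string]$InstallDir
    )

    if (-not $InstallDir) {
        $key = 'HKLM:\SOFTWARE\CA\XOsoft\Manager'
        $reg = Get-ItemProperty -Path $key -Name 'Install_Dir' -ErrorAction SilentlyContinue
        if ($reg) { $InstallDir = $reg.Install_Dir }
        else      { $InstallDir = 'C:\Program Files\CA\XOsoft\Manager' }
    }

    $dll = Join-Path $InstallDir 'mng_core_com.dll'
    if (-not (Test-Path -LiteralPath $dll -PathType Leaf)) {
        return [pscustomobject]@{
            Path = $dll; Installed = $null; Fixed = $null; Status = 'NotInstalled'
        }
    }

    # Build the version from the numeric parts of the version resource; the
    # FileVersion string can carry extra text that does not parse cleanly.
    $info = (Get-Item -LiteralPath $dll).VersionInfo
    $installed = [version]('{0}.{1}.{2}.{3}' -f $info.FileMajorPart,
        $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart)

    # r12.0 products ship the DLL with a 5.x file version and r12.5 products
    # with 12.5.x. Other branches are not listed as affected, so they are
    # reported separately rather than compared.
    if ($installed.Major -eq 5) {
        $fixed = [version]'5.0.5.128'
    }
    elseif ($installed.Major -eq 12 -and $installed.Minor -eq 5) {
        $fixed = [version]'12.5.2.563'
    }
    else {
        return [pscustomobject]@{
            Path = $dll; Installed = $installed; Fixed = $null; Status = 'NotKnownAffected'
        }
    }

    # [version] compares component by component, so 12.5.2.99 sorts below 12.5.2.563.
    $status = if ($installed -lt $fixed) { 'Vulnerable' } else { 'Patched' }

    [pscustomobject]@{
        Path = $dll; Installed = $installed; Fixed = $fixed; Status = $status
    }
}

Test-XOsoftPatchLevel
```

A `Vulnerable` result means the RO15016 (r12.5) or RO16643 (r12.0) patch named in the notice has not been applied on that host.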
References
<http://secunia.com/advisories/39337/>
Limitations
Exploit works on CA XOsoft Control Service r12.5.
Platforms
Windows
{"id": "SAINT:4416EDF49F321DF0E51156FBAE2E3CF3", "bulletinFamily": "exploit", "title": "CA XOsoft Control Service entry_point.aspx Remote Code Execution", "description": "Added: 06/07/2010 \nCVE: [CVE-2010-1223](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1223>) \nBID: [39238](<http://www.securityfocus.com/bid/39238>) \nOSVDB: [63611](<http://www.osvdb.org/63611>) \n\n\n### Background\n\n[CA XOsoft](<http://www.ca.com/ca/en/products/Product.aspx?ID=8232>) is storage and recovery management software that includes applications for combined business continuity and disaster recovery. The CA XOsoft product family includes CA XOsoft Replication, CA XOsoft High Availability, and CA XOsoft Content Distribution. \n\n### Problem\n\nControl Service r12 and Control Service r12.5 included in the CA XOsoft Replication, High Availability, and Content Distribution products with versions r12 and r12.5 are vulnerable to a stack buffer overflow as a result of overly long data passed to **`/entry_point.aspx`**. A successful attacker could execute arbitrary code with the permissions of the CA Control Service process. \n\n### Resolution\n\nApply the patches referenced in CA Security Notice for CA XOsoft [CA20100406-01](<https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=232869>). \n\n### References\n\n<http://secunia.com/advisories/39337/> \n\n\n### Limitations\n\nExploit works on CA XOsoft Control Service r12.5. 
\n\n### Platforms\n\nWindows \n \n\n", "published": "2010-06-07T00:00:00", "modified": "2010-06-07T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/ca_xosoft_entrypointaspx_bo", "reporter": "SAINT Corporation", "references": [], "cvelist": ["CVE-2010-1223"], "type": "saint", "lastseen": "2019-06-04T23:19:35", "edition": 4, "viewCount": 13, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2010-1223"]}, {"type": "saint", "idList": ["SAINT:7377A7447F1AB9E83F9427E238CBEA52", "SAINT:235E6D9888C25D298795507F959412EA"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:10748", "SECURITYVULNS:DOC:23586", "SECURITYVULNS:DOC:23584", "SECURITYVULNS:DOC:23585"]}, {"type": "d2", "idList": ["D2SEC_CAXOSOFT"]}, {"type": "zdi", "idList": ["ZDI-10-066", "ZDI-10-065"]}, {"type": "nessus", "idList": ["CA_XOSOFT_MULTIPLE_FLAWS.NASL"]}], "modified": "2019-06-04T23:19:35", "rev": 2}, "score": {"value": 9.6, "vector": "NONE", "modified": "2019-06-04T23:19:35", "rev": 2}, "vulnersScore": 9.6}, "scheme": null, "immutableFields": []}
{"cve": [{"lastseen": "2021-02-02T05:44:57", "description": "Multiple buffer overflows in CA XOsoft r12.0 and r12.5 allow remote attackers to execute arbitrary code via (1) a malformed request to the ws_man/xosoapapi.asmx SOAP endpoint or (2) a long string to the entry_point.aspx service.", "edition": 4, "cvss3": {}, "published": "2010-04-07T15:30:00", "title": "CVE-2010-1223", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1223"], "modified": "2018-10-10T19:56:00", "cpe": ["cpe:/a:ca:xosoft_replication:r12.5", "cpe:/a:ca:xosoft_content_distribution:r12.0", "cpe:/a:ca:xosoft_high_availability:r12.5", "cpe:/a:ca:xosoft_replication:r12.0", "cpe:/a:ca:xosoft_content_distribution:r12.5", "cpe:/a:ca:xosoft_high_availability:r12.0"], "id": "CVE-2010-1223", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1223", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:ca:xosoft_high_availability:r12.5:*:*:*:*:*:*:*", "cpe:2.3:a:ca:xosoft_replication:r12.5:*:*:*:*:*:*:*", "cpe:2.3:a:ca:xosoft_content_distribution:r12.0:*:*:*:*:*:*:*", "cpe:2.3:a:ca:xosoft_high_availability:r12.0:*:*:*:*:*:*:*", "cpe:2.3:a:ca:xosoft_replication:r12.0:*:*:*:*:*:*:*", "cpe:2.3:a:ca:xosoft_content_distribution:r12.5:*:*:*:*:*:*:*"]}], "saint": [{"lastseen": "2016-10-03T15:02:01", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1223"], "description": "Added: 06/07/2010 \nCVE: 
[CVE-2010-1223](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1223>) \nBID: [39238](<http://www.securityfocus.com/bid/39238>) \nOSVDB: [63611](<http://www.osvdb.org/63611>) \n\n\n### Background\n\n[CA XOsoft](<http://www.ca.com/ca/en/products/Product.aspx?ID=8232>) is storage and recovery management software that includes applications for combined business continuity and disaster recovery. The CA XOsoft product family includes CA XOsoft Replication, CA XOsoft High Availability, and CA XOsoft Content Distribution. \n\n### Problem\n\nControl Service r12 and Control Service r12.5 included in the CA XOsoft Replication, High Availability, and Content Distribution products with versions r12 and r12.5 are vulnerable to a stack buffer overflow as a result of overly long data passed to **`/entry_point.aspx`**. A successful attacker could execute arbitrary code with the permissions of the CA Control Service process. \n\n### Resolution\n\nApply the patches referenced in CA Security Notice for CA XOsoft [CA20100406-01](<https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=232869>). \n\n### References\n\n<http://secunia.com/advisories/39337/> \n\n\n### Limitations\n\nExploit works on CA XOsoft Control Service r12.5. 
\n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "modified": "2010-06-07T00:00:00", "published": "2010-06-07T00:00:00", "id": "SAINT:7377A7447F1AB9E83F9427E238CBEA52", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/ca_xosoft_entrypointaspx_bo", "type": "saint", "title": "CA XOsoft Control Service entry_point.aspx Remote Code Execution", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T17:19:56", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1223"], "edition": 2, "description": "Added: 06/07/2010 \nCVE: [CVE-2010-1223](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1223>) \nBID: [39238](<http://www.securityfocus.com/bid/39238>) \nOSVDB: [63611](<http://www.osvdb.org/63611>) \n\n\n### Background\n\n[CA XOsoft](<http://www.ca.com/ca/en/products/Product.aspx?ID=8232>) is storage and recovery management software that includes applications for combined business continuity and disaster recovery. The CA XOsoft product family includes CA XOsoft Replication, CA XOsoft High Availability, and CA XOsoft Content Distribution. \n\n### Problem\n\nControl Service r12 and Control Service r12.5 included in the CA XOsoft Replication, High Availability, and Content Distribution products with versions r12 and r12.5 are vulnerable to a stack buffer overflow as a result of overly long data passed to **`/entry_point.aspx`**. A successful attacker could execute arbitrary code with the permissions of the CA Control Service process. \n\n### Resolution\n\nApply the patches referenced in CA Security Notice for CA XOsoft [CA20100406-01](<https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=232869>). \n\n### References\n\n<http://secunia.com/advisories/39337/> \n\n\n### Limitations\n\nExploit works on CA XOsoft Control Service r12.5. 
\n\n### Platforms\n\nWindows \n \n\n", "modified": "2010-06-07T00:00:00", "published": "2010-06-07T00:00:00", "id": "SAINT:235E6D9888C25D298795507F959412EA", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/ca_xosoft_entrypointaspx_bo", "type": "saint", "title": "CA XOsoft Control Service entry_point.aspx Remote Code Execution", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "d2": [{"lastseen": "2019-05-29T17:19:08", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1223"], "description": "**Name**| d2sec_caxosoft \n---|--- \n**CVE**| CVE-2010-1223 \n**Exploit Pack**| [D2ExploitPack](<http://http://www.d2sec.com/products.htm>) \n**Description**| CA XOsoft Control Service entry_point.aspx Remote Stack Overflow Vulnerability \n**Notes**| \n", "edition": 2, "modified": "2010-04-07T15:30:00", "published": "2010-04-07T15:30:00", "id": "D2SEC_CAXOSOFT", "href": "http://exploitlist.immunityinc.com/home/exploitpack/D2ExploitPack/d2sec_caxosoft", "title": "DSquare Exploit Pack: D2SEC_CAXOSOFT", "type": "d2", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdi": [{"lastseen": "2020-06-22T11:41:26", "bulletinFamily": "info", "cvelist": ["CVE-2010-1223"], "edition": 3, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Computer Associates XOsoft Control Replication and High Availability Control Service. Authentication is not required to exploit this vulnerability. The specific flaws exist within the /ws_man/xosoapapi.asmx SOAP endpoint and occur when submitting malformed requests to the server. 
Successful exploitation can lead to code execution under the context of the service.", "modified": "2010-06-22T00:00:00", "published": "2010-04-06T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-10-065/", "id": "ZDI-10-065", "title": "CA XOsoft xosoapapi.asmx Multiple Remote Code Execution Vulnerabilities", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-22T11:41:08", "bulletinFamily": "info", "cvelist": ["CVE-2010-1223"], "edition": 3, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Computer Associates XOsoft Control Replication and High Availability Control Service. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /entry_point.aspx service and occurs due to an unbounded string copy utilizing a string controlled by the user as the source into a fixed length buffer located on the stack. Successful exploitation can lead to code execution under the context of the service.", "modified": "2010-06-22T00:00:00", "published": "2010-04-06T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-10-066/", "id": "ZDI-10-066", "title": "CA XOsoft Control Service entry_point.aspx Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:34", "bulletinFamily": "software", "cvelist": ["CVE-2010-1223"], "description": "ZDI-10-066: CA XOsoft Control Service entry_point.aspx Remote Code Execution Vulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-10-066\r\nApril 6, 2010\r\n\r\n-- CVE ID:\r\nCVE-2010-1223 \r\n\r\n-- Affected Vendors:\r\nComputer Associates\r\n\r\n-- Affected Products:\r\nComputer Associates XOsoft High Availability\r\nComputer Associates XOsoft Replication\r\n\r\n-- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have 
been protected against this\r\nvulnerability by Digital Vaccine protection filter ID 9493. \r\nFor further product information on the TippingPoint IPS, visit:\r\n\r\n http://www.tippingpoint.com\r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of Computer Associates XOsoft Control\r\nReplication and High Availability Control Service. Authentication is not\r\nrequired to exploit this vulnerability.\r\n\r\nThe specific flaw exists within the /entry_point.aspx service and occurs\r\ndue to an unbounded string copy utilizing a string controlled by the\r\nuser as the source into a fixed length buffer located on the stack.\r\nSuccessful exploitation can lead to code execution under the context of\r\nthe service.\r\n\r\n-- Vendor Response:\r\nComputer Associates has issued an update to correct this vulnerability. More\r\ndetails can be found at:\r\n\r\nhttps://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=232869\r\n\r\n-- Disclosure Timeline:\r\n2009-12-16 - Vulnerability reported to vendor\r\n2010-04-06 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by:\r\n * Andrea Micalizzi aka rgod\r\n * AbdulAziz Hariri\r\n\r\n-- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents \r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. 
Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors (including competitors) who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\r\n\r\nFollow the ZDI on Twitter:\r\n\r\n http://twitter.com/thezdi", "edition": 1, "modified": "2010-04-07T00:00:00", "published": "2010-04-07T00:00:00", "id": "SECURITYVULNS:DOC:23585", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:23585", "title": "ZDI-10-066: CA XOsoft Control Service entry_point.aspx Remote Code Execution Vulnerability", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:34", "bulletinFamily": "software", "cvelist": ["CVE-2010-1223"], "description": "ZDI-10-065: CA XOsoft xosoapapi.asmx Multiple Remote Code Execution Vulnerabilities\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-10-065\r\nApril 6, 2010\r\n\r\n-- CVE ID:\r\nCVE-2010-1223\r\n\r\n-- Affected Vendors:\r\nComputer Associates\r\n\r\n-- Affected Products:\r\nComputer Associates XOsoft High Availability\r\nComputer Associates XOsoft Replication\r\n\r\n-- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability by Digital Vaccine protection filter ID 9504,9507. 
\r\nFor further product information on the TippingPoint IPS, visit:\r\n\r\n http://www.tippingpoint.com\r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of Computer Associates XOsoft Control\r\nReplication and High Availability Control Service. Authentication is not\r\nrequired to exploit this vulnerability.\r\n\r\nThe specific flaws exist within the /ws_man/xosoapapi.asmx SOAP endpoint\r\nand occur when submitting malformed requests to the server. Successful\r\nexploitation can lead to code execution under the context of the\r\nservice.\r\n\r\n-- Vendor Response:\r\nComputer Associates has issued an update to correct this vulnerability. More\r\ndetails can be found at:\r\n\r\nhttps://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=232869\r\n\r\n-- Disclosure Timeline:\r\n2009-12-16 - Vulnerability reported to vendor\r\n2010-04-06 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by:\r\n * Andrea Micalizzi aka rgod\r\n\r\n-- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents \r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. 
Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors (including competitors) who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\r\n\r\nFollow the ZDI on Twitter:\r\n\r\n http://twitter.com/thezdi", "edition": 1, "modified": "2010-04-07T00:00:00", "published": "2010-04-07T00:00:00", "id": "SECURITYVULNS:DOC:23586", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:23586", "title": "ZDI-10-065: CA XOsoft xosoapapi.asmx Multiple Remote Code Execution Vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:34", "bulletinFamily": "software", "cvelist": ["CVE-2010-1222", "CVE-2010-1221", "CVE-2010-1223"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\n\r\nCA20100406-01: Security Notice for CA XOsoft\r\n\r\nIssued: April 6, 2010\r\n\r\nCA's support is alerting customers to multiple security risks with CA\r\nXOsoft products. Multiple vulnerabilities exist that can allow a\r\nremote attacker to gain sensitive information, cause a denial of\r\nservice, or possibly execute arbitrary code. CA has issued patches\r\nto address the vulnerabilities.\r\n\r\nThe first vulnerability, CVE-2010-1221, occurs due to a lack of\r\nauthentication. An attacker can make a SOAP request to enumerate user\r\nnames. This vulnerability has a low risk rating and affects r12.0 and\r\nr12.5 XOsoft products.\r\n\r\nThe second vulnerability, CVE-2010-1222, occurs due to a lack of\r\nauthentication. An attacker can make a SOAP request to gain\r\npotentially sensitive information. 
This vulnerability has a low risk\r\nrating and affects only r12.5 XOsoft products.\r\n\r\nThe third set of vulnerabilities, CVE-2010-1223, occurs due to\r\ninsufficient bounds checking. An attacker can make a request that can\r\ncause a buffer overflow which may result in a crash or possibly code\r\nexecution. These vulnerabilities have a high risk rating and affect\r\nr12.0 and r12.5 XOsoft products.\r\n\r\nRisk Rating\r\n\r\nHigh\r\n\r\nPlatform\r\n\r\nWindows\r\n\r\nAffected Products\r\n\r\nCA XOsoft Replication r12.5\r\nCA XOsoft High Availability r12.5\r\nCA XOsoft Content Distribution r12.5\r\nCA XOsoft Replication r12.0\r\nCA XOsoft High Availability r12.0\r\nCA XOsoft Content Distribution r12.0\r\n\r\nNon-Affected Products\r\n\r\nCA XOsoft Replication r4\r\nCA XOsoft High Availability r4\r\nCA XOsoft Content Distribution r4\r\n\r\nHow to determine if the installation is affected\r\n\r\n1. Using Windows Explorer, locate the files "mng_core_com.dll". By\r\ndefault, the file is located in the\r\n"C:\Program Files\CA\XOsoft\Manager" directory.\r\n2. Right click on the file and select Properties.\r\n3. Select the Version tab.\r\n4. 
If the file version is previous than indicated in the below table,\r\nthe installation is vulnerable.\r\n\r\nProduct\r\nFile Name\r\nFile Version\r\n\r\nXOsoft 12.5 products\r\nmng_core_com.dll\r\n12.5.2.563\r\n\r\nXOsoft 12.0 products\r\nmng_core_com.dll\r\n5.0.5.128\r\n\r\nSolution\r\n\r\nCA issued the following patches to address the vulnerabilities.\r\n\r\nCA XOsoft Replication r12.5,\r\nCA XOsoft High Availability r12.5,\r\nCA XOsoft Content Distribution r12.5:\r\nRO15016\r\n\r\nCA XOsoft Replication r12.0,\r\nCA XOsoft High Availability r12.0,\r\nCA XOsoft Content Distribution r12.0:\r\nRO16643\r\n\r\nReferences\r\n\r\nCVE-2010-1221 - username enumeration\r\nCVE-2010-1222 - information disclosure\r\nCVE-2010-1223 - buffer overflows\r\n\r\nCA20100406-01: Security Notice for CA XOsoft\r\n(line wraps)\r\nhttps://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=23\r\n2869\r\n\r\nAcknowledgement\r\n\r\nCVE-2010-1221, CVE-2010-1222, CVE-2010-1223 - Andrea Micalizzi aka\r\nrgod reported through the TippingPoint ZDI program\r\n\r\nChange History\r\n\r\nVersion 1.0: Initial Release\r\n\r\nIf additional information is required, please contact CA Support at\r\nhttp://support.ca.com/\r\n\r\nIf you discover a vulnerability in CA products, please report your\r\nfindings to the CA Product Vulnerability Response Team.\r\n(line wraps)\r\nhttps://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=17\r\n7782\r\n\r\nKevin Kotas\r\nCA Product Vulnerability Response Team\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: PGP 8.1\r\n\r\niQEVAwUBS7txcJI1FvIeMomJAQEvnQf/ZQ+LZTLLRETjr06imXzcuT1KtlsvpLQj\r\ns+h0HfJO36QYYHWpBENRIJliSQJqQSRY1Jzh0Zy2Ilxu4j5/sJsZS7QhCw+JXiP5\r\nFHY+Hg6xkSazYkS2/9RAZWj47CYK/xg+PRhLcK6+WNwhvNDBj/sHCi+Ub8U9f+h3\r\nK5qV9Lr4PrDJt5VZog41mqCSmRBvRmtKtEWm4nBp4ebE0drzzoscANBxTs60kExi\r\nl8cMGoQR8OpHfHDTk70iRxN8+JDHNEI4qObgK1tgugq7TLrflk2Ts1pUKnxopXP2\r\nL6TY+2ofP4L2dCxWDcb1FtYYNM34iHMnNXQa+tmSmyPqT9FIcu15CA==\r\n=CUG9\r\n-----END PGP 
SIGNATURE-----", "edition": 1, "modified": "2010-04-07T00:00:00", "published": "2010-04-07T00:00:00", "id": "SECURITYVULNS:DOC:23584", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:23584", "title": "CA20100406-01: Security Notice for CA XOsoft", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:36", "bulletinFamily": "software", "cvelist": ["CVE-2010-1222", "CVE-2010-1186", "CVE-2010-0400", "CVE-2010-1221", "CVE-2010-1223"], "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 1, "modified": "2010-04-07T00:00:00", "published": "2010-04-07T00:00:00", "id": "SECURITYVULNS:VULN:10748", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10748", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-04-01T01:26:56", "description": "XOsoft, a product from Computer Associates for combined business\ncontinuity and disaster recovery, is installed on the remote Windows\nhost. \n\nAccording to its version, it is affected by several vulnerabilities. \n\n - By sending a specially crafted SOAP request, it may be \n possible for an unauthenticated attacker to enumerate \n users on the remote system. (CVE-2010-1221)\n\n - By sending a specially crafted SOAP request, it may be \n possible for an unauthenticated attacker to gain \n sensitive information from the remote system. \n (CVE-2010-1222)\n\n - By sending a specially crafted request, it may be \n possible for an attacker to execute arbitrary code on\n the remote system within the context of the service or \n trigger a denial of service condition. 
(CVE-2010-1223)", "edition": 27, "published": "2010-04-13T00:00:00", "title": "Computer Associates XOsoft Multiple Flaws (CA20100406) (credentialed check)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-1222", "CVE-2010-1221", "CVE-2010-1223"], "modified": "2021-04-02T00:00:00", "cpe": [], "id": "CA_XOSOFT_MULTIPLE_FLAWS.NASL", "href": "https://www.tenable.com/plugins/nessus/45503", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(45503);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/11/15 20:50:26\");\n\n script_cve_id(\"CVE-2010-1221\", \"CVE-2010-1222\", \"CVE-2010-1223\");\n script_bugtraq_id(39238, 39244, 39249);\n script_xref(name:\"Secunia\", value:\"39337\");\n\n script_name(english:\"Computer Associates XOsoft Multiple Flaws (CA20100406) (credentialed check)\");\n script_summary(english:\"Checks version of mng_core_com.dl\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host contains an application that is affected by\nmultiple vulnerabilities.\" );\n script_set_attribute(attribute:\"description\", value:\n\"XOsoft, a product from Computer Associates for combined business\ncontinuity and disaster recovery, is installed on the remote Windows\nhost. \n\nAccording to its version, it is affected by several vulnerabilities. \n\n - By sending a specially crafted SOAP request, it may be \n possible for an unauthenticated attacker to enumerate \n users on the remote system. (CVE-2010-1221)\n\n - By sending a specially crafted SOAP request, it may be \n possible for an unauthenticated attacker to gain \n sensitive information from the remote system. \n (CVE-2010-1222)\n\n - By sending a specially crafted request, it may be \n possible for an attacker to execute arbitrary code on\n the remote system within the context of the service or \n trigger a denial of service condition. 
(CVE-2010-1223)\");\n\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-10-065/\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-10-066/\" );\n # https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=232869\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?cc6c8832\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2010/Apr/82\");\n\n script_set_attribute(attribute:\"solution\", value: \"Apply vendor-supplied patches.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/04/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/04/06\");\n script_set_attribute(attribute:\"plugin_publication_date\",value:\"2010/04/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n \n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\", \"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nif (report_paranoia < 2)\n{\n port = get_http_port(default:8088);\n\n banner = get_http_banner(port:port);\n if (!banner) exit(1, \"Unable to get banner from web server on port \"+port+\".\");\n if(!egrep(pattern:\"^Server:.*Microsoft-HTTPAPI/\",string:banner))\n exit(0,\"The banner from the web server on port \"+ port + \" does not appear to be from XOsoft.\");\n\n url = \"/entry_point.aspx?width=1440\";\n\n res = http_send_recv3(method:\"GET\", item:url, port:port,exit_on_fail:1);\n\n if (\"Login to CA XOsoft\" >!< res[2])\n exit (0, \"The web application running on port \"+ port + \" does not appear to be XOsoft.\");\n}\n\nif (!get_kb_item(\"SMB/Registry/Enumerated\")) exit(1,\"The 'SMB/Registry/Enumerated' KB item is missing.\");\n\n# Connect to the appropriate share.\nname = kb_smb_name();\nport = kb_smb_transport();\nif (!get_port_state(port)) exit(1, \"Port \"+port+\" is not open.\");\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\n\nsoc = open_sock_tcp(port);\nif (!soc) exit(1,\"Can't open socket on port \"+port+\".\");\n\nsession_init(socket:soc, hostname:name);\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:\"IPC$\");\nif (rc != 1) \n{\n NetUseDel();\n exit(1, \"Can't connect to IPC$ share.\");\n}\n\n# Connect to remote registry.\nhklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);\nif (isnull(hklm))\n{\n NetUseDel();\n exit(1, \"Can't connect to remote registry.\");\n}\n\n# Find where it's installed.\npath = NULL;\n\nkey = \"SOFTWARE\\CA\\XOsoft\\Manager\";\nkey_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);\nif (!isnull(key_h))\n{\n value = RegQueryValue(handle:key_h, 
item:\"Install_Dir\");\n if (!isnull(value)) path = value[1];\n\n RegCloseKey(handle:key_h);\n}\nRegCloseKey(handle:hklm);\n\nif (isnull(path))\n{\n NetUseDel();\n exit(0, \"XOsoft product is not installed..\");\n}\n\n# Grab the file version of file mng_core_com.dll.\n\nshare = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:path);\ndll = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\\mng_core_com.dll\", string:path);\nNetUseDel(close:FALSE);\n\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:share);\nif (rc != 1)\n{\n NetUseDel();\n exit(1, \"Can't connect to \"+share+\" share.\");\n}\n\nfh = CreateFile(\n file:dll,\n desired_access:GENERIC_READ,\n file_attributes:FILE_ATTRIBUTE_NORMAL,\n share_mode:FILE_SHARE_READ,\n create_disposition:OPEN_EXISTING\n);\n\nver = NULL;\n\nif (!isnull(fh))\n{\n ver = GetFileVersion(handle:fh);\n CloseFile(handle:fh);\n}\n\nNetUseDel();\n\n# Check the version number.\nif (!isnull(ver))\n{\n if(ver[0] == 5) \n fixed_version = \"5.0.5.128\"; # 12.0\n else if (ver[0] == 12 && ver[1] == 5)\n fixed_version = \"12.5.2.563\"; # 12.5\n # Do not flag versions other than 12.0 and 12.5\n # as they might not be affected.\n else \n exit(0, \"XOsoft version \"+ join(ver,sep:\".\") + \" is not known to be affected.\");\n \n version = join(ver, sep:\".\");\n fix = split(fixed_version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(fix); i++)\n fix[i] = int(fix[i]);\n\n for (i=0; i<max_index(ver); i++)\n if ((ver[i] < fix[i]))\n {\n if (report_verbosity > 0)\n {\n report = \n \"\\n Path : \" + path + \n \"\\n Installed version : \" + version + \n \"\\n Fixed version : \" + fixed_version + '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n\n exit(0);\n }\n else if (ver[i] > fix[i])\n break;\n\n exit(0, \"XOsoft version \"+version+\" is installed and not vulnerable.\");\n}\nelse exit(1, \"Couldn't get file version of '\"+(share-'$')+\":\"+dll+\"'.\");\n", "cvss": {"score": 10.0, 
"vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}