ZDI-07-028: CA eTrust AntiVirus Server inoweb Buffer Overflow Vulnerability
2007-05-11T00:00:00
ID SECURITYVULNS:DOC:16985 Type securityvulns Reporter Securityvulns Modified 2007-05-11T00:00:00
Description
ZDI-07-028: CA eTrust AntiVirus Server inoweb Buffer Overflow
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-028.html
May 9, 2007
-- CVE ID:
CVE-2007-2522
-- Affected Vendor:
Computer Associates
-- Affected Products:
eTrust AntiVirus Server v8
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since November 20, 2006 by Digital Vaccine protection
filter ID 4861. For further product information on the TippingPoint IPS:
http://www.tippingpoint.com
-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on
vulnerable installations of Computer Associates AntiVirus Server. User
interaction is not required to exploit this vulnerability.
The specific flaw exists in the authentication function of the inoweb
service that listens by default on TCP port 12168. The function copies
both the username and password into fixed-length stack buffers. If an
attacker provides overly long values for these parameters, an
exploitable buffer overflow occurs.
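The copy pattern described above, as an added example that is not CA's code: a hypothetical login handler that copies the two credential fields into fixed-length stack buffers, first without a length check and then with one that rejects oversized fields. The buffer sizes, function names, return codes and the stand-in credential check are assumptions; the advisory does not publish them.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical sizes: the advisory does not give the real buffer lengths. */
#define USER_MAX 32
#define PASS_MAX 32

enum auth_result { AUTH_OK = 0, AUTH_DENIED = 1, AUTH_BAD_INPUT = 2 };

/* Constructed stand-in for the real credential check. */
static int check_credentials(const char *user, const char *pass)
{
    return strcmp(user, "admin") == 0 && strcmp(pass, "correct horse") == 0;
}

/*
 * Flawed pattern as the advisory describes it: both fields are copied into
 * fixed-length stack buffers with no length check, so a field of
 * USER_MAX / PASS_MAX bytes or more writes past the end of its buffer.
 * Shown for comparison only; it is called nowhere in this example.
 */
int authenticate_unchecked(const char *user, const char *pass)
{
    char ubuf[USER_MAX];
    char pbuf[PASS_MAX];

    strcpy(ubuf, user);   /* unbounded copy */
    strcpy(pbuf, pass);   /* unbounded copy */
    return check_credentials(ubuf, pbuf) ? AUTH_OK : AUTH_DENIED;
}

/*
 * Copy a field of at most src_len bytes (not necessarily NUL-terminated,
 * as it would arrive from a socket) into dst. Oversized input is rejected
 * rather than truncated, so a long value is never silently turned into a
 * different, shorter credential.
 */
static int copy_field(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    const char *nul = memchr(src, '\0', src_len);
    size_t n = nul ? (size_t)(nul - src) : src_len;

    if (n >= dst_size)    /* no room for the data plus the terminator */
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Hardened form: every field is length-checked before it is used. */
int authenticate_checked(const char *user, size_t user_len,
                         const char *pass, size_t pass_len)
{
    char ubuf[USER_MAX];
    char pbuf[PASS_MAX];

    if (copy_field(ubuf, sizeof ubuf, user, user_len) != 0 ||
        copy_field(pbuf, sizeof pbuf, pass, pass_len) != 0)
        return AUTH_BAD_INPUT;
    return check_credentials(ubuf, pbuf) ? AUTH_OK : AUTH_DENIED;
}

/*
 * Build an n-byte username of 'A' bytes with no terminator (constructed
 * input) and return the hardened handler's verdict for it.
 */
int probe_username_length(size_t n)
{
    static char field[4096];

    if (n > sizeof field)
        n = sizeof field;
    memset(field, 'A', n);
    return authenticate_checked(field, n, "x", 1);
}

int main(void)
{
    printf("valid login         -> %d\n",
           authenticate_checked("admin", 5, "correct horse", 13));
    printf("31-byte username    -> %d\n", probe_username_length(31));
    printf("32-byte username    -> %d\n", probe_username_length(32));
    printf("4096-byte username  -> %d\n", probe_username_length(4096));
    return 0;
}
```

The boundary case matters: a 31-byte field still fits with its terminator and is handled as an ordinary failed login, while a 32-byte field is rejected before any copy takes place.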
-- Vendor Response:
Computer Associates has issued an update to correct this vulnerability.
More details can be found at:
http://supportconnectw.ca.com/public/antivirus/infodocs/caav-secnotice050807.asp
-- Disclosure Timeline:
2006.11.06 - Vulnerability reported to vendor
2006.11.20 - Digital Vaccine released to TippingPoint customers
2007.05.09 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by Tenable Network Security.
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative
(ZDI) represents a best-of-breed model for rewarding security
researchers for responsibly disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is used.
3Com does not re-sell the vulnerability details or any exploit code.
Instead, upon notifying the affected product vendor, 3Com provides its
customers with zero day protection through its intrusion prevention
technology. Explicit details regarding the specifics of the
vulnerability are not exposed to any parties until an official vendor
patch is publicly available. Furthermore, with the altruistic aim of
helping to secure a broader user base, 3Com provides this vulnerability
information confidentially to security vendors (including competitors)
who have a vulnerability protection or mitigation product.