Vulnerabilities > CVE-2005-0581 - Unspecified vulnerability in Broadcom License Software 0.1.0.15

047910
CVSS 4.6 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
local
low complexity
broadcom
nessus
exploit available
metasploit

Summary

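Multiple buffer overflows in Computer Associates (CA) License Client and Server 0.1.0.15 allow remote attackers to execute arbitrary code via (1) certain long fields in the Checksum item in a GCR request, (2) long IP address, hostname, or netmask values in a GCR request, (3) a long last parameter in a GETCONFIG packet, or (4) long values in a request with an invalid format. Note that the score block above lists the attack vector as LOCAL, while this description and the Nessus plugin below (CVSS2 vector AV:N) both describe the flaws as reachable over the network; when prioritising, treat network exposure of the license service as the relevant risk.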

Vulnerable Configurations

Part Description Count
Application
Broadcom
1

Exploit-Db

  • description: Computer Associates License Server GETCONFIG Overflow. CVE-2005-0581. Remote exploit for windows platform
    id: EDB-ID:16745
    last seen: 2016-02-02
    modified: 2010-09-20
    published: 2010-09-20
    reporter: metasploit
    source: https://www.exploit-db.com/download/16745/
    title: Computer Associates License Server GETCONFIG Overflow
  • description: Computer Associates License Client GETCONFIG Overflow. CVE-2005-0581. Remote exploit for windows platform
    id: EDB-ID:16744
    last seen: 2016-02-02
    modified: 2010-09-20
    published: 2010-09-20
    reporter: metasploit
    source: https://www.exploit-db.com/download/16744/
    title: Computer Associates License Client GETCONFIG Overflow
  • description: CA License Server (GETCONFIG) Remote Buffer Overflow Exploit (c). CVE-2005-0581,CVE-2005-0582. Remote exploit for windows platform
    id: EDB-ID:859
    last seen: 2016-01-31
    modified: 2005-03-06
    published: 2005-03-06
    reporter: class101
    source: https://www.exploit-db.com/download/859/
    title: CA License Server GETCONFIG Remote Buffer Overflow Exploit c
  • description: CA BrightStor ARCserve License Service GCR NETWORK Buffer Overflow. CVE-2005-0581. Remote exploit for windows platform
    id: EDB-ID:16414
    last seen: 2016-02-01
    modified: 2010-11-03
    published: 2010-11-03
    reporter: metasploit
    source: https://www.exploit-db.com/download/16414/
    title: CA BrightStor ARCserve License Service GCR NETWORK Buffer Overflow

Metasploit

Nessus

NASL family: Windows
NASL id: CA_LICENSE_SERVICE_STACK_OVERFLOW.NASL
description: The remote host is running the Computer Associate License Application. The remote version of this software is vulnerable to several flaws that could allow a remote attacker to execute arbitrary code on the remote host with SYSTEM privileges.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 17307
published: 2005-03-10
reporter: This script is Copyright (C) 2005-2018 KK Liu
source: https://www.tenable.com/plugins/nessus/17307
title: CA License Service Multiple Vulnerabilities
code
#
# (C) KK Liu
#

# Changes by Tenable:
#  - Fixed the request
#  - Shorter description
#  - Fixed the version number check 
#  - Added a check on port 10202, 10203
#  - Changed plugin family (8/14/2009)


include("compat.inc");

# Plugin registration. When the engine loads the script with `description`
# set, only this block runs: it declares the plugin's identity, the advisory
# text, the risk scoring and the ports it needs, then exits before any
# network traffic is generated.
if (description)
{
  # --- Identity and cross-references ---
  script_id(17307);
  script_version("1.34");
  script_cve_id("CVE-2005-0581", "CVE-2005-0582", "CVE-2005-0583");
  script_bugtraq_id(12705);
  script_name(english:"CA License Service Multiple Vulnerabilities");

  # --- Report text shown to the operator ---
  script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host.");
  # The description is a multi-line literal; its continuation lines stay at
  # column 0 so no extra whitespace ends up inside the string.
  script_set_attribute(attribute:"description", value:
"The remote host is running the Computer Associate License Application. 

The remote version of this software is vulnerable to several flaws
that could allow a remote attacker to execute arbitrary code on the
remote host with SYSTEM privileges.");
  # NOTE(review): see_also is a generic research-blog landing page rather than
  # a specific advisory, and solution carries only a short link with no
  # remediation text -- confirm both still lead to the vendor fix.
  script_set_attribute(attribute:"see_also", value:"https://www.beyondtrust.com/resources/blog/research/");
  script_set_attribute(attribute:"solution", value:"http://www.nessus.org/u?c1c908e9");

  # --- Risk scoring ---
  # CVSS2 base vector: network-reachable, low complexity, no authentication,
  # complete impact on confidentiality, integrity and availability.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  # Temporal vector: functional exploit, official fix, confirmed report.
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");

  # --- Exploit availability flags ---
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Computer Associates License Server GETCONFIG Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  # --- Timeline ---
  script_set_attribute(attribute:"vuln_publication_date", value: "2005/03/02");
  script_set_attribute(attribute:"patch_publication_date", value: "2005/03/02");
  script_set_attribute(attribute:"plugin_publication_date", value: "2005/03/10");
  script_cvs_date("Date: 2018/11/15 20:50:26");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # --- Scheduling information ---
  script_summary(english:"CA License Service Stack Overflow");
  # Declared as an information-gathering check, not an attack-category plugin.
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2018 KK Liu");
  script_family(english: "Windows");
  # The three TCP ports the check below probes.
  script_require_ports(10202, 10203, 10204);
  exit(0);
}

include("global_settings.inc");
include('misc_func.inc');

# Version check. Each candidate port is sent one short GETCONFIG query and
# the reply is searched for a VERSION<...> field. The decision is made purely
# from the version the service reports about itself; no oversized or
# malformed field is sent.
probe = 'A0 GETCONFIG SELF 0 <EOM>\r\n';
candidate_ports = make_list(10202, 10203, 10204);

foreach port (candidate_ports)
{
  # Skip ports the scanner does not report as open.
  if (!get_port_state(port)) continue;

  sock = open_sock_tcp(port);
  if (!sock) continue;

  # One request, one bounded read (at most 620 bytes), then the socket is
  # released before any parsing happens.
  send(socket:sock, data:probe);
  reply = recv(socket:sock, length:620);
  close(sock);

  if (strlen(reply) <= 0) continue;

  # Keep only the part of the reply starting at the version field.
  banner = strstr(reply, "VERSION<");
  if (!banner) continue;

  # Any reply carrying a VERSION< field is recorded as a CA License Service,
  # whether or not the version turns out to be flagged.
  register_service(port:port, proto:"CA_License_Service");

  # Flagged version strings: 1.53-1.59 and 1.60 with any suffix, and 1.61
  # optionally followed by .0 through .8. Anything else yields no finding.
  # NOTE(review): the match depends on the banner format "VERSION<d 1.xx...>";
  # a service that answers in another format is registered but never flagged.
  if (egrep(pattern:"VERSION<[0-9] 1\.(5[3-9].*|60.*|61(\.[0-8])?)>", string:banner))
    security_hole(port);
}

Packetstorm

Saint

  • bid: 12705
    description: Computer Associates License Service invalid command buffer overflow
    id: misc_calicense
    osvdb: 14389
    title: ca_license_invalid_command
    type: remote
  • bid: 12705
    description: Computer Associates License Service GCR buffer overflow
    id: misc_calicense
    osvdb: 14389
    title: ca_license_gcr
    type: remote
  • bid: 12705
    description: Computer Associates License Service GETCONFIG buffer overflow
    id: misc_calicense
    osvdb: 14389
    title: ca_license_getconfig
    type: remote