Vulnerabilities > CVE-2005-1272

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
broadcom
ca
nessus
exploit available
metasploit
NVD
Published: 2005-08-05
Updated: 2021-04-07

Summary

Stack-based buffer overflow in the Backup Agent for Microsoft SQL Server in BrightStor ARCserve Backup Agent for SQL Server 11.0 allows remote attackers to execute arbitrary code via a long string sent to port (1) 6070 or (2) 6050.

Vulnerable Configurations

Part Description Count
Application
Broadcom
2
Application
Ca
21

Exploit-Db

  • descriptionCA BrightStor Agent for Microsoft SQL Overflow. CVE-2005-1272. Remote exploit for windows platform
    idEDB-ID:16403
    last seen2016-02-01
    modified2010-04-30
    published2010-04-30
    reportermetasploit
    sourcehttps://www.exploit-db.com/download/16403/
    titleCA BrightStor Agent for Microsoft SQL Overflow
  • descriptionCA BrightStor ARCserve Backup Agent (dbasqlr.exe) Remote Exploit. CVE-2005-1272. Remote exploit for windows platform
    idEDB-ID:1130
    last seen2016-01-31
    modified2005-08-03
    published2005-08-03
    reportercybertronic
    sourcehttps://www.exploit-db.com/download/1130/
    titleCA BrightStor ARCserve Backup Agent dbasqlr.exe Remote Exploit

Metasploit

descriptionThis module exploits a vulnerability in the CA BrightStor Agent for Microsoft SQL Server. This vulnerability was discovered by cybertronic[at]gmx.net.
idMSF:EXPLOIT/WINDOWS/BRIGHTSTOR/SQL_AGENT
last seen2020-06-07
modified1976-01-01
published1976-01-01
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/brightstor/sql_agent.rb
titleCA BrightStor Agent for Microsoft SQL Overflow

Nessus

NASL familyWindows
NASL idARCSERVE_MSSQL_AGENT_OVERFLOW.NASL
descriptionThis host is running BrightStor ARCServe MSSQL Agent. The remote version of this software is susceptible to a buffer overflow attack. An attacker, by sending a specially crafted packet, may be able to execute code on the remote host.
last seen2020-06-01
modified2020-06-02
plugin id19387
published2005-08-05
reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/19387
titleCA BrightStor ARCserve Backup Agent for Windows Long String Overflow
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if (description)
{
 script_id(19387);
 script_version ("1.20");

 script_cve_id("CVE-2005-1272");
 script_bugtraq_id(14453);
 script_xref(name:"CERT", value:"279774");

 script_name(english:"CA BrightStor ARCserve Backup Agent for Windows Long String Overflow");

 script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host." );
 script_set_attribute(attribute:"description", value:
"This host is running BrightStor ARCServe MSSQL Agent.

The remote version of this software is susceptible to a buffer
overflow attack. 

An attacker, by sending a specially crafted packet, may be able to
execute code on the remote host." );
 script_set_attribute(attribute:"see_also", value:"https://www.kb.cert.org/vuls/id/279774/" );
 script_set_attribute(attribute:"solution", value:
"Apply the patch or upgrade to a newer version when available.

Note that for ARCServe 11.1, patch QO70767 (not working) has been
replaced by patch QO71010." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'CA BrightStor Agent for Microsoft SQL Overflow');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

 script_set_attribute(attribute:"plugin_publication_date", value: "2005/08/05");
 script_set_attribute(attribute:"vuln_publication_date", value: "2005/08/02");
 script_cvs_date("Date: 2018/11/15 20:50:26");
 script_set_attribute(attribute:"patch_publication_date", value: "2005/09/02");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

 script_summary(english:"Check buffer overflow in BrightStor ARCServe MSSQL Agent");
 script_category(ACT_GATHER_INFO);
 script_family(english:"Windows");
 script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
 script_dependencies("arcserve_mssql_agent_detect.nasl");
 script_require_keys("ARCSERVE/MSSQLAgent");
 script_require_ports (6070);
 exit(0);
}

if (!get_kb_item ("ARCSERVE/MSSQLAgent")) exit (0);

port = 6070;
if ( ! get_port_state(port) ) exit(0);
soc = open_sock_tcp (port);
if (!soc) exit(0);

req = "[LUHISL" + crap(data:"A", length:18) + crap (data:"B", length:669) + raw_string (0x01, 0x06) + crap (data:"C", length:0x106) + crap (data:"D", length:0x106);

send (socket:soc, data:req);
buf = recv(socket:soc, length:1000);

if (strlen(buf) > 8)
{
 val = raw_string (0x00,0x00,0x04,0x1b,0x00,0x00,0x00,0x00);

 header = substr(buf,0,7);
 if (val >< header)
   security_hole(port);
}

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/83109/sql_agent.rb.txt
idPACKETSTORM:83109
last seen2016-12-05
published2009-11-26
reporterH D Moore
sourcehttps://packetstormsecurity.com/files/83109/CA-BrightStor-Agent-for-Microsoft-SQL-Overflow.html
titleCA BrightStor Agent for Microsoft SQL Overflow

Saint

bid14453
descriptionBrightStor ARCserve Backup agent for MS-SQL buffer overflow
idmisc_arcservesql
osvdb18501
titlebrightstor_arcserve_mssql_agent
typeremote

References