Vulnerabilities > CVE-2006-6076

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
broadcom
ca
critical
nessus
exploit available
metasploit

Summary

Buffer overflow in the Tape Engine (tapeeng.exe) in CA (formerly Computer Associates) BrightStor ARCserve Backup 11.5 and earlier allows remote attackers to execute arbitrary code via certain RPC requests to TCP port 6502. A denial-of-service condition may also result from exploit attempts.

Exploit-Db

descriptionCA BrightStor ARCserve Tape Engine Buffer Overflow. CVE-2006-6076. Remote exploit for windows platform
idEDB-ID:16407
last seen2016-02-01
modified2010-05-09
published2010-05-09
reportermetasploit
sourcehttps://www.exploit-db.com/download/16407/
titleCA BrightStor ARCserve Tape Engine Buffer Overflow

Metasploit

descriptionThis module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup r11.1 - r11.5. By sending a specially crafted DCERPC request, an attacker could overflow the buffer and execute arbitrary code.
idMSF:EXPLOIT/WINDOWS/BRIGHTSTOR/TAPE_ENGINE
last seen2020-02-29
modified2017-11-08
published2007-01-18
referenceshttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6076
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/brightstor/tape_engine.rb
titleCA BrightStor ARCserve Tape Engine Buffer Overflow

Nessus

  • NASL familyWindows
    NASL idARCSERVE_QO86255.NASL
    descriptionAccording to its version, the installation of BrightStor ARCserve Backup on the remote host is affected by multiple buffer overflows involving the application
    last seen2020-06-01
    modified2020-06-02
    plugin id24816
    published2007-03-16
    reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24816
    titleCA BrightStor ARCserve Backup Tape Engine and Portmapper Multiple Vulnerabilities (QO86255)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(24816);
      script_version("1.20");
      script_cvs_date("Date: 2018/11/15 20:50:26");
    
      script_cve_id("CVE-2006-6076", "CVE-2007-0816", "CVE-2007-1447", "CVE-2007-1448");
      script_bugtraq_id(21221, 22365, 22994);
    
      script_name(english:"CA BrightStor ARCserve Backup Tape Engine and Portmapper Multiple Vulnerabilities (QO86255)");
      script_summary(english:"Checks version of BrightStor ARCserve Backup");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote software is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its version, the installation of BrightStor ARCserve
    Backup on the remote host is affected by multiple buffer overflows
    involving the application's Tape Engine and portmapper services.  An
    unauthenticated, remote attacker may be able to leverage these issues
    to crash or disable the services or to execute arbitrary code on the
    affected host with SYSTEM privileges.");
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?deaadc11");
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2007/Mar/265");
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?deaadc11");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch as described in the vendor advisory
    referenced above.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'CA BrightStor ARCserve Tape Engine Buffer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/03/16");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/21");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:ca:arcserve_backup");
      script_end_attributes();
     
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
      script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
    
      script_dependencies("arcserve_discovery_service_detect.nasl");
      script_require_keys("ARCSERVE/Discovery/Version");
    
      exit(0);
    }
    
    
    ver = get_kb_item("ARCSERVE/Discovery/Version");
    if (isnull(ver)) exit(0);
    
    
    port = get_kb_item("Services/udp/casdscsvc");
    if (!port) exit(0);
    
    
    matches = eregmatch(string:ver, pattern:"^[a-z]([0-9]+\.[0-9]+) \(build ([0-9]+)\)$");
    if (!isnull(matches))
    {
      ver = matches[1];
      build = int(matches[2]);
    
      if (
        (ver == "11.5" && build < 4237) ||
        (ver == "11.1" && build < 3208) ||
        # nb: QI82917 says there's no patch for 11.0; the solution is to 
        #     upgrade to 11.1 and then apply QO86258.
        (ver == "11.0") ||
        # nb: QO86259 doesn't exist.
        (ver == "10.5") ||
        (ver == "9.0" && build < 2205)
      ) security_hole(port:port, proto:"udp");
    }
    
  • NASL familyWindows
    NASL idARCSERVE_TAPEENGINE_MULTIPLE.NASL
    descriptionThis host is running BrightStor ARCServe for Windows. The remote version of this software has multiple buffer overflow vulnerabilities in the Tape Engine MSRPC service. An attacker, by sending a specially crafted packet, may be able to crash the affected service or execute code on the remote host.
    last seen2020-06-01
    modified2020-06-02
    plugin id24013
    published2007-01-12
    reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24013
    titleCA BrightStor ARCserve Backup Tape Engine Multiple Remote Overflows (QO84983)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # BAB r11.5 - QO84983
    # BAB r11.1 - QO84984
    # BAB r11.0 - QI82917
    # BEB r10.5 - QO84986
    # BAB v9.01 - QO84985
    
    
    include("compat.inc");
    
    if (description)
    {
     script_id(24013);
     script_version("1.21");
     script_cvs_date("Date: 2018/11/15 20:50:26");
    
     script_cve_id("CVE-2006-6076", "CVE-2007-0168", "CVE-2007-0169");
     script_bugtraq_id(21221, 22006, 22010);
    
     script_name(english:"CA BrightStor ARCserve Backup Tape Engine Multiple Remote Overflows (QO84983)");
     script_summary(english:"Check buffer overflow in BrightStor ARCServe for Windows");
    
     script_set_attribute(attribute:"synopsis", value:
    "Arbitrary code can be executed on the remote host.");
     script_set_attribute(attribute:"description", value:
    "This host is running BrightStor ARCServe for Windows.
    
    The remote version of this software has multiple buffer overflow
    vulnerabilities in the Tape Engine MSRPC service. 
    
    An attacker, by sending a specially crafted packet, may be able to
    crash the affected service or execute code on the remote host.");
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?543ab108");
     script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/452222/30/0/threaded");
     script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-07-002/");
     script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-07-004/");
     # https://web.archive.org/web/20070117230030/http://supportconnectw.ca.com/public/storage/infodocs/babimpsec-notice.asp
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9fda01ee");
     script_set_attribute(attribute:"solution", value:"Apply security patch QO84983.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"exploit_framework_core", value:"true");
     script_set_attribute(attribute:"metasploit_name", value:'CA BrightStor ARCserve Message Engine Buffer Overflow');
     script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
     script_set_attribute(attribute:"plugin_publication_date", value:"2007/01/12");
     script_set_attribute(attribute:"patch_publication_date", value:"2007/01/11");
     script_set_attribute(attribute:"vuln_publication_date", value:"2006/10/07");
    
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:ca:arcserve_backup");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_family(english:"Windows");
     script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
    
     script_require_ports(6502);
     exit(0);
    }
    
    
    include ('smb_func.inc');
    
    function RPC_Bind ()
    {
     local_var ret, resp, soc;
    
     soc = session_get_socket ();
    
     ret = dce_rpc_bind(cid:session_get_cid(), uuid:"62b93df0-8b02-11ce-876c-00805f842837", vers:1);
     send (socket:soc, data:ret);
     resp = recv (socket:soc, length:4096);
    
     if (!resp)
       return -1;
    
     ret = dce_rpc_parse_bind_ack (data:resp);
     if (isnull (ret) || (ret != 0))
       return -1;
    
     return 0;
    }
    
    
    function RPCNewFSDevice ()
    {
     local_var data, ret, resp, val, soc;
    
     soc = session_get_socket ();
    
     session_set_unicode (unicode:0);
    
     data = 
    	raw_dword (d:1) +
    	class_name (name:crap(data:"A", length:0x10)) ;
    
     session_set_unicode (unicode:1);
    
     ret = dce_rpc_request (code:0xCF, data:data);
     send (socket:soc, data:ret);
     resp = recv (socket:soc, length:4096);
    
     resp = dce_rpc_parse_response (data:resp);
     if (strlen(resp) != 4)
       return 0;
    
     # patch -> if (strlen(s) > 8) return 0x1d
     val = get_dword (blob:resp, pos:0);
     if (val != 0x1d)
       return 1;
    
     return 0;
    }
    
    
    
    port = 6502;
    if ( ! get_port_state(port) ) exit(0);
    soc = open_sock_tcp (port);
    if (!soc) exit (0);
    
    session_init (socket:soc);
    
    ret = RPC_Bind ();
    if (ret != 0)
      exit (0);
    
    ret = RPCNewFSDevice ();
    if (ret != 0)
      security_hole(port);
    
    close (soc);
    
  • NASL familyWindows
    NASL idARCSERVE_QO84983.NASL
    descriptionAccording to its version, the installation of BrightStor ARCserve Backup on the remote host is affected by multiple buffer overflows that can be exploited by an unauthenticated, remote attacker to execute arbitrary code on the affected host with SYSTEM privileges.
    last seen2020-06-01
    modified2020-06-02
    plugin id24015
    published2007-01-15
    reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24015
    titleCA BrightStor ARCserve Backup Multiple Vulnerabilities (QO84983)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(24015);
      script_version("1.24");
      script_cvs_date("Date: 2018/11/15 20:50:26");
    
      script_cve_id("CVE-2006-5171","CVE-2006-5172","CVE-2006-6076","CVE-2006-6917","CVE-2007-0168","CVE-2007-0169");
      script_bugtraq_id(21221, 22005, 22006, 22010, 22015, 22016);
    
      script_name(english:"CA BrightStor ARCserve Backup Multiple Vulnerabilities (QO84983)");
      script_summary(english:"Checks version of BrightStor ARCserve Backup");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote software is affected by multiple vulnerabilities." );
      script_set_attribute(attribute:"description", value:
    "According to its version, the installation of BrightStor ARCserve
    Backup on the remote host is affected by multiple buffer overflows
    that can be exploited by an unauthenticated, remote attacker to execute
    arbitrary code on the affected host with SYSTEM privileges." );
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e175e643" );
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?543ab108" );
      script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/456711/30/0/threaded" );
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?25216527" );
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch as described in the vendor advisory." );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'CA BrightStor ARCserve Message Engine Buffer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/01/15");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/21");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:ca:arcserve_backup");
      script_end_attributes();
     
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
      script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
    
      script_dependencies("arcserve_discovery_service_detect.nasl");
      script_require_keys("ARCSERVE/Discovery/Version");
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("misc_func.inc");
    
    
    ver = get_kb_item("ARCSERVE/Discovery/Version");
    if (isnull(ver)) exit(0);
    
    
    matches = eregmatch(string:ver, pattern:"^[a-z]([0-9]+\.[0-9]+) \(build ([0-9]+)\)$");
    if (!isnull(matches))
    {
      ver = matches[1];
      build = int(matches[2]);
    
      if (
        (ver == "11.5" && build < 4235) ||
        (ver == "11.1" && build < 3207) ||
        # nb: QI82917 says there's no patch for 11.0; the solution is to 
        #     upgrade to 11.1 and then apply QO84984.
        (ver == "11.0") ||
        # nb: QO84986 doesn't exist.
        (ver == "10.5") ||
        (ver == "9.0" && build < 2204)
      )
      {
        # Issue a report for each open TCP port.
        tcp_ports = make_list(
          111,                             # Mediasvr service
          6502,                            # Tape Engine
          6503,                            # Message Engine
          6504                             # Message Engine
        );
        foreach port (tcp_ports)
        {
          # Make sure the port is open.
          if (get_port_state(port) && service_is_unknown(port:port))
          {
            soc = open_sock_tcp(port);
            if (soc)
            {
              close(soc);
              security_hole(port);
            }
          }
        }
        udp_ports = make_list(
          111                              # Mediasvr service
        );
        foreach port (udp_ports)
        {
          security_hole(port:port, proto:"udp");
        }
      }
    }
    

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/83214/tape_engine.rb.txt
idPACKETSTORM:83214
last seen2016-12-05
published2009-11-26
reporterpatrick
sourcehttps://packetstormsecurity.com/files/83214/CA-BrightStor-ARCserve-Tape-Engine-Buffer-Overflow.html
titleCA BrightStor ARCserve Tape Engine Buffer Overflow

Saint

  • bid21221
    descriptionBrightStor ARCserve Backup Tape Engine GetGroupStatus buffer overflow
    idmisc_arcservetape
    osvdb30637
    titlebrightstor_arcserve_tape_getgroupstatus
    typeremote
  • bid21221
    descriptionBrightStor ARCserve Backup Tape Engine ReserveGroup buffer overflow
    idmisc_arcservetape
    osvdb30637
    titlebrightstor_arcserve_tape_reservegroup
    typeremote