Vulnerabilities > CVE-2007-2139

CVSS 10.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

low complexity

broadcom

critical

nessus

exploit available

metasploit

NVD

Published: 2007-04-25

Updated: 2021-04-09

Summary

Multiple stack-based buffer overflows in the SUN RPC service in CA (formerly Computer Associates) BrightStor ARCserve Media Server, as used in BrightStor ARCserve Backup 9.01 through 11.5 SP2, BrightStor Enterprise Backup 10.5, Server Protection Suite 2, and Business Protection Suite 2, allow remote attackers to execute arbitrary code via malformed RPC strings, a different vulnerability than CVE-2006-5171, CVE-2006-5172, and CVE-2007-1785.

Vulnerable Configurations

Part	Description	Count
Application	Broadcom Broadcom Brightstor Arcserve Backup 9.01 Broadcom Brightstor Arcserve Backup 11.1 Broadcom Brightstor Arcserve Backup 11.5 Broadcom Business Protection Suite 2.0 Broadcom Server Protection Suite 2	5
Application	Ca CA Brightstor Arcserve Backup 11 CA Business Protection Suite 2.0	3

Exploit-Db

description	CA BrightStor ArcServe Media Service Stack Buffer Overflow. CVE-2007-2139. Remote exploit for windows platform
id	EDB-ID:16413
last seen	2016-02-01
modified	2010-06-22
published	2010-06-22
reporter	metasploit
source	https://www.exploit-db.com/download/16413/
title	CA BrightStor ArcServe Media Service Stack Buffer Overflow

Metasploit

description	This exploit targets a stack buffer overflow in the MediaSrv RPC service of CA BrightStor ARCserve. By sending a specially crafted SUNRPC request, an attacker can overflow a stack buffer and execute arbitrary code.
id	MSF:EXPLOIT/WINDOWS/BRIGHTSTOR/MEDIASRV_SUNRPC
last seen	2020-06-13
modified	2017-09-09
published	2007-05-03
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2139
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/brightstor/mediasrv_sunrpc.rb
title	CA BrightStor ArcServe Media Service Stack Buffer Overflow

Nessus

NASL family	Windows
NASL id	ARCSERVE_QO87569.NASL
description	According to its version, the installation of BrightStor ARCserve Backup on the remote host is affected by multiple vulnerabilities in the Mediasrv RPC service. First, the service does not properly sanitize a string given as an argument to different RPC functions prior to calling the function strncpy. By sending a specially crafted packet it is possible to overflow a stack buffer. The second vulnerability involves the handler given as an argument for most RPC functions. The service does the check that the handler is valid. By sending a specially crafted handler to those functions, it is possible to redirect the execution flow. An unauthenticated, remote attacker may be able to leverage these issues to crash or disable the service or to execute arbitrary code on the affected host with SYSTEM privileges.
last seen	2020-06-01
modified	2020-06-02
plugin id	25086
published	2007-04-25
reporter	This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/25086
title	CA BrightStor ARCserve Backup Multiple Vulnerabilities (QO87569)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(25086); script_version("1.17"); script_cvs_date("Date: 2018/11/15 20:50:26"); script_cve_id("CVE-2007-1785", "CVE-2007-2139"); script_bugtraq_id(23209, 23635); script_xref(name:"TRA", value:"TRA-2007-02"); script_name(english:"CA BrightStor ARCserve Backup Multiple Vulnerabilities (QO87569)"); script_summary(english:"Checks version of BrightStor ARCserve Backup"); script_set_attribute(attribute:"synopsis", value: "The remote software is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its version, the installation of BrightStor ARCserve Backup on the remote host is affected by multiple vulnerabilities in the Mediasrv RPC service. First, the service does not properly sanitize a string given as an argument to different RPC functions prior to calling the function strncpy. By sending a specially crafted packet it is possible to overflow a stack buffer. The second vulnerability involves the handler given as an argument for most RPC functions. The service does the check that the handler is valid. By sending a specially crafted handler to those functions, it is possible to redirect the execution flow. An unauthenticated, remote attacker may be able to leverage these issues to crash or disable the service or to execute arbitrary code on the affected host with SYSTEM privileges."); script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2007-02"); script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9c6c1e90"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-07-022/"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch as described in the vendor advisory referenced above."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'CA BrightStor ArcServe Media Service Stack Buffer Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"plugin_publication_date", value:"2007/04/25"); script_set_attribute(attribute:"patch_publication_date", value:"2007/04/24"); script_set_attribute(attribute:"vuln_publication_date", value:"2007/03/30"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:ca:arcserve_backup"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc."); script_dependencies("arcserve_discovery_service_detect.nasl"); script_require_keys("ARCSERVE/Discovery/Version"); exit(0); } ver = get_kb_item("ARCSERVE/Discovery/Version"); if (isnull(ver)) exit(0); port = get_kb_item("Services/udp/casdscsvc"); if (!port) exit(0); matches = eregmatch(string:ver, pattern:"^[a-z]([0-9]+\.[0-9]+) $build ([0-9]+)$$"); if (!isnull(matches)) { ver = matches[1]; build = int(matches[2]); if ( (ver == "11.5" && build < 4403 && build > 4400) \|\| (ver == "11.5" && build < 4238) \|\| (ver == "11.1" && build < 3209) \|\| (ver == "11.0") \|\| (ver == "10.5" && build < 2688) \|\| (ver == "9.0" && build < 2206) ) security_hole(port:port, proto:"udp"); }

Packetstorm

data source	https://packetstormsecurity.com/files/download/82968/mediasrv_sunrpc.rb.txt
id	PACKETSTORM:82968
last seen	2016-12-05
published	2009-11-26
reporter	toto
source	https://packetstormsecurity.com/files/82968/CA-BrightStor-ArcServe-Media-Service-Stack-Overflow.html
title	CA BrightStor ArcServe Media Service Stack Overflow

Saint

bid	23635
description	BrightStor ARCserve Media Server SUN RPC buffer overflow
id	misc_arcserve240
osvdb	34127
title	brightstor_arcserve_mediasvr_sunrpc
type	remote

Vulnerabilities > CVE-2007-2139 {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Vulnerabilities","item":"https://cyber.vumetric.com/vulns/"},{"@type":"ListItem","position":2,"name":"CVE-2007-2139"}]}

Summary

Vulnerable Configurations

Exploit-Db

Metasploit

Nessus

Packetstorm

Saint

References

Vulnerabilities > CVE-2007-2139