Vulnerabilities > CVE-2008-2541 - Buffer Errors vulnerability in CA Etrust Secure Content Manager 8.0

CVSS 10.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

low complexity

CWE-119

critical

nessus

NVD

Published: 2008-06-04

Updated: 2018-10-11

Summary

Multiple stack-based buffer overflows in the HTTP Gateway Service (icihttp.exe) in CA eTrust Secure Content Manager 8.0 allow remote attackers to execute arbitrary code or cause a denial of service via long FTP responses, related to (1) the file month field in a LIST command; (2) the PASV command; and (3) directories, files, and links in a LIST command.

Vulnerable Configurations

Part	Description	Count
Application	Ca CA Etrust Secure Content Manager 8.0	1

Common Weakness Enumeration (CWE)

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Common Attack Pattern Enumeration and Classification (CAPEC)

Buffer Overflow via Environment Variables
This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
Overflow Buffers
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
Client-side Injection-induced Buffer Overflow
This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
Filter Failure through Buffer Overflow
In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
MIME Conversion
An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

NASL family	Windows
NASL id	CA_SCM_ICIHTTP_FTP_VULNS.NASL
description	The remote host is running Computer Associates
last seen	2020-06-01
modified	2020-06-02
plugin id	33108
published	2008-06-09
reporter	This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/33108
title	CA Secure Content Manager HTTP Gateway Service FTP Vulnerabilities
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(33108); script_version("1.12"); script_cvs_date("Date: 2018/11/15 20:50:26"); script_cve_id("CVE-2008-2541"); script_bugtraq_id(29528); script_xref(name:"Secunia", value:"30518"); script_name(english:"CA Secure Content Manager HTTP Gateway Service FTP Vulnerabilities"); script_summary(english:"Checks registry for SCM's PatchID key"); script_set_attribute(attribute:"synopsis", value: "A remote Windows host contains a program that is affected by multiple buffer overflow vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote host is running Computer Associates' Secure Content Manager, a gateway product for filtering messaging and web traffic. The HTTP Gateway component ('icihttp.exe') of the version of Secure Content Manager installed on the remote host does not sufficiently check responses to FTP 'LIST' and 'PASV' commands before copying them into a stack buffer. An unauthenticated, remote attacker can leverage these issues to crash the affected service or to execute arbitrary code on the affected host with SYSTEM privileges."); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-08-035/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-08-036/" ); script_set_attribute(attribute:"see_also", value:"http://dvlabs.tippingpoint.com/advisory/TPTI-08-05" ); script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2008/Jun/39" ); script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2008/Jun/40" ); script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2008/Jun/46" ); script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?28aa23fd" ); script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/493124/30/0/threaded" ); script_set_attribute(attribute:"solution", value:"Apply the QO99987 patch referenced in the CA advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(119); script_set_attribute(attribute:"plugin_publication_date", value:"2008/06/09"); script_set_attribute(attribute:"plugin_type", value:"local"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl"); script_require_keys("SMB/Registry/Enumerated"); script_require_ports(139, 445); exit(0); } include("global_settings.inc"); include("smb_func.inc"); include("audit.inc"); if (!get_kb_item("SMB/Registry/Enumerated")) exit(0); # Connect to the appropriate share. name = kb_smb_name(); port = kb_smb_transport(); login = kb_smb_login(); pass = kb_smb_password(); domain = kb_smb_domain(); if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init'); rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$"); if (rc != 1) { NetUseDel(); exit(0); } # Connect to remote registry. hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE); if (isnull(hklm)) { NetUseDel(); exit(0); } # Determine if SCM r8 is installed and identify which patches have been applied. base_key = "SOFTWARE\ComputerAssociates\eTrust\SCM\8.0"; path = NULL; patches = NULL; key = base_key + "\Directories"; key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED); if (!isnull(key_h)) { value = RegQueryValue(handle:key_h, item:"InstallRoot"); if (!isnull(value)) { path = value[1]; path = ereg_replace(pattern:"^(.+)\\$", replace:"\1", string:path); } RegCloseKey(handle:key_h); } if (!isnull(path)) { key = base_key + "\Hidden"; key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED); if (!isnull(key_h)) { value = RegQueryValue(handle:key_h, item:"PatchID"); if (!isnull(value)) patches = value[1]; RegCloseKey(handle:key_h); } } RegCloseKey(handle:hklm); if (isnull(path)) { NetUseDel(); exit(0); } # There's a problem if there are no patches or "80VULNHOTFIX" is not one of them. if (strlen(patches) == 0 \|\| "\|80VULNHOTFIX\|" >!< patches) { if (report_verbosity) { if ("\|" >< patches) { if (patches[0] == "\|") patches = substr(patches, 1); if (patches[strlen(patches)-1] == "\|") patches = substr(patches, 0, strlen(patches)-2); patches = str_replace(find:"\|", replace:", ", string:patches); } else if (strlen(patches) == 0) patches = "none"; report = string( "\n", "Nessus collected the following information about the installation of CA\n", "Secure Content Manager r8 on the remote host :\n", "\n", " Path : ", path, "\n", " Patch(es) : ", patches, "\n" ); security_hole(port:port, extra:report); } else security_hole(port); }

Seebug

bulletinFamily	exploit
description	BUGTRAQ ID: 29528 CVE(CAN) ID: CVE-2008-2541 eTrust Secure Content Manager（eTrust SCM）是独立、统一的网关解决方案，能够帮助企业从中央管理控制台防范资料窃密以及网络和信息传递威胁。 eTrust SCM运行在8080端口上的HTTP网关服务（icihttp.exe）中存在多个栈溢出漏洞。如果用户发布了FTP服务请求，进程会试图修饰事件处理的内容，在这种情况下如果指定了超长的LIST或PASV命令响应，就会触发栈溢出，导致以SYSTEM权限执行任意指令。 Computer Associates eTrust Secure Content Manager r8 Computer Associates ------------------- 目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： <a href=https://support.ca.com/irj/portal/anonymous/SolutionResults?aparNo=QO99987&os=NT&actionID=3 target=_blank>https://support.ca.com/irj/portal/anonymous/SolutionResults?aparNo=QO99987&os=NT&actionID=3</a>
id	SSV:3388
last seen	2017-11-19
modified	2008-06-06
published	2008-06-06
reporter	Root
title	CA eTrust Secure Content Manager多个栈溢出漏洞

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

Seebug

References