CVE-2006-5143

CA Multiple Product Message Engine RPC Server Code Execution Vulnerability

Severity Score

7.5

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Multiple buffer overflows in CA BrightStor ARCserve Backup r11.5 SP1 and earlier, r11.1, and 9.01; BrightStor ARCserve Backup for Windows r11; BrightStor Enterprise Backup 10.5; Server Protection Suite r2; and Business Protection Suite r2 allow remote attackers to execute arbitrary code via crafted data on TCP port 6071 to the Backup Agent RPC Server (DBASVR.exe) using the RPC routines with opcode (1) 0x01, (2) 0x02, or (3) 0x18; invalid stub data on TCP port 6503 to the RPC routines with opcode (4) 0x2b or (5) 0x2d in ASCORE.dll in the Message Engine RPC Server (msgeng.exe); (6) a long hostname on TCP port 41523 to ASBRDCST.DLL in the Discovery Service (casdscsvc.exe); or unspecified vectors related to the (7) Job Engine Service.

Múltiples desbordamientos de búfer basado en montón en CA BrightStor ARCserve Backup r11.5 SP1 y anteriores, r11.1, y 9.01; BrightStor ARCServe Backup for Windows r11; BrightStor Enterprise Backup 10.5; Server Protection Suite r2; y Buisiness Protection Suite r2 permiten a un atacante remoto ejecutar código de su elección mediante datos manipulados en el puerto TCP 6071 para el Backup Agent RPC Server (DBASVR.exe) utilizando rutinas RPC con códigos de operación (opcode) (1) 0x01, (2) 0x02, y (3) 0x18; datos de cabo (stub) inválidos en el puerto TCP 6503 para las rutinas RPC con códigos de operación (4)0x2b o (5) 0x2d en ASCORE.dll en el Message Engine RPC Server (msgeng.exe); (6) un nombre de anfitrión (hostname ) largo en el puerto TCP 41523 para ASBRDCST.DLL en el Discovery Service (casdscsvc.exe); o vectores no especificados relacionados con el (7) Job Engine Service.

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Computer Associates BrightStor ARCserve Backup, Enterprise Backup, Server Protection Suite and Business Protection Suite. Authentication is not required to exploit this vulnerability.
The problem specifically exists within ASCORE.dll, a DLL used by the Message Engine RPC server. This service exposes a heap overflow vulnerability through RPC opcode 43 (0x2b) and a stack overflow vulnerability through RPC opcode 45 (0x2d) on TCP port 6503 endpoint with ID dc246bf0-7a7a-11ce-9f88-00805fe43838. The flaws are exposed when passing long strings as the second parameter to either opcode.

*Credits: livesploit.com

CVSS Scores

NISTv2 7.5

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2006-10-02 CVE Reserved
2006-10-05 CVE Published
2006-10-05 First Exploit
2024-08-07 CVE Updated
2024-08-26 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CAPEC

References (31)

URL	Tag	Source
http://securitytracker.com/id?1017003	Vdb Entry
http://securitytracker.com/id?1017004	Vdb Entry
http://securitytracker.com/id?1017005	Vdb Entry
http://securitytracker.com/id?1017006	Vdb Entry
http://www.kb.cert.org/vuls/id/361792	Third Party Advisory
http://www.kb.cert.org/vuls/id/860048	Third Party Advisory
http://www.lssec.com/advisories/LS-20060220.pdf	X_refsource_misc
http://www.lssec.com/advisories/LS-20060313.pdf	X_refsource_misc
http://www.lssec.com/advisories/LS-20060330.pdf	X_refsource_misc
http://www.securityfocus.com/archive/1/447839/100/100/threaded	Mailing List
http://www.securityfocus.com/archive/1/447847/100/200/threaded	Mailing List
http://www.securityfocus.com/archive/1/447848/100/100/threaded	Mailing List
http://www.securityfocus.com/archive/1/447862/100/100/threaded	Mailing List
http://www.securityfocus.com/archive/1/447926/100/200/threaded	Mailing List
http://www.securityfocus.com/archive/1/447927/100/200/threaded	Mailing List
http://www.securityfocus.com/archive/1/447930/100/200/threaded	Mailing List
http://www.securityfocus.com/bid/20365	Vdb Entry
http://www3.ca.com/securityadvisor/blogs/posting.aspx?pid=93775&id=90744	X_refsource_confirm
http://www3.ca.com/securityadvisor/blogs/posting.aspx?pid=94397&id=90744	X_refsource_confirm
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34693	X_refsource_confirm
https://exchange.xforce.ibmcloud.com/vulnerabilities/29364	Vdb Entry

URL	Date	SRC
https://www.exploit-db.com/exploits/3495	2007-03-16
https://www.exploit-db.com/exploits/16401	2010-04-30
https://www.exploit-db.com/exploits/28765	2006-10-05
https://www.exploit-db.com/exploits/28766	2006-10-05

URL	Date	SRC
http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp	2021-04-09
http://www.tippingpoint.com/security/advisories/TSRT-06-11.html	2021-04-09
http://www.zerodayinitiative.com/advisories/ZDI-06-030.html	2021-04-09

URL	Date	SRC
http://secunia.com/advisories/22285	2021-04-09
http://www.vupen.com/english/advisories/2006/3930	2021-04-09
http://www.zerodayinitiative.com/advisories/ZDI-06-031.html	2021-04-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Broadcom Search vendor "Broadcom"		Brightstor Arcserve Backup Search vendor "Broadcom" for product "Brightstor Arcserve Backup"				<= 11.5 Search vendor "Broadcom" for product "Brightstor Arcserve Backup" and version " <= 11.5"		sp1		Affected
Broadcom Search vendor "Broadcom"		Brightstor Arcserve Backup Search vendor "Broadcom" for product "Brightstor Arcserve Backup"				9.01 Search vendor "Broadcom" for product "Brightstor Arcserve Backup" and version "9.01"		-		Affected
Broadcom Search vendor "Broadcom"		Brightstor Arcserve Backup Search vendor "Broadcom" for product "Brightstor Arcserve Backup"				11.1 Search vendor "Broadcom" for product "Brightstor Arcserve Backup" and version "11.1"		-		Affected
Broadcom Search vendor "Broadcom"		Brightstor Enterprise Backup Search vendor "Broadcom" for product "Brightstor Enterprise Backup"				10.5 Search vendor "Broadcom" for product "Brightstor Enterprise Backup" and version "10.5"		-		Affected
Broadcom Search vendor "Broadcom"		Business Protection Suite Search vendor "Broadcom" for product "Business Protection Suite"				2.0 Search vendor "Broadcom" for product "Business Protection Suite" and version "2.0"		-		Affected
Broadcom Search vendor "Broadcom"		Server Protection Suite Search vendor "Broadcom" for product "Server Protection Suite"				2 Search vendor "Broadcom" for product "Server Protection Suite" and version "2"		-		Affected
Ca Search vendor "Ca"		Brightstor Arcserve Backup Search vendor "Ca" for product "Brightstor Arcserve Backup"				11 Search vendor "Ca" for product "Brightstor Arcserve Backup" and version "11"		windows		Affected