CVE-2013-0946

EMC AlphaStor Library Manager 0x4f Command Remote Code Execution Vulnerability

Severity Score

9.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Buffer overflow in the Library Control Program (LCP) in EMC AlphaStor 4.0 before build 910 allows remote attackers to execute arbitrary code via crafted commands.

Desbordamiento de búfer en el Library Control Program (LCP) en EMC AlphaStor v4.0 anterior al build 910 permite a atacantes remotos ejecutar código arbitrario mediante comandos especialmente diseñados.

This vulnerability potentially allows remote attackers to execute arbitrary code on vulnerable installations of EMC AlphaStor for EMC Networker. Authentication is not required to exploit this vulnerability.
The specific flaw exists within Library Manager (robotd.exe) which listens by default on port 3500. When parsing the 0x4f command, the process copies an arbitrary user supplied string into fixed sized buffers. An attacker could leverage this vulnerability into remote execution of arbitrary code as SYSTEM.
Vendor patched May 2013, but did not notify the ZDI. As a result this advisory is posted late.

A buffer overflow vulnerability exists in EMC AlphaStor that could potentially be exploited by a malicious user to create a denial of service condition or execute arbitrary code.

*Credits: Aniway.Anyway@gmail.com

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2013-01-09 CVE Reserved
2013-05-09 CVE Published
2017-09-14 First Exploit
2024-08-06 CVE Updated
2025-06-12 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CAPEC

References (4)

URL	Tag	Source
http://archives.neohapsis.com/archives/bugtraq/2013-05/0035.html	Mailing List
http://www.securityfocus.com/bid/59794	Vdb Entry

URL	Date	SRC
https://packetstorm.news/files/id/144156	2017-09-14
https://www.exploit-db.com/exploits/42719	2024-08-06

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Emc Search vendor "Emc"		Alphastor Search vendor "Emc" for product "Alphastor"				4.0 Search vendor "Emc" for product "Alphastor" and version "4.0"		-		Affected