This Metasploit module exploits one of the multiple stack overflows in Computer Associates BrightStor HSM. By sending a specially crafted request, an attacker could overflow the buffer and execute arbitrary code.
9a58580be50ae83d8abe4291da2f01e0926f2a74a9a75141d8cddacb4902b2b7Vulnerabilities allow a remote attacker to execute arbitrary code on vulnerable installations of Computer Associates' BrightStor Hierarchical Storage Manager. Authentication is not required to exploit these vulnerabilities. The specific flaws exist in the CsAgent service that listens by default on TCP port 2000. An opcode parsing switch statement multiplexes data funneling across various vulnerable routines. A user-supplied DWORD size value is assumed by the vulnerable agent to contain the correct length of the subsequent data and is passed directly to memory allocation routines. At least 26 out of the available 68 opcodes are vulnerable to various overflows that allow for remote code execution due to insecure data copy operations.
3457978b8f8c68481ae65e55db2ff816e41e17c2211acf382c4370439807d789iDefense Security Advisory 09.27.07 - Remote exploitation of multiple buffer overflow vulnerabilities in Computer Associates International Inc.'s (CA) BrightStor HSM allows attackers to execute arbitrary code with SYSTEM privileges. These problems specifically exist within various command handlers in the CsAgent service. There are eleven command handlers that contain one or more stack based buffer overflow vulnerabilities each. All of these vulnerabilities are simple sprintf() calls that overflow fixed size stack buffers with attacker supplied data. Additionally, there are five command handlers that are vulnerable to integer overflow vulnerabilities. In addition to this, the function responsible for reading in and dispatching a request to the appropriate handler also contains an integer overflow vulnerability. iDefense has confirmed the existence of these vulnerabilities in Computer Associates BrightStor HSM version r11.5. Previous versions may also be affected.
3d9fe570146e0a06df94ce7623638630d7d96e1cc82bd6f5fff193c4ce9c5e51Multiple vulnerabilities exist in the CsAgent service that can allow a remote attacker to execute arbitrary code or cause a denial of service condition. The first set of vulnerabilities, CVE-2007-5082, occur due to insufficient bounds checking in multiple CsAgent service commands. The second set of vulnerabilities, CVE-2007-5083, occur due to insufficient validation of integer values in multiple CsAgent service commands, which can lead to buffer overflow. The third set of vulnerabilities, CVE-2007-5084, occur due to insufficient validation of strings used in SQL statements in multiple CsAgent service commands.
363a6e7d492038cdb02283292599822fec694fd384becbbaf92e0cbd416cee51
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed