CVE-2007-6016 : Multiple stack-based buffer overflows in the PVATLCalendar.PVCalendar.1 ActiveX control in pvcalendar.ocx in the schedul

Multiple stack-based buffer overflows in the PVATLCalendar.PVCalendar.1 ActiveX control in pvcalendar.ocx in the scheduler component in the Media Server in Symantec Backup Exec for Windows Server (BEWS) 11d 11.0.6235 and 11.0.7170, and 12.0 12.0.1364, allow remote attackers to execute arbitrary code via a long (1) _DOWText0, (2) _DOWText1, (3) _DOWText2, (4) _DOWText3, (5) _DOWText4, (6) _DOWText5, (7) _DOWText6, (8) _MonthText0, (9) _MonthText1, (10) _MonthText2, (11) _MonthText3, (12) _MonthText4, (13) _MonthText5, (14) _MonthText6, (15) _MonthText7, (16) _MonthText8, (17) _MonthText9, (18) _MonthText10, or (19) _MonthText11 property value when executing the Save method. NOTE: the vendor states "Authenticated user involvement required," but authentication is not needed to attack a client machine that loads this control.

Published 2008-02-29 19:44:00

Updated 2017-09-29 01:29:47

Source Flexera Software LLC

View at NVD, CVE.org

Vulnerability category: OverflowExecute code

Exploit prediction scoring system (EPSS) score for CVE-2007-6016

Probability of exploitation activity in the next 30 days: 95.79%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 99 % EPSS Score History EPSS FAQ

Metasploit modules for CVE-2007-6016

Symantec BackupExec Calendar Control Buffer Overflow

Disclosure Date: 2008-02-28

First seen: 2020-04-26

exploit/windows/browser/symantec_backupexec_pvcalendar

This module exploits a stack buffer overflow in Symantec BackupExec Calendar Control. By sending an overly long string to the "_DOWText0" property located in the pvcalendar.ocx control, an attacker may be able to execute arbitrary code. Authors: - Elazar B

More information

CVSS scores for CVE-2007-6016

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.3	HIGH	AV:N/AC:M/Au:N/C:C/I:C/A:C	8.6	10.0	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete

CWE ids for CVE-2007-6016

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2007-6016

http://seer.support.veritas.com/docs/308669.htm

CVEs referencing this url
https://www.exploit-db.com/exploits/5205
http://www.vupen.com/english/advisories/2008/2672

Vendor Advisory

CVEs referencing this url
http://www.securityfocus.com/bid/26904

Symantec Backup Exec Scheduler ActiveX Control Multiple Stack Based Buffer Overflow Vulnerabilities
Patch
http://securitytracker.com/id?1019524
http://www.symantec.com/avcenter/security/Content/2008.02.29.html

Patch

CVEs referencing this url
http://www.symantec.com/avcenter/security/Content/2008.02.28.html

CVEs referencing this url
http://www.vupen.com/english/advisories/2008/0718

Vendor Advisory

CVEs referencing this url

Products affected by CVE-2007-6016

Symantec » Backup Exec For Windows Server » Version: 11D Update 11.0.7170
cpe:2.3:a:symantec:backup_exec_for_windows_server:11d:11.0.7170:*:*:*:*:*:*
Matching versions
Symantec » Backup Exec For Windows Server » Version: 12.0 Update 12.0.1364
cpe:2.3:a:symantec:backup_exec_for_windows_server:12.0:12.0.1364:*:*:*:*:*:*
Matching versions
Symantec » Backup Exec For Windows Server » Version: 11D Update 11.0.6235
cpe:2.3:a:symantec:backup_exec_for_windows_server:11d:11.0.6235:*:*:*:*:*:*
Matching versions