CVE-2001-1320
published 2001-07-16

CVE-2001-1320: Network Associates PGP Keyserver 7.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via exceptional BER…

Priority: P345, high, 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 68.32% (99.2th percentile)
Network Associates PGP Keyserver 7.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via exceptional BER encodings (possibly buffer overflows), as demonstrated by the PROTOS LDAPv3 test suite.

Affected

1 range

Vendor   Product     Version range   Fixed in
pgp      keyserver

Detection & IOCs (extracted from sources)

port: 389
process: PGPcertd.exe
other: 0x00436b23
url: http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/
bytes: \x30\x82\x01\xd9\x02\x01\x01\x60\x82\x01\xd2\x02\x01\x03\x04\x82\x01\xc9
bytes: \x30\xfe\x02\x01\x01\x63\x20\x04\x00\x0a\x01\x02\x0a\x01\x00\x02\x01\x00
  • Detect exploitation attempts by monitoring TCP port 389 (LDAP) for malformed BER-encoded packets beginning with the PROTOS trigger byte sequence \x30\xfe\x02\x01\x01\x63\x20 — the oversized length byte (\xfe) is anomalous for legitimate LDAP traffic.
  • Alert on the presence of PGPcertd.exe spawning unexpected child processes or network connections, as successful exploitation targets this process via a stack return-address overwrite at 0x00436b23 (push esp; ret gadget).
  • Flag LDAP bind/search requests containing exceptional or indefinite-length BER encodings (e.g., length octets inconsistent with actual payload size) targeting port 389, as this is the root trigger class described in the PROTOS LDAPv3 test suite.
  • The WfsDelay may need to be increased in the Metasploit module to allow the egghunter sufficient time to locate the egg in memory before the payload executes; this means the exploit may appear slow or stalled in network captures.
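
The length checks described in the first and third bullets can be sketched as follows. This is an added example, not code from the advisory or its sources. The function names and the MAX_LEN_OCTETS threshold are assumptions, and the input is assumed to be one fully reassembled LDAP message taken from a port 389 stream.

```python
# Added example: BER length sanity checks for one LDAP PDU (names are hypothetical).
MAX_LEN_OCTETS = 4  # assumption: no sane LDAP message needs a length wider than 32 bits

def read_length(buf, pos, end):
    """Decode the BER length at buf[pos]; return (length, next_pos, problem)."""
    if pos >= end:
        return None, pos, "truncated-header"
    first = buf[pos]
    if first < 0x80:                       # short form: the octet is the length
        return first, pos + 1, None
    if first == 0x80:                      # indefinite form; LDAP uses definite form only
        return None, pos + 1, "indefinite-length"
    n = first & 0x7F                       # long form: n length octets follow
    if first == 0xFF or n > MAX_LEN_OCTETS:
        return None, pos + 1, f"oversized-length-octet-0x{first:02x}"
    if pos + 1 + n > end:
        return None, pos + 1, "truncated-length"
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n, None

def check_tlvs(buf, pos=0, end=None, depth=0, findings=None):
    """Walk the TLVs in buf[pos:end], recursing into constructed ones."""
    end = len(buf) if end is None else end
    findings = [] if findings is None else findings
    while pos < end:
        tag = buf[pos]                     # LDAP only uses single-octet tags
        length, body, problem = read_length(buf, pos + 1, end)
        if problem:
            findings.append((pos, problem))
            break                          # cannot resynchronise after a bad length
        if body + length > end:            # declared length overruns the enclosing data
            findings.append((pos, "length-exceeds-enclosing-data"))
            break
        if tag & 0x20 and depth < 32:      # constructed: children must fit inside it
            check_tlvs(buf, body, body + length, depth + 1, findings)
        pos = body + length
    return findings

def inspect_ldap_pdu(pdu):
    """Return (offset, problem) findings; an empty list means the lengths are consistent."""
    if not pdu or pdu[0] != 0x30:          # an LDAPMessage is always a SEQUENCE
        return [(0, "not-a-sequence")]
    return check_tlvs(pdu)

# GOOD_BIND is a constructed sample (well-formed anonymous LDAPv3 simple bind);
# PROTOS_PREFIX is the second byte string quoted in the list above.
GOOD_BIND = bytes.fromhex("300c020101600702010304008000")
PROTOS_PREFIX = bytes.fromhex("30fe020101632004000a01020a0100020100")

if __name__ == "__main__":
    print(inspect_ldap_pdu(GOOD_BIND), inspect_ldap_pdu(PROTOS_PREFIX))
```

Run against a partial TCP segment instead of a whole message, the checker reports length-exceeds-enclosing-data for legitimate traffic, so it belongs after stream reassembly.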