CVE-2002-2268
published 2002-12-31

CVE-2002-2268: Buffer overflow in Webster HTTP Server allows remote attackers to execute arbitrary code via a long URL.

Priority: P348, critical, 9.4 (CVSS 2.0)
CVSS vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
EXPLOIT
EPSS: 52.68% (98.8th percentile)

Detection & IOCs (extracted from sources)

  • version: kolibri-2.0
  • command: HEAD /<515 bytes alphanumeric> + RET HTTP/1.1
  • command: GET /<266 bytes alphanumeric> + SEH payload HTTP/1.0
  • other: RET 0x7E429353 (JMP ESP, Windows XP SP3)
  • other: RET 0x76F73BC3 (Windows Server 2003 SP2)
  • other: RET 0x71aa32ad (pop esi; pop ebx; ret ws2help.dll, Windows XP SP0)
  • Detect Kolibri HTTP Server 2.0 exploitation by monitoring for HTTP HEAD requests with oversized URIs (~515+ bytes of alphanumeric data) followed by a 4-byte little-endian return address.
  • Detect Webster HTTP Server exploitation by monitoring for HTTP GET requests with URIs containing ~266+ bytes of alphanumeric data (SEH overwrite pattern).
  • For Kolibri exploitation, the egghunter payload is delivered in the Content-Type HTTP header; alert on abnormally large or binary-containing Content-Type header values in HEAD requests.
  • Fingerprint vulnerable Kolibri server via HTTP Server banner matching 'kolibri-2.0'; presence of this banner indicates an unpatched, exploitable instance.
  • Bad characters for Kolibri exploit payload are null byte, CR, LF, '=', space, '?'; payloads avoiding these bytes in a HEAD request URI are characteristic of this exploit.
  • Bad characters for Webster exploit payload include null, ':', '&', '?', '%', '#', space, LF, CR, '/', '+', VT, backslash; URL-encoded or raw GET requests avoiding these bytes but exceeding 266 chars are suspicious.
  • The Kolibri exploit uses an egghunter technique to stage a larger payload; the actual shellcode is placed in the Content-Type header while the egghunter stub is in the URI overflow, meaning detection must cover both the URI and headers.
  • The Webster exploit uses an SEH (Structured Exception Handler) overwrite technique, not a direct RET overwrite; detection/analysis tools must account for SEH chain corruption at offset ~266 bytes.
  • The Kolibri exploit payload space is limited to 3000 bytes with NOPs disabled; the Webster exploit payload space is limited to 1024 bytes with NOPs disabled.
  • The CVE is referenced by two distinct exploits targeting different HTTP servers (Webster and Kolibri); detection rules should cover both attack vectors independently.
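The detection notes above, combined into one request inspector. This is an added example, not code from the sources this page summarizes; the function name, rule names, sample requests and the 128-byte Content-Type ceiling are assumptions, while the 515-byte and 266-byte thresholds come from the notes.

```python
# Thresholds come from the page; CTYPE_MAX is an assumed ceiling, tune per site.
HEAD_URI_MIN = 515   # Kolibri: HEAD URI bytes that precede the return address
GET_URI_MIN = 266    # Webster: GET URI bytes that precede the SEH overwrite
CTYPE_MAX = 128      # assumption: longest Content-Type value treated as normal


def inspect_request(raw: bytes) -> list:
    """Return the names of the checks that a raw HTTP request trips."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    method, _, rest = lines[0].partition(b" ")
    target, sep, _ = rest.rpartition(b" ")
    if not sep:                        # request line without an HTTP version
        target = rest
    uri_len = len(target) - 1          # bytes after the leading "/"
    hits = []
    # Length alone is checked, so non-alphanumeric filler trips the rule too.
    if method == b"HEAD" and uri_len >= HEAD_URI_MIN:
        hits.append("kolibri-long-head-uri")
    if method == b"GET" and uri_len >= GET_URI_MIN:
        hits.append("webster-long-get-uri")
    if method == b"HEAD":
        # The second stage travels in Content-Type, so headers are checked too.
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() != b"content-type":
                continue
            value = value.strip()
            binary = any(c < 0x20 or c > 0x7E for c in value)
            if len(value) > CTYPE_MAX or binary:
                hits.append("kolibri-abnormal-content-type")
    return hits


# Constructed samples: filler bytes only, no return address or payload.
SAMPLES = {
    "normal-get": b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n",
    "long-get": b"GET /" + b"A" * 300 + b" HTTP/1.0\r\n\r\n",
    "long-head": b"HEAD /" + b"A" * 520 + b" HTTP/1.1\r\n"
                 b"Content-Type: " + b"\xfe" * 200 + b"\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, inspect_request(raw))
```

The two URI rules are kept separate because the page treats the Webster and Kolibri vectors independently; a HEAD request between 266 and 514 bytes is not flagged by either rule.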