CVE-2007-1685
Published 2007-06-08
Priority P3 · 52 · critical · 10 · CVSS 2.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: flagged
EPSS: 13.52% (96.0th percentile)
Buffer overflow in k9filter.exe in BlueCoat K9 Web Protection 3.2.36, and probably other versions before 3.2.44, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long HTTP GET request to port 2372.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bluecoat | k9_web_protection | — | — |
Detection & IOCs (extracted from sources)
- Monitor for abnormally long HTTP GET requests directed at port 2372, which is used by k9filter.exe (BlueCoat K9 Web Protection). Oversized requests to this port are the attack vector for the buffer overflow.
- The exploit targets the SEH (Structured Exception Handler) chain. Detection of SEH-overwrite patterns (e.g., repeated 0x41/0x42 byte sequences followed by a crafted return address) in traffic to port 2372 is indicative of exploitation attempts.
- Alert on unexpected crashes or restarts of the k9filter.exe process, which may indicate a successful or attempted denial-of-service exploitation of this buffer overflow.
- The PoC targets the path /home.html on port 2372. Network signatures should flag HTTP GET requests to /home.html on port 2372 with payloads exceeding normal length (168+ bytes of padding observed in the PoC).
- The vulnerability affects BlueCoat K9 Web Protection 3.2.36 and likely all versions prior to 3.2.44. Detections should account for this version range; patched versions (3.2.44+) are not reported vulnerable.
- Successful exploitation runs with administrative privileges, meaning post-exploitation activity would appear to originate from a high-privilege context; tune endpoint monitoring accordingly.
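A heuristic check that combines the request features listed above (port 2372, GET /home.html, 168+ bytes of padding, runs of 0x41/0x42 filler), written as an added example rather than taken from the advisory or any indexed source; the record format, the 32-byte minimum filler run and the sample requests are assumptions.

```python
import re

K9_PORT = 2372               # port served by k9filter.exe (from the advisory)
PATH = b"/home.html"         # path targeted by the PoC
PADDING_THRESHOLD = 168      # padding length observed in the PoC
# Long run of 0x41/0x42 bytes; 32 is an assumed minimum, not a value from the advisory
FILLER_RE = re.compile(rb"[\x41\x42]{32,}")


def check_request(dst_port: int, request_line: bytes) -> list:
    """Return findings for one HTTP request line; an empty list means nothing matched."""
    findings = []
    if dst_port != K9_PORT:
        return findings
    parts = request_line.split(b" ")
    if len(parts) < 2 or parts[0] != b"GET":
        return findings
    target = parts[1]
    if target.startswith(PATH) and len(target) - len(PATH) >= PADDING_THRESHOLD:
        findings.append("oversized GET /home.html to port 2372")
    if FILLER_RE.search(target):
        findings.append("repeated 0x41/0x42 filler in request target")
    return findings


def scan(records):
    """Run check_request over (dst_port, request_line) records; keep only hits."""
    return [(port, line[:40], hits) for port, line in records
            if (hits := check_request(port, line))]


# Constructed sample records (not captured traffic): (destination port, request line)
SAMPLES = [
    (2372, b"GET /home.html HTTP/1.0"),                            # normal request
    (2372, b"GET " + PATH + b"A" * 168 + b"BBBB" + b" HTTP/1.0"),  # PoC-shaped request
    (80,   b"GET " + PATH + b"A" * 300 + b" HTTP/1.0"),            # wrong port, ignored
]

if __name__ == "__main__":
    for port, head, hits in scan(SAMPLES):
        print(port, head, hits)
```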
No detection rules found.
No writeups or analysis indexed.
References
- http://archives.neohapsis.com/archives/fulldisclosure/2007-06/0190.html
- http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/063848.html
- http://osvdb.org/37186
- http://secunia.com/advisories/25593
- http://www.csis.dk/dk/forside/Bluecoat-k9.pdf
- http://www.kb.cert.org/vuls/id/271601
- http://www.securityfocus.com/archive/1/470836/100/0/threaded
- http://www.securityfocus.com/bid/24373
- http://www.securitytracker.com/id?1018210
- http://www.vupen.com/english/advisories/2007/2104
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34773