cbcvebase.
CVE-2007-4006
published 2007-07-26

Priority: P3 (42)
Severity: medium (CVSS 2.0 base score 6.8)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Exploit: public exploit available
EPSS: 34.48% (98.2nd percentile)
Buffer overflow in Mike Dubman Windows RSH daemon (rshd) 1.7 has unknown impact and remote attack vectors, aka ZD-00000034. NOTE: this information is based upon a vague advisory by a vulnerability information sales organization that does not coordinate with vendors or release actionable advisories. A CVE has been assigned for tracking purposes, but duplicates with other CVEs are difficult to determine.

Affected (1 range)

Vendor: mike_dubman
Product: windows_rsh_daemon
Version range: (not given)
Fixed in: (not given)

Detection & IOCs (extracted from sources)

port: 514
port: 9999
other: 0x77409dbb
other: 0x7e497c7b
other: 0x77f81be3
  • The exploit targets RSH daemon on TCP port 514. Detect oversized RSH requests (>1024 bytes) to port 514 from source ports in the range 512–1023, which is required for the exploit to succeed.
  • The exploit payload begins with a distinctive null-byte pattern: two repetitions of (\x00 + 1 random byte) followed by \x00, then 1024 bytes of alphanumeric-upper encoded data. Look for RSH traffic to port 514 containing leading null bytes followed by large alphanumeric blocks.
  • The Metasploit module uses AlphanumUpper encoder with a stack-adjustment prepend stub \x81\xc4\xff\xef\xff\xff\x44. Presence of this byte sequence in RSH traffic is a strong indicator of exploitation.
  • The standalone exploit (exploit-db 4222) drops a bind shell on TCP port 9999. Monitor for unexpected listening services on port 9999 on Windows hosts running rshd.
  • The vulnerable software is rshd from http://rshd.sourceforge.net. Detect presence of this process on Windows hosts as an attack surface indicator.
  • The exploit requires the client source port (CPORT) to be in the range 512–1023 for the RSH protocol handshake; network controls blocking non-privileged source ports to TCP/514 will not mitigate this attack.
  • The NVD advisory explicitly flags this CVE as based on a vague advisory from a vulnerability sales organization (WabiSabiLabi) that does not coordinate with vendors; duplicate CVEs may exist.
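The network indicators in the list above can be turned into a single check over the client-to-server bytes of each TCP connection to port 514. The following is an added detection example, not code from the page or from any of the cited sources; the `Flow` type, the indicator names and the sample traffic are constructed here, while the port numbers, the 1024-byte size threshold, the leading null-byte pattern and the stack-adjustment stub bytes are the values quoted on the page.

```python
"""Detection logic for the RSH-daemon indicators listed above (added example,
not the page's own code).  Sample flows below are constructed, not captured."""
import re
from dataclasses import dataclass

RSH_PORT = 514
PRIVILEGED_SOURCE_PORTS = range(512, 1024)   # RSH clients must use 512-1023
OVERSIZE_BYTES = 1024                         # page: requests > 1024 bytes
# Stack-adjustment prepend stub quoted on the page.
STACK_ADJUST_STUB = b"\x81\xc4\xff\xef\xff\xff\x44"
# Two repetitions of (NUL + one arbitrary byte), then NUL, at the very start.
LEADING_NULLS = re.compile(rb"\A\x00.\x00.\x00", re.DOTALL)
# At least 1024 bytes of upper-case alphanumeric data anywhere in the request.
ALNUM_UPPER_BLOCK = re.compile(rb"[A-Z0-9]{1024,}")


@dataclass
class Flow:
    src_port: int
    dst_port: int
    payload: bytes          # client-to-server bytes of one TCP connection


def rsh_indicators(flow: Flow) -> list[str]:
    """Return the names of the page's indicators matched by one flow.

    An empty list means nothing suspicious.  A privileged source port on its
    own is normal RSH behaviour and is only counted together with an
    oversized request.
    """
    if flow.dst_port != RSH_PORT:
        return []
    hits = []
    if (len(flow.payload) > OVERSIZE_BYTES
            and flow.src_port in PRIVILEGED_SOURCE_PORTS):
        hits.append("oversized_request_from_privileged_source_port")
    if LEADING_NULLS.match(flow.payload):
        hits.append("leading_null_byte_pattern")
    if ALNUM_UPPER_BLOCK.search(flow.payload):
        hits.append("large_alphanumeric_upper_block")
    if STACK_ADJUST_STUB in flow.payload:
        hits.append("stack_adjustment_stub")
    return hits


def verdict(flow: Flow) -> str:
    """Collapse the indicator list into an alert level.

    The stub bytes alone give high confidence (the page calls them a strong
    indicator); the size, null-byte and alphanumeric traits are medium
    confidence and only alert when at least two of them co-occur, since any
    single one can appear in unusual but benign traffic.
    """
    hits = rsh_indicators(flow)
    if "stack_adjustment_stub" in hits:
        return "high"
    if len(hits) >= 2:
        return "medium"
    return "none"


# Constructed sample traffic (not captured data).
BENIGN = Flow(1022, 514, b"1023\x00alice\x00alice\x00uptime\x00")
SUSPICIOUS = Flow(1000, 514,
                  b"\x00\x41\x00\x42\x00" + STACK_ADJUST_STUB + b"A" * 1024)
WRONG_PORT = Flow(1000, 22, SUSPICIOUS.payload)   # same bytes, not RSH

if __name__ == "__main__":
    for name, flow in [("benign", BENIGN), ("suspicious", SUSPICIOUS),
                       ("not-rsh", WRONG_PORT)]:
        print(f"{name:10s} -> {verdict(flow):6s} {rsh_indicators(flow)}")
```

Feed `rsh_indicators` the reassembled client-side byte stream of each connection to TCP/514 (a sensor that only sees individual packets will miss the size threshold when the request is split across segments). The listening-port indicator from the list above (an unexpected service on TCP/9999 on a host running rshd) is a host-side check and is not covered by this flow-level detector.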