CVE-2010-4142
published 2010-11-02

Priority: P2 (66)
Severity: critical, CVSS 2.0 base score 10.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 63.57% (99.1st percentile)
Multiple stack-based buffer overflows in DATAC RealWin 2.0 Build 6.1.8.10 and earlier allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) SCPC_INITIALIZE, (2) SCPC_INITIALIZE_RF, or (3) SCPC_TXTEVENT packet. NOTE: it was later reported that 1.06 is also affected by one of these requests.

Affected: 2 version ranges

Vendor     Product   Version range   Fixed in
realflex   realwin   -               -
realflex   realwin   -               -

Detection & IOCs (extracted from sources)

port: 912 (TCP)
command: nc SERVER 912 < realwin_1a.dat
other: RET gadget 0x4002da21 (FlexMLang.DLL 8.1.45.19), used for SCPC_INITIALIZE / SCPC_INITIALIZE_RF
other: RET gadget 0x4001f6d0 / pivot 0x40017fc2, used for SCPC_TXTEVENT
other: SEH overwrite address 0x4002e3ea, RealWin 1.06
bytes: 6a541264 00000002 00001ff4   (SCPC_INITIALIZE header: magic, type, declared length as three little-endian DWORDs)
bytes: 6a541264 00000020 00001ff4   (SCPC_INITIALIZE_RF header)
bytes: 6a541264 00000010 00001ff4   (SCPC_TXTEVENT header)
bytes: \x64\x12\x54\x6A\x20\x00\x00\x00\xF4\x1F\x00\x00   (SCPC_INITIALIZE_RF header as it appears on the wire)
  • Detect exploit attempts by monitoring TCP port 912 for packets whose first 4 bytes are \x64\x12\x54\x6A (the magic header common to all three exploit variants; the DWORD 0x6a541264 in little-endian byte order) followed by a large payload (>200 bytes).
  • SCPC_INITIALIZE packets are identified by the second DWORD value 0x00000002, SCPC_INITIALIZE_RF by 0x00000020, and SCPC_TXTEVENT by 0x00000010, all on TCP/912.
  • Payloads for all three packet types carry a third DWORD of 0x00001ff4 (8180 decimal), a large declared data length; flag any TCP/912 connection with this value in bytes 8-11.
  • The overflow is triggered via sprintf()/strcpy() on attacker-controlled data, so any untrusted host that can reach TCP/912 can trigger it; monitor for connections to TCP/912 on RealWin SCADA servers from external or untrusted hosts.
  • Bad characters in the Metasploit payloads are \x00\x20\x0a\x0d. A large TCP/912 payload containing none of these bytes is consistent with shellcode delivery, but treat this as corroborating evidence only, since short or binary legitimate data can also avoid them by chance.
  • The Metasploit 'Universal' target RET addresses (0x4002da21 in FlexMLang.DLL 8.1.45.19, 0x4001f6d0/0x40017fc2) are version-specific; exploitation against other builds may require different gadgets, so do not rely on these address bytes alone as a signature.
  • RealWin 1.06 is also confirmed affected by at least one of the overflow variants (the SCPC_INITIALIZE_RF packet type, inferred from the 0x20 type DWORD in the exploit header), not only 2.0 Build 6.1.8.10.
  • No vendor fix was available at time of disclosure; detection and network-level blocking of TCP/912 from untrusted sources is the primary mitigation.
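The header facts and heuristics above, turned into a small detector. This is an added example, not code from the advisory, the vendor, or the Metasploit module: it parses the 12-byte SCPC header (magic, type, declared length as little-endian DWORDs), names the three packet types, and applies the three heuristics from the bullets (large payload, 0x1ff4 declared length, absence of the exploit bad chars). The 200-byte threshold, the function names, the port-filtering wrapper and the sample segments are assumptions for the demo; the "exploit-like" sample only mimics the public header plus filler and one gadget address, not the real payload.

```python
"""Heuristic detector for CVE-2010-4142 RealWin SCPC packets (added example)."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

REALWIN_PORT = 912
MAGIC = 0x6A541264                         # on the wire: 64 12 54 6a (little-endian)
PACKET_TYPES = {
    0x00000002: "SCPC_INITIALIZE",
    0x00000020: "SCPC_INITIALIZE_RF",
    0x00000010: "SCPC_TXTEVENT",
}
EXPLOIT_DECLARED_LEN = 0x1FF4              # 8180, third DWORD in all three PoC headers
LARGE_PAYLOAD = 200                        # threshold taken from the detection notes (assumption)
BADCHARS = frozenset(b"\x00\x20\x0a\x0d")  # bytes the public exploit payloads avoid
HEADER = struct.Struct("<III")             # magic, type, declared length


@dataclass
class Verdict:
    packet_type: str
    declared_len: int
    payload_len: int
    alerts: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.alerts)


def inspect_scpc_packet(data: bytes) -> Optional[Verdict]:
    """Score one TCP/912 segment. Returns None when the SCPC magic is absent."""
    if len(data) < HEADER.size:
        return None
    magic, ptype, declared = HEADER.unpack_from(data)
    if magic != MAGIC:
        return None                        # not SCPC traffic, nothing to score
    payload = data[HEADER.size:]
    name = PACKET_TYPES.get(ptype, "unknown(0x%08x)" % ptype)
    v = Verdict(name, declared, len(payload))
    if ptype in PACKET_TYPES and len(payload) > LARGE_PAYLOAD:
        v.alerts.append("%s with %d-byte payload (> %d)" % (name, len(payload), LARGE_PAYLOAD))
    if declared == EXPLOIT_DECLARED_LEN:
        v.alerts.append("declared length 0x1ff4 matches the public PoC headers")
    if len(payload) > LARGE_PAYLOAD and not (BADCHARS & set(payload)):
        v.alerts.append("large payload contains none of the exploit bad chars")
    return v


def scan_tcp_segments(segments: List[Tuple[str, int, bytes]]) -> List[Tuple[str, Verdict]]:
    """Apply the detector to (src_ip, dst_port, data) tuples; return suspicious ones."""
    hits = []
    for src, dport, data in segments:
        if dport != REALWIN_PORT:
            continue
        v = inspect_scpc_packet(data)
        if v is not None and v.suspicious:
            hits.append((src, v))
    return hits


def build_scpc(ptype: int, declared: int, payload: bytes) -> bytes:
    """Build a packet with the 12-byte header; used only to construct samples below."""
    return HEADER.pack(MAGIC, ptype, declared) + payload


# Constructed samples (not real captures): a small SCPC_INITIALIZE, an
# SCPC_INITIALIZE_RF shaped like the PoC header with filler plus one gadget
# address, and an unrelated HTTP request that must not be scored.
BENIGN_INIT = build_scpc(0x02, 24, b"HMI-STATION-01\x00" + b"\x00" * 9)
EXPLOIT_LIKE_RF = build_scpc(0x20, EXPLOIT_DECLARED_LEN,
                             b"A" * 1000 + struct.pack("<I", 0x4002DA21) + b"\xcc" * 200)
NOT_SCPC = b"GET / HTTP/1.0\r\n\r\n"

SAMPLE_SEGMENTS = [
    ("10.0.5.20", 912, BENIGN_INIT),
    ("198.51.100.7", 912, EXPLOIT_LIKE_RF),
    ("198.51.100.7", 80, NOT_SCPC),
]

if __name__ == "__main__":
    for src, verdict in scan_tcp_segments(SAMPLE_SEGMENTS):
        print(src, verdict.packet_type, verdict.alerts)
```

Run stand-alone it reports only the 198.51.100.7 segment, with all three alerts. Each rule on its own is weak: a legitimately long SCPC_TXTEVENT trips the size rule, and the bad-char rule is only corroboration, so in practice baseline normal TCP/912 traffic on the RealWin host first and alert on the 0x1ff4 header or on size plus source outside the SCADA segment.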