CVE-2010-4740
published 2011-02-16

Priority: P356
Severity: critical (CVSS 2.0 base score 9.3)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 41.62% (98.5th percentile)

Stack-based buffer overflow in WTclient.dll in SCADA Engine BACnet OPC Client before 1.0.25 allows user-assisted remote attackers to execute arbitrary code via a crafted .csv file, related to a status log message.

Affected

1 range
Vendor: scadaengine
Product: bacnet_opc_client
Version range: <= 1.0.24
Fixed in: 1.0.25

Detection & IOCs (extracted from sources)

  • filename: WTclient.dll
  • other: ret=0x7C96BF33 (jmp esp @ user32.dll, Windows XP SP3)
  • bytes: \xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36
  • Malicious CSV file triggers the overflow; look for CSV files with the header 'OPC_TAG_NAME,OBJECT_TYPE,INSTANCE,OBJECT_NAME' followed by an abnormally long field (185+ bytes of junk + 4-byte return address + shellcode) being opened by the BACnet OPC Client process.
  • The overflow occurs in WTclient.dll when parsing a status log message from a crafted .csv file; monitor for anomalous stack pivots or JMP ESP gadget hits at 0x7C96BF33 in user32.dll on Windows XP SP3 systems running BACnet OPC Client.
  • The exploit payload creates a local user account (USER=sploit, PASS=ware); monitor for unexpected local account creation events (Windows Event ID 4720) following BACnet OPC Client CSV file parsing.
  • The Metasploit module targets the fileformat vector (windows/fileformat/bacnet_csv); alert on BACnet OPC Client (v1.0.24 and earlier) opening .csv files from untrusted sources.
  • The ROP/JMP-ESP gadget address (0x7C96BF33 in user32.dll) is specific to Windows XP Service Pack 3; the exploit will not work as-is on other OS versions or patch levels.
  • The vulnerability is fixed in BACnet OPC Client version 1.0.25 and later; the overflow only affects versions prior to 1.0.25.
  • The overflow is user-assisted (requires the victim to open a crafted .csv file), making it a client-side/fileformat attack rather than a network-reachable exploit.