CVE-2010-4740
Published 2011-02-16
Priority P356 · critical · CVSS 2.0 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit available
EPSS 41.62% (98.5th percentile)
Stack-based buffer overflow in WTclient.dll in SCADA Engine BACnet OPC Client before 1.0.25 allows user-assisted remote attackers to execute arbitrary code via a crafted .csv file, related to a status log message.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| scadaengine | bacnet_opc_client | <= 1.0.24 | — |
Detection & IOCs (extracted from sources)
Bytes (payload fragment from the public exploit):
\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36
- Malicious CSV file triggers the overflow; look for CSV files with the header 'OPC_TAG_NAME,OBJECT_TYPE,INSTANCE,OBJECT_NAME' followed by an abnormally long field (185+ bytes of junk + 4-byte return address + shellcode) being opened by the BACnet OPC Client process.
- The overflow occurs in WTclient.dll when parsing a status log message from a crafted .csv file; monitor for anomalous stack pivots or JMP ESP gadget hits at 0x7C96BF33 in user32.dll on Windows XP SP3 systems running BACnet OPC Client.
- The exploit payload creates a local user account (USER=sploit, PASS=ware); monitor for unexpected local account creation events (Windows Event ID 4720) following BACnet OPC Client CSV file parsing.
- The Metasploit module targets the fileformat vector (windows/fileformat/bacnet_csv); alert on BACnet OPC Client (v1.0.24 and earlier) opening .csv files from untrusted sources.
- The ROP/JMP-ESP gadget address (0x7C96BF33 in user32.dll) is specific to Windows XP Service Pack 3; the exploit will not work as-is on other OS versions or patch levels.
- The vulnerability is fixed in BACnet OPC Client version 1.0.25 and later; the overflow only affects versions prior to 1.0.25.
- The overflow is user-assisted (requires the victim to open a crafted .csv file), making it a client-side/fileformat attack rather than a network-reachable exploit.
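The first IOC above describes a file-level heuristic (BACnet import header followed by an abnormally long field) that can be checked before a .csv reaches the client. The scanner below is an added example, not code from this record, the vendor or the Metasploit project; the 128-character field threshold, the function names and the constructed sample files are assumptions chosen for illustration. It combines three checks: the header match, the field-length heuristic, and a byte-signature match on the payload bytes listed in the IOC section.

```python
import csv
import io

# Header the IOC list names for BACnet OPC Client import files.
BACNET_HEADER = ["OPC_TAG_NAME", "OBJECT_TYPE", "INSTANCE", "OBJECT_NAME"]

# Field-length threshold (assumption for illustration): the public exploit pads
# the overflowing field with 185+ bytes, so a field this long is worth flagging.
MAX_FIELD_LEN = 128

# Payload bytes listed in the IOC section of this record, used as a signature.
IOC_BYTES = (b"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
             b"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36")


def _parse_rows(text):
    """Parse CSV text; fall back to naive comma splitting if the csv module rejects it."""
    try:
        return list(csv.reader(io.StringIO(text, newline="")))
    except csv.Error:
        return [line.split(",") for line in text.splitlines()]


def scan_bacnet_csv(data: bytes, max_field_len: int = MAX_FIELD_LEN) -> dict:
    """Return a verdict for one CSV file body.

    verdict is 'suspicious', 'clean' or 'not-bacnet'; suspicious_fields lists
    (row, column, length) for every field longer than max_field_len.
    """
    # latin-1 maps every byte to exactly one character, so nothing is lost.
    text = data.decode("latin-1")
    rows = _parse_rows(text)
    header = [h.strip() for h in rows[0]] if rows else []
    result = {
        "bacnet_header": header == BACNET_HEADER,
        "ioc_match": IOC_BYTES in data,
        "suspicious_fields": [],
        "non_printable": False,
    }
    if result["bacnet_header"]:
        for r, row in enumerate(rows[1:], start=2):
            for c, field in enumerate(row, start=1):
                if len(field) > max_field_len:
                    result["suspicious_fields"].append((r, c, len(field)))
                # Tag and object names are plain ASCII; control or high bytes are not.
                if any((ch < " " and ch != "\t") or ch > "~" for ch in field):
                    result["non_printable"] = True
    if result["ioc_match"] or result["suspicious_fields"] or result["non_printable"]:
        result["verdict"] = "suspicious"
    elif result["bacnet_header"]:
        result["verdict"] = "clean"
    else:
        result["verdict"] = "not-bacnet"
    return result


# Constructed sample inputs (not real files): a normal import, a file shaped like
# the described trigger (long padding, a 4-byte placeholder where the exploit puts
# its return address, then the IOC bytes), and an unrelated CSV.
BENIGN_CSV = (b"OPC_TAG_NAME,OBJECT_TYPE,INSTANCE,OBJECT_NAME\r\n"
              b"AHU1_SAT,analog-input,1,Supply Air Temp\r\n")
SUSPICIOUS_CSV = (b"OPC_TAG_NAME,OBJECT_TYPE,INSTANCE,OBJECT_NAME\r\n"
                  b"AHU1_SAT,analog-input,1," + b"A" * 185 + b"RETA" + IOC_BYTES + b"\r\n")
OTHER_CSV = b"name,value\r\nfoo,1\r\n"

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN_CSV), ("suspicious", SUSPICIOUS_CSV), ("other", OTHER_CSV)]:
        print(label, scan_bacnet_csv(sample))
```

Run this over files dropped into the client's import directory (or attached to mail) and route `suspicious` results to the same alert that watches for Event ID 4720 after BACnet OPC Client activity; the signature check catches the public payload, while the length and non-printable checks also catch repacked variants.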
GHSA
GHSA-vp93-v8xp-q5r9: Stack-based buffer overflow in WTclient (unreviewed · 2022-05-17 · severity HIGH · CWE-119)
CISA ICS
GLEG Agora SCADA+ Exploit Pack (cisa_ics · 2018-09-06)
ICS Advisory ICSA-11-096-01, last revised September 06, 2018
Archived content: this advisory is kept in the CISA.gov archive and may not reflect current policy or programs.
## OVERVIEW
On March 15, 2011, GLEG Ltd. announced the Agora SCADA+ Exploit Pack for Immunity's CANVAS system. CANVAS is a penetration testing framework that is extensible using CANVAS Exploit Packs. On March 25, 2011, GLEG announced it would be adding exploits for the 35 vulnerabilities released by Luigi Auriemma on March 21, 2011. ICS-CERT has not received any reports of this tool being used for an unauthorized compromise of an actual control system installation.
ICS-CERT has prepared t
No detection rules found.
Exploit-DB
BACnet OPC Client - Local Buffer Overflow (1) (exploitdb · 2010-09-16 · CVE-2010-4740)
```python
#!/usr/bin/python
# bacnet.py
# BACnet OPC Client Buffer Overflow Exploit
# Jeremy Brown [0xjbrown41-gmail-com]
# Sept 2010
#
# After communicating via several emails with the vendor, sharing details
# about the vulnerability, as well as proof-of-concept code (I also offered
# to send the exploit code for them to test themselves), it was clear that
# they weren't very interested in fixing the vulnerability. They even ended our
# conversation with "Hi Jeremy, thanks but please don't waste my time.", and
# quickly became unresponsive to further communication. A couple days later, I
# notified them of my plans to release exploit code to the public, proving
# the vulnerability, since they weren't planning on releasing a fix. They didn't
```
Metasploit
BACnet OPC Client Buffer Overflow
This module exploits a stack buffer overflow in SCADA Engine BACnet OPC Client v1.0.24. When the BACnet OPC Client parses a specially crafted csv file, arbitrary code may be executed.
No writeups or analysis indexed.
References
- http://packetstormsecurity.org/1009-exploits/bacnet-overflow.py.txt
- http://secunia.com/advisories/41466
- http://securityreason.com/securityalert/8083
- http://www.kb.cert.org/vuls/id/660688
- http://www.securityfocus.com/bid/43289
- http://www.us-cert.gov/control_systems/pdf/ICSA-10-264-01.pdf