CVE-2011-0404
published 2011-01-11

Priority: P2 · 67 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: yes
EPSS: 64.74% (99.1th percentile)

Stack-based buffer overflow in NetSupport Manager Agent for Linux 11.00, for Solaris 9.50, and for Mac OS X 11.00 allows remote attackers to execute arbitrary code via a long control hostname to TCP port 5405, probably a different vulnerability than CVE-2007-5252.

Affected (2 ranges)

Vendor       Product                    Version range   Fixed in
netsupport   netsupport_manager_agent   -               -
netsupport   netsupport_manager_agent   -               -

Detection & IOCs (extracted from sources)

port:     5405/tcp
port:     4444/tcp
path:     /usr/nsm/daemon/clientdaemon
command:  nc <host> 4444
  • Monitor TCP port 5405 for oversized connection attempts containing long hostname strings; the overflow is triggered by sending a sequence of four distinct binary trigger packets (triggerA through triggerD) in order.
  • Detect the four-stage exploit sequence on TCP/5405: look for triggerA (\x15\x00\x5a\x00 followed by 1024 x \x41), triggerB (\x25\x00\x51\x00\x81), triggerC (\x37\x00\x03\x00 header with 'ikki' / 'WORKGROUP' strings and large payload), and triggerD (\x06\x00\x07\x00\x20\x00).
  • After successful exploitation a bind-shell is opened on TCP/4444 of the victim; detect unexpected listening services on port 4444 on NetSupport Agent hosts.
  • The Metasploit module targets the process /usr/nsm/daemon/clientdaemon; monitor this process for unexpected child processes or network connections.
  • The exploit uses ROP gadgets and mmap/mprotect resolution via libc to bypass NX; look for mmap/mprotect syscalls originating from clientdaemon with PROT_EXEC (0x7) on anonymous mappings (MAP_ANONYMOUS|MAP_PRIVATE = 0x22).
  • The jmp-esp return address differs between agent versions (v10.50.0 vs v11.0.0); the Perl PoC hardcodes the v11.0.0 address while the Metasploit module uses a different ROP chain, so detection signatures based on exact return addresses will be version-specific.
  • The vulnerability was reported as still unpatched at time of original disclosure; verify current patch status with the vendor before relying solely on detection.
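A stage matcher for the four trigger packets described in the notes above, as an added example that is not part of the CVE record or of NetSupport's code. It assumes the payloads of one TCP/5405 connection have already been reassembled into a list, and the minimum size for triggerC is an assumed threshold because the record only says "large payload".

```python
"""Added example: classify TCP/5405 payloads against the four trigger
stages the CVE record describes and flag the full A,B,C,D sequence."""
import re

# Byte prefixes taken from the record's detection notes. Stage C's layout
# beyond the header and the two strings is not given, so it is matched
# loosely (header, then both strings somewhere in the packet).
STAGES = (
    ("triggerA", re.compile(rb"^\x15\x00\x5a\x00\x41{1024}", re.S)),
    ("triggerB", re.compile(rb"^\x25\x00\x51\x00\x81", re.S)),
    ("triggerC", re.compile(rb"^\x37\x00\x03\x00(?=.*ikki)(?=.*WORKGROUP)", re.S)),
    ("triggerD", re.compile(rb"^\x06\x00\x07\x00\x20\x00", re.S)),
)
TRIGGER_C_MIN_LEN = 256  # assumed threshold; the record only says "large payload"


def classify(payload: bytes):
    """Return the stage name a single packet payload matches, or None."""
    for name, pattern in STAGES:
        if pattern.match(payload):
            if name == "triggerC" and len(payload) < TRIGGER_C_MIN_LEN:
                continue  # header matches but the payload is not "large"
            return name
    return None


def detect_sequence(payloads):
    """Walk the payloads of one connection in order. Returns the stages
    seen and whether A,B,C,D all appeared in that order; unrelated
    packets between stages are tolerated."""
    seen = [s for s in (classify(p) for p in payloads) if s]
    wanted = ["triggerA", "triggerB", "triggerC", "triggerD"]
    stream = iter(seen)
    complete = all(any(s == w for s in stream) for w in wanted)
    return seen, complete


# Constructed sample connection: the four stages with one benign packet
# between them (not captured traffic).
SAMPLE_CONNECTION = [
    b"\x15\x00\x5a\x00" + b"\x41" * 1024,
    b"\x00\x00\x00\x00",  # unrelated packet
    b"\x25\x00\x51\x00\x81",
    b"\x37\x00\x03\x00" + b"ikki\x00WORKGROUP\x00" + b"\x00" * 300,
    b"\x06\x00\x07\x00\x20\x00",
]

if __name__ == "__main__":
    print(detect_sequence(SAMPLE_CONNECTION))
```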