CVE-2011-0404
Published 2011-01-11
Priority: P2 · 67 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 64.74% (99.1th percentile)
Stack-based buffer overflow in NetSupport Manager Agent for Linux 11.00, for Solaris 9.50, and for Mac OS X 11.00 allows remote attackers to execute arbitrary code via a long control hostname to TCP port 5405, probably a different vulnerability than CVE-2007-5252.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netsupport | netsupport_manager_agent | — | — |
| netsupport | netsupport_manager_agent | — | — |
Detection & IOCs (extracted from sources)
- Monitor TCP port 5405 for oversized connection attempts containing long hostname strings; the overflow is triggered by sending a sequence of four distinct binary trigger packets (triggerA through triggerD) in order.
- Detect the four-stage exploit sequence on TCP/5405: look for triggerA (\x15\x00\x5a\x00 followed by 1024 x \x41), triggerB (\x25\x00\x51\x00\x81), triggerC (\x37\x00\x03\x00 header with 'ikki' / 'WORKGROUP' strings and a large payload), and triggerD (\x06\x00\x07\x00\x20\x00).
- After successful exploitation a bind shell is opened on TCP/4444 of the victim; detect unexpected listening services on port 4444 on NetSupport Agent hosts.
- The Metasploit module targets the process /usr/nsm/daemon/clientdaemon; monitor this process for unexpected child processes or network connections.
- The exploit uses ROP gadgets and mmap/mprotect resolution via libc to bypass NX; look for mmap/mprotect syscalls originating from clientdaemon with PROT_READ|PROT_WRITE|PROT_EXEC (0x7) on anonymous mappings (MAP_ANONYMOUS|MAP_PRIVATE = 0x22).
- The jmp esp return address differs between agent versions (v10.50.0 vs v11.0.0); the Perl PoC hardcodes the v11.0.0 address while the Metasploit module uses a different ROP chain, so detection signatures based on exact return addresses will be version-specific.
- The vulnerability was reported as still unpatched at the time of original disclosure; verify current patch status with the vendor before relying solely on detection.
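Detection logic for the four-stage trigger sequence listed above, added here as an example (it is not code from the page's sources, the PoC, or any vendor tool); the 512-byte "large payload" threshold and the sample flows are this example's own assumptions.

```python
# Added example (not from the page's sources or any vendor tool): a stateful
# matcher for the four-stage CVE-2011-0404 trigger sequence on TCP/5405.
# Feed it the client->agent payloads of one TCP flow in arrival order.

NSM_PORT = 5405
STAGES = ("triggerA", "triggerB", "triggerC", "triggerD")
LARGE_PAYLOAD = 512  # assumed threshold for triggerC's "large payload"

def is_trigger_a(p: bytes) -> bool:
    # \x15\x00\x5a\x00 header followed by 1024 x \x41 ('A')
    return p.startswith(b"\x15\x00\x5a\x00") and p[4:1028] == b"A" * 1024

def is_trigger_b(p: bytes) -> bool:
    return p.startswith(b"\x25\x00\x51\x00\x81")

def is_trigger_c(p: bytes) -> bool:
    # \x37\x00\x03\x00 header with 'ikki' / 'WORKGROUP' strings and a large body
    return (p.startswith(b"\x37\x00\x03\x00") and b"ikki" in p
            and b"WORKGROUP" in p and len(p) > LARGE_PAYLOAD)

def is_trigger_d(p: bytes) -> bool:
    return p.startswith(b"\x06\x00\x07\x00\x20\x00")

MATCHERS = (is_trigger_a, is_trigger_b, is_trigger_c, is_trigger_d)

def inspect_flow(payloads, dst_port=NSM_PORT):
    """Return (alert, stages_seen); alert only when A..D all appear in order."""
    if dst_port != NSM_PORT:
        return False, []
    stage, seen = 0, []
    for p in payloads:
        if stage < len(MATCHERS) and MATCHERS[stage](p):
            seen.append(STAGES[stage])
            stage += 1
    return stage == len(MATCHERS), seen

# Constructed sample flows; byte shapes follow the IOC descriptions only.
EXPLOIT_FLOW = [
    b"\x15\x00\x5a\x00" + b"A" * 1024,
    b"\x25\x00\x51\x00\x81",
    b"\x37\x00\x03\x00" + b"ikki\x00WORKGROUP\x00" + b"\x00" * 600,
    b"\x06\x00\x07\x00\x20\x00",
]
BENIGN_FLOW = [b"\x15\x00\x5a\x00" + b"host01\x00", b"\x25\x00\x51\x00\x81"]

if __name__ == "__main__":
    print(inspect_flow(EXPLOIT_FLOW))  # (True, ['triggerA', 'triggerB', 'triggerC', 'triggerD'])
    print(inspect_flow(BENIGN_FLOW))   # (False, [])
```

Out-of-order or partial sequences only advance the state machine as far as they match, so a single stage hit is reported without raising the alert.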
No detection rules found.
Exploit-DB: NetSupport Manager Agent - Remote Buffer Overflow (Metasploit) (2)
exploitdb · 2011-03-03 · CVE-2011-0404
---
```ruby
##
# $Id: netsupport_manager_agent.rb 11868 2011-03-03 01:04:47Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # (the rank and mixin lines between the class header and the module info
  #  are missing from the page listing)

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'NetSupport Manager Agent Remote Buffer Overflow',
      'Description' => %q{
          This module exploits a buffer overflow in NetSupport Manager Agent. It
        uses a similar ROP to the proftpd_iac exploit in order to avoid non executable stack.
      },
      'Author'      =>
        [
          'Luca Carettoni (@_ikki)', # original discovery / exploit
          'Evan',                    # ported from exploit-db exploit
          'jduck'                    #
# (listing truncated here in the page)
```
Exploit-DB: NetSupport Manager Agent - Remote Buffer Overflow (1)
exploitdb · 2011-01-08 · CVE-2011-0404
---
```perl
#!/usr/bin/perl
#
# NetSupport Manager Agent Remote Buffer Overflow
# Product details: http://www.netsupportmanager.com/
#
# This vulnerability affects the following software:
#
# [Vulnerable]
# NetSupport Manager for Linux v11.00 and likely all previous
# NetSupport Manager for Solaris v9.50 and likely all previous
# NetSupport Manager for Mac OS X v11.00 and likely all previous
#
# [Not Vulnerable]
# Netsupport Manager for Windows v11.00
#
# [Unknown]
# Netsupport Manager for Windows CE v11.00
# Netsupport Manager for Pocket PC v11.00
# NetSupport Manager for DOS v7.01
# Other products based on the same codebase (e.g. NetSupport School)
#
# This exploit has been tested against:
# - NetSupport Manager Linux agent v10.50.0
# - Net
# (listing truncated here in the page)
```
Metasploit: NetSupport Manager Agent Remote Buffer Overflow
This module exploits a buffer overflow in NetSupport Manager Agent. It uses a similar ROP to the proftpd_iac exploit in order to avoid a non-executable stack.
References
- http://archives.neohapsis.com/archives/fulldisclosure/2011-01/0090.html
- http://osvdb.org/70408
- http://secunia.com/advisories/42794
- http://www.exploit-db.com/exploits/15937
- http://www.exploit-db.com/exploits/16838
- http://www.ikkisoft.com/stuff/netsupport_linux.txt
- http://www.securityfocus.com/bid/45728
- http://www.securitytracker.com/id?1024943
- http://www.vupen.com/english/advisories/2011/0062
- https://exchange.xforce.ibmcloud.com/vulnerabilities/64546