CVE-2011-0517
Published: 2011-01-20
Priority: P2 · 70 · critical · CVSS 2.0 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit available
EPSS: 40.46% (98.5th percentile)
Stack-based buffer overflow in Sielco Sistemi Winlog Pro 2.07.00 and earlier, when Run TCP/IP server is enabled, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a crafted 0x02 opcode to TCP port 46823.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sielcosistemi | winlog_pro | <= 2.07.00 | — |
Detection & IOCs (extracted from sources)
- Alert on TCP connections to port 46823 where the first byte of the payload is 0x02 followed by bytes 0x01 0x01; this matches the malicious opcode header used to trigger the overflow.
- Alert on TCP payloads to port 46823 exceeding ~588 bytes following the 3-byte opcode header (0x02 0x01 0x01), as the overflow requires ~588 bytes of padding before the SEH overwrite.
- Monitor for the Metasploit post-exploitation default option 'migrate -f' immediately after exploitation of this vulnerability, indicating process migration following shellcode execution.
- The vulnerable function at offset 0x00446795 in Runtime.exe performs an unbounded memcpy into a ~60-byte stack buffer; stack canary or DEP absence on this process is a prerequisite for exploitation.
- The exploit uses a structured exception handler (SEH) overwrite technique; detection of SEH-chain corruption in Runtime.exe is a strong indicator of active exploitation.
- The vulnerability is only exploitable when the TCP/IP server feature is explicitly enabled in the Winlog project configuration; installations without this option are not exposed remotely.
- The Metasploit module targets only Winlog Lite 2.07.00 with a hardcoded return address; other builds or versions may require a different RET value and the exploit may not function reliably against them.
- Payload bad characters include null bytes, spaces, newlines, and carriage returns; shellcode must be encoded to avoid these bytes or delivery will fail.
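The two network indicators above (the 0x02 0x01 0x01 opcode header on port 46823, and an oversized body after it) can be turned into a simple payload classifier. This is an added example, not code from the page or from Sielco Sistemi or Metasploit; the flow records, addresses and the 588-byte threshold taken from the "~588 bytes" figure above are constructed assumptions.

```python
"""Classify TCP payloads to the Winlog Pro TCP server port for CVE-2011-0517 indicators."""
from typing import List, Tuple

WINLOG_PORT = 46823                # TCP port Runtime.exe listens on when the TCP/IP server is enabled
OPCODE_HEADER = b"\x02\x01\x01"    # opcode 0x02 header that reaches the vulnerable string parser
PADDING_THRESHOLD = 588            # assumed: body length needed to reach the SEH record ("~588 bytes")


def classify_payload(dst_port: int, payload: bytes) -> str:
    """Return 'none', 'opcode-header' or 'overflow-length' for a single TCP payload."""
    if dst_port != WINLOG_PORT or not payload.startswith(OPCODE_HEADER):
        return "none"
    body_len = len(payload) - len(OPCODE_HEADER)
    if body_len > PADDING_THRESHOLD:
        return "overflow-length"   # long enough to overwrite the SEH chain: high severity
    # Opcode 0x02 is a legitimate protocol opcode used by normal clients, so a
    # correctly sized request is a low-severity, context-only signal.
    return "opcode-header"


def scan_flows(flows: List[Tuple[str, int, bytes]]) -> List[Tuple[str, str]]:
    """Evaluate (src, dst_port, payload) records and return (src, verdict) for every hit."""
    hits = []
    for src, dst_port, payload in flows:
        verdict = classify_payload(dst_port, payload)
        if verdict != "none":
            hits.append((src, verdict))
    return hits


# Constructed sample flows (hypothetical addresses, not real captures).
SAMPLE_FLOWS = [
    ("10.0.0.5", 46823, OPCODE_HEADER + b"TAG1=42"),       # normal-sized write request
    ("10.0.0.9", 46823, OPCODE_HEADER + b"A" * 700),       # oversized body after the header
    ("10.0.0.7", 46823, b"\x01\x00\x00" + b"A" * 700),     # different opcode, not matched
    ("10.0.0.8", 8080, OPCODE_HEADER + b"A" * 700),        # wrong port, not matched
]

if __name__ == "__main__":
    for src, verdict in scan_flows(SAMPLE_FLOWS):
        print(f"{src}: {verdict}")
```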
No detection rules found.
Exploit-DB
Sielco Sistemi Winlog - Remote Buffer Overflow (Metasploit)
exploitdb · 2011-06-21
---
```ruby
##
# $Id: winlog_runtime.rb 13000 2011-06-21 22:42:53Z swtornio $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Sielco Sistemi Winlog Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in Sielco
Sistem Winlog [ 'Luigi Auriemma', 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 13000 $',
'References' =>
[
[ 'CVE', '2011-0517' ],
[ 'OSVDB', '70418'],
[ 'URL', 'http://aluigi.org/adv/winlog_1-adv.txt' ],
],
'Privileged' => false,
'DefaultOptio
```
Exploit-DB
Sielco Sistemi Winlog 2.07.00 - Stack Overflow
exploitdb · 2011-01-14
---
Source: http://aluigi.org/adv/winlog_1-adv.txt
#######################################################################
Luigi Auriemma
Application: Sielco Sistemi Winlog
http://www.sielcosistemi.com/en/products/winlog_scada_hmi/
Versions: Options->TCP/IP" section of the project we want to run
and Runtime.exe will listen on the TCP port 46823.
The opcode 0x02 of the protocol is used for the handling of some
strings received by the client and for calling one of the
_TCPIP_WriteNumValueFP, _TCPIP_WriteDigValueFP or _TCPIP_WriteStrValueFP
functions, depending on the type of data.
They all use the same function, starting at offset 00446795, for
parsing the data, and it is vulnerable to a stack overflow while
copying the input data.
Metasploit
Sielco Sistemi Winlog Buffer Overflow
This module exploits a buffer overflow in Sielco Sistemi Winlog <= 2.07.00. When sending a specially formatted packet to the Runtime.exe service, an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
References
- http://aluigi.org/adv/winlog_1-adv.txt
- http://osvdb.org/70418
- http://secunia.com/advisories/42894
- http://securityreason.com/securityalert/8280
- http://www.exploit-db.com/exploits/15992
- http://www.kb.cert.org/vuls/id/496040
- http://www.securityfocus.com/bid/45813
- http://www.us-cert.gov/control_systems/pdf/ICSA-11-017-02.pdf
- http://www.vupen.com/english/advisories/2011/0126
- https://exchange.xforce.ibmcloud.com/vulnerabilities/64716