CVE-2011-0647
Published 2011-02-10
Priority: P1 (80)
CVSS 2.0: 10.0 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available (see Exploit-DB and Metasploit entries below)
EPSS: 63.68% (99.1st percentile)
The irccd.exe service in EMC Replication Manager Client before 5.3 and NetWorker Module for Microsoft Applications 2.1.x and 2.2.x allows remote attackers to execute arbitrary commands via the RunProgram function to TCP port 6542.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| emc | networker_module | — | — |
| emc | networker_module | — | — |
| emc | replication_manager | <= 5.2.3 | — |
| emc | replication_manager | — | — |
| emc | replication_manager | — | — |
| emc | replication_manager | — | — |
Detection & IOCs (extracted from sources)
Byte patterns observed on TCP port 6542:
- 1HELLOEMC00000000000000000000000 (client hello, null-padded)
- EMC_Len00000001361 (length-prefixed session/command frame)
- Monitor for inbound TCP connections to port 6542 targeting irccd.exe; any connection from an external or untrusted host should be treated as suspicious.
- Detect the exploit handshake by inspecting TCP payloads on port 6542 for the literal string '1HELLOEMC' followed by null-padded bytes, which is the initial hello beacon sent by the attacker.
- Detect session-establishment packets by looking for the pattern 'EMC_Len' followed by a numeric length field on port 6542; this prefix is used for both session setup and RunProgram command delivery.
- Alert on irccd.exe spawning cmd.exe or any child process, as exploitation results in arbitrary command execution with SYSTEM privileges via the RunProgram function.
- The Metasploit module uses a VBS CmdStager payload ('CmdStagerFlavor' => 'vbs'); look for irccd.exe writing or executing .vbs files on disk as a post-exploitation indicator.
- The server responds with 'RAWHELLO' to the initial hello probe; network signatures can match this response string on port 6542 to fingerprint vulnerable or exposed instances.
- The exploit module targets only Windows x86 (XP and Windows 2003) with a native payload space of 4096 bytes; detection logic should not assume exploitation is limited to that platform just because the public module is.
- EMC NetWorker Module for Microsoft Applications 2.1 and 2.2 may also expose the vulnerable service on port 6542, but the Metasploit module was not tested against those products; coverage should extend beyond Replication Manager.
- The module uses a WfsDelay of 5 seconds and a linemax of 5000 bytes for the CmdStager; timing-based detections should account for this deliberate delay between stager chunks.
No detection rules found.
Exploit-DB
EMC Replication Manager < 5.3 - Command Execution (Metasploit), exploitdb, 2011-02-27
Excerpt of the Metasploit module metadata as indexed (the listing is truncated at the target definition):

```ruby
'Name'           => 'EMC Replication Manager Command Execution',
'Description'    => %q{
  This module exploits a remote command-injection vulnerability in EMC Replication Manager
  client (irccd.exe). By sending a specially crafted message invoking RunProgram function an
  attacker may be able to execute arbitrary commands with SYSTEM privileges. Affected
  products are EMC Replication Manager < 5.3. This module has been successfully tested
  against EMC Replication Manager 5.2.1 on XP/W2003. EMC Networker Module for Microsoft
  Applications 2.1 and 2.2 may be vulnerable too although this module has not been tested
  against these products.
},
'Author'         =>
  [
    'Unknown',      # Initial discovery
    'Davy Douhine'  # MSF module
  ],
'License'        => MSF_LICENSE,
'References'     =>
  [
    [ 'CVE', '2011-0647' ],
    [ 'OSVDB', '70853' ],
    [ 'BID', '46235' ],
    [ 'URL', 'http://www.securityfocus.com/archive/1/516260' ],
    [ 'ZDI', '11-061' ]
  ],
'DisclosureDate' => 'Feb 07 2011',
'Platform'       => 'win',
'Arch'           => ARCH_X86,
'Payload'        =>
  {
    'Space'       => 4096,
    'DisableNops' => true
  },
'Targets'        =>
  [
    # Test
```

Metasploit
EMC Replication Manager Command Execution
This module exploits a remote command-injection vulnerability in the EMC Replication Manager client (irccd.exe). By sending a specially crafted message invoking the RunProgram function, an attacker may be able to execute arbitrary commands with SYSTEM privileges. Affected products are EMC Replication Manager < 5.3. This module has been successfully tested against EMC Replication Manager 5.2.1 on XP/W2003. EMC NetWorker Module for Microsoft Applications 2.1 and 2.2 may be vulnerable too, although this module has not been tested against these products.
No writeups or analysis indexed.
References
- http://osvdb.org/70853
- http://secunia.com/advisories/43164
- http://www.securityfocus.com/archive/1/516260
- http://www.securityfocus.com/archive/1/516282/100/0/threaded
- http://www.securityfocus.com/bid/46235
- http://www.vupen.com/english/advisories/2011/0304
- http://www.zerodayinitiative.com/advisories/ZDI-11-061/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/65205