CVE-2011-1563
published 2011-04-05

Priority: P2 (74)
CVSS 2.0: 10.0 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 74.64% (99.4th percentile)

Description
Multiple stack-based buffer overflows in the HMI application in DATAC RealFlex RealWin 2.1 (Build 6.1.10.10) and earlier allow remote attackers to execute arbitrary code via (1) a long username in an On_FC_CONNECT_FCS_LOGIN packet, and crafted (2) On_FC_CTAGLIST_FCS_CADDTAG, (3) On_FC_CTAGLIST_FCS_CDELTAG, (4) On_FC_CTAGLIST_FCS_ADDTAGMS, (5) On_FC_RFUSER_FCS_LOGIN, (6) unspecified "On_FC_BINFILE_FCS_*FILE", (7) On_FC_CGETTAG_FCS_GETTELEMETRY, (8) On_FC_CGETTAG_FCS_GETCHANNELTELEMETRY, (9) On_FC_CGETTAG_FCS_SETTELEMETRY, (10) On_FC_CGETTAG_FCS_SETCHANNELTELEMETRY, and (11) On_FC_SCRIPT_FCS_STARTPROG packets to port 910.

Affected (3 ranges)

Vendor     Product   Version range    Fixed in
realflex   realwin   <= 2.1           (not listed)
realflex   realwin   (unspecified)    (not listed)
realflex   realwin   (unspecified)    (not listed)

Detection & IOCs (extracted from sources)

port: 910
command: nc SERVER 910 < realwin_5?.dat
command: nc SERVER 910 < realwin_6?.dat
command: nc SERVER 910 < realwin_7?.dat
command: nc SERVER 910 < realwin_8.dat
path: C:\Program Files\DATAC\Real Win\RW-version\
path: C:\Program Files\DATAC\Real.Win\DemoRW-1.06\\realflex\data\crt\fwd\tel\%s.tel
  • Detect exploitation attempts by monitoring for large/malformed On_FC_CONNECT_FCS_LOGIN packets containing an oversized username field sent to TCP port 910.
  • Monitor TCP port 910 for On_FC_BINFILE_FCS_*FILE packets with oversized filename fields that would overflow the stack buffer used in the inline memcpy routine.
  • Detect On_FC_CGETTAG_FCS_GETTELEMETRY, On_FC_CGETTAG_FCS_GETCHANNELTELEMETRY, On_FC_CGETTAG_FCS_SETTELEMETRY, and On_FC_CGETTAG_FCS_SETCHANNELTELEMETRY packets on port 910 with input strings longer than ~200 bytes (stack buffer size for the sprintf path construction).
  • Detect On_FC_SCRIPT_FCS_STARTPROG packets on port 910 with input strings exceeding ~4096 bytes (stack buffer size).
  • Detect On_FC_MISC_FCS_MSGBROADCAST and On_FC_MISC_FCS_MSGSEND packets on port 910 where the attacker-supplied 32-bit size value is crafted to cause a heap overflow (integer overflow in allocation: size + 0x16).
  • The vulnerable version is RealWin 2.1 (Build 6.1.10.10) and earlier; the Metasploit module for On_FC_CONNECT_FCS_LOGIN was tested against Build 6.0.10.10, and the On_FC_BINFILE module was tested against version 2.0 (Build 6.1.8.10). Confirm the exact build before deploying exploit-based detection.
  • No vendor fix was available at time of disclosure; detection and mitigation must rely on network-level controls blocking port 910.