CVE-2011-1567
published 2011-04-05

CVE-2011-1567: Multiple stack-based buffer overflows in IGSSdataServer.exe 9.00.00.11063 and earlier in 7-Technologies Interactive Graphical SCADA System (IGSS) allow remote…

Priority: P2 (73) · Severity: critical · CVSS 2.0 base score: 10.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available (Metasploit modules, see the detection notes below)
EPSS: 69.62% (99.3rd percentile)
Multiple stack-based buffer overflows in IGSSdataServer.exe 9.00.00.11063 and earlier in 7-Technologies Interactive Graphical SCADA System (IGSS) allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted (1) ListAll, (2) Write File, (3) ReadFile, (4) Delete, (5) RenameFile, and (6) FileInfo commands in an 0xd opcode; (7) the Add, (8) ReadFile, (9) Write File, (10) Rename, (11) Delete, and (12) Add commands in an RMS report templates (0x7) opcode; and (13) 0x4 command in an STDREP request (0x8) opcode to TCP port 12401.

Detection & IOCs (extracted from sources)

  • port: 12401/tcp
  • port: 12397/tcp
  • process: IGSSdataServer.exe
  • process: dc.exe
  • command: nc SERVER 12401 < igss_6.dat
  • command: nc SERVER 12401 < igss_7.dat
  • command: nc SERVER 12397 < igss_8a.dat
  • command: nc SERVER 12397 < igss_8b.dat
  • bytes (0x0D opcode header): \x00\x04\x01\x00\x34\x12\x0D\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00
  • bytes (0x07 opcode header): \x00\x04\x01\x00\x34\x12\x07\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00
  • Detect exploitation of CVE-2011-1567 by monitoring for oversized TCP payloads to port 12401 containing opcode bytes 0x0D (ListAll/WriteFile/ReadFile/Delete/RenameFile/FileInfo), 0x07 (RMS report template commands Add/ReadFile/WriteFile/Rename/Delete), or 0x08 (STDREP command 0x04). The packet header pattern starts with \x00\x04\x01\x00\x34\x12 followed by the opcode byte.
  • Monitor TCP port 12397 for directory traversal sequences in opcode 0x0A or 0x17 payloads sent to dc.exe, which can be used to execute arbitrary executables on disk.
  • The Metasploit exploit for the ListAll command uses eggtag 'w00t' for the egghunter stage. Scanning memory or network traffic for this egg tag can identify active exploitation attempts.
  • The Metasploit exploit for the Rename command uses eggtag 'W00T' for the egghunter stage. Scanning memory or network traffic for this egg tag can identify active exploitation attempts.
  • The STDREP (opcode 0x8) command 0x4 overflow is triggered via a SQL query built with sprintf into a 256-byte stack buffer using the format string 'UPDATE ReportFormats SET RMSref={%s} WHERE (FormatID=%d)'. Oversized input to this path causes the overflow.
  • The ListAll exploit uses a ROP pivot gadget in dao360.dll at address 0x1b77ca8c (ADD ESP,1388; RETN) for DEP bypass on Windows XP SP3 and Windows Server 2003 R2 SP2. The address is written little-endian on the wire (8c ca 77 1b); its presence in traffic to port 12401 is a strong indicator of exploitation.
  • The Rename exploit uses a ROP pivot in MSJET40.dll at 0x1B0938B8 (ADD ESP,910; RETN 10) for Windows XP SP3 and at 0x1B093622 for Windows Server 2003 SP2/R2 SP2. These addresses (again little-endian on the wire) in TCP payloads to port 12401 indicate exploitation.
  • The attack is unauthenticated: no credentials are required to trigger the buffer overflow in IGSSdataServer.exe on port 12401. Any unexpectedly large TCP payload to port 12401 from an external host should be treated as suspicious.
  • The vulnerability affects IGSSdataServer.exe version 9.00.00.11063 and earlier. Later versions are not confirmed vulnerable.
  • The STDREP (opcode 0x8, command 0x4) and RMS opcode 0x7 overflows were noted as not clearly exploitable for code execution at the time of disclosure, though denial of service is confirmed.
  • The Metasploit Rename exploit relies on a three-stage attack: first injecting the payload into memory, then sending an Add command to obtain a valid ID, then triggering the Rename overflow with an egghunter. Single-stage detection may miss the full attack chain.
  • The ROP chains in the public exploits reference specific DLL versions (dao360.dll, MSJET40.dll, msjtes40.dll) that must be present on the target. ROP gadget addresses will differ if different DLL versions are loaded.
  • After payload execution, IGSSdataServer.exe is expected to recover automatically, which may complicate post-exploitation forensics.
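As an added example (not code from this page, from 7-Technologies, or from the Metasploit modules cited above), the following Python triage routine applies the detection notes to raw TCP payloads: it checks the IGSS header prefix and the opcode byte that follows it, a size threshold, the w00t/W00T egghunter tags, the little-endian wire form of the quoted ROP pivot addresses, and traversal sequences for the dc.exe listener on 12397/tcp. The 256-byte size threshold, the function names and the sample payloads are assumptions constructed for illustration; only the header bytes, opcodes, tags and gadget addresses come from the page.

```python
import struct

# Header prefix and opcode offset come from the IOC bytes on this page:
# \x00\x04\x01\x00\x34\x12 <opcode> ...
IGSS_HDR_PREFIX = b"\x00\x04\x01\x00\x34\x12"
OPCODE_OFFSET = len(IGSS_HDR_PREFIX)

# Opcodes named in the CVE description and detection notes.
SUSPECT_OPCODES = {
    0x0D: "file commands (ListAll/WriteFile/ReadFile/Delete/RenameFile/FileInfo)",
    0x07: "RMS report template commands",
    0x08: "STDREP request (command 0x4)",
}

# Assumption: the smallest overflowed buffer the page names is 256 bytes (the STDREP
# sprintf path), so anything beyond header + 256 bytes is treated as oversized. Tune per site.
MAX_BENIGN_PAYLOAD = OPCODE_OFFSET + 1 + 256

# Egghunter tags from the public Metasploit modules. Metasploit's egghunter searches for
# the 4-byte tag twice in a row, so the staged payload starts with the doubled form.
EGG_TAGS = (b"w00tw00t", b"W00TW00T")

# ROP pivot addresses quoted on the page; they travel little-endian in the payload.
ROP_PIVOTS = {
    0x1B77CA8C: "dao360.dll ADD ESP,1388; RETN (XP SP3 / 2003 R2 SP2)",
    0x1B0938B8: "MSJET40.dll ADD ESP,910; RETN 10 (XP SP3)",
    0x1B093622: "MSJET40.dll pivot (2003 SP2 / R2 SP2)",
}
ROP_PIVOT_BYTES = {struct.pack("<I", addr): desc for addr, desc in ROP_PIVOTS.items()}

# The page gives no header layout for the dc.exe service on 12397/tcp, so that check is a
# plain substring match for traversal sequences.
TRAVERSAL = (b"..\\", b"../")


def triage(payload: bytes, dport: int) -> list:
    """Return a list of finding strings for one TCP payload sent to an IGSS host."""
    findings = []

    if dport == 12397:
        if any(t in payload for t in TRAVERSAL):
            findings.append("dc.exe 12397/tcp: directory traversal sequence in payload")
        return findings

    if dport != 12401 or not payload.startswith(IGSS_HDR_PREFIX):
        return findings
    if len(payload) <= OPCODE_OFFSET:
        return findings  # truncated header, nothing to classify

    opcode = payload[OPCODE_OFFSET]
    if opcode in SUSPECT_OPCODES and len(payload) > MAX_BENIGN_PAYLOAD:
        findings.append(
            f"oversized opcode 0x{opcode:02X} ({SUSPECT_OPCODES[opcode]}): {len(payload)} bytes")

    # Egg tag and ROP pivot checks do not depend on size: the Metasploit Rename chain
    # stages the egg in a separate, normally sized request.
    for tag in EGG_TAGS:
        if tag in payload:
            findings.append(f"egghunter tag {tag.decode()} present")
    for raw, desc in ROP_PIVOT_BYTES.items():
        if raw in payload:
            findings.append(f"ROP pivot {desc} ({int.from_bytes(raw, 'little'):#010x})")
    return findings


# Constructed sample payloads (not captured traffic). The two headers reproduce the
# 22-byte IOC byte strings listed on the page.
HDR_LISTALL = IGSS_HDR_PREFIX + b"\x0D" + b"\x00" * 7 + b"\x01\x00\x00\x00\x01\x00\x00\x00"
HDR_RMS = IGSS_HDR_PREFIX + b"\x07" + b"\x00" * 7 + b"\x02\x00\x00\x00\x02\x00\x00\x00"

SAMPLES = {
    "benign_listall": (HDR_LISTALL, 12401),
    "oversized_listall": (HDR_LISTALL + b"A" * 1200, 12401),
    "rop_pivot": (HDR_LISTALL + b"A" * 300 + struct.pack("<I", 0x1B77CA8C) + b"B" * 100, 12401),
    "egg_stage": (HDR_RMS + b"W00TW00T" + b"\x90" * 64, 12401),
    "dc_traversal": (b"..\\..\\payload.exe", 12397),
    "wrong_port": (HDR_LISTALL + b"A" * 1200, 12402),
}


def triage_all(samples=SAMPLES) -> dict:
    """Run triage over every sample and return {name: findings}."""
    return {name: triage(p, port) for name, (p, port) in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(f"{name}: {findings or 'no findings'}")
```

The replay commands in the IOC list (nc SERVER 12401 < igss_6.dat and the rest) produce exactly the kind of single-packet payloads this function classifies; feed it the TCP payload of each segment, or a reassembled stream, from your capture tool. The size threshold is deliberately low so that the 256-byte STDREP path is caught; raise it if legitimate file commands on your network carry larger bodies, but keep the egg-tag and pivot checks unconditional, since the Rename chain sends its egg in a request that is not oversized.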