CVE-2011-2900
published 2011-08-05


Priority: P2 · 73 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Flags: ITW, EXPLOIT, VulnCheck KEV (exploited in the wild)
EPSS: 13.26% (95.9th percentile)
Stack-based buffer overflow in the (1) put_dir function in mongoose.c in Mongoose 3.0, (2) put_dir function in yasslEWS.c in yaSSL Embedded Web Server (yasslEWS) 0.2, and (3) _shttpd_put_dir function in io_dir.c in Simple HTTPD (shttpd) 1.42 allows remote attackers to execute arbitrary code via an HTTP PUT request, as exploited in the wild in 2011.

Affected (3 ranges)

Vendor | Product | Version range | Fixed in
shttpd | shttpd | |
valenok | mongoose | |
yassl | yasslews | |

Detection & IOCs (extracted from sources)

command: PUT /<path> HTTP/1.0
command: PUT /<buf>/ HTTP/1.0
path: mongoose.c
path: yasslEWS.c
path: io_dir.c
bytes: %01%10%8F%E2%11%FF%2F%E1%02%20%01%21%92%1A%0F%02%19%37%01%DF%06%1C%08%A1%10%22%02%37%01%DF%3F%27%02%21%30%1c%01%df%01%39%FB%D5%05%A0%92%1A%05%b4%69%46%0b%27%01%DF%C0%46%02%00%11%5c
  • Detect HTTP PUT requests with excessively long path segments (>107 bytes) targeting the root or directory paths, indicative of buffer overflow exploitation against put_dir()
  • Look for ARM connect-back shellcode pattern in HTTP PUT request body/path: URL-encoded bytes starting with %01%10%8F%E2%11%FF%2F%E1
  • The exploit targets port 80 with HTTP/1.0 PUT requests; monitor for repeated stack-lifting gadget pattern '%a0%ce%31%40' appearing multiple times (26+) in a single PUT request URI
  • The vulnerability is only exploitable for RCE when the server is NOT compiled with -DNDEBUG; when compiled with assert enabled (default Fedora), the result is DoS only via assert abort
  • Exploitation was observed in the wild in 2011 against sfr/ubiquisys femtocell webservers running shttpd/mongoose; prioritize detection on embedded/IoT HTTP servers
  • RCE is only achievable when the vulnerable server is compiled WITHOUT -DNDEBUG; servers compiled with assert enabled (e.g., default Fedora builds) will crash/DoS instead of allowing code execution
  • The RCE exploit's shellcode address (SHELLCODE = 0xbc568) and heap layout assumptions are specific to the sfr/ubiquisys femtocell target where the heap is not randomized; ASLR-enabled systems require different offsets
  • The RCE exploit uses ARM-architecture ROP gadgets and shellcode; it is not directly applicable to x86/x86-64 deployments of the same vulnerable software

CVSS provenance

NVD (CVSS v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck: 7.5 HIGH