CVE-2011-3322
Published: 2011-09-15
Priority: P2 · 69 · critical
CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: public (Exploit-DB and Metasploit entries below)
EPSS: 65.31% (99.2th percentile)
Core Server HMI Service (Coreservice.exe) in Scadatec Limited Procyon SCADA 1.06, and other versions before 1.14, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long password to the Telnet (TCP/23) port, which triggers an out-of-bounds read or write, leading to a stack-based buffer overflow.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| scadatec | procyon_scada | — | — |
| scadatec | procyon_scada | — | — |
Detection & IOCs (extracted from sources)
Bad characters: \x00\x0a\x0d
Detections:
- Detect exploit attempts by monitoring for oversized password strings (>45 bytes) sent to TCP port 23 on Procyon SCADA systems running Coreservice.exe.
- Fingerprint vulnerable Procyon versions by checking the Telnet banner response for 'Core Command Interface V1.' followed by a version number less than 14 (i.e., V1.xx where xx < 14).
- Look for the egghunter tag 'ssec' in TCP/23 traffic payloads as a strong indicator of active exploitation using the known Metasploit module.
- Monitor for structured exception handler (SEH) overwrite patterns on the stack in Coreservice.exe; the overflow overwrites an SEH record to achieve code execution.
- Alert on unauthenticated inbound connections to TCP/23 on SCADA/ICS hosts, particularly those sending large payloads during the password prompt phase.
Caveats:
- The ROP/JMP gadget addresses (0x774699bf in user32.dll, 0x1D847770 in oleaut32.dll) are specific to Windows XP SP3 with no DEP bypass; they will not apply to other OS versions or patch levels.
- The Metasploit module targets Procyon Core Server <= v1.13 only; version 1.14 resolves the vulnerability and is not affected.
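The network-side checks in the list above, as working code. This is an added example and not code from the page, the ICS-CERT advisory or the Metasploit module: it parses the 'Core Command Interface V1.xx' banner and flags it when xx < 14, and classifies a client chunk sent at the password prompt as suspicious when its body exceeds 45 bytes or carries the 'ssec' egghunter tag. One extra heuristic is my own assumption and not from the sources: non-printable bytes where a typed password is expected. All sample bytes are constructed inline.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>

#define PASSWORD_LIMIT 45                          /* from the ">45 bytes" IOC */
static const char EGG_TAG[] = "ssec";              /* egghunter tag named in the IOC list */
static const char BANNER_PREFIX[] = "Core Command Interface V1.";

enum ioc_flags {
    IOC_OVERSIZED_PASSWORD = 1u << 0,   /* password body longer than PASSWORD_LIMIT */
    IOC_EGGHUNTER_TAG      = 1u << 1,   /* "ssec" present anywhere in the chunk */
    IOC_NONPRINTABLE       = 1u << 2    /* assumed heuristic: raw bytes in a typed password */
};

/* Portable substring search over a byte buffer (memmem is not ISO C). */
static int contains_bytes(const unsigned char *hay, size_t hlen, const char *needle)
{
    size_t nlen = strlen(needle);
    if (nlen == 0 || hlen < nlen) return 0;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Parse the minor version from "Core Command Interface V1.NN".
 * Returns NN, or -1 when the banner does not match. */
int procyon_banner_minor(const char *banner)
{
    const char *p = strstr(banner, BANNER_PREFIX);
    if (!p) return -1;
    p += sizeof BANNER_PREFIX - 1;
    if (!isdigit((unsigned char)*p)) return -1;
    return (int)strtol(p, NULL, 10);
}

/* Versions before 1.14 are the ones the advisory lists as affected. */
int procyon_banner_vulnerable(const char *banner)
{
    int minor = procyon_banner_minor(banner);
    return minor >= 0 && minor < 14;
}

/* Classify one client->server chunk received at the password prompt.
 * Returns a bitmask of ioc_flags; 0 means nothing matched. */
unsigned classify_password_chunk(const unsigned char *data, size_t len)
{
    unsigned flags = 0;
    size_t body = len;
    /* measure the password body without the Telnet CR/LF line ending */
    while (body > 0 && (data[body - 1] == '\r' || data[body - 1] == '\n')) body--;
    if (body > PASSWORD_LIMIT) flags |= IOC_OVERSIZED_PASSWORD;
    if (contains_bytes(data, len, EGG_TAG)) flags |= IOC_EGGHUNTER_TAG;
    for (size_t i = 0; i < body; i++)
        if (!isprint(data[i])) { flags |= IOC_NONPRINTABLE; break; }
    return flags;
}

/* Constructed exploit-shaped chunk: 60 bytes of filler (past the limit), the
 * doubled egghunter tag, a few 0x90 bytes, then the Telnet line ending. */
size_t build_exploit_like_chunk(unsigned char *out, size_t cap)
{
    size_t n = 0;
    if (cap < 60 + 8 + 8 + 2) return 0;
    memset(out, 'A', 60);            n += 60;
    memcpy(out + n, "ssecssec", 8);  n += 8;
    memset(out + n, 0x90, 8);        n += 8;
    memcpy(out + n, "\r\n", 2);      n += 2;
    return n;
}

unsigned classify_exploit_like_chunk(void)
{
    unsigned char buf[128];
    size_t n = build_exploit_like_chunk(buf, sizeof buf);
    return classify_password_chunk(buf, n);
}

unsigned classify_benign_login(void)
{
    static const unsigned char line[] = "operator\r\n";   /* constructed normal login */
    return classify_password_chunk(line, sizeof line - 1);
}

int main(void)
{
    printf("banner V1.13 vulnerable: %d\n", procyon_banner_vulnerable("Core Command Interface V1.13\r\n"));
    printf("banner V1.14 vulnerable: %d\n", procyon_banner_vulnerable("Core Command Interface V1.14\r\n"));
    printf("benign login flags:      0x%x\n", classify_benign_login());
    printf("exploit-like flags:      0x%x\n", classify_exploit_like_chunk());
    return 0;
}
```

The banner check is the cheap, passive first step: run it against the service's greeting before scoring any password traffic, and treat IOC_EGGHUNTER_TAG as the high-confidence hit, since the oversized-password and non-printable signals will also fire on fuzzers and broken clients.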
GHSA
GHSA-5cp7-gfgq-44x8 (ghsa_unreviewed · 2022-05-17): CVE-2011-3322 [HIGH], CWE-119. Title and description are the CVE text given above.
CISA ICS
Scadatec Limited Procyon Telnet Buffer Overflow
cisa_ics · 2018-09-06 · ICS Advisory ICSA-11-216-01 · last revised September 06, 2018
Archived content: CISA notes that its archive contains outdated information that may not reflect current policy or programs.
## Overview
ICS-CERT originally released Advisory ICSA-11-216-01P on the US-CERT Portal on August 04, 2011. This web page release was delayed to allow users sufficient time to download and install the update.
ICS-CERT has received a report from Knud Højgaard of the nSense Vulnerability Coordination Team concerning a vulnerability in the Scadatec Limited Procyon human-machine interface/supervisory control and data acquisition (HMI/SCADA) product. This vulnerability could allow
Detection rules: No detection rules found.
Exploit-DB
Procyon Core Server HMI 1.13 - 'Coreservice.exe' Remote Stack Buffer Overflow (Metasploit)
exploitdb · 2011-09-12 · CVSS 10.0 · CVE-2011-3322 [CRITICAL]
Module source as indexed. The listing breaks off on the source page inside the references array; the text that HTML extraction ate from each `<` onward (the superclass, the module name and the description) is restored here from the standard Metasploit 3 module skeleton and from the module title and description shown under Metasploit below:
```ruby
##
# $Id: procyon_core_server.rb 13724 2011-09-12 21:42:36Z swtornio $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      # Name and Description restored from the module text indexed below.
      'Name'        => "Procyon Core Server HMI <= v1.13 Coreservice.exe Stack Buffer Overflow",
      'Description' => %q{
        This module exploits a vulnerability in the coreservice.exe component of Procyon
        Core Server <= v1.13. While processing a password, the application fails to do
        proper bounds checking before copying data into a small buffer on the stack.
        This causes a buffer overflow and allows an attacker to overwrite a structured
        exception handling record on the stack, allowing for unauthenticated remote
        code execution. Also, after the payload exits, Coreservice.exe should
        automatically recover.
      },
      'License'     => MSF_LICENSE,
      'Version'     => '$Revision: 13724 $',
      'Author'      =>
        [
          'Knud Højgaard', # Initial discovery
          'mr_me',         # Initial discovery & poc/msf
        ],
      'References'  =>
        [
          ['CVE', 'CVE-2011-3322'],
          ['OSVDB', '75371'],
          ['UR
# (listing cut off here on the source page)
```
Metasploit
Procyon Core Server HMI Coreservice.exe Stack Buffer Overflow
This module exploits a vulnerability in the coreservice.exe component of Procyon Core Server <= v1.13. While processing a password, the application fails to do proper bounds checking before copying data into a small buffer on the stack. This causes a buffer overflow and allows an attacker to overwrite a structured exception handling record on the stack, allowing for unauthenticated remote code execution. Also, after the payload exits, Coreservice.exe should automatically recover.
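The copy-without-bounds pattern that the CVE text and the module description both describe, modelled in C as an added example. Coreservice.exe is closed source, so this is an illustration of the bug class beside its bounded form, not Scadatec's code: the 45-byte buffer size is an assumption taken from the ">45 bytes" threshold in the IOC list, and the expected credential and test inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size, chosen to match the page's ">45 bytes" IOC; the real
 * product's buffer size is not published. */
#define PASSWORD_MAX 45
#define EXPECTED_PASSWORD "operator"   /* constructed sample credential */

enum auth_result { AUTH_OK = 0, AUTH_BAD_PASSWORD = 1, AUTH_TOO_LONG = 2 };

/* Length of the password body once the Telnet CR/LF line ending is removed. */
static size_t password_body_len(const char *line, size_t len)
{
    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n'))
        len--;
    return len;
}

/* VULNERABLE pattern: n is whatever the client sent and is never compared
 * with sizeof pw, so a long password runs past pw[] into the saved frame
 * pointer, the return address and, on 32-bit Windows, the SEH record that
 * sits in the frame. Kept here for contrast only; never feed it untrusted
 * input. */
enum auth_result check_password_vulnerable(const char *line, size_t len)
{
    char pw[PASSWORD_MAX + 1];
    size_t n = password_body_len(line, len);
    size_t i;
    for (i = 0; i < n; i++)          /* no bound against sizeof pw */
        pw[i] = line[i];
    pw[i] = '\0';
    return strcmp(pw, EXPECTED_PASSWORD) == 0 ? AUTH_OK : AUTH_BAD_PASSWORD;
}

/* Bounded version: the length is validated before a single byte reaches the
 * stack buffer, and an over-long line is refused rather than silently
 * truncated, so the rejection is itself a loggable event. */
enum auth_result check_password_safe(const char *line, size_t len)
{
    char pw[PASSWORD_MAX + 1];
    size_t n = password_body_len(line, len);
    if (n > PASSWORD_MAX)
        return AUTH_TOO_LONG;
    memcpy(pw, line, n);
    pw[n] = '\0';
    return strcmp(pw, EXPECTED_PASSWORD) == 0 ? AUTH_OK : AUTH_BAD_PASSWORD;
}

/* Feed an n-byte line of the repeated byte c (constructed attacker-style
 * input, capped at 512 bytes) to the bounded handler. */
enum auth_result safe_handler_on_repeated(char c, size_t n)
{
    char buf[512];
    if (n > sizeof buf) n = sizeof buf;
    memset(buf, c, n);
    return check_password_safe(buf, n);
}

int main(void)
{
    printf("normal login:  %d\n", check_password_safe("operator\r\n", 10));
    printf("45 x 'A':      %d\n", safe_handler_on_repeated('A', 45));
    printf("200 x 'A':     %d\n", safe_handler_on_repeated('A', 200));
    return 0;
}
```

The difference between the two handlers is a single comparison placed before the copy; the vulnerable one also shows why the fix cannot be a matter of "recovering" afterwards, as the module description notes the service does: by the time the copy finishes, the SEH record is already attacker-controlled.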
No writeups or analysis indexed.
References
- http://osvdb.org/75371
- http://secunia.com/advisories/45866
- http://securityreason.com/securityalert/8374
- http://www.exploit-db.com/exploits/17827
- http://www.securityfocus.com/bid/49480
- http://www.stratsec.net/Research/Advisories/Procyon-Core-Server-HMI-Remote-Stack-Overflow
- http://www.uscert.gov/control_systems/pdf/ICSA-11-216-01.pdf
- https://exchange.xforce.ibmcloud.com/vulnerabilities/69632