CVE-2011-3322
published 2011-09-15


Priority: P269 · Severity: critical · CVSS 2.0 base score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 65.31% (99.2th percentile)
Core Server HMI Service (Coreservice.exe) in Scadatec Limited Procyon SCADA 1.06, and other versions before 1.14, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long password to the Telnet (TCP/23) port, which triggers an out-of-bounds read or write, leading to a stack-based buffer overflow.

Affected (2 ranges)

Vendor / Product / Version range / Fixed in:
  scadatec / procyon_scada / (not captured) / (not captured)
  scadatec / procyon_scada / (not captured) / (not captured)

Detection & IOCs (extracted from sources)

port: TCP/23
process: Coreservice.exe
other: JMP ESP [user32.dll] @ 0x774699bf
other: ROP gadget oleaut32.dll @ 0x1D847770
other: egghunter tag: 'ssec'
bytes: BadChars: \x00\x0a\x0d
  • Detect exploit attempts by monitoring for oversized password strings (>45 bytes) sent to TCP port 23 on Procyon SCADA systems running Coreservice.exe
  • Fingerprint vulnerable Procyon versions by checking the Telnet banner response for 'Core Command Interface V1.' followed by a version number less than 14 (i.e., V1.xx where xx < 14)
  • Look for the egghunter tag 'ssec' in TCP/23 traffic payloads as a strong indicator of active exploitation using the known Metasploit module
  • Monitor for structured exception handler (SEH) overwrite patterns on the stack in Coreservice.exe; the overflow overwrites an SEH record to achieve code execution
  • Alert on unauthenticated inbound connections to TCP/23 on SCADA/ICS hosts, particularly those sending large payloads during the password prompt phase
  • The ROP/JMP gadget addresses (0x774699bf in user32.dll, 0x1D847770 in oleaut32.dll) are specific to Windows XP SP3 with no DEP bypass; they will not apply to other OS versions or patch levels
  • The Metasploit module targets Procyon Core Server <= v1.13 only; version 1.14 fully resolves the vulnerability and should not be affected
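As an added example (not code from this record's sources or from any vendor or Metasploit tooling), the banner fingerprint, oversized-password and egghunter-tag checks above combined into one inspection routine for a captured TCP/23 session; the 45-byte threshold, the banner string and the 'ssec' tag are taken from the bullets, and all sample payloads are constructed.

```python
import re

# Values taken from the detection guidance above.
BANNER_RE = re.compile(rb"Core Command Interface V1\.(\d+)")
EGGHUNTER_TAG = b"ssec"
PASSWORD_LIMIT = 45          # bytes; longer password strings are the trigger condition
FIXED_MINOR_VERSION = 14     # V1.14 resolves the issue


def banner_minor_version(banner: bytes):
    """Return the V1.xx minor version advertised in the Telnet banner, or None."""
    m = BANNER_RE.search(banner)
    return int(m.group(1)) if m else None


def inspect_password_payload(payload: bytes) -> list:
    """Check one client line sent at the password prompt; returns a list of findings."""
    findings = []
    body = payload.rstrip(b"\r\n")          # Telnet lines end in CRLF; do not count it
    if len(body) > PASSWORD_LIMIT:
        findings.append(f"oversized password ({len(body)} bytes > {PASSWORD_LIMIT})")
    # Egghunter eggs conventionally carry the 4-byte tag twice ("ssecssec");
    # a doubled tag is a stronger signal than a single occurrence.
    if EGGHUNTER_TAG * 2 in body:
        findings.append("egghunter egg marker 'ssecssec' present")
    elif EGGHUNTER_TAG in body:
        findings.append("egghunter tag 'ssec' present")
    return findings


def assess_session(banner: bytes, password_payload: bytes) -> dict:
    """Combine the server banner and the client's password line into one verdict."""
    minor = banner_minor_version(banner)
    vulnerable = minor is not None and minor < FIXED_MINOR_VERSION
    findings = inspect_password_payload(password_payload)
    if findings and vulnerable:
        priority = "high"      # exploit-shaped payload against a known-vulnerable build
    elif findings:
        priority = "medium"    # suspicious payload, target version unknown or patched
    else:
        priority = "none"
    return {"vulnerable_version": vulnerable, "findings": findings, "priority": priority}


if __name__ == "__main__":
    # Constructed sample session, not a real capture.
    banner = b"Core Command Interface V1.06\r\nPassword: "
    payload = b"A" * 100 + b"ssecssec" + b"\r\n"
    print(assess_session(banner, payload))
```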