CVE-2011-3493
Published 2011-09-16
Priority P3 · 55 · CVSS 2.0: 10 (critical)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Public exploit available
EPSS: 7.78% (93.9th percentile)
Multiple stack-based buffer overflows in the DH_OneSecondTick function in Cogent DataHub 7.1.1.63 and earlier allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via long (1) domain, (2) report_domain, (3) register_datahub, or (4) slave commands.
Affected (5 ranges listed; only the first carries version data)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cogentdatahub | cogent_datahub | <= 7.1.1.63 | — |
Detection & IOCs (extracted from sources)
Bytes: `\x7f\x55` (JMP ESP gadget at 0x0055007f)
- Detect exploit attempts by monitoring for oversized (>1019 byte) string payloads in the 'domain' command sent to TCP port 4502 or 4503 targeting the Cogent DataHub protocol.
- Monitor for exploitation of the 'domain', 'report_domain', 'register_datahub', or 'slave' commands with abnormally long arguments on TCP port 4502/4503, as these are the four vulnerable command vectors.
- Alert on outbound connections from the Cogent DataHub process to port 1337, which is the bind-shell port opened by the public exploit's shellcode.
- Port 4503/TCP uses the same vulnerable protocol over SSL; inspect or block both 4502 and 4503 at the perimeter for unauthenticated DataHub traffic.
- Look for the Unicode-encoded shellcode stub (PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQA...) in TCP stream payloads to port 4502 as a signature of the public exploit.
- The exploit targets only Cogent DataHub v7 (up to 7.1.1.63); the stack Unicode overflow vector on ports 4502/4503 does not affect OPC DataHub or Cascade DataHub v6 prior to 6.4.20 in the same way.
- Disabling or firewalling ports 4502/TCP and 4503/TCP eliminates the remote attack surface for CVE-2011-3493; this can be configured in the Tunnel/Mirror properties of DataHub.
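An added detection example (not from any of the sources quoted here) that applies the two payload heuristics above to captured TCP segments. Because this page does not describe the DataHub wire format, it assumes commands arrive as newline-terminated text with the command name as the first whitespace-separated token; the ports, the 1019-byte threshold and the shellcode stub are the values quoted in the notes.

```python
"""Heuristic detector for CVE-2011-3493 exploit attempts against Cogent DataHub.

Assumption (not from the vendor): the tunnel protocol is treated as lines of
text, first token = command name, remainder = argument. Sample payloads in
demo() are constructed for illustration.
"""
from dataclasses import dataclass

VULNERABLE_CMDS = {b"domain", b"report_domain", b"register_datahub", b"slave"}
MAX_SAFE_ARG_LEN = 1019            # arguments longer than this are suspicious
DATAHUB_PORTS = {4502, 4503}       # plaintext tunnel port and its SSL twin
# Unicode-encoded shellcode stub quoted in the detection notes above
UNICODE_STUB = b"PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQA"


@dataclass
class Finding:
    reason: str      # "oversized argument" or "unicode shellcode stub"
    command: bytes   # command token the finding was raised on
    arg_len: int     # length of the argument in bytes


def inspect_payload(dst_port: int, payload: bytes) -> list[Finding]:
    """Return one Finding per suspicious line in a payload sent to dst_port."""
    findings: list[Finding] = []
    if dst_port not in DATAHUB_PORTS:
        return findings                     # not DataHub traffic, ignore
    for line in payload.split(b"\n"):
        parts = line.rstrip(b"\r").split(None, 1)
        if not parts:
            continue
        cmd = parts[0]
        arg = parts[1] if len(parts) > 1 else b""
        if cmd in VULNERABLE_CMDS and len(arg) > MAX_SAFE_ARG_LEN:
            findings.append(Finding("oversized argument", cmd, len(arg)))
        if UNICODE_STUB in line:
            findings.append(Finding("unicode shellcode stub", cmd, len(arg)))
    return findings


def demo() -> int:
    """Run the detector over constructed samples; returns number of findings."""
    samples = [
        (4502, b"domain OPCdomain\n"),                      # benign
        (4502, b"domain " + b"A" * 1200 + b"\n"),           # oversized argument
        (4503, b"slave " + UNICODE_STUB + b"\n"),           # signature hit
        (80,   b"domain " + b"A" * 1200 + b"\n"),           # wrong port, ignored
    ]
    total = 0
    for port, data in samples:
        for f in inspect_payload(port, data):
            print(f"port {port}: {f.reason} in {f.command!r} ({f.arg_len} bytes)")
            total += 1
    return total
```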
GHSA
GHSA-3c26-6j36-gq3h (ghsa_unreviewed · 2022-05-17): CVE-2011-3493 [HIGH] CWE-119, Multiple stack-based buffer overflows in the DH_OneSecondTick function in Cogent DataHub 7
Multiple stack-based buffer overflows in the DH_OneSecondTick function in Cogent DataHub 7.1.1.63 and earlier allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via long (1) domain, (2) report_domain, (3) register_datahub, or (4) slave commands.
CISA ICS
Cogent DataHub Vulnerabilities (cisa_ics · 2011-09-13)
ICS Advisory: Cogent DataHub Vulnerabilities
Last Revised: September 06, 2018
Alert Code: ICSA-11-280-01
## Overview
This Advisory is a follow-up to the Alert, “ICS-ALERT-11-256-03—COGENT DATAHUB VULNERABILITIES,” that was published September 13, 2011, on the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) web page.
ICS-CERT is aware of a public report of multiple vulnerabilities in Cogent’s DataHub application. These vulnerabilities include denial-of-service, information leakage, and remote code execution. Cogent has produced a patch that resolves these vulnerabilities in Da
No detection rules found.
Exploit-DB
Cogent Datahub 7.1.1.63 - Remote Unicode Buffer Overflow (exploitdb · 2011-09-22, CVE-2011-3493)
---
```python
#!/usr/bin/python
#
# Cogent Datahub > @net__ninja || @luigi_auriemma
# example usage:
# [mr_me@neptune cognet]$ ./cognet_overflow.py 192.168.114.130
#
# -----------------------------------------------------
# ------ Cogent Datahub Unicode Overflow Exploit ------
# ------------- Found by Luigi Auriemma ---------------
# --------- SYSTEM exploit by Steven Seeley -----------
#
# (+) Sending overflow...
# (+) Getting shell..
# Connection to 192.168.114.130 1337 port [tcp/menandmice-dns] succeeded!
# Microsoft Windows [Version 5.2.3790]
# (C) Copyright 1985-2003 Microsoft Corp.
#
# C:\Program Files\Cogent\Cogent DataHub\plugin\TCPMaster>whoami
# whoami
# nt authority\system
#
# C:\Program Files\Cogent\Cogent DataHub\plugin\TCPMaste
```
Exploit-DB
Cogent DataHub 7.1.1.63 - Stack Overflow (exploitdb · 2011-09-14, CVE-2011-3493)
---
```text
#######################################################################
Luigi Auriemma
Application: Cogent DataHub
http://www.cogentdatahub.com/Products/Cogent_DataHub.html
Versions: ]
#######################################################################
3) The Code
http://aluigi.org/poc/cogent_1.dat
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17838.dat
nc SERVER 4052 < cogent_1.dat
port 4053 uses the same protocol via SSL.
#######################################################################
4) Fix
No fix.
#######################################################################
```
No writeups or analysis indexed.