CVE-2011-3493
published 2011-09-16

Priority: P3 55
CVSS 2.0: 10 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 7.78% (93.9th percentile)
Multiple stack-based buffer overflows in the DH_OneSecondTick function in Cogent DataHub 7.1.1.63 and earlier allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via long (1) domain, (2) report_domain, (3) register_datahub, or (4) slave commands.

Affected (5 ranges)

Vendor          Product          Version range   Fixed in
cogentdatahub   cogent_datahub   <= 7.1.1.63     -
cogentdatahub   cogent_datahub   -               -
cogentdatahub   cogent_datahub   -               -
cogentdatahub   cogent_datahub   -               -
cogentdatahub   cogent_datahub   -               -

Only the first range carries a version bound on this page; the remaining four rows list no version range or fix version.

Detection & IOCs (extracted from sources)

  • port: 4502/TCP
  • port: 4502
  • command: (domain "<1019 x 0x61>\x7f\x55<align><shellcode>")
  • url: http://aluigi.org/poc/cogent_1.dat
  • url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17838.dat
  • path: C:\Program Files\Cogent\Cogent DataHub\plugin\TCPMaster
  • command: nc SERVER 4052 < cogent_1.dat
  • port: 4053/TCP
  • bytes: \x7f\x55 (JMP ESP gadget at 0x0055007f)
  • Detect exploit attempts by monitoring for oversized (>1019 byte) string payloads in the 'domain' command sent to TCP port 4502 or 4503 targeting the Cogent DataHub protocol.
  • Monitor for exploitation of the 'domain', 'report_domain', 'register_datahub', or 'slave' commands with abnormally long arguments on TCP port 4502/4503, as these are the four vulnerable command vectors.
  • Alert on outbound connections from the Cogent DataHub process to port 1337, which is the bind-shell port opened by the public exploit's shellcode.
  • Port 4503/TCP uses the same vulnerable protocol over SSL; inspect or block both 4502 and 4503 at the perimeter for unauthenticated DataHub traffic.
  • Look for the Unicode-encoded shellcode stub (PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQA...) in TCP stream payloads to port 4502 as a signature of the public exploit.
  • The exploit targets only Cogent DataHub v7 (up to 7.1.1.63); the stack Unicode overflow vector on ports 4502/4503 does not affect OPC DataHub or Cascade DataHub v6 prior to 6.4.20 in the same way.
  • Disabling or firewalling ports 4502/TCP and 4503/TCP eliminates the remote attack surface for CVE-2011-3493; this can be configured in the Tunnel/Mirror properties of DataHub.