CVE-2011-5012
Published: 2011-12-25
Priority: P2 59 · Severity: critical · CVSS 2.0 base score: 10 · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 7.85% (93.9th percentile)
Heap-based buffer overflow in the Reflection FTP Client (rftpcom.dll 7.2.0.106 and possibly other versions), as used in Attachmate Reflection 2008, Reflection 2011 R1 before 15.3.2.569 and R1 SP1 before, Reflection 2011 R2 before 15.4.1.327, Reflection Windows Client 7.2 SP1 before hotfix 7.2.1186, and Reflection 14.1 SP1 before 14.1.1.206, allows remote FTP servers to execute arbitrary code via a long directory name in a response to a LIST command.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| attachmate | reflection | — | — |
| attachmate | reflection | — | — |
| attachmate | reflection_2008r1 | — | — |
Detection & IOCs (extracted from sources)
- bytes: 41*296 + 44434241 ("AAAA...AAAA" * 296 + "DCBA")
- Detect anomalously long directory name entries (>296 bytes) in FTP LIST command responses, which trigger the heap overflow in rftpcom.dll.
- Monitor for FTP LIST responses containing directory name fields exceeding 296 bytes; the exploit uses exactly 296 'A' bytes followed by a 4-byte overwrite value ('DCBA') to corrupt the heap.
- The exploit sets EXITFUNC to 'thread' and uses bad characters \x00\xff\x0d\x5c\x2f\x0a in the payload; shellcode in FTP LIST responses avoiding these bytes is a strong indicator of exploitation.
- The Metasploit module acts as a rogue FTP server; look for FTP servers sending '150 Here comes the directory listing.' followed by '226 Directory send ok.' with an oversized LIST data payload.
- The exploit targets XP SP3 Universal with a fixed heap offset of 300 bytes; the offset and target address may differ on other Windows versions, limiting direct reuse of the PoC on non-XP SP3 systems.
- The vulnerable DLL version is listed as 7.2.0.106 but NVD notes 'possibly other versions', so version-based detection alone may miss affected installations.
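The length heuristic from the indicators above, as an added example that is not code from this page, the vendor, or the Metasploit module: it parses a constructed Unix-style LIST data-channel payload and flags any entry whose name field is longer than 296 bytes. The listing format and the sample entries are assumptions for the demonstration.

```python
# Added detection example for the CVE-2011-5012 indicator above (not code from this
# page or from the vendor): flag FTP LIST response entries with an oversized name field.
import re

# The public PoC pads the name with 296 bytes before the 4-byte overwrite, so the
# page's threshold is "more than 296 bytes".
NAME_LENGTH_THRESHOLD = 296

# Unix "ls -l" style listing: eight whitespace-separated fields, then the name,
# which may itself contain spaces.
_UNIX_LIST_LINE = re.compile(rb"^(?:\S+\s+){8}(.+)$")


def extract_name(line: bytes) -> bytes:
    """Return the name field of one LIST line.

    Lines that do not look like a Unix listing (e.g. DOS-style or vendor formats)
    are returned whole, so an oversized line is still caught.
    """
    match = _UNIX_LIST_LINE.match(line)
    return match.group(1) if match else line


def scan_list_response(data: bytes, threshold: int = NAME_LENGTH_THRESHOLD) -> list:
    """Scan a LIST data-channel payload and return (line_no, name_length) pairs
    for every entry whose name field is longer than `threshold` bytes."""
    findings = []
    for line_no, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.rstrip(b"\r")
        if not line:
            continue
        name_len = len(extract_name(line))
        if name_len > threshold:
            findings.append((line_no, name_len))
    return findings


# Constructed sample payload: two benign entries and one whose name is 300 bytes,
# the length the PoC produces (296 filler bytes + 4 overwrite bytes).
SAMPLE_LISTING = (
    b"drwxr-xr-x 2 ftp ftp 4096 Nov 15 2011 pub\r\n"
    b"-rw-r--r-- 1 ftp ftp 1234 Nov 15 2011 README.txt\r\n"
    b"drwxr-xr-x 2 ftp ftp 4096 Nov 15 2011 " + b"A" * 300 + b"\r\n"
)

if __name__ == "__main__":
    for line_no, name_len in scan_list_response(SAMPLE_LISTING):
        print(f"line {line_no}: name field is {name_len} bytes (> {NAME_LENGTH_THRESHOLD})")
```

Applied to a passive capture of the data channel, a hit on this check is worth correlating with the '150 ... 226' control-channel sequence noted above.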
No detection rules found.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/46879
- http://support.attachmate.com/techdocs/1708.html
- http://support.attachmate.com/techdocs/2288.html
- http://support.attachmate.com/techdocs/2502.html
- http://www.exploit-db.com/exploits/18119
- http://www.osvdb.org/77189
- http://www.protekresearchlab.com/index.php?option=com_content&view=article&id=29&Itemid=29
- http://www.securitytracker.com/id?1026340
- https://exchange.xforce.ibmcloud.com/vulnerabilities/71330