CVE-2011-5124
published 2012-08-26

CVE-2011-5124: Stack-based buffer overflow in the BCAAA component before build 60258, as used by Blue Coat ProxySG 4.2.3 through 6.1 and ProxyOne, allows remote attackers to…

Priority: P274 · Severity: critical · CVSS 2.0 base score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available · EPSS: 54.65% (98.9th percentile)
Stack-based buffer overflow in the BCAAA component before build 60258, as used by Blue Coat ProxySG 4.2.3 through 6.1 and ProxyOne, allows remote attackers to execute arbitrary code via a large packet to the synchronization port (16102/tcp).

Affected

12 ranges, all for vendor bluecoat, product proxysg (the version range and fixed-in columns of the table are not present on the page).

Detection & IOCs (extracted from sources)

Port: 16102/tcp
Process: bcaaa-130.exe
Bytes: EBAB
  • Monitor for large inbound packets to TCP port 16102 targeting the BCAAA synchronization service; anomalously large packets are the exploit delivery vector.
  • Detect exploit attempts by looking for the static 4-byte marker 'EBAB' within TCP payloads on port 16102; this marker is embedded in the Metasploit exploit buffer between the payload and the stack pivot.
  • Alert on multiple rapid connection attempts to port 16102 from the same source IP; the exploit module retries up to 3–5 times by default to achieve code execution.
  • Look for ROP gadget addresses from MSVCR71.dll, MSVCP71.dll, MSVCR70.dll, and SmAgentAPI.dll (e.g., 0x7c346c0a, 0x1003800C) within TCP payloads on port 16102 as indicators of the DEP/ASLR bypass chain.
  • Payload space is constrained to 936 bytes and null bytes (0x00) are bad characters; shellcode delivered on port 16102 will be null-free and ≤936 bytes.
  • The ROP chain targets specific DLL versions (MSVCR71.dll, MSVCP71.dll, MSVCR70.dll, SmAgentAPI.dll) with hardcoded addresses; the exploit only reliably works against BCAAA Version 5.4.6.1.54128 on Windows where these DLLs are loaded at the expected base addresses.
  • The exploit is not privileged by default ('Privileged' => false), meaning the resulting shell runs under the BCAAA service account context rather than SYSTEM.
  • The vulnerability affects BCAAA builds before 60258; patching to build 60258 or later remediates the overflow.
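As an added illustration (not code from this page's sources or from Blue Coat), the first four detection notes above turned into a packet-level check and a per-source connection-rate check, run over constructed sample traffic; the rate threshold and window are assumed tuning values, not figures from the advisory:

```python
import struct

# Indicators quoted in the detection notes above
SYNC_PORT = 16102
EBAB_MARKER = b"EBAB"
LARGE_PAYLOAD = 936  # payload space the notes quote for the exploit
# ROP gadget addresses from the notes, as the little-endian dwords a chain carries
GADGET_BYTES = [struct.pack("<I", a) for a in (0x7C346C0A, 0x1003800C)]

def inspect_packet(dst_port, payload):
    """Names of the indicators one TCP packet to the BCAAA sync port matches."""
    if dst_port != SYNC_PORT:
        return []
    hits = []
    if len(payload) >= LARGE_PAYLOAD:
        hits.append("large_packet")
    if EBAB_MARKER in payload:
        hits.append("ebab_marker")
    if any(g in payload for g in GADGET_BYTES):
        hits.append("known_gadget")
    return hits

def rapid_sources(connections, threshold=3, window=30.0):
    """Sources making >= threshold connections to the sync port inside any
    `window` seconds (threshold and window are assumed tuning values).
    connections: iterable of (timestamp, src_ip, dst_port)."""
    by_src = {}
    for ts, src, port in connections:
        if port == SYNC_PORT:
            by_src.setdefault(src, []).append(ts)
    flagged = []
    for src, stamps in by_src.items():
        stamps.sort()
        if any(stamps[i + threshold - 1] - stamps[i] <= window
               for i in range(len(stamps) - threshold + 1)):
            flagged.append(src)
    return sorted(flagged)

# Constructed sample traffic, not captured data
SAMPLE_PACKETS = [
    (SYNC_PORT, b"\x01" * 40),                                    # small sync traffic
    (80, b"\x90" * 1000 + EBAB_MARKER),                           # wrong port, ignored
    (SYNC_PORT, b"\x90" * 1000 + EBAB_MARKER + GADGET_BYTES[0]),  # overflow-shaped
]
SAMPLE_CONNECTIONS = [
    (0.0, "10.0.0.5", SYNC_PORT), (1.5, "10.0.0.5", SYNC_PORT),
    (3.2, "10.0.0.5", SYNC_PORT), (4.0, "10.0.0.5", SYNC_PORT),
    (0.0, "10.0.0.7", SYNC_PORT), (600.0, "10.0.0.7", SYNC_PORT),
]
```

Any single hit from inspect_packet on this port is worth a ticket, since legitimate BCAAA synchronization traffic has no reason to carry the marker or those addresses.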