CVE-2011-5124
Published 2012-08-26
Priority: P2 (74) · CVSS 2.0 base score: 10.0 (critical)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available · EPSS: 54.65% (98.9th percentile)
Stack-based buffer overflow in the BCAAA component before build 60258, as used by Blue Coat ProxySG 4.2.3 through 6.1 and ProxyOne, allows remote attackers to execute arbitrary code via a large packet to the synchronization port (16102/tcp).
Affected
12 ranges indexed (the extracted rows carry no version data; the range below is taken from the description)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bluecoat | proxysg | 4.2.3 through 6.1, and ProxyOne, when running BCAAA before build 60258 | BCAAA build 60258 |
Detection & IOCs (extracted from sources)
IOC (bytes): EBAB
- Monitor for large inbound packets to TCP port 16102 targeting the BCAAA synchronization service; an oversized packet to that port is the exploit delivery vector.
- Detect exploit attempts by looking for the static 4-byte marker 'EBAB' within TCP payloads on port 16102; the Metasploit module embeds this marker in the exploit buffer between the payload and the stack pivot.
- Alert on multiple rapid connection attempts to port 16102 from the same source IP; the Metasploit module attempts the exploit up to three times by default (the ATTEMPTS option) and in some cases needs as many as five to achieve code execution.
- Look for ROP gadget addresses from MSVCR71.dll, MSVCP71.dll, MSVCR70.dll and SmAgentAPI.dll (e.g., 0x7c346c0a, 0x1003800C, which appear as little-endian 4-byte values on the wire) within TCP payloads on port 16102 as indicators of the DEP/ASLR bypass chain.
- Payload space is constrained to 936 bytes and null bytes (0x00) are bad characters, so shellcode delivered on port 16102 will be null-free and at most 936 bytes.
- The ROP chain targets specific DLL versions (MSVCR71.dll, MSVCP71.dll, MSVCR70.dll, SmAgentAPI.dll) with hardcoded addresses; the exploit only works reliably against BCAAA 5.4.6.1.54128 on Windows where these DLLs are loaded at the expected base addresses.
- The module is marked 'Privileged' => false: the resulting shell runs in the BCAAA service account context rather than as SYSTEM.
- The vulnerability affects BCAAA builds before 60258; updating to build 60258 or later remediates the overflow.
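As an added example (not from this page, the Metasploit module or Blue Coat), the indicators above expressed as detection logic in Python and run over constructed sample connections. The byte marker and the two gadget addresses are the ones quoted above; the 1024-byte size threshold, the 30-second retry window, the source addresses and the sample traffic are assumptions chosen for the example.

```python
import struct
from collections import defaultdict

BCAAA_PORT = 16102
MARKER = b"EBAB"                       # static marker quoted in the IOC list above
# Gadget addresses quoted above, packed as they travel on the wire: a ROP chain
# on 32-bit x86 is a sequence of little-endian 4-byte return addresses.
GADGET_ADDRS = (0x7c346c0a, 0x1003800C)
GADGETS = {addr: struct.pack("<I", addr) for addr in GADGET_ADDRS}
LARGE_PAYLOAD = 1024   # bytes; threshold is an assumption for this example
RETRY_THRESHOLD = 3    # the Metasploit module's default ATTEMPTS is three
WINDOW = 30.0          # seconds; assumption for this example


def score_payload(payload: bytes) -> list:
    """Return the list of indicators present in one TCP payload to 16102."""
    hits = []
    if len(payload) >= LARGE_PAYLOAD:
        hits.append(f"large packet ({len(payload)} bytes)")
    if MARKER in payload:
        hits.append("EBAB marker")
    for addr, raw in GADGETS.items():
        if raw in payload:
            hits.append(f"gadget 0x{addr:08x}")
    return hits


class ConnectionTracker:
    """Count connections per source IP inside a sliding time window."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.seen = defaultdict(list)

    def record(self, src: str, ts: float) -> int:
        recent = [t for t in self.seen[src] if ts - t <= self.window]
        recent.append(ts)
        self.seen[src] = recent
        return len(recent)


def analyse(events):
    """events: iterable of (timestamp, src_ip, dst_port, payload).

    Returns a list of (timestamp, src_ip, indicators) for every connection to
    the BCAAA port that matched at least one indicator."""
    tracker = ConnectionTracker()
    alerts = []
    for ts, src, dport, payload in events:
        if dport != BCAAA_PORT:
            continue                        # only the BCAAA sync port matters
        count = tracker.record(src, ts)
        hits = score_payload(payload)
        if count >= RETRY_THRESHOLD:
            hits.append(f"{count} connections in {WINDOW:.0f}s")
        if hits:
            alerts.append((ts, src, hits))
    return alerts


# Constructed sample traffic (not captured data): one source hitting the port
# three times with an exploit-shaped buffer, one benign sync client, and one
# large packet to an unrelated port that must be ignored.
EXPLOIT_LIKE = (b"A" * 900 + GADGETS[0x7c346c0a] + MARKER
                + GADGETS[0x1003800C] + b"\x90" * 200)
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", BCAAA_PORT, EXPLOIT_LIKE),
    (2.0, "10.0.0.5", BCAAA_PORT, EXPLOIT_LIKE),
    (4.0, "10.0.0.5", BCAAA_PORT, EXPLOIT_LIKE),
    (5.0, "10.0.0.9", BCAAA_PORT, b"sync ok"),
    (6.0, "10.0.0.9", 80, b"A" * 2000),
]

if __name__ == "__main__":
    for ts, src, hits in analyse(SAMPLE_EVENTS):
        print(f"t={ts:4.1f} {src}: " + ", ".join(hits))
```

The three payload checks (size, fixed marker, gadget bytes) map directly onto a Suricata or Snort rule using `dsize` and `content` on traffic to port 16102; the per-source retry count is the part that needs stateful correlation in the SIEM rather than a single-packet signature. Tune the size threshold against a baseline of real BCAAA synchronization traffic before deploying it, since the only value the page supports is that the exploit buffer is larger than a normal sync exchange.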
No detection rules found.
Exploit-DB
Blue Coat Authentication and Authorization Agent (BCAAA) 5 - Remote Buffer Overflow (Metasploit)
exploitdb · 2011-07-09 · CVE-2011-5124
```ruby
##
# $Id: bcaaa_bof.rb 13137 2011-07-09 04:10:52Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'        => "Blue Coat Authentication and Authorization Agent (BCAAA) 5 Buffer Overflow",
      'Description' => %q{
          This module exploits a stack buffer overflow in process bcaaa-130.exe (port 16102),
          which comes as part of the Blue Coat Authentication proxy. Please note that by default,
          this exploit will attempt up to three times in order to successfully
          gain remote code execution (in some cases, it takes as many as five times).
          This can cause your activity to look even more suspicious. To modify the
          number of exploit attempts, set the ATTEMPTS option.
      },
      # (the Exploit-DB excerpt indexed on this page ends here)
```
Metasploit
Blue Coat Authentication and Authorization Agent (BCAAA) 5 Buffer Overflow
metasploit
This module exploits a stack buffer overflow in process bcaaa-130.exe (port 16102), which comes as part of the Blue Coat Authentication proxy. Please note that by default, this exploit will attempt up to three times in order to successfully gain remote code execution (in some cases, it takes as many as five times). This can cause your activity to look even more suspicious. To modify the number of exploit attempts, set the ATTEMPTS option.
No writeups or analysis indexed.