CVE-2011-5227
Published 2012-10-25
Priority: P2 (74) · CVSS 2.0: 10 (critical)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available (see Exploit-DB / Metasploit below)
EPSS: 76.95% (99.5th percentile)
Stack-based buffer overflow in the Syslog service (nssyslogd.exe) in Enterasys Network Management Suite (NMS) before 4.1.0.80 allows remote attackers to execute arbitrary code via a long PRIO field in a message to UDP port 514.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| enterasys | netsight | <= 4.1.0.79 | 4.1.0.80 |
Detection & IOCs (extracted from sources)
bytes: \x81\xc4\x54\xf2\xff\xff (x86 `ADD ESP, -3500`, the stack-adjustment prepend encoder used by the public exploit)
- Monitor for oversized or malformed syslog messages sent to UDP port 514 on Enterasys NetSight systems, specifically an abnormally long PRI field (the bracketed `<priority>` value at the start of a syslog packet; per RFC 3164 it is at most three digits between `<` and `>`). The PRI parser in nssyslogd.exe is the overflow target.
- Detect the byte sequence 0x81 0xC4 0x54 0xF2 0xFF 0xFF in UDP/514 payloads. It is the exploit's stack-adjustment prepend encoder (x86 `ADD ESP, -3500`; the immediate 0xFFFFF254 is encoded little-endian) and a strong indicator of exploit delivery against this vulnerability.
- The exploit places 43 bytes of padding before the return address; UDP syslog packets to port 514 whose payload matches this layout (43 bytes of junk followed by the gadget address and payload) should be flagged.
- The exploit targets nssyslogd.exe on Windows XP SP3 and Windows 2003 SP2; alert on unexpected child processes or other signs of code execution originating from nssyslogd.exe.
- The padding length is computed from the length of the attacker's source IP address string, so the exact offset seen in captured traffic varies with the source address (a dotted-quad IPv4 string is 7 to 15 characters); signatures should not hard-code a single offset.
- The null byte (0x00) is a bad character for the payload, so the shellcode is encoded to avoid it; signatures should not expect raw, unencoded shellcode.
- The gadget addresses differ between Windows XP SP3 (0x77c4e444) and Windows 2003 SP2 (0x77bdf444), both taken from msvcrt.dll; detection rules keyed on static addresses must match both (on the wire, little-endian: 44 e4 c4 77 and 44 f4 bd 77).
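The following Python check applies the indicators above to a single UDP/514 datagram. It is an added example, not code from the source page, the vendor, or the Metasploit module: it validates the PRI field against the RFC 3164 shape, searches for the stack-adjustment prepend encoder (decoding its immediate to confirm it is -3500), and searches for both msvcrt.dll gadget addresses in little-endian byte order. The sample datagrams, including the hostile one laid out as 43 bytes of padding, gadget address, prepend encoder and stand-in payload, are constructed here for illustration, not captured traffic.

```python
import struct
from typing import Dict, List, Optional

# Indicators taken from the IOC list above.
STACK_ADJUST_PREPEND = b"\x81\xc4\x54\xf2\xff\xff"   # x86: ADD ESP, imm32
GADGETS = {                                          # msvcrt.dll, per target
    "Windows XP SP3": 0x77C4E444,
    "Windows 2003 SP2": 0x77BDF444,
}


def decode_add_esp(seq: bytes) -> Optional[int]:
    """Return the signed imm32 of an `81 C4 imm32` (ADD ESP, imm32) sequence, else None."""
    if len(seq) != 6 or seq[:2] != b"\x81\xc4":
        return None
    return struct.unpack("<i", seq[2:])[0]


def check_pri(payload: bytes) -> Optional[dict]:
    """Flag a PRI field that violates RFC 3164: '<' + 1-3 digits (0-191) + '>'."""
    if not payload.startswith(b"<"):
        return None   # no PRI at all; receivers treat the datagram as plain message text
    end = payload.find(b">", 1)
    if end == -1:
        return {"kind": "unterminated_pri", "length": len(payload) - 1}
    pri = payload[1:end]
    if len(pri) > 3 or not pri.isdigit() or int(pri) > 191:
        return {"kind": "malformed_pri", "length": len(pri)}
    return None


def inspect_syslog_payload(payload: bytes) -> dict:
    """Inspect one UDP/514 datagram and return structured findings."""
    findings: List[dict] = []
    pri = check_pri(payload)
    if pri:
        findings.append(pri)
    off = payload.find(STACK_ADJUST_PREPEND)
    if off != -1:
        findings.append({"kind": "stack_adjust", "offset": off,
                         "imm": decode_add_esp(STACK_ADJUST_PREPEND)})
    for target, addr in GADGETS.items():
        needle = struct.pack("<I", addr)   # addresses appear little-endian on the wire
        off = payload.find(needle)
        if off != -1:
            findings.append({"kind": "gadget", "target": target,
                             "address": addr, "offset": off})
    return {"suspicious": bool(findings), "findings": findings}


# Constructed sample datagrams (not captured traffic). The hostile one follows the
# layout described above: PRI opener, 43 bytes of padding, the gadget address, the
# stack-adjust prepend, then stand-in payload bytes (NOPs here; real shellcode
# would be encoded to avoid 0x00).
SAMPLES: Dict[str, bytes] = {
    "benign": b"<34>Oct 11 22:14:15 netsight su: 'su root' failed for lonvick on /dev/pts/8",
    "no_pri": b"Oct 11 22:14:15 netsight sshd[1234]: Accepted publickey for ops",
    "hostile": (b"<" + b"A" * 43 + struct.pack("<I", GADGETS["Windows XP SP3"])
                + STACK_ADJUST_PREPEND + b"\x90" * 16 + b">"),
}


def scan(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, dict]:
    """Run the inspection over a set of named datagrams."""
    return {name: inspect_syslog_payload(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, result in scan().items():
        print(name, result)
```

Because the padding length in real traffic depends on the attacker's source address, the check matches the indicators wherever they occur rather than at a fixed offset; the reported offsets are still useful for confirming the 43-byte layout by hand.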
No detection rules found.
Exploit-DB
Enterasys NetSight - 'nssyslogd.exe' Remote Buffer Overflow (Metasploit)
exploitdb · 2013-01-04
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # Mixin inferred from the transport described above (UDP datagrams to port 514);
  # the original line was swallowed by the page's HTML extraction.
  include Msf::Exploit::Remote::Udp

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Enterasys NetSight nssyslogd.exe Buffer Overflow',
      'Description' => %q{
          This module exploits a stack buffer overflow in Enterasys NetSight. The
          vulnerability exists in the Syslog service (nssyslogd.exe) when parsing a specially
          crafted PRIO from a syslog message. The module has been tested successfully on
          Enterasys NetSight 4.0.1.34 over Windows XP SP3 and Windows 2003 SP2.
      },
      'Author'      =>
        [
          'Jeremy Brown', # Vulnerability discovery
          'rgod',         #
          # (module listing truncated in the source page; targets, offsets and
          # payload construction are not reproduced here)
```
Metasploit
Enterasys NetSight nssyslogd.exe Buffer Overflow
This module exploits a stack buffer overflow in Enterasys NetSight. The vulnerability exists in the Syslog service (nssyslogd.exe) when parsing a specially crafted PRIO from a syslog message. The module has been tested successfully on Enterasys NetSight 4.0.1.34 over Windows XP SP3 and Windows 2003 SP2.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/47263
- http://www.securitytracker.com/id?1026440
- http://www.zerodayinitiative.com/advisories/ZDI-11-350/
- https://cp-enterasys.kb.net/display/4n/kb/article.aspx?aid=14206&n=3&tab=search&bt=4n&s=
- https://cp-enterasys.kb.net/utility/downloadArticle.aspx?aid=14206
- https://exchange.xforce.ibmcloud.com/vulnerabilities/71889