CVE-2011-5227
published 2012-10-25

Priority: P2 (score 74, critical)
CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 76.95% (99.5th percentile)
Stack-based buffer overflow in the Syslog service (nssyslogd.exe) in Enterasys Network Management Suite (NMS) before 4.1.0.80 allows remote attackers to execute arbitrary code via a long PRIO field in a message to UDP port 514.

Affected (1 range)

Vendor: enterasys
Product: netsight
Version range: <= 4.1.0.79
Fixed in: 4.1.0.80 (per the description above)

Detection & IOCs (extracted from sources)

process: nssyslogd.exe
port: UDP/514
other: 0x77c4e444 (ADD ESP,30 # POP EDX # RETN # from msvcrt, Windows XP SP3)
other: 0x77bdf444 (ADD ESP,30 # POP EDX # RETN # from msvcrt, Windows 2003 SP2)
bytes: \x81\xc4\x54\xf2\xff\xff
  • Monitor for oversized/malformed syslog messages with an abnormally long PRIO field (the bracketed priority value at the start of a syslog packet) sent to UDP port 514, targeting nssyslogd.exe on Enterasys NetSight systems.
  • Detect the stack-adjustment prepend encoder byte sequence 0x81 0xC4 0x54 0xF2 0xFF 0xFF (ADD ESP, -3500) in UDP/514 payloads as a strong indicator of exploit delivery against this vulnerability.
  • The exploit offsets the buffer by 43 bytes before the return address; UDP syslog packets to port 514 with payload structure matching this pattern (43-byte junk + ROP chain) should be flagged.
  • The exploit targets nssyslogd.exe on Windows XP SP3 and Windows 2003 SP2; alert on unexpected child processes or shellcode execution spawned from nssyslogd.exe.
  • The exploit payload length is adjusted dynamically based on the length of the attacker's source IP address, meaning the exact offset in captured traffic will vary by 1–15 bytes depending on the source IP.
  • The null byte (0x00) is a bad character for the payload; detection signatures should account for the fact that shellcode will be encoded to avoid null bytes.
  • The ROP gadget addresses differ between Windows XP SP3 (0x77c4e444) and Windows 2003 SP2 (0x77bdf444), both sourced from msvcrt.dll; detection rules relying on static ROP addresses must account for both targets.