CVE-2012-1465
Published 2012-03-19
Priority P3 · Severity medium · CVSS 2.0 base score 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
Exploit available (see the Exploit-DB and Metasploit entries below)
EPSS 27.40% (97.8th percentile)
Stack-based buffer overflow in the HTTP Server in NetMechanica NetDecision before 4.6.1 allows remote attackers to cause a denial of service (application crash) via a long URL in an HTTP request. NOTE: some of these details are obtained from third party information.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netmechanica | netdecision | <= 4.5.1 | — |
Detection & IOCs (extracted from sources)
- Match the HTTP Server banner 'NetDecision-HTTP-Server/1.0' in server responses to identify exposed NetDecision hosts; the Metasploit module uses this banner to fingerprint vulnerable targets.
- Alert on HTTP GET requests with URLs exceeding ~1276 bytes directed at port 80; this is the minimum payload length used in the DoS proof-of-concept.
- The Metasploit exploit uses an SEH-based overflow with an offset of 1620 bytes and a POP/POP/RET gadget from OLEACC.dll (0x74C869E2); monitor for abnormally long GET request URIs against the NetDecision HTTP service.
- The companion directory traversal vulnerability uses '...\' sequences in the path against TrafficGrapherServer.exe; monitor HTTP requests containing '...\' path components on NetDecision hosts.
- Caveat: remote code execution via the buffer overflow requires the victim to have HttpSvr's window actively focused/visible; without this condition only a DoS crash is achievable.
- Caveat: the ROP/SEH return address (0x74C869E2 in OLEACC.dll) is specific to NetDecision 4.5.1 on Windows XP SP3; it will not be reliable on other OS/patch levels.
- Caveat: the exploit payload must avoid the bad characters listed in the Metasploit module; payloads containing these bytes will be corrupted and fail.
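Added example, not code from the page's sources: a small Python scanner that applies the three network-side indicators above (server banner, oversized GET URI, '...\' path components) to constructed request-log lines. The tab-separated log format and its field order are assumptions made for this example.

```python
"""Constructed detection logic for the NetDecision HTTP Server indicators.

Assumed (constructed) log format, one request per line, tab-separated:
    timestamp  client  method  request-uri  status  server-header
"""
import re
from urllib.parse import unquote

LONG_URI_THRESHOLD = 1276                 # minimum payload length used by the DoS PoC
BANNER = "NetDecision-HTTP-Server/1.0"     # banner the Metasploit module fingerprints
TRAVERSAL = re.compile(r"\.\.\.\\")        # a literal "...\" path component


def classify(line):
    """Return the indicator names triggered by one log line (empty list if none)."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        return ["malformed-log-line"]
    _ts, _client, method, uri, _status, server = fields
    hits = []
    if server == BANNER:
        hits.append("netdecision-banner")       # inventory: exposed NetDecision HTTP service
    if method == "GET" and len(uri.encode()) >= LONG_URI_THRESHOLD:
        hits.append("long-get-uri")             # oversized URL: DoS / overflow attempt
    if TRAVERSAL.search(unquote(uri)):          # decode %5C etc. before matching
        hits.append("dotdotdot-traversal")      # companion traversal against TrafficGrapherServer
    return hits


def scan(lines):
    """Map 1-based line numbers to their indicator hits, omitting clean lines."""
    return {n: h for n, l in enumerate(lines, 1) if (h := classify(l))}


# Constructed sample log: a benign request, a long-URL request, an encoded
# traversal attempt, and an unrelated server for contrast.
SAMPLE_LOG = [
    "2012-03-15T10:00:00Z\t10.0.0.5\tGET\t/index.html\t200\t" + BANNER,
    "2012-03-15T10:00:01Z\t10.0.0.7\tGET\t/" + "A" * 1400 + "\t500\t" + BANNER,
    "2012-03-15T10:00:02Z\t10.0.0.7\tGET\t/...%5C...%5Cboot.ini\t200\t" + BANNER,
    "2012-03-15T10:00:03Z\t10.0.0.9\tGET\t/index.html\t200\tApache/2.2",
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(hits)}")
```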
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| vendor_redhat | — | 9.1 | CRITICAL | — |
GHSA
GHSA-764x-f594-rv3g (ghsa_unreviewed · 2022-05-17 · CVE-2012-1465 [MEDIUM] · CWE-119)
Stack-based buffer overflow in the HTTP Server in NetMechanica NetDecision before 4.6.1 allows remote attackers to cause a denial of service (application crash) via a long URL in an HTTP request. NOTE: some of these details are obtained from third party information.
Red Hat
CVE-2011-3191 [HIGH] kernel: cifs: signedness issue in CIFSFindNext() (vendor_redhat · 2011-08-23 · CVSS 8.8)
Integer signedness error in the CIFSFindNext function in fs/cifs/cifssmb.c in the Linux kernel before 3.1 allows remote CIFS servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a large length value in a response to a read request for a directory.
Statement: This issue affects the Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, 6, and Red Hat Enterprise MRG. It has been addressed in Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-1386.html, https://rhn.redhat.com/errata/RHSA-2011-1465.html, and https://rhn.redhat.com/errata/RHSA-2012-0010.html. Red Hat Enterprise Linux 4 is now in Production 3 of the maintenance life-cycle, ht
Red Hat
CVE-2011-3188 [CRITICAL] kernel: net: improve sequence number generation (vendor_redhat · 2011-08-07 · CVSS 9.1)
The (1) IPv4 and (2) IPv6 implementations in the Linux kernel before 3.1 use a modified MD4 algorithm to generate sequence numbers and Fragment Identification values, which makes it easier for remote attackers to cause a denial of service (disrupted networking) or hijack network sessions by predicting these values and sending crafted packets.
Statement: This issue affects the Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, 6, and Red Hat Enterprise MRG. It has been addressed in Red Hat Enterprise Linux 5, 6, and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-1386.html, https://rhn.redhat.com/errata/RHSA-2011-1465.html, and https://rhn.redhat.com/errata/RHSA-2012-0010.html. Red Hat Enterprise Linux 4 is now in
Red Hat
CVE-2011-2494 [LOW] kernel: taskstats io infoleak (vendor_redhat · 2011-06-21 · CVSS 2.1)
kernel/taskstats.c in the Linux kernel before 3.1 allows local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another user's password.
Statement: This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 4 as it did not provide support for the Taskstats interface. This has been addressed in Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-1479.html, https://rhn.redhat.com/errata/RHSA-2011-1465.html, and https://rhn.redhat.com/errata/RHSA-2012-0010.html.
Package: kernel (Red Hat Enterprise Linux 4) - Not affected
Red Hat
CVE-2011-3359 [HIGH] kernel: b43: allocate receive buffers big enough for max frame len + offset (vendor_redhat · 2011-03-27 · CVSS 7.5)
The dma_rx function in drivers/net/wireless/b43/dma.c in the Linux kernel before 2.6.39 does not properly allocate receive buffers, which allows remote attackers to cause a denial of service (system crash) via a crafted frame.
Statement: This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 4 and 5 as they did not provide support for Broadcom 43xx wireless devices. This has been addressed in Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-1465.html, and https://rhn.redhat.com/errata/RHSA-2012-0010.html.
Package: kernel (Red Hat Enterprise Linux 4) - Not affected
Package: kernel (Red Hat Enterprise Linux 5) - Not affe
Red Hat
CVE-2011-4326 [HIGH] CWE-119 kernel: wrong headroom check in udp6_ufo_fragment() (vendor_redhat · 2011-03-03 · CVSS 7.1)
The udp6_ufo_fragment function in net/ipv6/udp.c in the Linux kernel before 2.6.39, when a certain UDP Fragmentation Offload (UFO) configuration is enabled, allows remote attackers to cause a denial of service (system crash) by sending fragmented IPv6 UDP packets to a bridge device.
Statement: This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 4 and 5 as they did not provide support for UDP Fragmentation Offload (UFO) functionality. This has been addressed in Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-1465.html, and https://rhn.redhat.com/errata/RHSA-2012-0010.html.
Package: kernel (Red Hat Enterprise Linux 4) - Not affected
Package: ke
No detection rules found.
Exploit-DB
Netmechanica NetDecision HTTP Server 4.5.1 - Remote Buffer Overflow (Metasploit) (exploitdb · 2012-03-15 · CVE-2012-1465)
---
Excerpt of the module header as indexed (the excerpt ends mid-description):

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # (the module boilerplate between the class declaration and the 'Name' key
  #  is missing from the indexed excerpt)
      'Name'           => "NetDecision 4.5.1 HTTP Server Buffer Overflow",
      'Description'    => %q{
        This module exploits a vulnerability found in NetDecision's HTTP service
        (located in C:\Program Files\NetDecision\Bin\HttpSvr.exe). By supplying a
        long string of data to the URL, an overflow may occur if the data gets handled
        by HTTP Server's active window. In other words, in order to gain remote code
        execution, the victim is probably looking at
```
Exploit-DB
Netmechanica NetDecision HTTP Server - Denial of Service (exploitdb · 2012-02-29 · CVE-2012-1465)
---
Header of the SecPod proof-of-concept as indexed:

```python
##############################################################################
#
# Title     : Netmechanica NetDecision HTTP Server Denial Of Service Vulnerability
# Author    : Prabhu S Angadi SecPod Technologies (www.secpod.com)
# Vendor    : http://www.netmechanica.com
# Advisory  : http://secpod.org/blog/?p=484
#             http://secpod.org/advisories/SecPod_Netmechanica_NetDecision_HTTP_Server_DoS_Vuln.txt
#             http://secpod.org/exploits/SecPod_Netmechanica_NetDecision_HTTP_Server_DoS_PoC.py
# Software  : Netmechanica NetDecision HTTP Server version 4.5.1
# Date      : 05/12/2011
#
###############################################################################
```

SecPod ID: 1040
- 05/12/2011 Issue Discovered
- 21/02/2012 Vendor Notified
- 22/02/2012 Vendor A
Metasploit
NetDecision 4.5.1 HTTP Server Buffer Overflow (metasploit)
This module exploits a vulnerability found in NetDecision's HTTP service (located in C:\Program Files\NetDecision\Bin\HttpSvr.exe). By supplying a long string of data to the URL, an overflow may occur if the data gets handled by HTTP Server's active window. In other words, in order to gain remote code execution, the victim is probably looking at HttpSvr's window.
Metasploit
NetDecision NOCVision Server Directory Traversal (metasploit)
This module exploits a directory traversal bug in NetDecision's TrafficGrapherServer.exe service. This is done by using "...\" in the path to retrieve a file on a vulnerable machine.
No writeups or analysis indexed.
References
- http://osvdb.org/79651
- http://secpod.org/advisories/SecPod_Netmechanica_NetDecision_HTTP_Server_DoS_Vuln.txt
- http://secpod.org/blog/?p=484
- http://secunia.com/advisories/48168
- http://www.exploit-db.com/exploits/18541
- http://www.netmechanica.com/news/?news_id=26
- http://www.securityfocus.com/bid/52194
- http://www.securityfocus.com/bid/52208
- https://exchange.xforce.ibmcloud.com/vulnerabilities/73528