CVE-2012-1830
Published: 2012-07-05
CVE-2012-1830: Stack-based buffer overflow in WellinTech KingView 6.53 allows remote attackers to execute arbitrary code via a crafted packet to TCP port 555.
Priority: P263 · critical · 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 7.65% (93.8th percentile)
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wellintech | kingview | <= 6.53 | — |
| wellintech | kingview | — | — |
| wellintech | kingview | — | — |
| wellintech | kingview | — | — |
| wellintech | kingview | — | — |
| wellintech | kingview | — | — |
Detection & IOCs (extracted from sources)
command: `exploit = ("\x90"*1024) + ("A"*23976) + ("B"*12500) + ("D"*6250) + ("E"*6002) + ("\x44\x43\x42\x41") + ("\x90"*256)`
bytes: `\x44\x43\x42\x41`
- Monitor for large TCP connections to port 555 targeting KingView; the exploit sends a payload of ~50,000+ bytes including a leading NOP sled (\x90*1024) followed by large repeated-byte blocks, characteristic of a stack-based buffer overflow attempt.
- EIP overwrite value 0x41424344 ('ABCD') observed in crash analysis; network payloads containing this byte sequence (\x44\x43\x42\x41 in little-endian) sent to TCP/555 are indicative of exploit attempts against KingView 6.53.
- KingView acts as a Login Server on TCP/555 only when configured as 'Local is a Login Server' under network parameters; detection should focus on this port being open/reachable on KingView hosts.
- TCP port 555 is only exposed when KingView is explicitly configured as a Login Server ('Local is a Login Server' node type). The attack surface is conditional on this configuration being active.
- The exploit was tested on Windows SP1; behavior on other Windows versions may differ. Detection rules should account for the specific OS environment of deployed KingView 6.53 instances.
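The indicators listed above can be combined into a triage check over reassembled TCP/555 payloads. This is an added example, not code from the indexed sources; the function names and the three thresholds are assumptions to tune against real KingView login traffic. The 0x41424344 marker is a proof-of-concept placeholder, so it is recorded but never sufficient on its own.

```python
import re

KINGVIEW_LOGIN_PORT = 555               # Login Server port named on this page
POC_EIP_MARKER = b"\x44\x43\x42\x41"    # 0x41424344 in little-endian, from this page

# Assumed thresholds (not from the page): adjust after baselining normal traffic.
MAX_NORMAL_PAYLOAD = 4096   # bytes; the described exploit payload is ~50,000+
MIN_NOP_SLED = 64           # consecutive 0x90 bytes
MIN_BYTE_RUN = 1024         # consecutive identical bytes of any value

_NOP_SLED = re.compile(rb"\x90{%d,}" % MIN_NOP_SLED)
_LONG_RUN = re.compile(rb"(.)\1{%d,}" % (MIN_BYTE_RUN - 1), re.DOTALL)


def score_payload(dst_port, payload):
    """Return the names of the indicators that fired for one client-to-server stream."""
    if dst_port != KINGVIEW_LOGIN_PORT:
        return []
    hits = []
    if len(payload) > MAX_NORMAL_PAYLOAD:
        hits.append("oversized")
    if _NOP_SLED.search(payload):
        hits.append("nop_sled")
    if _LONG_RUN.search(payload):
        hits.append("long_byte_run")
    if POC_EIP_MARKER in payload:
        hits.append("poc_eip_marker")
    return hits


def is_suspicious(dst_port, payload):
    """Alert only on structure: an oversized payload that also carries filler.

    The 4-byte marker alone is ignored because the same bytes ("DCBA") can
    appear in benign data and a different return address would not contain it.
    """
    hits = set(score_payload(dst_port, payload))
    return "oversized" in hits and bool(hits & {"nop_sled", "long_byte_run"})


if __name__ == "__main__":
    # Constructed samples; the short one is NOT real KingView protocol data.
    samples = {
        "short message": b"LOGIN user=operator1\r\n",
        "large, no filler": bytes(range(256)) * 40,
        "overflow-shaped": b"\x90" * 1024 + b"A" * 30000 + POC_EIP_MARKER,
    }
    for name, data in samples.items():
        print(name, score_payload(555, data), is_suspicious(555, data))
```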
CISA ICS
WellinTech KingView Multiple Vulnerabilities
cisa_ics·2014-09-02
ICS Advisory
Last Revised: September 02, 2014
Alert Code: ICSA-12-185-01
## Overview
Independent researchers Carlos Mario Penagos Hollman and Dillon Beresford identified multiple vulnerabilities in WellinTech’s KingView and a single vulnerability in WellinTech’s KingHistorian application. These vulnerabilities are exploitable remotely. WellinTech has created a patch and the researchers have validated that the patch resolves these vulnerabilities in the KingView and KingHistorian applications.
## Affected Products
The following products and versions
GHSA
GHSA-85v9-xccv-2c8g: Stack-based buffer overflow in WellinTech KingView 6
ghsa_unreviewed·2022-05-17
CVE-2012-1830 [HIGH] CWE-119 GHSA-85v9-xccv-2c8g: Stack-based buffer overflow in WellinTech KingView 6
Stack-based buffer overflow in WellinTech KingView 6.53 allows remote attackers to execute arbitrary code via a crafted packet to TCP port 555.
No detection rules found.
No writeups or analysis indexed.
Published: 2012-07-05