cbcvebase.
CVE-2012-3815
published 2012-06-27

Priority: P2 · 69 · critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 44.34% (98.6th percentile)
Buffer overflow in RunTime.exe in Sielco Sistemi Winlog Pro SCADA before 2.07.18 and Winlog Lite SCADA before 2.07.18 allows remote attackers to execute arbitrary code via a crafted packet to TCP port 46824. NOTE: some of these details are obtained from third party information.

Affected

56 ranges· showing 25
Vendor          Product       Version range   Fixed in
sielcosistemi   winlog_lite   <= 2.07.14
sielcosistemi   winlog_lite   <= 2.07.16
sielcosistemi   winlog_lite   (23 further rows shown; version range and fixed-in values are not present in the extracted page)

Detection & IOCs (extracted from sources)

port: 46824/tcp
process: RunTime.exe
bytes: \x14\x14\x14\x14\x14\x14\x14\x14\x14\x14
  • Alert on TCP connections to port 46824 carrying oversized packets (>= 2000 bytes of random alpha data followed by a second packet containing 0x14 repeated 10 times) targeting the RunTime.exe SCADA service.
  • Detect the two-stage exploit pattern: a first TCP packet of ~2000+ bytes (shellcode/egg placement) followed immediately by a second packet containing the byte sequence 0x14 0x14 0x14 0x14 0x14 0x14 0x14 0x14 0x14 0x14 as the crash trigger on port 46824.
  • Monitor for egghunter shellcode patterns in TCP payloads on port 46824, as the exploit uses a two-stage egghunter technique to locate and execute the payload.
  • Flag any process spawned by RunTime.exe on Windows SCADA hosts, as successful exploitation results in arbitrary code execution under the RunTime.exe process context.
  • The Metasploit module targets versions 2.07.14–2.07.16; the NVD advisory states the vulnerability is fixed in 2.07.18, so version 2.07.17 may also be affected but is not covered by the public exploit module.