CVE-2012-4705
published 2013-02-24

Priority: P2 · 73 · critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit available
EPSS: 65.67% (99.2th percentile)

Directory traversal vulnerability in 3S CODESYS Gateway-Server before 2.3.9.27 allows remote attackers to execute arbitrary code via vectors involving a crafted pathname.

Affected

17 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 3s-software | codesys_gateway-server | <= 2.3.9.20 | |
| 3s-software | codesys_gateway-server | | |
| 3s-software | codesys_gateway-server | | |
| 3s-software | codesys_gateway-server | | |
| 3s-software | codesys_gateway-server | | |
| 3s-software | codesys_gateway-server | | |
| 3s-software | codesys_gateway-server | | |
| 3s-software | codesys_gateway-server | | |
| 3s-software | codesys_gateway-server | | |
| 3s-software | codesys_gateway-server | | |
| 3s-software | codesys_gateway-server | | |
| 3s-software | codesys_gateway-server | | |
| 3s-software | codesys_gateway-server | | |
| 3s-software | codesys_gateway-server | | |
| 3s-software | codesys_gateway-server | | |
| 3s-software | codesys_gateway-server | | |
| 3s-software | codesys_gateway-server | | |

Detection & IOCs (extracted from sources)

port: TCP/1211
port: 1211
command: opcode = [6].pack('L')
path: WINDOWS\system32\wbem\mof\
path: windows\system32\
filename: *.mof
filename: *.exe
bytes: \xdd\xdd

  • Alert on creation of .mof files in WINDOWS\system32\wbem\mof\ on hosts running CoDeSys Gateway-Server, as this is the second-stage execution mechanism used by the exploit.
  • Monitor for opcode value 6 (a 32-bit little-endian field, bytes 06 00 00 00 on the wire) in CoDeSys Gateway-Server TCP/1211 packets, which is the file-upload opcode used by the exploit.
  • A publicly available Metasploit module exploits this vulnerability; correlate IDS alerts on TCP/1211 with Metasploit framework indicators.
  • The exploit packet size field is dynamically calculated based on the uploaded file size and traversal path length; static size-based signatures may miss variants with different payload sizes.