CVE-2012-4711
Published 2013-02-15
CVE-2012-4711: Buffer overflow in kingMess.exe 65.20.2003.10300 in WellinTech KingView 6.52, kingMess.exe 65.20.2003.10400 in KingView 6.53, and kingMess.exe 65.50.2011.18049…
Priority P2 (70) · CVSS 2.0: 10 (critical) · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit available
EPSS: 61.49% (99.1th percentile)
Buffer overflow in kingMess.exe 65.20.2003.10300 in WellinTech KingView 6.52, kingMess.exe 65.20.2003.10400 in KingView 6.53, and kingMess.exe 65.50.2011.18049 in KingView 6.55 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted packet.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wellintech | kingview | — | — |
| wellintech | kingview | — | — |
| wellintech | kingview | — | — |
Detection & IOCs (extracted from sources)
bytes: \xdd\x07\x03\x00\x03\x00\x0d\x00\x0c\x00\x31\x00\x38\x00\xd4\x01
bytes: \x81\xc4\x54\xf2\xff\xff
- The exploit targets KingMess.exe via a malformed .kvl (log) file opened through the 'Browse Log Files' option; monitor for KingMess.exe opening .kvl files from untrusted/network locations.
- The exploit payload uses a stack adjustment prepend encoder (add esp, -3500 / 0x81 0xc4 0x54 0xf2 0xff 0xff); scan for this byte sequence at the start of shellcode in .kvl files or network traffic.
- The exploit uses a fixed ROP/return address 0x77c35459 (push esp; ret in msvcrt.dll on Windows XP SP3); presence of this address in memory or file content associated with KingMess.exe is a strong indicator of exploitation.
- The malicious .kvl file starts with a version string '6.00' padded to 0x90 bytes, followed by a fixed 16-byte entry header; this structure can be used as a file-based detection signature.
- The vulnerability is triggered remotely via a specially crafted packet to KingView/KingMess; monitor network traffic to KingView-associated ports for anomalous or oversized packets targeting KingMess.exe.
- Bad characters for the payload are null byte, LF, and CR (\x00\x0a\x0d); these are excluded from shellcode, which can help tune IDS signatures to avoid false negatives on encoded payloads.
- The Metasploit module's ROP gadget (0x77c35459 in msvcrt.dll) and offset (295) are specific to Windows XP SP3; exploitation on other OS versions would require different offsets/return addresses.
- The exploit payload space is limited to 1408 bytes with NOP generation disabled; payloads larger than this will not fit and the exploit will fail, which may affect detection of non-Metasploit variants.
- The EXITFUNC is set to 'process', meaning successful exploitation will terminate the KingMess.exe process after payload execution; unexpected KingMess.exe crashes may indicate exploitation attempts.
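A defender-side file check built from the indicators listed above (an added example, not code from any of the sources indexed here): it flags the .kvl layout signature, the stack-adjust prepend bytes, the little-endian form of the 0x77c35459 return address, and an unusually long run of bytes free of the exploit's bad characters. The zero padding byte, the run threshold tied to the 295-byte offset, and both sample files are assumptions/constructed for the demonstration.

```python
import sys
from typing import List

# Indicators taken from the Detection & IOCs list above.
KVL_VERSION = b"6.00"                  # version string at the start of the .kvl file
KVL_HEADER_OFFSET = 0x90               # version string is padded out to 0x90 bytes
KVL_ENTRY_HEADER = b"\xdd\x07\x03\x00\x03\x00\x0d\x00\x0c\x00\x31\x00\x38\x00\xd4\x01"
STACK_ADJUST = b"\x81\xc4\x54\xf2\xff\xff"      # add esp, -3500 prepend encoder
ROP_RET = (0x77C35459).to_bytes(4, "little")    # push esp; ret (msvcrt.dll, XP SP3) as stored on disk
BAD_CHARS = b"\x00\x0a\x0d"                      # bytes the payload must avoid
OVERFLOW_OFFSET = 295                            # assumption: a bad-char-free run this long is suspicious


def longest_clean_run(data: bytes) -> int:
    """Length of the longest run containing none of the exploit's bad characters."""
    best = cur = 0
    for b in data:
        cur = 0 if b in BAD_CHARS else cur + 1
        best = max(best, cur)
    return best


def scan_kvl(data: bytes) -> List[str]:
    """Return the indicator names found in a .kvl file's contents (empty list = nothing matched)."""
    findings = []
    if data[:4] == KVL_VERSION and data[KVL_HEADER_OFFSET:KVL_HEADER_OFFSET + 16] == KVL_ENTRY_HEADER:
        findings.append("kvl-structure")          # layout of the malicious file
    if STACK_ADJUST in data:
        findings.append("stack-adjust-prepend")
    if ROP_RET in data:
        findings.append("rop-return-address")
    if longest_clean_run(data) >= OVERFLOW_OFFSET:
        findings.append("long-clean-run")         # region long enough to reach the 295-byte offset
    return findings


def build_sample(malicious: bool) -> bytes:
    """Constructed sample contents for exercising the scanner; zero padding is an assumption."""
    header = KVL_VERSION.ljust(KVL_HEADER_OFFSET, b"\x00") + KVL_ENTRY_HEADER
    if not malicious:
        return header + b"\x00".join(b"entry %d" % i for i in range(8))
    # indicator bytes around inert filler, not an exploit payload
    return header + b"A" * OVERFLOW_OFFSET + ROP_RET + STACK_ADJUST + b"B" * 300


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, scan_kvl(fh.read()) or "clean")
```

A legitimate log file is expected to share the header layout, so "kvl-structure" alone is a scoping signal; the other findings are what separate the indicator-bearing file from a benign one.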
GHSA
GHSA-fg48-5fcg-jjv7: Buffer overflow in kingMess
ghsa (unreviewed) · 2022-05-17 · CVE-2012-4711 · severity HIGH · CWE-119
CISA ICS
WellinTech KingView KingMess Buffer Overflow (Update A)
cisa_ics · 2013-02-12
ICS Advisory (archived content: CISA notes that the archive contains outdated information that may not reflect current policy or programs)
Alert Code: ICSA-13-043-02A · Last Revised: May 08, 2013
## Overview
This updated advisory is a follow-up to the original advisory titled ICSA-13-043-02—WellinTech KingView KingMess Buffer Overflow that was published February 12, 2013, on the ICS-CERT Web page.
This updated advisory provides mitigation details for a vulnerability that impacts the WellinTech KingView KingMess application.
Researchers Lucas Apa and Carlos Mario Penagos Hollman of IOActive have identified a buffer overflow vulnerability in WellinTech’s KingView Ki
No detection rules found.
Exploit-DB
KingView - Log File Parsing Buffer Overflow (Metasploit)
exploitdb · 2013-03-25 · CVE-2012-4711
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 "KingView Log File Parsing Buffer Overflow",
'Description' => %q{
This module exploits a vulnerability found in KingView MSF_LICENSE,
'Author' =>
[
'Lucas Apa', # Vulnerability discovery
'Carlos Mario Penagos Hollman', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
['CVE', '2012-4711'],
['OSVDB', '89690'],
['BID', '57909'],
['URL', 'http://ics-cert.us-cert.gov/pdf/ICSA-13-043-02.pdf']
],
'Payload' =>
{
'
```
Metasploit
KingView Log File Parsing Buffer Overflow
metasploit
This module exploits a vulnerability found in KingView <= 6.55. It exists in the KingMess.exe application when handling log files, due to the insecure usage of sprintf. This module uses a malformed .kvl file which must be opened by the victim via the KingMess.exe application, through the 'Browse Log Files' option. The module has been tested successfully on KingView 6.52 and KingView 6.53 Free Trial over Windows XP SP3.
No writeups or analysis indexed.
Published: 2013-02-15