CVE-2012-4750
published 2020-01-13


Priority: P260, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 8.91% (94.6th percentile)
A code execution vulnerability exists in the memcpy function used when processing AMF requests in Ezhometech EzServer 7.0, which could let a remote malicious user execute arbitrary code or cause a denial of service.

Affected (1 range)

Vendor       Product   Version range            Fixed in
ezhometech   ezserver  7.0 (per description)    not listed

Detection & IOCs (extracted from sources)

port: 1935/tcp
command: AMF connect request with size_2=\xff\xff and body string 'connect' (\x63\x6f\x6e\x6e\x65\x63\x74) over RTMP to port 1935
bytes: \xff\xff (the 2-byte AMF size field that triggers the vulnerability, located in the RTMP connect request body)
bytes: RTMP connect AMF request header: \x03\x00\x00\x00 + size + \x14\x00\x00\x00\x00
  • Detect an oversized AMF string size field (0xFFFF) in RTMP connect requests on TCP port 1935: the 2-byte size field in the AMF body immediately before the 'connect' string should never exceed the actual string length.
  • Monitor RTMP traffic on TCP port 1935 for AMF requests whose 2-byte size field is significantly larger than the string payload that follows it; this is the signature of a heap corruption attempt through the uncontrolled memcpy size.
  • The exploit completes a full RTMP handshake (C0+C1, then C2) before sending the malicious AMF payload, so detection must inspect post-handshake RTMP data rather than only the initial connection.
  • Look for the RTMP chunk header byte sequence \x03\x00\x00\x00, followed by the size bytes and \x14\x00\x00\x00\x00 (message type 0x14, an AMF0 command message), on port 1935; this is the structure of the exploit packet.
  • EzServer 7.0 processes AMF requests via RTMP; the vulnerable code path is at .text:00474533, where the size taken from the AMF request is passed unsanitized to memcpy(). A crash or DoS of the EzServer process (ezserver.exe or equivalent) following RTMP connect activity is a strong indicator of exploitation.
  • EzServer 6.x is not vulnerable because it does not implement RTMP; only 7.0 is affected. In 7.1, RTMP support appears disabled but not fully removed, which reduces but does not eliminate exposure. Deployments still running 7.0 with RTMP enabled on port 1935 remain fully exposed.
  • Remote code execution has not been demonstrated; the confirmed impact is heap corruption and an application crash (DoS). No RCE exploit had been developed at the time of disclosure, so the 9.8 score reflects the potential impact of the unchecked memcpy rather than a working code execution exploit.
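As an added example (not code from this page, from the exploit, or from the EzServer vendor), the following C program parses the chunk layout the indicators above describe and flags the oversized size field, then shows the bounds check the vulnerable memcpy() lacked. It assumes the 12-byte RTMP chunk header is laid out as basic header 0x03, 3-byte timestamp, 3-byte message length, type 0x14 and a 4-byte stream id, and that the AMF0 body opens with the string marker 0x02 before the 2-byte length; the two packets are constructed for the example, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed layout: 12-byte RTMP chunk header (basic header 0x03, 3-byte
 * timestamp, 3-byte message length, type 0x14, 4-byte stream id) followed by
 * an AMF0 body that starts with the string marker 0x02, a 2-byte big-endian
 * length and the bytes of "connect". */
#define RTMP_HDR_LEN         12
#define RTMP_BASIC_HDR_CSID3 0x03
#define RTMP_TYPE_AMF0_CMD   0x14
#define AMF0_STRING_MARKER   0x02

/* Constructed sample chunks (not captured from the real exploit). */
static const uint8_t benign_connect[] = {
    0x03, 0x00, 0x00, 0x00,          /* basic header + timestamp */
    0x00, 0x00, 0x0a,                /* message length: 10 bytes of body */
    0x14, 0x00, 0x00, 0x00, 0x00,    /* type 0x14 (AMF0 command), stream id 0 */
    0x02, 0x00, 0x07,                /* AMF0 string, declared length 7 */
    'c', 'o', 'n', 'n', 'e', 'c', 't'
};

static const uint8_t malicious_connect[] = {
    0x03, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x0a,
    0x14, 0x00, 0x00, 0x00, 0x00,
    0x02, 0xff, 0xff,                /* declared length 0xFFFF, only 7 bytes follow */
    'c', 'o', 'n', 'n', 'e', 'c', 't'
};

typedef struct {
    int      is_amf0_command;  /* header matched csid 3 / type 0x14 */
    uint32_t msg_len;          /* 3-byte message length from the chunk header */
    uint16_t declared_len;     /* 2-byte AMF0 string length field */
    size_t   actual_len;       /* string bytes actually present in the chunk */
    int      oversized;        /* declared_len > actual_len: the CVE-2012-4750 pattern */
} rtmp_amf_check;

/* Returns 1 when the chunk is an AMF0 command carrying a string argument (and
 * fills *out), 0 for any other RTMP chunk, -1 when too short to parse. */
int inspect_rtmp_chunk(const uint8_t *buf, size_t len, rtmp_amf_check *out)
{
    memset(out, 0, sizeof *out);
    if (len < RTMP_HDR_LEN + 3)
        return -1;
    if (buf[0] != RTMP_BASIC_HDR_CSID3 || buf[7] != RTMP_TYPE_AMF0_CMD)
        return 0;
    out->is_amf0_command = 1;
    out->msg_len = ((uint32_t)buf[4] << 16) | ((uint32_t)buf[5] << 8) | buf[6];

    const uint8_t *body = buf + RTMP_HDR_LEN;
    size_t body_len = len - RTMP_HDR_LEN;
    if (body[0] != AMF0_STRING_MARKER)
        return 0;
    out->declared_len = (uint16_t)(((uint16_t)body[1] << 8) | body[2]);
    out->actual_len   = body_len - 3;
    out->oversized    = out->declared_len > out->actual_len;
    return 1;
}

/* Bounds-checked counterpart of the unsanitized memcpy the advisory describes:
 * the length field is honoured only after checking it against the bytes that
 * are really present and against the destination capacity.
 * Returns 0 on success, -1 when the length field is rejected. */
int copy_amf0_string(const uint8_t *body, size_t body_len, char *dst, size_t dst_sz)
{
    if (body_len < 3 || body[0] != AMF0_STRING_MARKER)
        return -1;
    uint16_t declared = (uint16_t)(((uint16_t)body[1] << 8) | body[2]);
    if (declared > body_len - 3)     /* 0xFFFF with 7 bytes present: rejected */
        return -1;
    if (declared >= dst_sz)          /* leave room for the terminator */
        return -1;
    memcpy(dst, body + 3, declared);
    dst[declared] = '\0';
    return 0;
}

int main(void)
{
    const uint8_t *samples[2] = { benign_connect, malicious_connect };
    size_t lens[2] = { sizeof benign_connect, sizeof malicious_connect };
    for (int i = 0; i < 2; i++) {
        rtmp_amf_check r;
        char name[32];
        int rc = inspect_rtmp_chunk(samples[i], lens[i], &r);
        int copied = rc == 1
            ? copy_amf0_string(samples[i] + RTMP_HDR_LEN, lens[i] - RTMP_HDR_LEN, name, sizeof name)
            : -1;
        printf("sample %d: parsed=%d declared=%u actual=%zu oversized=%d copy_rc=%d\n",
               i, rc, r.declared_len, r.actual_len, r.oversized, copied);
    }
    return 0;
}
```

The parser deliberately reports the mismatch rather than the absolute value of the field, so a sensor built on it also catches values smaller than 0xFFFF that still exceed the bytes on the wire; the hardened copy rejects exactly those cases instead of trusting the attacker-supplied length.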

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P