CVE-2012-4750
Published 2020-01-13
Priority: P2 60 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: yes · EPSS: 8.91% (94.6th percentile)
A Code Execution vulnerability exists in the memcpy function when processing AMF requests in Ezhometech EzServer 7.0, which could let a remote malicious user execute arbitrary code or cause a Denial of Service.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ezhometech | ezserver | — | — |
Detection & IOCs (extracted from sources)
- command: AMF connect request with size_2=\xff\xff and body string 'connect' (\x63\x6f\x6e\x6e\x65\x63\x74) over RTMP to port 1935
- bytes: \xff\xff (AMF size field triggering vulnerability, offset in RTMP connect request body)
- bytes: RTMP connect AMF request header: \x03\x00\x00\x00 + size + \x14\x00\x00\x00\x00
- Detect oversized AMF string size field (0xFFFF) in RTMP connect requests on TCP port 1935 — the 2-byte size field in the AMF body immediately before the 'connect' string should not exceed the actual string length.
- Monitor for RTMP traffic on TCP port 1935 where the AMF request 'size' field value (2 bytes) is significantly larger than the actual string payload length, indicating a heap corruption attempt via an uncontrolled memcpy size.
- The exploit completes a full RTMP handshake (C0+C1, then C2) before sending the malicious AMF payload — detection should inspect post-handshake RTMP data, not just the initial connection.
- Look for the RTMP chunk header byte sequence \x03\x00\x00\x00 followed by the size bytes and \x14\x00\x00\x00\x00 (AMF0 command message type 0x14) on port 1935 as the exploit packet structure.
- EzServer 7.0 processes AMF requests via RTMP; the vulnerable code path is at .text:00474533, where the size from the AMF request is passed unsanitized to memcpy(). A crash/DoS of the EzServer process (ezserver.exe or equivalent) after RTMP connect activity is a strong indicator of exploitation.
- EzServer version 6.x is NOT vulnerable, as it does not implement RTMP support; only version 7.0 is affected. Version 7.1 has RTMP support disabled (but not fully removed), reducing but not eliminating exposure.
- Support for the RTMP protocol appears disabled (but not fully removed) in version 7.1 — deployments still running 7.0 with RTMP enabled on port 1935 remain fully exposed.
- Remote Code Execution has not been demonstrated; the confirmed impact is heap corruption and an application crash (DoS). An exploit for RCE had not been developed at the time of disclosure.
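The check the bullets above describe, as an added example (not code from the page's sources or from the EzServer project): parse the fmt-0 RTMP chunk header (\x03, 3-byte timestamp, 3-byte message length, type 0x14, 4-byte stream id) and compare the 2-byte AMF0 string length with the bytes actually present. It assumes the standard AMF0 string marker 0x02 sits directly before that length field; the two sample chunks are constructed here for illustration.

```python
import struct
from dataclasses import dataclass

AMF0_STRING = 0x02          # AMF0 type marker for a UTF-8 string (assumed to precede the length)
AMF0_COMMAND = 0x14         # RTMP message type id for an AMF0 command message
RTMP_HEADER_LEN = 12        # fmt-0 chunk header: 1 + 3 + 3 + 1 + 4 bytes


@dataclass
class Finding:
    suspicious: bool
    reason: str
    declared_len: int        # length claimed by the 2-byte AMF size field
    actual_len: int          # bytes that actually follow the size field


def inspect_rtmp_command(chunk: bytes) -> Finding:
    """Flag an RTMP AMF0 command chunk whose string length field exceeds the payload."""
    if len(chunk) < RTMP_HEADER_LEN or chunk[0] != 0x03 or chunk[7] != AMF0_COMMAND:
        return Finding(False, "not a fmt-0 csid-3 AMF0 command chunk", 0, 0)
    msg_len = int.from_bytes(chunk[4:7], "big")          # 3-byte RTMP message length
    body = chunk[RTMP_HEADER_LEN:]
    if len(body) < 3 or body[0] != AMF0_STRING:
        return Finding(False, "no AMF0 string at start of body", 0, 0)
    declared = struct.unpack(">H", body[1:3])[0]         # the 2-byte AMF size field
    remaining = len(body) - 3
    if declared > remaining or declared > msg_len:
        return Finding(True, f"AMF0 string length {declared:#06x} exceeds "
                             f"{remaining} payload bytes (msg_len={msg_len})",
                       declared, remaining)
    return Finding(False, "AMF0 string length consistent with payload", declared, remaining)


def _header(body_len: int) -> bytes:
    # \x03\x00\x00\x00 + size + \x14\x00\x00\x00\x00, per the structure listed above
    return b"\x03\x00\x00\x00" + body_len.to_bytes(3, "big") + b"\x14\x00\x00\x00\x00"


# Constructed samples: a well-formed connect and one carrying the oversized size field.
BENIGN_CHUNK = _header(10) + b"\x02\x00\x07" + b"connect"
SUSPICIOUS_CHUNK = _header(10) + b"\x02\xff\xff" + b"connect"


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_CHUNK), ("suspicious", SUSPICIOUS_CHUNK)):
        print(name, inspect_rtmp_command(sample))
```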
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
No detection rules found.
No writeups or analysis indexed.
References
- https://exchange.xforce.ibmcloud.com/vulnerabilities/79267
- https://packetstormsecurity.com/files/117391/Ezhometech-EzServer-7.0-Remote-Heap-Corruption.html
- https://www.securityfocus.com/archive/1/524430
- https://www.securityfocus.com/bid/55938