cbcvebase.
CVE-2012-6530
published 2013-01-31


Priority: P3 57 high · CVSS 2.0 base score: 7.1 (vector AV:N/AC:H/Au:S/C:C/I:C/A:C)
Tags: EXPLOIT
EPSS: 46.07% (98.7th percentile)
Stack-based buffer overflow in Sysax Multi Server before 5.52, when HTTP is enabled, allows remote authenticated users with the create folder permission to execute arbitrary code via a crafted request.

Affected (3 ranges)

Vendor | Product      | Version range | Fixed in
sysax  | multi_server | <= 5.50       |
sysax  | multi_server |               |
sysax  | multi_server |               |

Detection & IOCs (extracted from sources)

url: /scgi?sid=0&pid=dologin
url: /scgi?sid=<SID>&pid=mk_folder2_name1.htm
url: /scgi?sid=<SID>&pid=mk_folder1_name1.htm
other: CALL ESP kernel32.dll 0x7C8369F0 (Windows XP SP3)
other: CALL ESP kernel32.dll 0x77E5F2DF (Windows Server 2003 SP2)
bytes: \xda\xdc\xd9\x74\x24\xf4\x5f\x2b\xc9\xb8\xb7\x6e\xc5\xe9\xb1\x56
  • Detect HTTP POST requests to the /scgi endpoint with pid=mk_folder2_name1.htm, the trigger path for the create-folder buffer overflow.
  • Detect HTTP POST requests to /scgi?sid=0&pid=dologin, which the exploit uses to harvest a SID token before exploitation.
  • Detect multipart/form-data POST requests to /scgi whose form field 'e2' carries an oversized value (>648 bytes), indicative of buffer overflow payload delivery.
  • Successful exploitation yields SYSTEM/LOCALSYSTEM access; monitor for the Sysax server process spawning cmd.exe or opening a bind shell on port 4444.
  • The exploit requires a valid 40-byte SID token in the URL query string; alert on /scgi requests where the sid parameter is exactly 40 alphanumeric characters and the pid value is one of the exploit-specific pages.
  • The exploit posts a base64-encoded credential blob, with a 0x0a (newline) delimiter between username and password, to the login endpoint; detect anomalous base64 POST bodies to /scgi?pid=dologin.
  • The vulnerability is only exploitable when the HTTP option is enabled on Sysax Multi Server; deployments with HTTP disabled are not affected.
  • Exploitation requires authenticated credentials with the 'create folder' permission; unauthenticated or unprivileged accounts cannot trigger the overflow.
  • The ROP/return addresses used in the exploit are specific to Windows XP SP3 and Windows Server 2003 SP1/SP2 without DEP; the exploit includes no DEP bypass.
  • The bad characters for payload encoding are \x00 and \x2F (null byte and forward slash); payloads containing these bytes will be corrupted.