CVE-2013-0726
published 2013-05-05


Priority: P2 (59)
Severity: critical, CVSS 2.0 base score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 27.98% (97.9th percentile)
Stack-based buffer overflow in the ERM_convert_to_correct_webpath function in ermapper_u.dll in ERDAS ER Viewer before 13.00.0001 allows remote attackers to execute arbitrary code via a crafted pathname in an ERS file.

Affected (1 range)

Vendor: hexagon
Product: erdas_er_viewer
Version range: <= 11.04
Fixed in: not listed (the description names 13.00.0001 as the first fixed release)

Detection & IOCs (extracted from sources)

  • filename: msf.ers
  • filename: ermapper_u.dll
  • other: 0x67097d7a (push esp # ret 0x08, from QtCore4.dll)
  • command: NOP-sled substitute, 0x43 (inc ebx) repeated
  • bytes: BadChars 0x22 0x5c 0x7f-0xff 0x00-0x08 0x0a-0x1f
  • The malicious .ERS file carries a crafted 'Name' field inside a 'DatasetHeader Begin' block: a pathname padded to at least 260 bytes, followed by the return address and the payload.
  • The overflow offset is 260 bytes into the Name field value within the ERS DatasetHeader (260 is the Windows MAX_PATH size, consistent with a fixed-size path buffer on the stack in ERM_convert_to_correct_webpath); monitor for abnormally long Name values in ERS files.
  • The public exploit sets BufferRegister => ESP, i.e. the encoder assumes ESP already points at the payload, and overwrites the return address with a push esp / ret gadget in QtCore4.dll at 0x67097d7a.
  • The vulnerable function is ERM_convert_to_correct_webpath in ermapper_u.dll; flag process crashes or shellcode execution originating from this DLL when .ERS files are opened.
  • Payload space is 7516 bytes; Name field values in ERS DatasetHeader blocks approaching or exceeding this size are suspicious.
  • The gadget address (0x67097d7a in QtCore4.dll) is version-specific to ERS Viewer 2011 v11.04 on Windows XP SP3 and Windows 7 SP1; it will differ on other builds or OS patch levels, so do not rely on that single byte sequence alone.
  • The exploit uses 'inc ebx' (0x43) as a NOP substitute that leaves ESP untouched; sled detection keyed on 0x90 will miss it.
  • EXITFUNC is set to 'process', so the payload ends by terminating the whole ER Viewer process rather than just its thread; post-exploitation forensics should expect an abrupt process exit rather than a lingering crashed process.
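A header-level check built from the IOCs above, added here as an example (it is not code from the advisory, from Hexagon, or from the Metasploit module). It pulls every Name value out of DatasetHeader blocks and flags the 260-byte overflow offset, the known gadget address sitting exactly at that offset, the inc-ebx sled, and data beyond the quoted payload space; it also shows that the gadget address itself satisfies the exploit's bad-character constraint. The ERS layout it assumes (quoted `Name = "..."` lines between `DatasetHeader Begin` and `DatasetHeader End`) and both sample files are constructed; the regexes are a detection heuristic, not a full ERS parser.

```python
"""Flag ERS files that match the CVE-2013-0726 overflow layout.

Added example (not from the advisory, Hexagon, or the Metasploit module).
Assumed ERS layout: a text header with quoted `Name = "..."` lines between
`DatasetHeader Begin` and `DatasetHeader End`. Heuristic, not a full parser.
"""
import re
from typing import Dict, List

OFFSET_TO_RET = 260            # Name bytes written before the saved return address
PAYLOAD_SPACE = 7516           # payload space quoted in the advisory
RET_ADDR = 0x67097D7A          # push esp / ret gadget in QtCore4.dll (ER Viewer 11.04)
RET_ADDR_LE = RET_ADDR.to_bytes(4, "little")   # b"\x7a\x7d\x09\x67" as it sits in the file
INC_EBX_SLED = re.compile(rb"\x43{16,}")       # 'inc ebx' repeated as a NOP substitute

# Bytes the public exploit cannot place in the Name value (advisory BadChars)
BAD_CHARS = (set(range(0x00, 0x09)) | set(range(0x0A, 0x20))
             | {0x22, 0x5C} | set(range(0x7F, 0x100)))

_BLOCK_RE = re.compile(rb"DatasetHeader\s+Begin(.*?)DatasetHeader\s+End", re.S)
# Capture to the closing quote or end of line, so an unterminated value is still seen
_NAME_RE = re.compile(rb'^[ \t]*Name[ \t]*=[ \t]*"([^"\r\n]*)', re.M)


def bad_bytes(payload: bytes) -> List[int]:
    """Return the distinct bytes of `payload` that fall in the exploit's bad-char set."""
    return sorted({b for b in payload if b in BAD_CHARS})


def extract_names(data: bytes) -> List[bytes]:
    """Every Name value inside DatasetHeader blocks (whole file if no block closes)."""
    blocks = [m.group(1) for m in _BLOCK_RE.finditer(data)] or [data]
    return [m.group(1) for block in blocks for m in _NAME_RE.finditer(block)]


def scan_ers(data: bytes) -> Dict[str, object]:
    """Score one ERS header against the IOCs listed for CVE-2013-0726."""
    reasons: List[str] = []
    max_len = 0
    for name in extract_names(data):
        max_len = max(max_len, len(name))
        if len(name) >= OFFSET_TO_RET:
            reasons.append(f"Name value is {len(name)} bytes, reaches the {OFFSET_TO_RET}-byte overflow offset")
            # The 4 bytes at the offset are what overwrite the saved return address
            if name[OFFSET_TO_RET:OFFSET_TO_RET + 4] == RET_ADDR_LE:
                reasons.append(f"known gadget 0x{RET_ADDR:08x} (QtCore4.dll push esp / ret) at offset {OFFSET_TO_RET}")
            if len(name) - OFFSET_TO_RET - 4 > PAYLOAD_SPACE:
                reasons.append(f"trailing data exceeds the {PAYLOAD_SPACE}-byte payload space")
        if INC_EBX_SLED.search(name):
            reasons.append("run of 0x43 'inc ebx' bytes (NOP-sled substitute)")
    return {"suspicious": bool(reasons), "max_name_len": max_len, "reasons": reasons}


# Constructed samples: a normal header and one shaped like the public exploit
# (filler, gadget address, inc-ebx sled, then opaque bytes standing in for shellcode).
BENIGN_ERS = (b'DatasetHeader Begin\n\tVersion\t= "6.4"\n'
              b'\tName\t= "survey_area_2011.ers"\n\tDataSetType\t= ERStorage\nDatasetHeader End\n')


def build_malicious_ers() -> bytes:
    name = b"A" * OFFSET_TO_RET + RET_ADDR_LE + b"\x43" * 32 + b"X" * 64
    assert not bad_bytes(name), "sample would not survive the exploit's encoder constraints"
    return b'DatasetHeader Begin\n\tName\t= "' + name + b'"\nDatasetHeader End\n'


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_ERS), ("crafted", build_malicious_ers())):
        print(label, scan_ers(blob))
```

The length check is the portable signal; the gadget-address match is confirmation only, since the 0x67097d7a value is tied to one QtCore4.dll build. The `bad_bytes` helper shows why that address works for the exploit at all: its little-endian bytes 7a 7d 09 67 avoid every excluded range (0x09 is not in 0x0a-0x1f), so it can be written into a quoted pathname.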