CVE-2013-0726
Published: 2013-05-05

Priority: P2 59 | Severity: critical | CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 27.98% (97.9th percentile)
Stack-based buffer overflow in the ERM_convert_to_correct_webpath function in ermapper_u.dll in ERDAS ER Viewer before 13.00.0001 allows remote attackers to execute arbitrary code via a crafted pathname in an ERS file.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hexagon | erdas_er_viewer | <= 11.04 | — |
Detection & IOCs (extracted from sources)
BadChars (bytes): 0x22 0x5c 0x7f-0xff 0x00-0x08 0x0a-0x1f
- Malicious .ERS file contains a crafted 'Name' field inside a 'DatasetHeader Begin' block with a payload-padded pathname of at least 260 bytes followed by a return address.
- Buffer overflow offset is 260 bytes into the Name field value within the ERS DatasetHeader; monitor for abnormally long Name values in ERS files.
- Exploit uses ESP-register-based shellcode encoding (BufferRegister => ESP) with a push esp / ret gadget in QtCore4.dll at 0x67097d7a as the return address.
- Vulnerable function is ERM_convert_to_correct_webpath inside ermapper_u.dll; flag process-level crashes or shellcode execution originating from this DLL when opening .ERS files.
- Payload space is 7516 bytes; unusually large Name field values in ERS DatasetHeader blocks approaching or exceeding this size are suspicious.
- The ROP gadget address (0x67097d7a in QtCore4.dll) is version-specific to ERS Viewer 2011 v11.04 on Windows XP SP3 and Windows 7 SP1; it will differ on other builds or OS patch levels.
- The exploit uses 'inc ebx' (0x43) as a NOP substitute to preserve ESP alignment; standard NOP-sled detection may miss this sled.
- ExitFunction is set to 'process', meaning the exploit terminates the entire process on exit rather than the thread; post-exploitation forensics should account for abrupt process termination.
No detection rules found.
Exploit-DB
AVTECH DVR Firmware 1017-1003-1009-1003 - Multiple Vulnerabilities
exploitdb · 2013-08-29 · CVSS 9.0 · CVE-2013-4982 [CRITICAL]
---
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
AVTECH DVR multiple vulnerabilities
1. *Advisory Information*
Title: AVTECH DVR multiple vulnerabilities
Advisory ID: CORE-2013-0726
Advisory URL: http://www.coresecurity.com/advisories/avtech-dvr-multiple-vulnerabilities
Date published: 2013-08-28
Date of last update: 2013-08-28
Vendors contacted: AVTECH Corporation
Release mode: User release
2. *Vulnerability Information*
Class: Buffer overflow [CWE-119], Buffer overflow [CWE-119], Improper Access Control [CWE-284]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-4980, CVE-2013-4981, CVE-2013-4982
3. *Vulnerability Description*
Mu
Exploit-DB
ERS Viewer 2011 - '.ERS' File Handling Buffer Overflow (Metasploit)
exploitdb · 2013-05-14 · CVE-2013-0726
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => "ERS Viewer 2011 ERS File Handling Buffer Overflow",
      'Description' => %q{
          This module exploits a buffer overflow vulnerability found in ERS Viewer 2011
        (version 11.04). The vulnerability exists in the module ermapper_u.dll where the
        function ERM_convert_to_correct_webpath handles user provided data in an insecure
        way. It results in arbitrary code execution under the context of the user viewing
        a specially crafted .ers file. This
```
Metasploit
ERS Viewer 2011 ERS File Handling Buffer Overflow
metasploit
This module exploits a buffer overflow vulnerability found in ERS Viewer 2011 (version 11.04). The vulnerability exists in the module ermapper_u.dll where the function ERM_convert_to_correct_webpath handles user provided data in an insecure way. It results in arbitrary code execution under the context of the user viewing a specially crafted .ers file. This module has been tested successfully with ERS Viewer 2011 (version 11.04) on Windows XP SP3 and Windows 7 SP1.
No writeups or analysis indexed.