CVE-2013-3623
Published 2013-12-10
Priority P2 · 78 · critical · CVSS 2.0 base score 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit available
EPSS 71.93% (99.4th percentile)
Multiple stack-based buffer overflows in cgi/close_window.cgi in the web interface in the Intelligent Platform Management Interface (IPMI) with firmware before 3.15 (SMT_X9_315) on Supermicro X9 generation motherboards allow remote attackers to execute arbitrary code via the (1) sess_sid or (2) ACT parameter.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| supermicro | intelligent_platform_management_firmware | <= 2.26 | — |
| supermicro | intelligent_platform_management_firmware | — | — |
Detection & IOCs (extracted from sources)
- command: POST /cgi/close_window.cgi with an oversized sess_sid parameter (132+ bytes triggers a 500 response)
- The exploit payload is delivered via the HTTP User-Agent header; monitor for anomalously long or binary-containing User-Agent strings in POST requests to /cgi/close_window.cgi on IPMI management interfaces (port 80/443).
- A POST to /cgi/close_window.cgi with a safe-length sess_sid (20 bytes) returns HTTP 200 with a body containing 'Can't find action' on vulnerable targets; this two-stage probe pattern fingerprints vulnerable IPMI controllers.
- The exploit uses a ret2system ROP chain targeting libcrypto.so.0.9.8 base 0x40074000 and libc-2.3.5.so base 0x40554000 on ARM; the presence of these fixed base addresses in memory forensics or crash dumps indicates exploitation of this specific firmware version.
- Scan for Supermicro IPMI controllers exposing /cgi/close_window.cgi and /cgi/login.cgi unauthenticated over HTTP/HTTPS; both endpoints are known vulnerable to unauthenticated buffer overflows.
- The exploit payload's bad characters are 0x00–0x1f; any POST body or User-Agent sent to /cgi/close_window.cgi containing a long string of printable ASCII (no control characters) followed by ARM ROP gadget bytes is a strong exploit indicator.
- The ROP gadget offsets and libc/libcrypto base addresses are specific to firmware version SMT_X9_214 (X9SCL/X9SCM); the exploit will not work as-is against firmware SMT_X9_315 or other X9 variants without re-deriving offsets.
- An additional environment variable 'HTTPS=on' is present when SSL is in use, shifting the ROP offset by 4 bytes (204 vs 208); detection rules based on payload length must account for both SSL and non-SSL variants.
- Firmware version 3.15 (SMT_X9_315) and later patches the vulnerability; devices running earlier firmware on X9 generation motherboards remain vulnerable.
No detection rules found.
Exploit-DB
Supermicro Onboard IPMI - 'close_window.cgi' Remote Buffer Overflow (Metasploit) (exploitdb, 2013-11-18)
The Exploit-DB listing reproduces the header of the Metasploit module; the page's copy is truncated after the 'Author' key, and the text between the class declaration and the 'Name' key was lost in extraction (it was swallowed as an HTML tag because it begins with `<`). The surviving portion, with the class declaration restored to its standard form:

```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # [text between the class declaration and the 'Name' key is missing from the page]
      'Name'        => 'Supermicro Onboard IPMI close_window.cgi Buffer Overflow',
      'Description' => %q{
        This module exploits a buffer overflow on the Supermicro Onboard IPMI controller web
        interface. The vulnerability exists on the close_window.cgi CGI application, and is due
        to the insecure usage of strcpy. In order to get a session, the module will execute
        system() from libc with an arbitrary CMD payload sent on the User-Agent header. This
        module has been tested successfully on Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware
        SMT_X9_214.
      },
      'Author'
  # [listing truncated on the page]
```
Metasploit
- Supermicro Onboard IPMI close_window.cgi Buffer Overflow (metasploit): This module exploits a buffer overflow on the Supermicro Onboard IPMI controller web interface. The vulnerability exists on the close_window.cgi CGI application, and is due to the insecure usage of strcpy. In order to get a session, the module will execute system() from libc with an arbitrary CMD payload sent on the User-Agent header. This module has been tested successfully on Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware SMT_X9_214.
- Supermicro Onboard IPMI CGI Vulnerability Scanner (metasploit): This module checks for known vulnerabilities in the CGI applications of Supermicro Onboard IPMI controllers. These issues currently include several unauthenticated buffer overflows in the login.cgi and close_window.cgi components.
No writeups or analysis indexed.
References
- http://www.exploit-db.com/exploits/29666
- http://www.securityfocus.com/bid/63775
- http://www.supermicro.com/products/nfo/files/IPMI/CVE_Update.pdf
- http://www.thomas-krenn.com/en/wiki/Supermicro_IPMI_Security_Updates_November_2013
- https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities
- https://support.citrix.com/article/CTX216642