CVE-2013-3928
published 2014-03-11


Priority: P261 (critical)
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 37.33% (98.3rd percentile)
Stack-based buffer overflow in the ReadFile function in flt_BMP.dll in Chasys Draw IES before 4.11.02 allows remote attackers to execute arbitrary code via crafted biPlanes and biBitCount fields in a BMP file.

Affected

7 ranges

Vendor     Product           Version range   Fixed in
jpchacha   chasys_draw_ies   <= 4.10.01

Detection & IOCs (extracted from sources)

filename: flt_BMP.dll
address: 0x10005fd3 (jmp esp gadget inside flt_BMP.dll 4.10.1.0)
  • Detect crafted BMP files targeting CVE-2013-3928 by inspecting the biPlanes and biBitCount fields of the BMP DIB header for anomalous values that would trigger the stack-based buffer overflow in the ReadFile function of flt_BMP.dll.
  • The public exploit uses a fixed 65536 bytes of padding before the return-address overwrite; BMP files whose pixel data region consists of exactly 65536 bytes of random or NOP-sled content followed by a return address should be treated as suspicious.
  • The JMP gadget used in the public exploit is at address 0x10005fd3 (jmp esp) inside flt_BMP.dll 4.10.1.0; memory forensics or crash dumps showing EIP set to this value indicate exploitation of this CVE.
  • Payload space available on the stack is up to 21112 bytes; shellcode-sized blobs of that order embedded in BMP files delivered to Chasys Draw IES should be flagged.
  • The public Metasploit module and its gadget address (0x10005fd3) were tested only against Chasys Draw IES 4.10.01 on Windows XP SP3 and Windows 7 SP1; the gadget offset will differ on other builds or OS versions.
  • The vulnerability is fixed in Chasys Draw IES 4.11.02 and later; detections keyed on flt_BMP.dll should verify that the DLL version is 4.10.1.0 or earlier before alerting.
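The header inspection the first two bullets describe, written out as an added example (this is not code from the page, its sources, or the Metasploit module). It parses the BITMAPFILEHEADER and BITMAPINFOHEADER with the standard struct layouts, flags biPlanes values other than 1 and biBitCount values outside the legal BMP depths, and flags pixel data that runs far past what the declared dimensions account for (the 4096-byte slack and the sample files are constructed assumptions for this example):

```python
import struct
from typing import List

FILE_HDR = struct.Struct("<2sIHHI")        # BITMAPFILEHEADER: magic, bfSize, res1, res2, bfOffBits
INFO_HDR = struct.Struct("<IiiHHIIiiII")   # BITMAPINFOHEADER: 40 bytes, little-endian
VALID_BITCOUNTS = {0, 1, 4, 8, 16, 24, 32} # 0 is legal only with BI_JPEG (4) / BI_PNG (5)
TRAILING_SLACK = 4096                      # assumed tolerance for harmless trailing bytes


def inspect_bmp(data: bytes) -> List[str]:
    """Return a list of findings; an empty list means the header looks sane."""
    findings: List[str] = []
    if len(data) < FILE_HDR.size + INFO_HDR.size:
        return ["truncated: shorter than file header + BITMAPINFOHEADER"]
    magic, _bf_size, _, _, off_bits = FILE_HDR.unpack_from(data, 0)
    if magic != b"BM":
        return ["not a BMP: bad magic"]
    (_bi_size, width, height, planes, bitcount, compression,
     _size_image, _, _, _, _) = INFO_HDR.unpack_from(data, FILE_HDR.size)

    # The two fields named in the advisory: the spec fixes biPlanes at 1,
    # and biBitCount must be one of the defined pixel depths.
    if planes != 1:
        findings.append(f"biPlanes={planes} (spec requires 1)")
    if bitcount not in VALID_BITCOUNTS:
        findings.append(f"biBitCount={bitcount} (not a legal BMP depth)")
    elif bitcount == 0 and compression not in (4, 5):
        findings.append("biBitCount=0 without BI_JPEG/BI_PNG compression")

    # Heuristic for the padding-then-return-address layout: compare the pixel
    # area the header implies (rows * 4-byte-aligned stride) with the bytes
    # actually present after bfOffBits. Only meaningful when the depth is legal.
    if bitcount in VALID_BITCOUNTS and bitcount != 0 and width > 0 and height != 0:
        stride = ((width * bitcount + 31) // 32) * 4
        expected = stride * abs(height)           # negative height = top-down image
        actual = max(0, len(data) - off_bits)
        if actual > expected + TRAILING_SLACK:
            findings.append(f"pixel data {actual} bytes vs {expected} implied by header")
    return findings


def build_bmp(width: int, height: int, planes: int = 1,
              bitcount: int = 24, extra: bytes = b"") -> bytes:
    """Construct a minimal uncompressed BMP for testing (sample data, not a real file)."""
    stride = ((width * bitcount + 31) // 32) * 4
    pixels = bytes(stride * height) + extra
    off = FILE_HDR.size + INFO_HDR.size
    info = INFO_HDR.pack(INFO_HDR.size, width, height, planes, bitcount,
                         0, len(pixels), 2835, 2835, 0, 0)
    fh = FILE_HDR.pack(b"BM", off + len(pixels), 0, 0, off)
    return fh + info + pixels


# Constructed samples: a benign 2x2 24-bit image, a header with garbage in the
# two advisory fields, and a benign header followed by 65536 bytes of padding.
BENIGN = build_bmp(2, 2)
BAD_FIELDS = build_bmp(2, 2, planes=0x4141, bitcount=0x4242)
PADDED = build_bmp(2, 2, extra=bytes(65536))

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("bad_fields", BAD_FIELDS), ("padded", PADDED)):
        print(name, inspect_bmp(blob) or "ok")
```

The size comparison is deliberately a heuristic: legitimate writers occasionally append metadata after the pixel array, so the slack keeps the check from firing on ordinary files while still catching a 64 KiB blob the dimensions cannot explain. Run it against a sample set before deploying, and pair it with the flt_BMP.dll version check from the last bullet.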