CVE-2013-3928
Published 2014-03-11
Priority P2 (61) · critical · CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 37.33% (98.3rd percentile)
Stack-based buffer overflow in the ReadFile function in flt_BMP.dll in Chasys Draw IES before 4.11.02 allows remote attackers to execute arbitrary code via crafted biPlanes and biBitCount fields in a BMP file.
Affected (7 ranges listed; only the first carries version data)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jpchacha | chasys_draw_ies | <= 4.10.01 | — |
Detection & IOCs (extracted from sources)
- Detect crafted BMP files targeting CVE-2013-3928 by inspecting the biPlanes and biBitCount fields in the BMP DIB header for anomalous values that would cause a stack-based buffer overflow in flt_BMP.dll's ReadFile function.
- The exploit uses a fixed offset of 65536 bytes of padding before the return address overwrite; BMP files with pixel data regions of exactly 65536 bytes of random/NOP-sled content followed by a return address should be treated as suspicious.
- The ROP/JMP gadget used in the public exploit is at address 0x10005fd3 (jmp esp) inside flt_BMP.dll v4.10.1.0; memory forensics or crash dumps showing EIP/RIP set to this value indicate exploitation of this CVE.
- Payload space available on the stack is up to 21112 bytes; shellcode embedded in BMP files of this size range delivered to Chasys Draw IES should be flagged.
- The public Metasploit module and its ROP gadget address (0x10005fd3) were tested only against Chasys Draw IES 4.10.01 on Windows XP SP3 and Windows 7 SP1; the gadget offset will differ on other builds or OS versions.
- The vulnerability is fixed in Chasys Draw IES 4.11.02 and later; detections targeting flt_BMP.dll should verify the DLL version is 4.10.1.0 or earlier before alerting.
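A header-level check for the two DIB fields named above, written here as an added example (not code from the page's sources, the vendor, or the Metasploit module). The legal values are the BMP format's own (biPlanes must be 1, biBitCount one of 0/1/4/8/16/24/32), and `make_bmp` builds constructed sample files so the checker can be run offline:

```python
import struct

# Legal BMP values from the format definition (assumption: BITMAPINFOHEADER-family files).
VALID_BIT_COUNTS = {0, 1, 4, 8, 16, 24, 32}   # 0 is legal only with BI_JPEG / BI_PNG
BI_JPEG, BI_PNG = 4, 5
FILE_HDR = "<2sIHHI"            # BITMAPFILEHEADER: magic, size, 2 reserved, bfOffBits
INFO_HDR = "<IiiHHIIiiII"       # BITMAPINFOHEADER: 40 bytes


def inspect_bmp(data: bytes) -> list[str]:
    """Return a list of header anomalies; an empty list means the fields look sane."""
    if len(data) < 54 or data[:2] != b"BM":
        return ["not a BMP or truncated before the end of BITMAPINFOHEADER"]
    _magic, _file_size, _r1, _r2, off_bits = struct.unpack_from(FILE_HDR, data, 0)
    (dib_size, _width, _height, planes, bit_count, compression,
     _image_size, _xp, _yp, _clr_used, _clr_imp) = struct.unpack_from(INFO_HDR, data, 14)
    if dib_size < 40:
        return [f"biSize={dib_size}: not a BITMAPINFOHEADER, fields not checked"]
    findings = []
    if planes != 1:
        findings.append(f"biPlanes={planes} (the format requires 1)")
    if bit_count not in VALID_BIT_COUNTS:
        findings.append(f"biBitCount={bit_count} is not a legal BMP depth")
    elif bit_count == 0 and compression not in (BI_JPEG, BI_PNG):
        findings.append("biBitCount=0 is only valid with BI_JPEG/BI_PNG compression")
    # Readers size per-pixel buffers from planes*bitcount; anything above 32 bits
    # is outside what a BMP can legitimately describe.
    if planes * bit_count > 32:
        findings.append(f"biPlanes*biBitCount={planes * bit_count} bits/pixel exceeds 32")
    if off_bits < 14 + dib_size or off_bits > len(data):
        findings.append(f"bfOffBits={off_bits} does not point inside the file after the headers")
    return findings


def make_bmp(planes: int, bit_count: int, width: int = 2, height: int = 2) -> bytes:
    """Constructed sample: minimal uncompressed BMP with the given biPlanes/biBitCount."""
    row_bytes = ((width * max(bit_count, 1) + 31) // 32) * 4   # rows are padded to 4 bytes
    pixels = b"\x00" * (row_bytes * height)
    dib = struct.pack(INFO_HDR, 40, width, height, planes, bit_count, 0,
                      len(pixels), 2835, 2835, 0, 0)
    file_hdr = struct.pack(FILE_HDR, b"BM", 14 + 40 + len(pixels), 0, 0, 54)
    return file_hdr + dib + pixels


if __name__ == "__main__":
    for label, sample in [("sane", make_bmp(1, 24)), ("bad planes", make_bmp(0xFFFF, 24)),
                          ("bad depth", make_bmp(1, 0xFFFF))]:
        print(label, inspect_bmp(sample) or "no findings")
```

Run it against files arriving at a mail gateway or file share; a non-empty result on a `.bmp` destined for a host running flt_BMP.dll 4.10.1.0 or earlier is worth an alert, as the last bullet above notes.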
No detection rules found.
Exploit-DB: Chasys Draw IES - Local Buffer Overflow (Metasploit) (exploitdb · 2013-08-15)
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => "Chasys Draw IES Buffer Overflow",
      'Description' => %q{
        This module exploits a buffer overflow vulnerability found in Chasys Draw IES
        (version 4.10.01). The vulnerability exists in the module flt_BMP.dll, while
        parsing BMP files, where the ReadFile function is used to store user provided data
        on the stack in an insecure way. It results in arbitrary code execution under the
        context of the user viewing a specially crafted BMP file. This module h
```
Metasploit: Chasys Draw IES Buffer Overflow
This module exploits a buffer overflow vulnerability found in Chasys Draw IES (version 4.10.01). The vulnerability exists in the module flt_BMP.dll, while parsing BMP files, where the ReadFile function is used to store user provided data on the stack in an insecure way. It results in arbitrary code execution under the context of the user viewing a specially crafted BMP file. This module has been tested successfully with Chasys Draw IES 4.10.01 on Windows XP SP3 and Windows 7 SP1.
No writeups or analysis indexed.
References
- http://longinox.blogspot.com/2013/08/explot-stack-based-overflow-bypassing.html
- http://packetstormsecurity.com/files/122810/Chasys-Draw-IES-Buffer-Overflow.html
- http://secunia.com/advisories/53773
- http://www.exploit-db.com/exploits/27609
- http://www.jpchacha.com/chasysdraw/help.php?file=history.htm
- http://www.securityfocus.com/bid/61463
- https://docs.google.com/file/d/0BzyiGAtMizMtSFF4ZWVCMHNVVGs/edit?usp=sharing
- https://exchange.xforce.ibmcloud.com/vulnerabilities/86035