CVE-2014-0782
published 2014-05-16


Priority: P2 73
Severity: high
CVSS 2.0 base score: 8.3 (vector AV:N/AC:M/Au:N/C:P/I:P/A:C)
Exploit: available
EPSS: 56.84% (98.9th percentile)
Stack-based buffer overflow in BKESimmgr.exe in the Expanded Test Functions package in Yokogawa CENTUM CS 1000, CENTUM CS 3000 Entry Class R3.09.50 and earlier, CENTUM VP R5.03.00 and earlier, CENTUM VP Entry Class R5.03.00 and earlier, Exaopc R3.71.02 and earlier, B/M9000CS R5.05.01 and earlier, and B/M9000 VP R7.03.01 and earlier allows remote attackers to execute arbitrary code via a crafted packet.

Affected (8 ranges)

Vendor     Product                                      Version range   Fixed in
yokogawa   b_m9000_vp_software                          <= 7.03.01
yokogawa   b_m9000cs_software                           <= 5.05.01
yokogawa   centum_cs_3000                               < R3.09.50      R3.09.50
yokogawa   centum_cs_3000_entry_class_software          <= 3.09.50
yokogawa   centum_cs_3000_software                      <= 2.23.00
yokogawa   centum_vp_entry_class_software               <= 5.03.00
yokogawa   centum_vp_software                           <= 4.03.00
yokogawa   exaopc                                       <= 3.71.02

Detection & IOCs (extracted from sources)

Port: 34205/TCP
Command bytes: \x81\xc4\x54\xf2\xff\xff
  • Monitor for inbound TCP connections to port 34205 targeting BKESimmgr.exe; any crafted packet to this port may be an exploitation attempt of CVE-2014-0782.
  • The Metasploit exploit sends a packet with a 1-byte operation identifier (0x01) followed by a 2-byte length field and data; a valid service response is exactly 10 bytes. Anomalous oversized length fields in this protocol are indicative of exploitation.
  • The exploit uses a ROP chain with a stack-adjustment prepend encoder (add esp, -3500 / 0x81 0xc4 0x54 0xf2 0xff 0xff) at the start of shellcode; detect this byte sequence in TCP payloads on port 34205.
  • The exploit targets a return address in libbkebatchepa.dll (0x61d1274f: ADD ESP,10 # RETN) and ROP gadgets in libbkeeda.dll and LibBKCCommon.dll; presence of these DLLs in an exploited process context is a host-based indicator.
  • The Metasploit module target offsets and ROP gadget addresses are specific to Yokogawa CS3000 R3.08.50 on Windows XP SP3 / Windows 2003 SP2; different versions or OS patch levels will require different offsets.
  • The exploit payload space is constrained to 340 bytes with NOP generation disabled; detection rules should account for compact shellcode without NOP sleds.