CVE-2014-0782
Published 2014-05-16
CVE-2014-0782: Stack-based buffer overflow in BKESimmgr.exe in the Expanded Test Functions package in Yokogawa CENTUM CS 1000, CENTUM CS 3000 Entry Class R3.09.50 and…
Priority: P2 73 · Severity: high · CVSS 2.0: 8.3 (AV:N/AC:M/Au:N/C:P/I:P/A:C)
Exploit available (see the Exploit-DB and Metasploit entries below)
EPSS: 56.84% (98.9th percentile)
Stack-based buffer overflow in BKESimmgr.exe in the Expanded Test Functions package in Yokogawa CENTUM CS 1000, CENTUM CS 3000 Entry Class R3.09.50 and earlier, CENTUM VP R5.03.00 and earlier, CENTUM VP Entry Class R5.03.00 and earlier, Exaopc R3.71.02 and earlier, B/M9000CS R5.05.01 and earlier, and B/M9000 VP R7.03.01 and earlier allows remote attackers to execute arbitrary code via a crafted packet.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| yokogawa | b_m9000_vp_software | <= 7.03.01 | — |
| yokogawa | b_m9000cs_software | <= 5.05.01 | — |
| yokogawa | centum_cs_3000 | < R3.09.50 | R3.09.50 |
| yokogawa | centum_cs_3000_entry_class_software | <= 3.09.50 | — |
| yokogawa | centum_cs_3000_software | <= 2.23.00 | — |
| yokogawa | centum_vp_entry_class_software | <= 5.03.00 | — |
| yokogawa | centum_vp_software | <= 4.03.00 | — |
| yokogawa | exaopc | <= 3.71.02 | — |
Detection & IOCs (extracted from sources)
- Monitor for inbound TCP connections to port 34205 targeting BKESimmgr.exe; any crafted packet to this port may be an exploitation attempt of CVE-2014-0782.
- The Metasploit exploit sends a packet with a 1-byte operation identifier (0x01) followed by a 2-byte length field and data; a valid service response is exactly 10 bytes. Anomalous oversized length fields in this protocol are indicative of exploitation.
- The exploit uses a ROP chain with a stack-adjustment prepend encoder (add esp, -3500 / 0x81 0xc4 0x54 0xf2 0xff 0xff) at the start of shellcode; detect this byte sequence in TCP payloads on port 34205.
- The exploit targets a return address in libbkebatchepa.dll (0x61d1274f: ADD ESP,10 # RETN) and ROP gadgets in libbkeeda.dll and LibBKCCommon.dll; presence of these DLLs in an exploited process context is a host-based indicator.
- The Metasploit module target offsets and ROP gadget addresses are specific to Yokogawa CS3000 R3.08.50 on Windows XP SP3 / Windows 2003 SP2; different versions or OS patch levels will require different offsets.
- The exploit payload space is constrained to 340 bytes with NOP generation disabled; detection rules should account for compact shellcode without NOP sleds.
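As an added defensive example (not code from this page, the advisories or the Metasploit module), the Python below applies the framing and indicators listed above to captured TCP payloads: it parses the 1-byte operation identifier and 2-byte length field, flags a declared length that is implausibly large or that disagrees with the bytes actually present, checks that a service response has the expected 10-byte size, and looks for the stack-adjust byte sequence. The byte order of the length field, the MAX_SANE_LEN threshold and the sample payloads are assumptions or constructed values, not taken from the page.

```python
import struct

SERVICE_PORT = 34205      # BKESimmgr.exe service port named on the page
OP_ID = 0x01              # 1-byte operation identifier named on the page
HEADER_LEN = 3            # op id (1 byte) + length field (2 bytes)
RESPONSE_LEN = 10         # a valid service response is exactly 10 bytes (page)
MAX_SANE_LEN = 256        # assumed threshold; tune to legitimate traffic seen on site
# "add esp, -3500" prepend bytes quoted on the page
STACK_ADJUST = bytes.fromhex("81c454f2ffff")


def parse_header(payload: bytes):
    """Return (op_id, declared_len) or None when the payload has no full header."""
    if len(payload) < HEADER_LEN:
        return None
    op_id = payload[0]
    # Byte order of the length field is not stated on the page; big-endian is assumed.
    (declared_len,) = struct.unpack(">H", payload[1:HEADER_LEN])
    return op_id, declared_len


def inspect_request(payload: bytes, dst_port: int = SERVICE_PORT) -> list:
    """Return alert strings for one client->service TCP payload (empty list = nothing seen)."""
    alerts = []
    if dst_port != SERVICE_PORT:
        return alerts
    header = parse_header(payload)
    if header is None:
        return alerts
    op_id, declared_len = header
    actual_len = len(payload) - HEADER_LEN
    if op_id == OP_ID:
        if declared_len > MAX_SANE_LEN:
            alerts.append(f"oversized length field: {declared_len} > {MAX_SANE_LEN}")
        if declared_len != actual_len:
            # Weak signal on its own: TCP segmentation can also split one request.
            alerts.append(f"length field {declared_len} != bytes present {actual_len}")
    if STACK_ADJUST in payload:
        alerts.append("stack-adjust prepend bytes 81 c4 54 f2 ff ff present")
    return alerts


def response_size_ok(payload: bytes) -> bool:
    """True when a service->client payload has the 10-byte size of a valid response."""
    return len(payload) == RESPONSE_LEN


# Constructed sample payloads (not captured traffic).
BENIGN = bytes([OP_ID]) + struct.pack(">H", 4) + b"ABCD"
OVERSIZED = bytes([OP_ID]) + struct.pack(">H", 2000) + b"A" * 2000
SUSPICIOUS = bytes([OP_ID]) + struct.pack(">H", 0xFFFF) + b"\x41" * 8 + STACK_ADJUST

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("oversized", OVERSIZED), ("suspicious", SUSPICIOUS)):
        print(name, inspect_request(pkt) or "no alerts")
    print("10-byte response ok:", response_size_ok(b"\x00" * RESPONSE_LEN))
```

The length-mismatch check is deliberately kept separate from the oversized-length check: in a reassembled stream a mismatch can be plain segmentation, whereas a length field far beyond anything the service legitimately exchanges matches the indicator the sources describe. Feed `inspect_request` from a packet capture or an IDS hook and alert on the oversized or stack-adjust findings; treat the mismatch finding as corroboration only.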
CISA ICS
Yokogawa Multiple Products Vulnerabilities
cisa_ics · 2018-09-06
Archived Content: In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
Last Revised: September 06, 2018
Alert Code: ICSA-14-133-01
## OVERVIEW
Yokogawa reports that several buffer overflow vulnerabilities affect several of its products. Juan Vazquez of Rapid7 Inc. (http://www.rapid7.com, web site last accessed May 13, 2014) and independent researcher Julian Vilas Diaz reported to CERT/CC that they identified several vulnerabilities for the Yokogawa CENTUM CS 3000 application. In the investigation of this report, Yokogawa found other products that could also be affected. Please see the affected prod
CISA ICS
Yokogawa CENTUM CS 3000 Vulnerabilities (Update A)
cisa_ics · 2014-03-11
Archived Content: In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
Last Revised: September 06, 2018
Alert Code: ICSA-14-070-01A
## OVERVIEW
This updated advisory is a follow-up to the original advisory titled ICSA-14-070-01 Yokogawa CENTUM CS 3000 Vulnerabilities that was published March 11, 2014, on the NCCIC/ICS-CERT web site.
Juan Vazquez of Rapid7 Inc. (http://www.rapid7.com, web site last accessed March 11, 2014) and independent researcher Julian Vilas Diaz have identified several buffer overflow vulnerabilities and released proof-of-concept (exploit) code for the Yokogawa CENTUM
GHSA
GHSA-fhrf-qc9p-xhrg: Stack-based buffer overflow in BKESimmgr
ghsa_unreviewed · 2022-05-17
CVE-2014-0782 [HIGH] CWE-119 GHSA-fhrf-qc9p-xhrg: Stack-based buffer overflow in BKESimmgr
Stack-based buffer overflow in BKESimmgr.exe in the Expanded Test Functions package in Yokogawa CENTUM CS 1000, CENTUM CS 3000 Entry Class R3.09.50 and earlier, CENTUM VP R5.03.00 and earlier, CENTUM VP Entry Class R5.03.00 and earlier, Exaopc R3.71.02 and earlier, B/M9000CS R5.05.01 and earlier, and B/M9000 VP R7.03.01 and earlier allows remote attackers to execute arbitrary code via a crafted packet.
No detection rules found.
Exploit-DB
Yokogawa CS3000 - 'BKESimmgr.exe' Remote Buffer Overflow (Metasploit)
exploitdb · 2014-05-12
CVE-2014-0782 Yokogawa CS3000 - 'BKESimmgr.exe' Remote Buffer Overflow (Metasploit)
---
The indexed module source is truncated; the header, class declaration and the start of the metadata block are shown as far as they were captured. The extraction dropped the text between `<` and `>` on two lines (the class header through the `'Name' =>` key, and the second author's e-mail address); the class header and `initialize` skeleton are restored below from the standard Metasploit module layout, the e-mail address is not.

```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

# Class header and initialize/super(update_info(...)) lines restored from the
# standard Metasploit module skeleton; the extraction removed them.
class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Yokogawa CS3000 BKESimmgr.exe Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack based buffer overflow on Yokogawa CS3000. The vulnerability
        exists in the BKESimmgr.exe service when handling specially crafted packets, due to an
        insecure usage of memcpy, using attacker controlled data as the size count. This module
        has been tested successfully in Yokogawa CS3000 R3.08.50 over Windows XP SP3 and Windows
        2003 SP2.
      },
      'Author'         =>
        [
          'juan vazquez',
          'Redsadic '   # e-mail address lost in extraction
        ],
      'References'     =>
        [
          ['CVE', '2014-0782'],
          ['URL', 'https://community.
```
Metasploit
Yokogawa CS3000 BKESimmgr.exe Buffer Overflow
metasploit
This module exploits a stack-based buffer overflow on Yokogawa CS3000. The vulnerability exists in the BKESimmgr.exe service when handling specially crafted packets, due to an insecure usage of memcpy, using attacker controlled data as the size count. This module has been tested successfully in Yokogawa CS3000 R3.08.50 over Windows XP SP3 and Windows 2003 SP2.
No writeups or analysis indexed.
References
- http://www.securityfocus.com/bid/66130
- http://www.yokogawa.com/dcs/security/ysar/dcs-ysar-index-en.htm.
- https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities
- https://www.cisa.gov/news-events/ics-advisories/icsa-14-070-01a
- http://ics-cert.us-cert.gov/advisories/ICSA-14-133-01
- http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf
Published: 2014-05-16