CVE-2014-0783
Published 2014-03-14
Stack-based buffer overflow in BKHOdeq.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.
Priority P274 · critical · CVSS 2.0 base score 9 · vector AV:N/AC:L/Au:N/C:P/I:P/A:C
Exploit: public exploit available
EPSS: 68.36% (99.2th percentile)
Affected (13 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| yokogawa | centum_cs_3000 | < R3.09.50 | R3.09.50 |
| yokogawa | centum_cs_3000 | <= r3.09.50 | — |
| yokogawa | centum_cs_3000 | — (11 further entries list no version range) | — |
Detection & IOCs (extracted from sources)
- Monitor for crafted TCP packets sent to port 20171 targeting BKHOdeq.exe; the service listens on this port when the FCS/Test Function is running, and it is the direct exploitation vector for CVE-2014-0783.
- The Metasploit module uses an EIP offset of 8660 bytes and a stack pivot adjustment of 108 bytes; anomalously large payloads to 20171/TCP matching these sizes are a strong indicator of exploitation attempts.
- The exploit's bad characters are ':', CR and LF; large payloads to 20171/TCP that avoid these bytes may indicate exploitation of this vulnerability.
- The Metasploit module's check probe sends a packet with an allocation size of 0xffffffff to 20171/TCP to fingerprint vulnerable hosts; detect this anomalous oversized allocation request.
- The ROP chain references the DLLs LibBKCCommon.dll, libbkhopx.dll, libbkhOdeq.dll, libbkhCsSrch.dll and libbkhOdbh.dll; unexpected loading or execution context of these DLLs alongside network activity on port 20171 may indicate post-exploitation.
- The Metasploit ROP gadget addresses (e.g. 0x0042068e for the stack pivot) are specific to Yokogawa CENTUM CS 3000 R3.08.50 on Windows XP SP3 / Windows 2003 SP2; they differ on other versions or OS configurations.
- The payload space is 6000 bytes with NOP generation disabled; size-based detection signatures can use this as a threshold, but custom exploits may vary.
CISA ICS · cisa_ics · 2018-09-06
Yokogawa Multiple Products Vulnerabilities (ICS Advisory, Alert Code ICSA-14-133-01, last revised September 06, 2018)
Archived content: CISA notes that, in an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
## OVERVIEW
Yokogawa reports that several buffer overflow vulnerabilities affect several of its products. Juan Vazquez of Rapid7 Inc. (http://www.rapid7.com, web site last accessed May 13, 2014) and independent researcher Julian Vilas Diaz reported to CERT/CC that they identified several vulnerabilities in the Yokogawa CENTUM CS 3000 application. In the investigation of this report, Yokogawa found other products that could also be affected. Please see the affected prod
CISA ICS · cisa_ics · 2014-03-11
Yokogawa CENTUM CS 3000 Vulnerabilities (Update A) (ICS Advisory, Alert Code ICSA-14-070-01A, last revised September 06, 2018)
## OVERVIEW
This updated advisory is a follow-up to the original advisory titled ICSA-14-070-01 Yokogawa CENTUM CS 3000 Vulnerabilities, which was published March 11, 2014, on the NCCIC/ICS-CERT web site.
Juan Vazquez of Rapid7 Inc. (http://www.rapid7.com, web site last accessed March 11, 2014) and independent researcher Julian Vilas Diaz have identified several buffer overflow vulnerabilities and released proof-of-concept (exploit) code for the Yokogawa CENTUM
GHSA · ghsa_unreviewed · 2022-05-17
GHSA-wq25-8x73-56px: Stack-based buffer overflow in BKHOdeq (CVE-2014-0783, severity HIGH, CWE-119)
Stack-based buffer overflow in BKHOdeq.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.
No detection rules found.
Exploit-DB · exploitdb · 2014-03-12
Yokogawa CENTUM CS 3000 - 'BKHOdeq.exe' Remote Buffer Overflow (Metasploit) (CVE-2014-0783)
```ruby
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # NOTE: the module's Rank constant, mixin includes and the opening of
  # initialize were lost when this excerpt was extracted (the text between
  # "<" and the next ">" was stripped); only the standard Metasploit module
  # skeleton is restored here.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Yokogawa CENTUM CS 3000 BKHOdeq.exe Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack based buffer overflow in Yokogawa CENTUM CS 3000. The vulnerability
          exists in the service BKHOdeq.exe when handling specially crafted packets. This module has
          been tested successfully on Yokogawa CENTUM CS 3000 R3.08.50 over Windows XP SP3 and Windows
          2003 SP2.
      },
      'Author'         =>
        [
          'juan vazquez',
          'Redsadic'
        ],
      'References'     =>
        [
          [ 'URL', 'http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf' ],
          [ 'URL', 'https://community.rapid7.c
```
Metasploit · metasploit
Yokogawa CENTUM CS 3000 BKHOdeq.exe Buffer Overflow
This module exploits a stack based buffer overflow in Yokogawa CENTUM CS 3000. The vulnerability exists in the service BKHOdeq.exe when handling specially crafted packets. This module has been tested successfully on Yokogawa CENTUM CS 3000 R3.08.50 over Windows XP SP3 and Windows 2003 SP2.
References:
- http://www.securityfocus.com/bid/66130
- http://www.yokogawa.com/dcs/security/ysar/dcs-ysar-index-en.htm
- https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities
- https://www.cisa.gov/news-events/ics-advisories/icsa-14-070-01a
- http://ics-cert.us-cert.gov/advisories/ICSA-14-070-01
- http://www.securityfocus.com/bid/66111
Published 2014-03-14