CVE-2014-0783
published 2014-03-14

Priority: P2, 74 (critical)
CVSS 2.0: 9 (AV:N/AC:L/Au:N/C:P/I:P/A:C)
Exploit: available
EPSS: 68.36% (99.2nd percentile)
Stack-based buffer overflow in BKHOdeq.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.

Affected (13 ranges)

Vendor    Product          Version range   Fixed in
yokogawa  centum_cs_3000   < R3.09.50      R3.09.50
yokogawa  centum_cs_3000   <= r3.09.50     (none listed)
(The remaining 11 rows list vendor yokogawa and product centum_cs_3000 only, with no version range or fix version given.)

Detection & IOCs (extracted from sources)

port: 20171/TCP
port: 20109/TCP
process: BKHOdeq.exe
  • Monitor for crafted TCP packets sent to port 20171 targeting BKHOdeq.exe; the service listens on this port when the FCS/Test Function is running, and this port is the direct exploitation vector for CVE-2014-0783.
  • The Metasploit module uses an EIP offset of 8660 bytes and a stack pivot adjustment of 108 bytes; anomalously large payloads to port 20171/TCP matching these sizes are a strong indicator of exploitation attempts.
  • The exploit's bad characters are ':', CR, and LF; large payloads to port 20171/TCP that avoid these bytes may indicate exploitation of this vulnerability.
  • The Metasploit module's check routine fingerprints vulnerable hosts by sending a packet with an allocation size of 0xffffffff to port 20171/TCP; detect this anomalous oversized allocation request.
  • The ROP chain references the DLLs LibBKCCommon.dll, libbkhopx.dll, libbkhOdeq.dll, libbkhCsSrch.dll, and libbkhOdbh.dll; unexpected loading or execution context of these DLLs alongside network activity on port 20171 may indicate post-exploitation.
  • The Metasploit ROP gadget addresses (e.g., 0x0042068e for the stack pivot) are specific to Yokogawa CENTUM CS 3000 R3.08.50 on Windows XP SP3 / 2003 SP2; they will differ on other versions or OS configurations.
  • The payload space is 6000 bytes with NOP generation disabled; detection signatures based on payload size can use this as a threshold, but note that custom exploits may vary.