CVE-2014-0784
Published 2014-03-14
Priority: P268 (high). CVSS 2.0 base score 8.3, vector AV:N/AC:M/Au:N/C:P/I:P/A:C
Exploit: public exploit code indexed (see the Exploit-DB and Metasploit entries below)
EPSS: 36.04% (98.3rd percentile)
Stack-based buffer overflow in BKBCopyD.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.
Affected (19 ranges listed; the 16 entries without a version range are omitted from the table)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| yokogawa | centum_cs_3000 | <= r3.09.50 | not stated |
| yokogawa | centum_vp | <= r4.03.00 | not stated |
| yokogawa | exaopc | <= 3.71.10 | not stated |
Detection & IOCs (extracted from sources)
Indicator (bytes): \x81\xc4\x54\xf2\xff\xff\xff\xff
- Detect exploit attempts by monitoring for TCP connections to port 20111 containing a packet that begins with 'RETR ' followed by a large payload and a newline terminator; the exploit sends exactly this structure to trigger the overflow in BKBCopyD.exe.
- A probe/check packet is a random 10-character alphabetic string followed by a newline, sent to port 20111/TCP; a vulnerable host responds with '500 \'yyparse error\': command not understood'.
- Monitor for the stack-adjustment prepend-encoder byte sequence \x81\xc4\x54\xf2\xff\xff\xff\xff in TCP payloads on port 20111; the Metasploit module prepends it to its shellcode.
- Alert on any external/untrusted network traffic to port 20111/TCP targeting CENTUM CS 3000 systems; Yokogawa explicitly recommends blocking external data communications on this port.
- The Metasploit module's ROP gadget (0x6404625d, push esp; ret) is specific to libBKBUtil.dll as shipped with CENTUM CS 3000 R3.08.50 on Windows XP SP3; the return address will differ on other versions or OS configurations.
- Payload space is constrained to 373 bytes and the bad characters \x00\x0d\x0a\xff are forbidden, which limits shellcode options and may affect detection signatures based on payload content.
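As an added example (not part of this CVE record or of the Metasploit module), the following Python turns the indicators above into a classifier for client payloads bound for 20111/TCP, plus a check for the quoted error reply. The 256-byte threshold for a "large" RETR argument and the sample flows are assumptions constructed for the demo.

```python
import re

BKBCOPYD_PORT = 20111
# Stack-adjustment stub the page reports the Metasploit module prepends to shellcode.
STACK_ADJUST_STUB = b"\x81\xc4\x54\xf2\xff\xff\xff\xff"
# What counts as a "large" RETR argument is an assumption; the page only says "large".
RETR_LARGE_THRESHOLD = 256
# Probe packet described on the page: ten alphabetic characters plus a newline.
PROBE_RE = re.compile(rb"\A[A-Za-z]{10}\n\Z")
YYPARSE_ERROR = b"500 'yyparse error': command not understood"


def classify_payload(dst_port: int, payload: bytes) -> list[str]:
    """Return the names of the page's indicators that one client payload matches."""
    hits = []
    if dst_port != BKBCOPYD_PORT:
        return hits                      # only the BKBCopyD listener is in scope
    hits.append("traffic-to-20111")      # any traffic here is alert-worthy from outside
    if PROBE_RE.match(payload):
        hits.append("probe-packet")
    if payload.startswith(b"RETR ") and payload.endswith(b"\n"):
        if len(payload) - len(b"RETR \n") >= RETR_LARGE_THRESHOLD:
            hits.append("retr-oversized-argument")
    if STACK_ADJUST_STUB in payload:
        hits.append("msf-stack-adjust-stub")
    return hits


def server_reply_matches_bkbcopyd(reply: bytes) -> bool:
    """True when a reply to the probe is the error string the page quotes."""
    return reply.strip().startswith(YYPARSE_ERROR)


def scan(flows):
    """flows: iterable of (dst_port, payload). Returns {index: [indicators]} for matches."""
    return {i: h for i, (port, data) in enumerate(flows) if (h := classify_payload(port, data))}


# Constructed sample flows (not captured traffic): benign RETR, probe, oversized RETR,
# a RETR carrying the stack-adjust stub, and unrelated traffic to another port.
SAMPLE_FLOWS = [
    (20111, b"RETR batch01.dat\n"),
    (20111, b"abcdefghij\n"),
    (20111, b"RETR " + b"A" * 400 + b"\n"),
    (20111, b"RETR " + b"B" * 300 + STACK_ADJUST_STUB + b"C" * 40 + b"\n"),
    (80, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_FLOWS).items():
        print(f"flow {idx}: {', '.join(hits)}")
```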
GHSA
GHSA-fhmg-5gcw-wqfw: Stack-based buffer overflow in BKBCopyD
ghsa_unreviewed · 2022-05-17 · CVE-2014-0784 [HIGH] CWE-119
Stack-based buffer overflow in BKBCopyD.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.
GHSA
GHSA-52h8-fmg8-32xq: BKBCopyD
ghsa_unreviewed · 2022-05-17 · CVSS 8.3 · CVE-2014-5208 [HIGH] CWE-284
BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbitrary files via a STOR operation, or obtain sensitive database-location information via a PMODE operation, a different vulnerability than CVE-2014-0784.
CISA ICS
Yokogawa Multiple Products Vulnerabilities
cisa_ics · 2018-09-06
Archived Content: In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory: Yokogawa Multiple Products Vulnerabilities
Last Revised: September 06, 2018
Alert Code: ICSA-14-133-01
## OVERVIEW
Yokogawa reports that several buffer overflow vulnerabilities affect several of its products. Juan Vazquez of Rapid7 Inc. (http://www.rapid7.com, web site last accessed May 13, 2014) and independent researcher Julian Vilas Diaz reported to CERT/CC that they identified several vulnerabilities for the Yokogawa CENTUM CS 3000 application. In the investigation of this report, Yokogawa found other products that could also be affected. Please see the affected prod…
CISA ICS
Yokogawa CENTUM and Exaopc Vulnerability (Update A)
cisa_ics · 2014-09-17
ICS Advisory: Yokogawa CENTUM and Exaopc Vulnerability (Update A)
Last Revised: September 05, 2018
Alert Code: ICSA-14-260-01A
## OVERVIEW
This updated advisory is a follow-up to the original advisory titled ICSA-14-260-01 Yokogawa CENTUM and Exaopc Vulnerability that was published September 17, 2014, on the NCCIC/ICS-CERT web site.
Tod Beardsley of Rapid7 Inc. and Jim Denaro of CipherLaw have identified an authentication vulnerability and released proof-of-concept (exploit) code for the Yokogawa CENTUM CS 3000 series and Exaopc products. JPCERT and Yokogawa have mitigated this vulnerability.
CISA ICS
Yokogawa CENTUM CS 3000 Vulnerabilities (Update A)
cisa_ics · 2014-03-11
ICS Advisory: Yokogawa CENTUM CS 3000 Vulnerabilities (Update A)
Last Revised: September 06, 2018
Alert Code: ICSA-14-070-01A
## OVERVIEW
This updated advisory is a follow-up to the original advisory titled ICSA-14-070-01 Yokogawa CENTUM CS 3000 Vulnerabilities that was published March 11, 2014, on the NCCIC/ICS-CERT web site.
Juan Vazquez of Rapid7 Inc. (http://www.rapid7.com, web site last accessed March 11, 2014) and independent researcher Julian Vilas Diaz have identified several buffer overflow vulnerabilities and released proof-of-concept (exploit) code for the Yokogawa CENTUM…
No detection rules found.
Exploit-DB
Yokogawa CENTUM CS 3000 - 'BKBCopyD.exe' Remote Buffer Overflow (Metasploit)
exploitdb · 2014-03-12 · CVE-2014-0784
Module header as indexed. The listing is truncated; the `< Msf::Exploit::Remote` class header and the `'Name' =>` key, which HTML extraction stripped, are restored below.

```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Yokogawa CENTUM CS 3000 BKBCopyD.exe Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack based buffer overflow in Yokogawa CENTUM CS 3000. The vulnerability
        exists in the service BKBCopyD.exe when handling specially crafted packets. This module has
        been tested successfully on Yokogawa CENTUM CS 3000 R3.08.50 over Windows XP SP3.
      },
      'Author'         =>
        [
          'juan vazquez',
          'Redsadic'
        ],
      'References'     =>
        [
          [ 'URL', 'http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf' ],
          [ 'URL', 'https://community.rapid7.com/community/metas
```
Metasploit
Yokogawa CENTUM CS 3000 BKBCopyD.exe Buffer Overflow
metasploit
This module exploits a stack based buffer overflow in Yokogawa CENTUM CS 3000. The vulnerability exists in the service BKBCopyD.exe when handling specially crafted packets. This module has been tested successfully on Yokogawa CENTUM CS 3000 R3.08.50 over Windows XP SP3.
No writeups or analysis indexed.
References:
- http://www.securityfocus.com/bid/66130
- http://www.yokogawa.com/dcs/security/ysar/dcs-ysar-index-en.htm
- https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities
- https://www.cisa.gov/news-events/ics-advisories/icsa-14-070-01a
- http://ics-cert.us-cert.gov/advisories/ICSA-14-070-01
- http://www.securityfocus.com/bid/66114
Published: 2014-03-14