CVE-2014-0784
published 2014-03-14

Priority: P2 68 high
CVSS 2.0: 8.3 (AV:N/AC:M/Au:N/C:P/I:P/A:C)
Exploit: available
EPSS: 36.04% (98.3rd percentile)
Stack-based buffer overflow in BKBCopyD.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via a crafted TCP packet.

Affected (19 ranges)

Vendor     Product          Version range   Fixed in
yokogawa   centum_cs_3000   <= r3.09.50     (none listed)
yokogawa   centum_vp        <= r4.03.00     (none listed)
yokogawa   exaopc           <= 3.71.10      (none listed)

Detection & IOCs (extracted from sources)

process: BKBCopyD.exe
command: RETR <123 bytes padding><0x6404625d><payload>\n
other:   0x6404625d (push esp # ret # libBKBUtil.dll)
bytes:   \x81\xc4\x54\xf2\xff\xff\xff\xff
  • Detect exploit attempts by monitoring for TCP connections to port 20111 containing a packet beginning with 'RETR ' followed by a large payload and a newline terminator — the exploit sends exactly this structure to trigger the overflow in BKBCopyD.exe.
  • A probe/check packet is a random 10-character alpha string followed by a newline sent to port 20111/TCP; a vulnerable host responds with '500 \'yyparse error\': command not understood'.
  • Monitor for the stack-adjustment prepend encoder byte sequence \x81\xc4\x54\xf2\xff\xff\xff\xff in TCP payloads on port 20111 — this is prepended to shellcode by the Metasploit module.
  • Alert on any external/untrusted network traffic to Port 20111/TCP targeting CENTUM CS 3000 systems; Yokogawa explicitly recommends blocking external data communications on this port.
  • The Metasploit module ROP gadget (0x6404625d, push esp; ret) is specific to libBKBUtil.dll as shipped with CENTUM CS 3000 R3.08.50 on Windows XP SP3; the return address will differ on other versions or OS configurations.
  • Payload space is constrained to 373 bytes and the bad characters \x00\x0d\x0a\xff are forbidden, which limits shellcode options and may affect detection signatures based on payload content.
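As an added example (not code from this page, from Yokogawa, or from the Metasploit module), a small Python classifier that applies the detection points above to TCP segments on 20111/TCP. The trusted network range, the RETR argument-length threshold, and the sample traffic are assumptions constructed for the demonstration.

```python
import ipaddress
import re

# Indicators stated above: BKBCopyD.exe listens on 20111/TCP, the exploit sends
# "RETR " + oversized argument + "\n", Metasploit prepends a stack-adjust stub,
# and the check probe is ten letters + "\n" answered with a yyparse error.
BKBCOPYD_PORT = 20111
STACK_ADJUST_STUB = b"\x81\xc4\x54\xf2\xff\xff\xff\xff"
PROBE_RE = re.compile(rb"^[A-Za-z]{10}\n$")
YYPARSE_ERR = b"500 'yyparse error': command not understood"
# Assumptions (not from the page): the control network is 10.0.0.0/8 and a
# legitimate RETR argument is much shorter than the 123-byte padding.
TRUSTED_NET = ipaddress.ip_network("10.0.0.0/8")
RETR_MAX_ARG = 64


def classify_segment(src_ip, src_port, dst_port, payload):
    """Return alert tags for one TCP segment (payload as bytes)."""
    alerts = []
    if dst_port == BKBCOPYD_PORT:  # client -> BKBCopyD.exe
        if ipaddress.ip_address(src_ip) not in TRUSTED_NET:
            alerts.append("external-to-20111")
        if (payload.startswith(b"RETR ") and payload.endswith(b"\n")
                and len(payload) - 6 > RETR_MAX_ARG):
            alerts.append("retr-overflow-attempt")
        if STACK_ADJUST_STUB in payload:
            alerts.append("msf-stack-adjust-stub")
        if PROBE_RE.match(payload):
            alerts.append("vuln-check-probe")
    elif src_port == BKBCOPYD_PORT and YYPARSE_ERR in payload:
        alerts.append("yyparse-error-reply")  # server answered a probe
    return alerts


def scan(segments):
    """Return [(index, tags)] for every (src_ip, src_port, dst_port, payload)."""
    hits = []
    for i, seg in enumerate(segments):
        tags = classify_segment(*seg)
        if tags:
            hits.append((i, tags))
    return hits


# Constructed sample traffic, not a real capture.
SAMPLE = [
    ("10.1.1.5", 40001, 20111, b"RETR config.dat\n"),          # benign transfer
    ("10.1.1.5", 40002, 20111, b"abcdefghij\n"),               # check probe
    ("10.1.1.9", 20111, 40002, YYPARSE_ERR + b"\r\n"),         # probe reply
    ("198.51.100.7", 40003, 20111, b"RETR " + b"A" * 200 + b"\n"),
    ("10.1.1.5", 40004, 20111, b"X" * 16 + STACK_ADJUST_STUB + b"Y" * 16),
]

if __name__ == "__main__":
    for index, tags in scan(SAMPLE):
        print(index, tags)
```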