CVE-2014-0787
Published 2014-04-12
CVE-2014-0787: Stack-based buffer overflow in WellinTech KingSCADA before 3.1.2.13 allows remote attackers to execute arbitrary code via a crafted packet.
Priority P267 · Severity critical · CVSS 2.0 base score 10.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C (network access, low complexity, no authentication, complete confidentiality/integrity/availability impact)
Exploit: public exploit available
EPSS: 16.02% (96.5th percentile)
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wellintech | kingscada | < v3.1.2.13 | v3.1.2.13 |
| wellintech | kingscada | <= 3.1.2 | — |
| wellintech | kingscada | — | — |
Detection & IOCs (extracted from sources)
Byte patterns:
- Header dwords buf[0,4]=0x000004d2, buf[4,4]=0x0000007b, buf[8,4]=0x0000133c (on the wire, little-endian: d2 04 00 00 7b 00 00 00 3c 13 00 00)
- \xe9\x4b\xfb\xff\xff (E9 near jump with rel32 = -1205, i.e. jmp $-1200, at offset 2136)
- Monitor for large crafted TCP packets (about 5000 bytes) sent to port 12401 (KingSCADA AlarmServer) that begin with the bytes d2 04 00 00 / 7b 00 00 00 / 3c 13 00 00 at offsets 0, 4 and 8 (the dwords 0x4d2, 0x7b and 0x133c in little-endian order); this header is characteristic of how the exploit buffer is built.
- Detect the SEH-overwrite exploit pattern: look for the near-jump stub \xe9\x4b\xfb\xff\xff (a 5-byte E9 jump with rel32 -1205, landing 1200 bytes before the stub) inside a large packet to port 12401; the backward jump is how the exploit reaches its shellcode once the overwritten handler returns into the buffer.
- The vulnerability overwrites a Structured Exception Handler (SEH) record on the stack; alert on SEH-chain corruption events in KingSCADA processes that receive network input on port 12401. Such events are only available where the host runs an exploit-mitigation or EDR sensor that validates the SEH chain.
- The bad-character set for this exploit's payload is \x00\x0a\x0d\x20, so any IDS signature for the shellcode portion on port 12401 should account for these bytes being absent from the encoded payload (the header and padding around it may still contain them).
- The return address used by the exploit (0x02881fbf, a gadget in dbghelp.dll) is specific to Windows XP SP3 EN with KingSCADA 3.1.1.4; the exploit target and return address differ on other OS/application version combinations, so a signature keyed on that address alone will miss other builds.
- All KingSCADA versions prior to v3.1.2.13 are affected; the Metasploit module targets version 3.1.1.4 specifically, but the vulnerability is present in all earlier versions.
- The exploit uses EXITFUNC=process, so when the payload finishes it calls ExitProcess and the AlarmServer process terminates rather than continuing to run; the resulting service disruption is detectable as an unexpected process exit.
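The indicators above can be combined into one payload matcher. The following is an added example written for this page, not code from the page, from WellinTech, or from the Metasploit module. The fixed values (port 12401, the three header dwords, the E9 jump stub at offset 2136, the bad-character set) are taken from the indicators listed above; the size and run-length thresholds, the verdict labels, and the sample packets are assumptions constructed for illustration.

```python
"""Heuristic matcher for the CVE-2014-0787 network indicators listed above.

Added example, not code from the page, WellinTech, or the Metasploit module.
Fixed values come from the indicators above; thresholds, verdict labels and
the sample packets are assumptions made for illustration.
"""
import struct
from typing import Dict, Optional, Union

ALARMSERVER_PORT = 12401
# 0x4d2, 0x7b, 0x133c serialized little-endian: d2 04 00 00 7b 00 00 00 3c 13 00 00
MAGIC_HEADER = struct.pack("<III", 0x000004D2, 0x0000007B, 0x0000133C)
SEH_JMP_STUB = b"\xe9\x4b\xfb\xff\xff"   # E9 rel32 near jump, from the page
SEH_JMP_STUB_OFFSET = 2136               # offset given on the page
BAD_CHARS = frozenset(b"\x00\x0a\x0d\x20")
LARGE_PACKET_THRESHOLD = 4000   # assumption: the exploit packet is ~5000 bytes
MIN_SHELLCODE_RUN = 256         # assumption: an encoded payload avoids BAD_CHARS


def decode_near_jmp(stub: bytes) -> Optional[int]:
    """Target of an E9 rel32 jump, relative to the instruction's own start.

    rel32 is applied to the address after the 5-byte instruction, so a
    displacement of -1205 yields a target of -1200 ("jmp $-1200")."""
    if len(stub) != 5 or stub[0] != 0xE9:
        return None
    rel32 = struct.unpack("<i", stub[1:5])[0]
    return 5 + rel32


def longest_bad_char_free_run(data: bytes) -> int:
    """Length of the longest contiguous stretch containing none of BAD_CHARS."""
    best = run = 0
    for b in data:
        run = 0 if b in BAD_CHARS else run + 1
        best = max(best, run)
    return best


def scan_payload(payload: bytes, dst_port: int = ALARMSERVER_PORT) -> Dict[str, Union[int, bool]]:
    """Evaluate each indicator independently; returns only the ones that fired."""
    hits: Dict[str, Union[int, bool]] = {}
    if dst_port != ALARMSERVER_PORT:
        return hits
    if payload.startswith(MAGIC_HEADER):
        hits["magic_header"] = True
    if len(payload) >= LARGE_PACKET_THRESHOLD:
        hits["large_packet"] = len(payload)
    off = payload.find(SEH_JMP_STUB)
    if off != -1:
        hits["seh_jmp_stub_offset"] = off
        # Where the backward jump lands: that region should hold the shellcode.
        hits["jmp_target_offset"] = off + decode_near_jmp(SEH_JMP_STUB)
    run = longest_bad_char_free_run(payload)
    if run >= MIN_SHELLCODE_RUN:
        hits["bad_char_free_run"] = run
    return hits


def classify(payload: bytes, dst_port: int = ALARMSERVER_PORT) -> str:
    """Collapse indicator hits into one verdict (labels are this example's own)."""
    hits = scan_payload(payload, dst_port)
    if "magic_header" in hits and "seh_jmp_stub_offset" in hits:
        return "exploit"
    if "magic_header" in hits and ("large_packet" in hits or "bad_char_free_run" in hits):
        return "suspicious"
    if "magic_header" in hits:
        return "header_only"
    return "no_match"


def build_exploit_like_packet(size: int = 5000) -> bytes:
    """Constructed sample reproducing only the layout described above: the
    header at 0, filler, the jump stub at 2136, zero padding up to ~5000 bytes."""
    body = bytearray(b"A" * size)
    body[:len(MAGIC_HEADER)] = MAGIC_HEADER
    body[SEH_JMP_STUB_OFFSET:SEH_JMP_STUB_OFFSET + 5] = SEH_JMP_STUB
    body[SEH_JMP_STUB_OFFSET + 5:] = bytes(size - SEH_JMP_STUB_OFFSET - 5)
    return bytes(body)


if __name__ == "__main__":
    for name, pkt in [("exploit-like", build_exploit_like_packet()),
                      ("header-only", MAGIC_HEADER + bytes(52))]:
        print(name, classify(pkt), scan_payload(pkt))
```

Each indicator is scored on its own so the verdict can be tuned: the header alone is not proof of an attack (it may simply be the AlarmServer framing), whereas header plus the E9 stub is the exploit layout itself. The jump decoder also gives the offset the shellcode must occupy, which is where a content signature honouring the bad-character set should be applied.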
CISA ICS
WellinTech KingSCADA Stack-Based Buffer Overflow (ICS Advisory ICSA-14-098-02)
Source: cisa_ics · Last revised September 06, 2018
## Archived Content
In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
## OVERVIEW
An anonymous researcher working with HP’s Zero Day Initiative has identified a stack-based buffer overflow in the WellinTech KingSCADA Stack. WellinTech has produced a patch that mitigates this vulnerability.
This vulnerability could be exploited remotely.
## AFFECTED PRODUCTS
The following WellinTech KingSCADA products are affected:
- KingSCADA, all versions prior to v3.1.2.13
## IMPACT
Successful exploitation of the reported vulnerability could allow an at
GHSA
GHSA-6v32-xp4p-pj52 (ghsa_unreviewed · 2022-05-17) · CVE-2014-0787 · severity HIGH · CWE-119
Stack-based buffer overflow in WellinTech KingSCADA before 3.1.2.13 allows remote attackers to execute arbitrary code via a crafted packet.
No detection rules found.
No writeups or analysis indexed.
References:
- http://www.securityfocus.com/bid/66709
- http://www.wellintech.com/index.php?option=com_content&view=article&id=56&Itemid=11
- https://www.cisa.gov/news-events/ics-advisories/icsa-14-098-02
- http://ics-cert.us-cert.gov/advisories/ICSA-14-098-02
- https://www.exploit-db.com/exploits/42724/