CVE-2014-100015
published 2015-01-13

Priority: P262 · medium · 6.4 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:P
EXPLOIT
EPSS: 57.37% (99.0th percentile)
Directory traversal vulnerability in pdmwService.exe in SolidWorks Workgroup PDM 2014 allows remote attackers to write to arbitrary files via a .. (dot dot) in the filename in a file upload.

Affected (1 range)

Vendor | Product | Version range | Fixed in
solidworks | product_data_management | |

Detection & IOCs (extracted from sources)

port: 30000
process: pdmwService.exe
path: \Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\
path: \WINDOWS\system32\wbem\mof\
bytes: \x2E\x00\x2E\x00\x5C\x00\x2E\x00\x2E\x00\x5C\x00\x74\x00\x65\x00\x73\x00\x74\x00
  • Detect exploit traffic by matching the 4-byte opcode \xD0\x07\x00\x00 at the start of a TCP stream on port 30000, followed by a filename field containing null-byte-padded dot-dot sequences (..\) indicating directory traversal.
  • Monitor port 30000/TCP for inbound connections to pdmwService.exe; any file upload request containing '..' (dot dot) in the filename field is indicative of exploitation.
  • Alert on unexpected .exe or .mof files written to the Windows Startup folder for all users or to \WINDOWS\system32\wbem\mof\ by pdmwService.exe, as these are the payload delivery paths used by the Metasploit module.
  • The Metasploit module uses a traversal depth of 10 (default) '..\' sequences in the filename; network signatures should account for repeated null-byte-padded '..\' patterns in the filename field of the protocol.
  • Every character in the filename is followed by 0x00 (UTF-16LE encoding); detection should parse the filename field as wide-character strings when inspecting for traversal sequences.
  • The exploit targets port 30000/TCP by default; ensure network monitoring covers this non-standard port on hosts running pdmwService.exe.
  • The traversal depth is configurable in the Metasploit module (default 10); signatures relying on a fixed number of '..\' repetitions may miss exploitation attempts using non-default depths.
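
The detection notes above can be combined into one depth-independent check. The following is an added example, not code from the Metasploit module or from any vendor signature. It assumes only what the notes state (the opcode at the start of the stream and a UTF-16LE filename); since the page does not give the field layout, it scans every wide string in the payload. The function names, the filler bytes, the `/` separator and the sample payloads are constructed for illustration.

```python
import re

OPCODE = b"\xd0\x07\x00\x00"  # 4-byte opcode at the start of the TCP stream (from the page)
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){3,}")  # runs of UTF-16LE printable ASCII
DOTDOT = re.compile(r"\.\.[\\/]")  # the page names '..\'; '/' is an added assumption
WATCHED = ("\\start menu\\programs\\startup\\", "\\system32\\wbem\\mof\\")

def wide_strings(data: bytes):
    """Yield each UTF-16LE string in data without assuming a field layout."""
    for match in WIDE_RUN.finditer(data):
        yield match.group().decode("utf-16-le")

def inspect_stream(first_bytes: bytes) -> dict:
    """Classify the first bytes of an inbound stream to port 30000/TCP."""
    result = {"opcode": first_bytes.startswith(OPCODE), "depth": 0,
              "filename": None, "watched_path": False}
    for text in wide_strings(first_bytes):
        depth = len(DOTDOT.findall(text))  # any depth counts, not only the default 10
        if depth > result["depth"]:
            result.update(depth=depth, filename=text,
                          watched_path=any(w in text.lower() for w in WATCHED))
    # Alert on the opcode plus at least one wide-character traversal sequence.
    result["alert"] = result["opcode"] and result["depth"] >= 1
    return result

# Constructed samples. FILLER stands in for header fields the page does not describe.
FILLER = b"\x00" * 8
SAMPLE_PAGE_BYTES = OPCODE + FILLER + "..\\..\\test".encode("utf-16-le")  # the page's byte sample
SAMPLE_MOF = OPCODE + FILLER + (
    "..\\" * 3 + "WINDOWS\\system32\\wbem\\mof\\sample.mof").encode("utf-16-le")
SAMPLE_BENIGN = OPCODE + FILLER + "drawing.sldprt".encode("utf-16-le")

if __name__ == "__main__":
    for name, data in [("page bytes", SAMPLE_PAGE_BYTES), ("mof path", SAMPLE_MOF),
                       ("benign", SAMPLE_BENIGN)]:
        print(name, inspect_stream(data))
```
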