CVE-2014-2072
published 2020-01-08

CVE-2014-2072: Dassault Systemes Catia V5-6R2013: Stack Buffer Overflow due to inadequate boundary checks

Priority: P2 · 62 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 7.43% (93.7th percentile)

Affected (1 range)

Vendor | Product | Version range | Fixed in
3ds    | catia   |               |

Detection & IOCs (extracted from sources)

port: 55555
command: AppToBusInitMsg
bytes (first-stage initialisation packet): \x00\x01\x00\x30 + 'A'*20 + 'AppToBusInitMsg'\x00 + \x00*48 + 'CATV5_Backbone_Bus'\x00 + \x00*49 + \x00\x00\x00\x00
bytes (second-stage packet): \x02\x00\x00\x00 + RetAdd*3 + ... + 'CATV5_AllApplications'\x00 + \x00*43 + \x00\x00\x98 + \x00\x00\x00\x01 + \x00*4 + \x08\x00\x00\x00 + Shell
  • Monitor for TCP connections to ports 55555 and 55558, which are targeted by the exploit against the CATIA V5 Backbone Bus service.
  • Detect network traffic containing the magic header bytes \x00\x01\x00\x30 followed by 20 bytes of padding and the string 'AppToBusInitMsg', characteristic of the exploit's first-stage initialisation packet.
  • Detect network traffic containing the string 'CATV5_AllApplications' in the second-stage exploit packet, preceded by the opcode \x02\x00\x00\x00, as a high-fidelity indicator of active exploitation.
  • The exploit sends a length-prefixed (big-endian 4-byte) TCP stream; alert on oversized messages to the CATIA Backbone Bus service where the payload length prefix is followed by a buffer containing 'CATV5_Backbone_Bus' or 'CATV5_AllApplications'.
  • This is a stack-based buffer overflow exploited over TCP; look for abnormally large payloads (e.g. 1000+ byte shell buffers) sent to the CATIA Backbone Bus listener.
  • The exploit uses a placeholder NOP return address (\x90\x90\x90\x90) repeated three times; real-world attacks will substitute a valid return/ROP address specific to the target system, so the RetAdd bytes alone are not a reliable detection anchor.
  • The secondary target IP and port (192.168.0.5:55558) are commented out in the PoC, suggesting the service may run on varying ports; defenders should enumerate the actual listening port of CATV5_Backbone_Bus in their environment.
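The detection bullets above boil down to three byte-pattern rules over a Backbone Bus message body. The classifier below is an added example written for this record, not code from the advisory sources or from Dassault; the rule names, the 1000-byte oversize threshold and the sample captures (inert filler in place of the return-address slots and shell buffer) are constructed assumptions.

```python
import re
from typing import List

# Indicators quoted in the advisory above.
INIT_MAGIC = b"\x00\x01\x00\x30"
INIT_COMMAND = b"AppToBusInitMsg"
STAGE2_OPCODE = b"\x02\x00\x00\x00"
BUS_STRINGS = (b"CATV5_Backbone_Bus", b"CATV5_AllApplications")
# Assumed threshold: the advisory cites "1000+ byte shell buffers".
OVERSIZE_THRESHOLD = 1000

# Stage-1 signature: magic header, exactly 20 bytes of padding, then the command name.
_INIT_RE = re.compile(re.escape(INIT_MAGIC) + rb".{20}" + re.escape(INIT_COMMAND), re.DOTALL)


def classify_message(msg: bytes) -> List[str]:
    """Return the names of the detection rules that fire on one message body."""
    hits = []
    if _INIT_RE.search(msg):
        hits.append("catia-bus-init-stage")
    # Second stage: opcode at the start of the message plus the application string.
    if msg.startswith(STAGE2_OPCODE) and b"CATV5_AllApplications" in msg:
        hits.append("catia-bus-stage2-allapplications")
    # Oversized message carrying either bus string (the overflow itself).
    if len(msg) >= OVERSIZE_THRESHOLD and any(s in msg for s in BUS_STRINGS):
        hits.append("catia-bus-oversized-message")
    return hits


def scan_captures(captures: List[bytes]) -> List[tuple]:
    """Run the rules over reassembled message bodies; returns (index, hits) for each alert."""
    return [(i, classify_message(m)) for i, m in enumerate(captures) if classify_message(m)]


# Constructed sample captures (not real traffic): the stage-1 layout from the advisory,
# a stage-2 layout with inert filler for RetAdd*3 and the shell buffer, and a short
# message that shares the magic bytes but must not fire.
SAMPLE_INIT = (INIT_MAGIC + b"A" * 20 + INIT_COMMAND + b"\x00" + b"\x00" * 48
               + b"CATV5_Backbone_Bus\x00" + b"\x00" * 49 + b"\x00" * 4)
SAMPLE_STAGE2 = (STAGE2_OPCODE + b"R" * 12 + b"CATV5_AllApplications\x00" + b"\x00" * 43
                 + b"\x00\x00\x98" + b"\x00\x00\x00\x01" + b"\x00" * 4 + b"\x08\x00\x00\x00"
                 + b"C" * 1200)
SAMPLE_BENIGN = INIT_MAGIC + b"A" * 4 + b"Ping\x00"

if __name__ == "__main__":
    for idx, hits in scan_captures([SAMPLE_INIT, SAMPLE_STAGE2, SAMPLE_BENIGN]):
        print(f"capture {idx}: {', '.join(hits)}")
```

TCP reassembly and the 4-byte length-prefix framing are left to the capture tool; the rules expect whole message bodies.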

CVSS provenance

NVD v3.1: 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P