CVE-2014-2072
Published 2020-01-08
CVE-2014-2072: Dassault Systemes Catia V5-6R2013: Stack Buffer Overflow due to inadequate boundary checks
Priority: P262 · critical · 9.8 (CVSS 3.1)
Exploit available
EPSS: 7.43% (93.7th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 3ds | catia | — | — |
Detection & IOCs (extracted from sources)
- bytes: `\x00\x01\x00\x30 + 'A'*20 + 'AppToBusInitMsg'\x00 + \x00*48 + 'CATV5_Backbone_Bus'\x00 + \x00*49 + \x00\x00\x00\x00`
- bytes: `\x02\x00\x00\x00 + RetAdd*3 + ... + 'CATV5_AllApplications'\x00 + \x00*43 + \x00\x00\x98 + \x00\x00\x00\x01 + \x00*4 + \x08\x00\x00\x00 + Shell`
- Monitor for TCP connections to ports 55555 and 55558, which are targeted by the exploit against the CATIA V5 Backbone Bus service.
- Detect network traffic containing the magic header bytes `\x00\x01\x00\x30` followed by 20 bytes of padding and the string `AppToBusInitMsg`, characteristic of the exploit's first-stage initialisation packet.
- Detect network traffic containing the string `CATV5_AllApplications` in the second-stage exploit packet, preceded by the opcode `\x02\x00\x00\x00`, as a high-fidelity indicator of active exploitation.
- The exploit sends a length-prefixed (big-endian 4-byte) TCP stream; alert on oversized messages to the CATIA Backbone Bus service where the length prefix is followed by a buffer containing `CATV5_Backbone_Bus` or `CATV5_AllApplications`.
- This is a stack-based buffer overflow exploited over TCP; look for abnormally large payloads (e.g. 1000+ byte shell buffers) sent to the CATIA Backbone Bus listener.
- Caveat: the PoC uses a placeholder NOP return address (`\x90\x90\x90\x90`) repeated three times; real-world attacks will substitute a valid return/ROP address specific to the target system, so the RetAdd bytes alone are not a reliable detection anchor.
- Caveat: the secondary target IP and port (192.168.0.5:55558) are commented out in the PoC, suggesting the service may run on varying ports; defenders should enumerate the actual listening port of CATV5_Backbone_Bus in their environment.
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/125308/Catia-V5-6R2013-Stack-Buffer-Overflow.html
- http://www.securityfocus.com/bid/65675
- https://www.exploit-database.net/?id=60103