CVE-2014-2364
published 2014-07-19

Priority: P2 (65, high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 61.38% (99.1th percentile)
Multiple stack-based buffer overflows in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary code via a long string in the (1) ProjectName, (2) SetParameter, (3) NodeName, (4) CCDParameter, (5) SetColor, (6) AlarmImage, (7) GetParameter, (8) GetColor, (9) ServerResponse, (10) SetBaud, or (11) IPAddress parameter to an ActiveX control in (a) webvact.ocx, (b) dvs.ocx, or (c) webdact.ocx.

Affected (6 ranges)

Vendor    | Product             | Version range              | Fixed in
advantech | advantech_webaccess | <= 7.1                     |
advantech | advantech_webaccess | (not specified)            |
advantech | advantech_webaccess | (not specified)            |
advantech | advantech_webaccess | (not specified)            |
advantech | webaccess           | <= 7.1                     |
gnu       | bash                | >= 0 < 4.3-7ubuntu1.5      | 4.3-7ubuntu1.5

Detection & IOCs (extracted from sources)

filename: dvs.ocx
filename: webvact.ocx
filename: webdact.ocx
other (CLSID): {5CE92A27-9F6A-11D2-9D3D-000001155641}
path: broadweb\include\gChkCook.asp
command: test.GetColor("#{rop_payload(get_payload(cli, target_info))}", 0)
bytes: \x81\xc4\x9c\xff\xff\xff
bytes: \x64\xa1\x18\x00\x00\x00\x83\xC0\x08\x8b\x20\x81\xC4\x30\xF8\xFF\xFF
  • Detect ActiveX instantiation of the dvs.ocx control by its CLSID {5CE92A27-9F6A-11D2-9D3D-000001155641} followed by a call to the GetColor method with an oversized string argument (offset of 61 bytes before ROP chain).
  • Monitor for stack-pivot shellcode prepend sequence 0x81 0xC4 0x9C 0xFF 0xFF 0xFF (add esp, -100) in browser process memory or network payloads, indicative of the exploit encoder stub.
  • Alert on ROP gadgets sourced from ijl11.dll (base 0x60010000 range) being chained in heap/stack memory of iexplore.exe, particularly addresses 0x6001f1c8, 0x60012288, 0x6002157e, 0x60022b97, 0x60024ea4, 0x60029f6c, 0x600250c8, 0x60018399.
  • Detect HTTP responses containing the CLSID string '5CE92A27-9F6A-11D2-9D3D-000001155641' combined with a JavaScript call to GetColor with a long alphanumeric string argument (>61 chars), delivered with 'Pragma: no-cache' header.
  • Flag authentication bypass attempts against Advantech WebAccess where HTTP cookies contain user, proj, scada parameters with bwuser=true, targeting pages under broadweb/include/gChkCook.asp.
  • Monitor for post-exploitation process migration activity (migrate -f) spawned from iexplore.exe, consistent with the Metasploit module's InitialAutoRunScript.
  • Exploit targets Internet Explorer (MSIE user-agent) on Windows; alert on IE processes loading dvs.ocx, webvact.ocx, or webdact.ocx from non-standard paths.
  • The Metasploit ROP chain uses gadgets specifically from ijl11.dll version 1.1.2.16; the exploit will fail against targets with a different version of this DLL, limiting reliable exploitation to specific patch levels.
  • The exploit payload bad characters exclude null bytes, newlines, carriage returns, and backslashes (\x00\x0a\x0d\x5c), so any detection or emulation must account for encoded payloads avoiding these bytes.
  • The module was tested only on Windows XP SP3 with IE6 and Windows 7 SP1 with IE8/IE9; reliability on other OS/browser combinations is unconfirmed.
  • Affected versions are Advantech WebAccess v7.1 and earlier; v7.2 (released June 6, 2014) removes or patches the vulnerable ActiveX components, so detections targeting the OCX files are only relevant on unpatched deployments.

CVSS provenance

NVD (CVSS v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
OSV: 10.0 CRITICAL