CVE-2014-2994
published 2014-04-27


Priority: P258 · Severity: critical · CVSS 2.0: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 26.22% (97.7th percentile)

Stack-based buffer overflow in Acunetix Web Vulnerability Scanner (WVS) 8 build 20120704 allows remote attackers to execute arbitrary code via an HTML file containing an IMG element with a long URL (src attribute).

Affected (1 range)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| acunetix | web_vulnerability_scanner | | |

Detection & IOCs (extracted from sources)

  • filename: Exploit.htm
  • port: 4444
  • bytes: \x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49

  • The exploit is triggered by an HTML file containing an IMG element with a long URL in the src attribute, delivered via an external host. Detect scanning of HTML files with anomalously long IMG src attribute values (stack overflow trigger).
  • The exploit payload uses x86/alpha_mixed encoding (alphanumeric shellcode). Network or file-based detection should look for large blocks of printable ASCII shellcode bytes embedded in HTML IMG src attributes.
  • The malicious HTML file must be hosted on an external server and the victim (Acunetix WVS 8 build 20120704) must be configured to scan an external host to trigger the vulnerability.
  • Bind shell payload opens TCP port 4444 on the victim. Monitor for unexpected listening services on port 4444 on hosts running Acunetix WVS.
  • Vulnerability is specific to Acunetix WVS version 8, build 20120704 only. Other builds or versions are not confirmed affected.
  • The exploit was tested only on Windows XP SP2 (English). Exploitation reliability on other Windows versions is unconfirmed.
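
The file-based checks from the detection notes above (oversized IMG src, long printable alphanumeric run, and the listed byte pattern), as an added example that is not taken from the sources this page summarises. The two thresholds, the `scan_html` and `ImgSrcAuditor` names and the sample HTML are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Byte pattern copied from the "bytes" indicator on this page.
PAGE_BYTES = (
    b"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
    b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41"
    b"\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
)
MAX_SRC_LEN = 2048   # assumed threshold; tune to your own traffic
MIN_ALNUM_RUN = 256  # assumed: unbroken [A-Za-z0-9] runs this long are rare in URLs

class ImgSrcAuditor(HTMLParser):  # collects suspicious IMG src attributes
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":  # also reached for self-closing <img ... />
            for name, value in attrs:
                if name == "src" and value:
                    self._check(value)

    def _check(self, src):
        reasons = []
        if len(src) > MAX_SRC_LEN:
            reasons.append("long-src")
        runs = re.findall(r"[A-Za-z0-9]+", src)
        if max(map(len, runs), default=0) >= MIN_ALNUM_RUN:
            reasons.append("alnum-run")
        if PAGE_BYTES in src.encode("latin-1", "replace"):
            reasons.append("page-bytes")
        if reasons:
            line, _ = self.getpos()  # line on which the <img> tag starts
            self.findings.append({"line": line, "length": len(src), "reasons": reasons})

def scan_html(text):
    auditor = ImgSrcAuditor()
    auditor.feed(text)
    auditor.close()
    return auditor.findings

# Constructed sample: one ordinary image, one with an oversized src.
SAMPLE = ('<html><body>\n<img src="http://example.test/logo.png">\n'
          '<img src="http://example.test/' + "A" * 3000 + '">\n</body></html>')

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding)
```

A finding is a triage signal, not proof of an exploit attempt: long data: URIs and signed CDN URLs can trip the length check, so review the reasons together.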