CVE-2014-3888
Published 2014-07-10
Priority: P2 (75, high)
CVSS 2.0 base score: 8.3 (vector AV:N/AC:M/Au:N/C:P/I:P/A:C)
Exploit: public exploit available
EPSS: 62.31% (99.1th percentile)
Stack-based buffer overflow in BKFSim_vhfd.exe in Yokogawa CENTUM CS 1000, CENTUM CS 3000 R3.09.50 and earlier, CENTUM VP R5.03.20 and earlier, Exaopc R3.72.00 and earlier, B/M9000CS R5.05.01 and earlier, and B/M9000 VP R7.03.01 and earlier, when FCS/Test Function is enabled, allows remote attackers to execute arbitrary code via a crafted packet.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| yokogawa | b_m9000_vp_software | <= 7.03.01 | — |
| yokogawa | b_m9000cs_software | <= 5.05.01 | — |
| yokogawa | centum_cs_3000_entry_class_software | <= 3.09.50 | — |
| yokogawa | centum_cs_3000_software | <= 2.23.00 | — |
| yokogawa | centum_vp_entry_class_software | <= 5.03.00 | — |
| yokogawa | centum_vp_software | <= 5.03.20 | — |
| yokogawa | centum_vp_software | — | — |
| yokogawa | exaopc | <= 3.72.00 | — |
| yokogawa | exaopc | — | — |
Detection & IOCs (extracted from sources)
Byte patterns:
- `\x45\x54\x56\x48\x01\x01\x10\x09\x00\x00\x00\x01\x00\x00\x00\x44` (fixed 16-byte packet header)
- `\x81\xc4\x54\xf2\xff\xff` (stack-adjustment encoder prefix, `add esp, -3500`)
Detection guidance:
- Monitor for UDP traffic to port 20010 targeting BKFSim_vhfd.exe; exploit packets begin with the fixed 16-byte header `45 54 56 48 01 01 10 09 00 00 00 01 00 00 00 44`.
- Exploit payload space is constrained to 1770 bytes within a maximum packet length of 2228 bytes; oversized UDP packets to port 20010 that exceed normal operational size are suspicious.
- The stack-adjustment prepend encoder bytes (`\x81\xc4\x54\xf2\xff\xff`, i.e. `add esp, -3500`) may appear in shellcode delivered to port 20010/UDP and can be used as a payload signature.
- The return address `0x61e55c9c` (a `push esp; ret` gadget in LibBKCCommon.dll) appearing in a UDP packet to port 20010 is a strong indicator of exploitation.
Caveats:
- The vulnerability is only exploitable when the FCS/Test Function feature is enabled; systems without this feature active are not exposed.
- The Metasploit module return address (`0x61e55c9c` in LibBKCCommon.dll) and offset (438) are specific to Yokogawa Centum CS3000 R3.08.50 on Windows XP SP3; other versions may require different values.
- Null bytes (`\x00`) are bad characters for the payload, meaning shellcode containing null bytes will not function correctly in this exploit.
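The indicators above can be turned directly into a per-datagram check. The following Python is an added example written for this page, not code from Yokogawa, Rapid7 or any of the sources listed; the function names, the scoring thresholds and the sample datagrams are assumptions constructed for illustration, while the port, header bytes, size limit, encoder prefix and gadget address are the values the indicator list states. The check is meant to run over UDP payloads already extracted from a capture (for example by a pcap parser) and returns which indicators fired.

```python
"""Indicator checks for UDP datagrams sent to the BKFSim_vhfd.exe port (20010).

Added example for this CVE record; not vendor or Metasploit code.
"""
import struct

BKFSIM_PORT = 20010
# Fixed 16-byte header reported for exploit packets (from the IOC list above).
EXPLOIT_HEADER = bytes.fromhex("45545648010110090000000100000044")
# Maximum packet length stated in the IOC list; anything larger is anomalous.
MAX_PACKET_LEN = 2228
# Stack-adjustment encoder prefix: add esp, -3500
ENCODER_PREFIX = b"\x81\xc4\x54\xf2\xff\xff"
# push esp; ret gadget in LibBKCCommon.dll, as it would appear on the wire (little-endian)
GADGET_LE = struct.pack("<I", 0x61E55C9C)


def inspect_payload(dst_port, payload):
    """Return the names of the indicators triggered by one UDP datagram payload.

    Only datagrams to the BKFSim port are examined; everything else yields [].
    """
    if dst_port != BKFSIM_PORT:
        return []
    hits = []
    if payload.startswith(EXPLOIT_HEADER):
        hits.append("exploit_header")
    if len(payload) > MAX_PACKET_LEN:
        hits.append("oversized")
    if ENCODER_PREFIX in payload:
        hits.append("stack_adjust_encoder")
    if GADGET_LE in payload:
        hits.append("push_esp_ret_gadget")
    return hits


def verdict(hits):
    """Map triggered indicators to a triage level (thresholds are an assumption).

    The gadget address or the encoder prefix has no business in legitimate
    traffic, so either one alone is an alert; the header by itself may be a
    normal protocol prefix, so it only escalates when combined with an
    oversized datagram.
    """
    if "push_esp_ret_gadget" in hits or "stack_adjust_encoder" in hits:
        return "alert"
    if "exploit_header" in hits and "oversized" in hits:
        return "alert"
    if hits:
        return "suspicious"
    return "ok"


# Constructed sample datagrams (not real captures): (dst_port, payload)
SAMPLES = {
    "benign_small": (BKFSIM_PORT, b"\x01\x02\x03\x04"),
    "header_other_port": (80, EXPLOIT_HEADER + b"B" * 32),
    "header_oversized": (BKFSIM_PORT, EXPLOIT_HEADER + b"A" * 2300),
    "header_with_signatures": (
        BKFSIM_PORT,
        EXPLOIT_HEADER + b"\x90" * 64 + GADGET_LE + ENCODER_PREFIX,
    ),
}


def triage_samples(samples=SAMPLES):
    """Run every sample through the checks; returns {name: (verdict, hits)}."""
    return {
        name: (verdict(inspect_payload(port, data)), inspect_payload(port, data))
        for name, (port, data) in samples.items()
    }


if __name__ == "__main__":
    for name, (level, hits) in triage_samples().items():
        print(f"{name:24s} {level:10s} {hits}")
```

Because the datagram limit is a length check and the other three rules are byte-pattern matches, the same logic ports one-to-one to a Suricata or Snort rule set (`dsize`, `content` with offset 0, and two `content` matches for the encoder and gadget bytes); the Python form is useful for replaying stored captures when tuning those rules against a site's normal FCS/Test Function traffic.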
GHSA
GHSA-87c7-rqg4-7x74: Stack-based buffer overflow in BKFSim_vhfd
ghsa_unreviewed · 2022-05-17 · CVE-2014-3888 · severity HIGH · CWE-119
Description: same as the CVE description above.
CISA ICS
Yokogawa Centum Buffer Overflow Vulnerability
cisa_ics · 2018-09-06
ICS Advisory
Last Revised: September 06, 2018
Alert Code: ICSA-14-189-01
## OVERVIEW
Researcher group Rapid7 has identified a buffer overflow vulnerability in Yokogawa CENTUM products. Yokogawa has produced a patch that mitigates this vulnerability.
This vulnerability could be exploited remotely.
## AFFECTED PRODUCTS
Yokogawa reports that the vulnerability affects the following products:
- CENTUM CS 1000 all revisions,
- CENTUM CS 3000 R3.09.50 or earlier,
- CENTUM CS 3000 Entry Class R3.09.50 or earlier,
- CENTUM VP R5.03.20 or earlier,
- CE
No detection rules found.
Exploit-DB
Yokogawa CS3000 - 'BKFSim_vhfd.exe' Remote Buffer Overflow (Metasploit)
exploitdb · 2014-07-08 · CVE-2014-3888
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Yokogawa CS3000 BKFSim_vhfd.exe Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack based buffer overflow on Yokogawa CS3000. The vulnerability
        exists in the service BKFSim_vhfd.exe when using malicious user-controlled data to create
        logs using functions like vsprintf and memcpy in an insecure way. This module has been
        tested successfully on Yokogawa Centum CS3000 R3.08.50 over Windows XP SP3.
      },
      'Author'         =>
        [
          'Redsadic',
          'juan vazquez'
        ],
      'References'     =>
        [
          ['CVE', '2014-3888'],
          ['URL', 'http://jvn.jp/vu/JVNVU95045914/index
```
Metasploit
Yokogawa CS3000 BKFSim_vhfd.exe Buffer Overflow
metasploit · Published 2014-07-10
This module exploits a stack based buffer overflow on Yokogawa CS3000. The vulnerability exists in the service BKFSim_vhfd.exe when using malicious user-controlled data to create logs using functions like vsprintf and memcpy in an insecure way. This module has been tested successfully on Yokogawa Centum CS3000 R3.08.50 over Windows XP SP3.
References:
- http://ics-cert.us-cert.gov/advisories/ICSA-14-189-01
- http://osvdb.org/show/osvdb/108756
- http://packetstormsecurity.com/files/127382/Yokogawa-CS3000-BKFSim_vhfd.exe-Buffer-Overflow.html
- http://www.exploit-db.com/exploits/34009
- http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0002E.pdf