CVE-2014-3888
published 2014-07-10


Priority: P2 (75, high)
CVSS 2.0: 8.3 (AV:N/AC:M/Au:N/C:P/I:P/A:C)
Exploit: public exploit available
EPSS: 62.31% (99.1th percentile)
Stack-based buffer overflow in BKFSim_vhfd.exe in Yokogawa CENTUM CS 1000, CENTUM CS 3000 R3.09.50 and earlier, CENTUM VP R5.03.20 and earlier, Exaopc R3.72.00 and earlier, B/M9000CS R5.05.01 and earlier, and B/M9000 VP R7.03.01 and earlier, when FCS/Test Function is enabled, allows remote attackers to execute arbitrary code via a crafted packet.

Affected (9 ranges)

Vendor     Product                                   Version range
yokogawa   b_m9000_vp_software                       <= 7.03.01
yokogawa   b_m9000cs_software                        <= 5.05.01
yokogawa   centum_cs_3000_entry_class_software       <= 3.09.50
yokogawa   centum_cs_3000_software                   <= 2.23.00
yokogawa   centum_vp_entry_class_software            <= 5.03.00
yokogawa   centum_vp_software                        <= 5.03.20
yokogawa   centum_vp_software                        (no range given)
yokogawa   exaopc                                    <= 3.72.00
yokogawa   exaopc                                    (no range given)

No fixed-in version is listed for any of these ranges.

Detection & IOCs (extracted from sources)

port: 20010
other: 0x61e55c9c
process: BKFSim_vhfd.exe
bytes: \x45\x54\x56\x48\x01\x01\x10\x09\x00\x00\x00\x01\x00\x00\x00\x44
bytes: \x81\xc4\x54\xf2\xff\xff
  • Monitor for UDP traffic to port 20010 targeting BKFSim_vhfd.exe; exploit packets begin with the fixed 16-byte header 45 54 56 48 01 01 10 09 00 00 00 01 00 00 00 44.
  • Exploit payload space is constrained to 1770 bytes within a maximum packet length of 2228 bytes; oversized UDP packets to port 20010 exceeding normal operational size are suspicious.
  • The stack-adjustment prepend encoder bytes (\x81\xc4\x54\xf2\xff\xff / add esp, -3500) may appear in shellcode delivered to port 20010/UDP and can be used as a payload signature.
  • The return address 0x61e55c9c (push esp; ret gadget in LibBKCCommon.dll) appearing in a UDP packet to port 20010 is a strong indicator of exploitation.
  • The vulnerability is only exploitable when the FCS/Test Function feature is enabled; systems without this feature active are not exposed.
  • The Metasploit module return address (0x61e55c9c in LibBKCCommon.dll) and offset (438) are specific to Yokogawa Centum CS3000 R3.08.50 on Windows XP SP3; other versions may require different values.
  • Null bytes (\x00) are bad characters for the payload, meaning shellcode containing null bytes will not function correctly in this exploit.