CVE-2014-3913
published 2014-06-04

Priority: P269, critical, 10 (CVSS 2.0)
CVSS vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 60.86% (99.0th percentile)
Stack-based buffer overflow in AccessServer32.exe in Ericom AccessNow Server allows remote attackers to execute arbitrary code via a request for a non-existent file.

Detection & IOCs (extracted from sources)

process: AccessServer32.exe
port: 8080
url: /AccessNow/start.html
other: 0x104da1e5
bytes: \x81\xc4\x54\xf2\xff\xff
  • Detect exploit attempts by monitoring HTTP requests to port 8080 targeting the Ericom AccessNow Server with a malformed/non-existent file URI — the exploit sends a request with a random alpha character followed by a space to trigger the vsprintf overflow.
  • Fingerprint vulnerable Ericom AccessNow Server instances by checking for 'Ericom AccessNow Server' or 'Ericom Access Server' in the HTTP Server response header on port 8080.
  • The exploit uses a ROP chain sourced entirely from AccessNowAccelerator32.dll; presence of this DLL loaded in AccessServer32.exe combined with network exploitation activity is a strong indicator of compromise.
  • The ROP chain calls VirtualAlloc via IAT pointer 0x105c6294 in AccessNowAccelerator32.dll; monitor for VirtualAlloc calls originating from AccessServer32.exe as a post-exploitation indicator.
  • The overflow offset is 30668 bytes; unusually large HTTP request bodies (~30KB+) to port 8080 on Ericom AccessNow Server should be flagged for inspection.
  • The Metasploit module and its ROP chain were tested only against Ericom AccessNow Server 2.4.0.2 on Windows XP SP3 and Windows 2003 Server SP2; ROP gadget addresses and offsets will differ on other versions or OS patch levels.
  • Bad characters \x00, \x0d, \x0a are filtered by the vulnerable code path; any payload or signature must avoid these bytes.
  • The RopOffset is 62, meaning the ROP chain begins 62 bytes before the main overflow offset of 30668; detection signatures based on buffer size must account for this layout.
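
The port, banner and request-size checks from the notes above, combined into one triage pass. This is an added example, not code from the cited sources or from Ericom: the `Exchange` record, the function names and the sample traffic are constructed for illustration, and alerting at the overflow offset minus the RopOffset is an assumption about where to set the threshold.

```python
from dataclasses import dataclass

ACCESSNOW_PORT = 8080                      # port listed on this page
BANNERS = ("Ericom AccessNow Server", "Ericom Access Server")
OVERFLOW_OFFSET = 30668                    # overflow offset from this page
ROP_OFFSET = 62                            # RopOffset from this page
# Assumption: alert as soon as a request is long enough to reach the chain,
# which starts ROP_OFFSET bytes before the overflow offset.
SIZE_THRESHOLD = OVERFLOW_OFFSET - ROP_OFFSET

@dataclass
class Exchange:
    """One captured HTTP exchange (hypothetical record layout)."""
    dst_port: int
    request: bytes
    response: bytes = b""                  # empty if the server never answered

def server_header(response: bytes) -> str:
    """Return the Server header value of a raw HTTP response, or ''."""
    head = response.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:   # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return ""

def triage(ex: Exchange) -> list[str]:
    """Return the findings for one exchange; an empty list means nothing to flag."""
    if ex.dst_port != ACCESSNOW_PORT:
        return []
    findings = []
    if any(b in server_header(ex.response) for b in BANNERS):
        findings.append("accessnow-banner")        # inventory: product is exposed
    if len(ex.request) >= SIZE_THRESHOLD:
        findings.append(f"oversized-request:{len(ex.request)}")
    return findings

# Constructed sample traffic; the large request is inert filler, not a payload.
BANNER_RESP = b"HTTP/1.1 200 OK\r\nServer: Ericom AccessNow Server\r\n\r\nok"
SAMPLES = [
    Exchange(8080, b"GET /AccessNow/start.html HTTP/1.1\r\n\r\n", BANNER_RESP),
    Exchange(8080, b"GET /" + b"A" * 31000 + b" HTTP/1.1\r\n\r\n"),
    Exchange(80, b"GET /" + b"A" * 31000 + b" HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for ex in SAMPLES:
        print(ex.dst_port, len(ex.request), triage(ex))
```

An oversized request with no response is still reported, since a crashed or hijacked service may never answer.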