CVE-2014-3913
Published 2014-06-04
Priority: P269 · critical · 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 60.86% (99.0th percentile)
Stack-based buffer overflow in AccessServer32.exe in Ericom AccessNow Server allows remote attackers to execute arbitrary code via a request for a non-existent file.
Detection & IOCs (extracted from sources)
bytes: \x81\xc4\x54\xf2\xff\xff
- Detect exploit attempts by monitoring HTTP requests to port 8080 targeting the Ericom AccessNow Server with a malformed/non-existent file URI. The exploit sends a request with a random alpha character followed by a space to trigger the vsprintf overflow.
- Fingerprint vulnerable Ericom AccessNow Server instances by checking for 'Ericom AccessNow Server' or 'Ericom Access Server' in the HTTP Server response header on port 8080.
- The exploit uses a ROP chain sourced entirely from AccessNowAccelerator32.dll; presence of this DLL loaded in AccessServer32.exe combined with network exploitation activity is a strong indicator of compromise.
- The ROP chain calls VirtualAlloc via IAT pointer 0x105c6294 in AccessNowAccelerator32.dll; monitor for VirtualAlloc calls originating from AccessServer32.exe as a post-exploitation indicator.
- The overflow offset is 30668 bytes; unusually large HTTP request bodies (~30KB+) to port 8080 on Ericom AccessNow Server should be flagged for inspection.
- The Metasploit module and its ROP chain were tested only against Ericom AccessNow Server 2.4.0.2 on Windows XP SP3 and Windows 2003 Server SP2; ROP gadget addresses and offsets will differ on other versions or OS patch levels.
- Bad characters \x00, \x0d, \x0a are filtered by the vulnerable code path; any payload or signature must avoid these bytes.
- The RopOffset is 62, meaning the ROP chain begins 62 bytes before the main overflow offset of 30668; detection signatures based on buffer size must account for this layout.
No detection rules found.
Exploit-DB
Ericom AccessNow Server - Remote Buffer Overflow (Metasploit)
exploitdb·2014-06-19
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Ericom AccessNow Server Buffer Overflow',
      'Description' => %q{
        This module exploits a stack based buffer overflow in Ericom AccessNow Server. The
        vulnerability is due to an insecure usage of vsprintf with user controlled data,
        which can be triggered with a malformed HTTP request. This module has been tested
        successfully with Ericom AccessNow Server 2.4.0.2 on Windows XP SP3 and Windows 2003
        Server SP2.
      },
      'Author' =>
        [
          'Unknown', # Vulnerability Discovery
          'juan vazquez', # Metasploit Module
        ],
      'References' =>
        [
          ['ZDI', '14-160'],
          ['CVE', '2014-3913']
Metasploit
Ericom AccessNow Server Buffer Overflow
This module exploits a stack based buffer overflow in Ericom AccessNow Server. The vulnerability is due to an insecure usage of vsprintf with user controlled data, which can be triggered with a malformed HTTP request. This module has been tested successfully with Ericom AccessNow Server 2.4.0.2 on Windows XP SP3 and Windows 2003 Server SP2.
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/127152/Ericom-AccessNow-Server-Buffer-Overflow.html
- http://www.ericom.com/security-ERM-2014-610.asp
- http://www.exploit-db.com/exploits/33817
- http://www.securityfocus.com/bid/67777
- http://www.zerodayinitiative.com/advisories/ZDI-14-160