CVE-2014-5289
Published 2019-12-27
Priority P269 · Critical 9.8 (CVSS 3.1) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Public exploit available · EPSS 12.02% (95.6th percentile)
Buffer overflow in Senkas Kolibri 2.0 allows remote attackers to execute arbitrary code via a long URI in a POST request.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| senkas_kolibri_project | senkas_kolibri | — | — |
Detection & IOCs (extracted from the referenced sources)
Byte indicators:
- \x7B\x46\x86\x7C
- \xED\x1E\x94\x7C
- \xEB\x99
- \x43\x44\x44\x45\x43\x44\x44\x45 (ASCII "CDDECDDE")
- \x43\x44\x44\x45 (ASCII "CDDE")
- Match HTTP POST requests whose URI is abnormally long (515+ bytes for the Windows XP target, 790+ bytes for the Windows Vista/7 target); this oversized URI is what triggers the overflow.
- Match the HTTP response banner 'server: kolibri-2.0'. The exploit checks for this string to confirm a vulnerable target before launching the attack. On its own the banner only identifies the server version, so pair it with the request-side indicators below.
- Match HTTP POST requests with User-Agent 'Wget/1.13.4' combined with an oversized URI, the combination used by this specific exploit.
- Match the egghunter tag bytes 0x43 0x44 0x44 0x45 ("CDDE"), repeated twice as "CDDECDDE", in the HTTP POST URI or the Host header payload of the Windows Vista/7 variant.
- Match the SEH overwrite pattern of the Windows 7 variant: the nSEH short jump bytes \xEB\x99 followed by the SEH handler address bytes \xD1\x87\x44 (0x004487D1 little-endian; the fourth byte of the address is 0x00 and is not part of the pattern).
- In the Windows 7 variant the shellcode is placed in the HTTP Host header, not the URI, so inspect the Host header value for binary (non-printable) bytes.
- The exploit claims to bypass all EMET 5.0 and EMET 4.1 protections except DEP; with DEP enabled on the target the exploit fails. Detection should therefore not rely solely on EMET alerting.
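The request-side checks above (oversized URI, Wget User-Agent, egghunter tag, SEH overwrite bytes, binary Host header) and the banner check, put together as one scanner over raw HTTP messages. This is an added example, not code from the page or from the published exploit: the thresholds and byte patterns are the ones listed above, while the function names, the indicator labels and the sample requests are constructed for the demo. It goes slightly beyond the bullets by also matching the two XP-variant byte IOCs listed under "Byte indicators".

```python
import re

# Thresholds and byte patterns are the ones listed on this page; the helper
# names and the sample requests below are constructed for this example.
URI_LEN_XP = 515          # oversized URI threshold, Windows XP target
URI_LEN_VISTA7 = 790      # oversized URI threshold, Windows Vista/7 target
WGET_UA = b"Wget/1.13.4"
EGG_TAG = b"\x43\x44\x44\x45" * 2                     # egghunter tag, "CDDECDDE"
SEH_PATTERN = b"\xEB\x99" + b"\xD1\x87\x44"           # nSEH short jmp + 0x004487D1 (LE, trailing 0x00 omitted)
XP_ADDRS = (b"\x7B\x46\x86\x7C", b"\xED\x1E\x94\x7C")  # byte IOCs listed above for the XP variant


def parse_request(raw):
    """Split a raw HTTP request into (method, uri, headers); header names are lower-cased bytes."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2:
        return None, b"", {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def scan_request(raw):
    """Return the names of the indicators from this page that a single request matches."""
    method, uri, headers = parse_request(raw)
    hits = []
    if method != b"POST":
        return hits
    host = headers.get(b"host", b"")
    ua = headers.get(b"user-agent", b"")
    if len(uri) >= URI_LEN_VISTA7:
        hits.append("long_uri_vista7")
    elif len(uri) >= URI_LEN_XP:
        hits.append("long_uri_xp")
    if ua == WGET_UA and len(uri) >= URI_LEN_XP:
        hits.append("wget_ua_oversized_uri")
    if EGG_TAG in uri or EGG_TAG in host:
        hits.append("egghunter_tag")
    if SEH_PATTERN in uri or SEH_PATTERN in host:
        hits.append("seh_overwrite_win7")
    if any(addr in uri for addr in XP_ADDRS):
        hits.append("xp_seh_address")
    # The Win7 variant carries shellcode in Host; a legitimate Host value is printable ASCII.
    if any(b < 0x20 or b > 0x7E for b in host):
        hits.append("binary_host_header")
    return hits


def is_kolibri_banner(raw_response):
    """True when the response carries the 'Server: kolibri-2.0' banner the exploit fingerprints."""
    return re.search(rb"(?im)^server:\s*kolibri-2\.0\s*$", raw_response) is not None


# Constructed sample traffic for the demo (not captured data).
BENIGN = (b"POST /upload HTTP/1.1\r\nHost: files.example.test\r\n"
          b"User-Agent: curl/8.0\r\nContent-Length: 0\r\n\r\n")
SUSPECT = (b"POST /" + b"A" * 800 + SEH_PATTERN + b" HTTP/1.1\r\n"
           + b"Host: " + EGG_TAG + b"\x90\x90\xCC\r\n"
           + b"User-Agent: Wget/1.13.4\r\n\r\n")

if __name__ == "__main__":
    print("benign :", scan_request(BENIGN))
    print("suspect:", scan_request(SUSPECT))
    print("banner :", is_kolibri_banner(b"HTTP/1.1 200 OK\r\nServer: kolibri-2.0\r\n\r\n"))
```

The length thresholds are taken from the exploit, so treat a single `long_uri_*` hit as weak on its own; the combination with the Wget User-Agent, the egghunter tag or the SEH bytes is what makes a match specific to this exploit, and the banner check on the response side tells you whether the targeted host actually runs Kolibri 2.0.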
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
References
- http://packetstormsecurity.com/files/127912/Senkas-Kolibri-WebServer-2.0-Buffer-Overflow.html
- http://www.securityfocus.com/bid/69263
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95350