CVE-2015-2281
Published: 2015-03-19
Priority: P2 · 60 · high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 10.33% (95.1th percentile)
Stack-based buffer overflow in collectoragent.exe in Fortinet Single Sign On (FSSO) before build 164 allows remote attackers to execute arbitrary code via a large PROCESS_HELLO message to the Message Dispatcher on TCP port 8000.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortinet | single_sign_on | — | — |
Detection & IOCs (extracted from sources)
Bytes: \x80\x01\x42\x42
- Detect oversized TCP connections to port 8000 targeting collectoragent.exe (FSSO Message Dispatcher); payloads beginning with magic bytes \x80\x01\x42\x42 followed by large buffers (approaching 0xfffff bytes) are indicative of PROCESS_HELLO exploitation attempts.
- The exploit is pre-authentication; any unauthenticated large TCP payload to port 8000 on FSSO hosts should be treated as suspicious.
- Monitor for crash or unexpected termination of collectoragent.exe, which is the direct impact of a successful or attempted exploit.
- Only FSSO builds prior to build 164 are vulnerable; build 164 and later are patched. Verify installed build number before deploying detections to avoid false positives on patched systems.
- Confirmed vulnerable versions include 4.3.0161, 4.3.0151, and 4.3.0129; other versions were not tested but may also be affected.
- Because FSSO runs under a Windows Domain Admin or eDirectory Admin account, successful exploitation grants domain-level privileges across the entire network.
References
- http://seclists.org/fulldisclosure/2015/Mar/111
- http://www.coresecurity.com/advisories/fortinet-single-sign-on-stack-overflow
- http://www.fortiguard.com/advisory/2015-02-27-fsso-stack-based-buffer-overflow
- http://www.fortiguard.com/advisory/FG-IR-15-006/
- http://www.osvdb.org/119719
- http://www.securityfocus.com/archive/1/534918/100/0/threaded
- http://www.securityfocus.com/bid/73206
- https://www.exploit-db.com/exploits/36422/