CVE-2015-3036
published 2015-05-21


Priority: P271 · critical · 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 27.91% (97.9th percentile)
Stack-based buffer overflow in the run_init_sbus function in the KCodes NetUSB module for the Linux kernel, as used in certain NETGEAR products, TP-LINK products, and other products, allows remote attackers to execute arbitrary code by providing a long computer name in a session on TCP port 20005.

Detection & IOCs (extracted from sources)

port: 20005
other: AES ECB key: 5c130b59d262426449ed4883382d5eaecc (hex)
other: AES key0 (hex): 0B7928FF6A76223C21A3B794084E1CAD
other: AES key1 (hex): A2353556541CFE44EC468248064DE66C
bytes: \x56\x05
bytes: \x56\x03
  • Detect exploit attempts by monitoring for TCP connections to port 20005 where the computer name field length is >= 128 bytes (DOS_BYTES = 128 triggers the stack buffer overflow).
  • The exploit initiates sessions with a 2-byte magic hello packet (\x56\x05 or \x56\x03) followed by 16 bytes of random data for AES handshake; alert on TCP port 20005 sessions starting with these byte sequences.
  • The DoS exploit (38566) was tested on NETGEAR DC112A; behavior on other affected vendors (TP-LINK, etc.) may differ.
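
The hello check from the second bullet, as an added detection sketch (not code from any of the cited sources): it buffers the first client bytes of each flow to TCP port 20005, so a hello split across TCP segments is still matched. The class name, the segment tuple layout, the rule name and the sample traffic are assumptions made for this example.

```python
from collections import defaultdict

NETUSB_PORT = 20005
HELLO_MAGICS = (b"\x56\x05", b"\x56\x03")  # magic values listed on this page
HELLO_LEN = 2 + 16                         # magic + 16 bytes of handshake data


class HelloDetector:
    """Flags flows to port 20005 whose first 18 client bytes form the hello."""

    def __init__(self):
        self._buf = defaultdict(bytes)  # flow -> first client bytes seen so far
        self._done = set()              # flows already classified

    def feed(self, src, sport, dst, dport, payload):
        """Return an alert dict once a flow's hello is complete, else None."""
        if dport != NETUSB_PORT or not payload:
            return None
        flow = (src, sport, dst, dport)
        if flow in self._done:
            return None
        data = self._buf[flow] + payload
        # Rule the flow out as soon as its first two bytes are known.
        if len(data) >= 2 and data[:2] not in HELLO_MAGICS:
            self._finish(flow)
            return None
        if len(data) < HELLO_LEN:
            self._buf[flow] = data  # hello may be split across TCP segments
            return None
        self._finish(flow)
        return {"rule": "netusb-hello", "flow": flow, "magic": data[:2].hex()}

    def _finish(self, flow):
        self._done.add(flow)
        self._buf.pop(flow, None)


def scan(segments):
    det = HelloDetector()
    return [a for a in (det.feed(*s) for s in segments) if a]


# Constructed sample segments: (src, sport, dst, dport, payload)
SAMPLE = [
    ("198.51.100.7", 40001, "192.0.2.1", 20005, b"\x56"),  # split hello, part 1
    ("198.51.100.7", 40001, "192.0.2.1", 20005, b"\x05" + bytes(16)),
    ("198.51.100.8", 40002, "192.0.2.1", 20005, b"\x56\x03" + bytes(range(16))),
    ("198.51.100.9", 40003, "192.0.2.1", 20005, b"GET / HTTP/1.1\r\n\r\n"),
    ("198.51.100.7", 40004, "192.0.2.1", 80, b"\x56\x05" + bytes(16)),
]
```

A match marks the start of a NetUSB session as described above, not the overflow itself. The name-length check from the first bullet needs the offset of the computer name field, which this page does not give.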