CVE-2015-7874
published 2020-01-15

CVE-2015-7874: Buffer overflow in the chat server in KiTTY Portable 0.65.0.2p and earlier allows remote attackers to execute arbitrary code via a long nickname.

Priority: P2 (64)
Severity: Critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 13.89% (96.1th percentile)

Affected (1 range)

Vendor     Product          Version range    Fixed in
portapps   kitty_portable   <= 0.65.0.2p     (none listed)

Detection & IOCs (extracted from sources)

Indicator: port 1987
  • Monitor for TCP connections to port 1987 (KiTTY chat server default port); unexpected external connections to this port may indicate exploitation attempts.
  • Detect oversized nickname fields sent to the KiTTY chat server; the exploit triggers a buffer overflow at offset 54 with buffers ranging from 160 to 196 bytes depending on OS.
  • Detect SEH-based exploitation pattern: exploit uses POP POP RET gadgets from the KiTTY executable itself (not protected by SafeSEH/ASLR/DEP), with nseh jump short stub followed by SEH overwrite.
  • Detect 100% CPU utilization on one or more cores associated with the KiTTY process following a chat connection; each exploit buffer contains an infinite loop stub (\xEB\xFA\x90\x90) that spins a CPU core.
  • Look for the infinite-loop byte sequence \x90\x90\x90\x90\xEB\xFA\x90\x90 in network payloads destined for port 1987, used by the exploit to stall intermediate shellcode slices.
  • The exploit targets KiTTY versions 0.65.0.2p and earlier (also confirmed on 0.63.2.2p and 0.62.1.2p); inventory and flag any deployment of these versions.
  • The exploit requires 'Chat=1' set in kitty.ini; detection of this configuration key combined with the process listening on port 1987 indicates an exploitable attack surface.
  • The exploit only works when the KiTTY chat feature is explicitly enabled via kitty.ini; the attack surface does not exist in default installations without this configuration.
  • The buffer offset varies by OS (160 bytes on WinXP, 180 on Win7, 196 on Win10), and the shellcode slice size must also be reduced on XP (98 bytes vs 118); SEH gadget addresses differ across KiTTY versions.
  • The exploit is not affected by system DEP, ASLR, or SafeSEH because it uses gadget addresses from the KiTTY main executable, which is unprotected; mitigations at the OS level are insufficient without patching the application.
  • The destination memory address for shellcode reassembly is derived from ECX at time of crash (ECX + 0x0006EEC6); reuse of this technique on other vulnerabilities may require a different register or stack-based address.

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C