CVE-2016-3962
published 2016-07-03

CVE-2016-3962: Stack-based buffer overflow in the NTP time-server interface on Meinberg IMS-LANTIME M3000, IMS-LANTIME M1000, IMS-LANTIME M500, LANTIME M900, LANTIME M600…

Priority: P3 (56)
Severity: high, CVSS 3.0 base score 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploit: public exploit available
EPSS: 5.22% (91.5th percentile)
Stack-based buffer overflow in the NTP time-server interface on Meinberg IMS-LANTIME M3000, IMS-LANTIME M1000, IMS-LANTIME M500, LANTIME M900, LANTIME M600, LANTIME M400, LANTIME M300, LANTIME M200, LANTIME M100, SyncFire 1100, and LCES devices with firmware before 6.20.004 allows remote attackers to obtain sensitive information, modify data, or cause a denial of service via a crafted parameter in a POST request.

Affected (1 range)

Vendor     Product               Version range   Fixed in
meinberg   ntp_server_firmware   <= 6.0          (not listed)

Detection & IOCs (extracted from sources)

URL: /cgi-bin/main
  • The exploit sends a crafted HTTP POST to /cgi-bin/main with a 'button' parameter padded with ~10028 bytes of 'A' characters followed by ROP chain gadgets; detect oversized POST bodies to this endpoint.
  • The exploit stages a reverse shell via mkfifo on /tmp/foo and executes /bin/bash through it; monitor for creation of named pipes in /tmp and outbound connections from the NTP server process.
  • The ROP gadget addresses and buffer offsets in the exploit are specific to firmware version ELX800/GPS M4x V5.30p (Kernel 2.6.15.1, System Version 530, Lantime configuration utility 1.27); they will differ on other firmware versions.
  • The vulnerability affects all listed Meinberg products running firmware Version 6.0 and earlier; firmware 6.20.004 is the patched version.

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.0      7.3     HIGH       CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
nvd      v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P