CVE-2017-11309
Published 2017-11-10
CVE-2017-11309: Buffer overflow in the SoftConsole client in Avaya IP Office before 10.1.1 allows remote servers to execute arbitrary code via a long response.
Priority P3 · 57 · Critical 9.6 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:R / S:C / C:H / I:H / A:H
EXPLOIT (public PoC available)
EPSS: 9.40% (94.8th percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| avaya | ip_office | < 10.1.1 | 10.1.1 |
Detection & IOCs (extracted from sources)
- Detect a malicious server sending an oversized response to an Avaya SoftConsole client's outbound connection: the PoC payload begins with 452 'A' bytes followed by a NOP sled and shellcode, delivered over TCP port 80.
- Alert on SoftConsole.exe spawning unexpected child processes (e.g., wusa.exe); the PoC shellcode launches wusa.exe as its payload.
- Look for SEH-based exploitation patterns in the memory of SoftConsole.exe: the SEH handler is overwritten with the address 0x50E149FD inside IndyCore190.bpl, a module that has neither SafeSEH nor ASLR protection.
- Monitor for network connections from SoftConsole.exe to untrusted or external servers; the attack requires the Avaya user to connect to an attacker-controlled server.
- The exploit targets IndyCore190.bpl (v19.0.14356.6604) as loaded by SoftConsole.exe, with no ASLR, no Rebase and no SafeSEH; the SEH handler address is only reliable on systems where this module is loaded at its default base address.
- The shellcode was tested on Windows 7 only; reliability on other OS versions is unconfirmed.
- Affected versions are Avaya IP Office 9.1.0 through 10.1; versions 10.1.1 and later are patched.
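The IOCs above map to three checks: the shape of the server response, the process tree under SoftConsole.exe, and SoftConsole.exe's outbound connections. The following is an added example of those checks as runnable detection logic; it is not code from this page, from Avaya, or from the advisory author. It assumes Sysmon-style field names (ParentImage/Image for process creation, Image/DestinationIp for network connections), a NOP-sled threshold of 8 bytes, and a site-specific trusted-network list; every sample record and response below is constructed for illustration.

```python
"""Detection checks for the CVE-2017-11309 IOCs listed above (added example)."""
import ipaddress
import ntpath
import re

# Payload shape taken from the IOC list: 452 'A' filler bytes, the overwritten
# SEH handler 0x50E149FD (IndyCore190.bpl), then a NOP sled and shellcode.
MIN_FILLER = 452
SEH_HANDLER = 0x50E149FD
SEH_HANDLER_LE = SEH_HANDLER.to_bytes(4, "little")  # byte order on the wire (x86)
MIN_NOP_SLED = 8                                    # assumption: 8+ consecutive 0x90 bytes

# Assumption: IP Office servers the client should talk to live in these ranges.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def http_body(raw: bytes) -> bytes:
    """Return everything after the HTTP header block (or the whole buffer if no header)."""
    sep = raw.find(b"\r\n\r\n")
    return raw if sep < 0 else raw[sep + 4:]


def analyse_response(raw: bytes) -> dict:
    """Report which of the three payload features a server response carries."""
    body = http_body(raw)
    found = {"long_filler": False, "seh_address": False, "nop_sled": False}
    filler = re.match(rb"A{%d,}" % MIN_FILLER, body)
    if filler is None:
        return found                       # without the filler nothing else is meaningful
    found["long_filler"] = True
    tail = body[filler.end():]             # everything after the 'A' run
    found["seh_address"] = SEH_HANDLER_LE in tail
    found["nop_sled"] = re.search(rb"\x90{%d,}" % MIN_NOP_SLED, tail) is not None
    return found


def response_is_suspicious(raw: bytes) -> bool:
    """Require the filler plus one corroborating feature so a long 'A' string alone does not alert."""
    f = analyse_response(raw)
    return f["long_filler"] and (f["seh_address"] or f["nop_sled"])


def is_softconsole(image_path: str) -> bool:
    return ntpath.basename(image_path).lower() == "softconsole.exe"


def unexpected_children(process_events, allowed=()):
    """Process-creation records whose parent is SoftConsole.exe and whose image is not allow-listed."""
    allowed = {a.lower() for a in allowed}
    return [e for e in process_events
            if is_softconsole(e["ParentImage"])
            and ntpath.basename(e["Image"]).lower() not in allowed]


def external_connections(network_events, trusted=TRUSTED_NETS):
    """Network records where SoftConsole.exe connects to an address outside the trusted ranges."""
    hits = []
    for e in network_events:
        if not is_softconsole(e["Image"]):
            continue
        dst = ipaddress.ip_address(e["DestinationIp"])
        if not any(dst in net for net in trusted):
            hits.append(e)
    return hits


# Constructed samples: not captured traffic or real telemetry.
HDR = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
MALICIOUS_RESPONSE = (HDR + b"A" * MIN_FILLER
                      + b"BBBB"              # constructed 4-byte stand-in for the next-SEH slot
                      + SEH_HANDLER_LE       # overwritten handler, little-endian
                      + b"\x90" * 16         # NOP sled
                      + b"\xcc" * 8)         # placeholder bytes standing in for shellcode
LONG_A_RESPONSE = HDR + b"A" * 600           # long filler but none of the other features
BENIGN_RESPONSE = HDR + b"OK"
SOFTCONSOLE = r"C:\Avaya\SoftConsole\SoftConsole.exe"   # constructed path
PROCESS_EVENTS = [
    {"ParentImage": SOFTCONSOLE, "Image": r"C:\Windows\System32\wusa.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": SOFTCONSOLE},
]
NETWORK_EVENTS = [
    {"Image": SOFTCONSOLE, "DestinationIp": "192.168.1.10", "DestinationPort": 80},
    {"Image": SOFTCONSOLE, "DestinationIp": "203.0.113.25", "DestinationPort": 80},
    {"Image": r"C:\Windows\explorer.exe", "DestinationIp": "203.0.113.25", "DestinationPort": 443},
]

if __name__ == "__main__":
    for name, raw in (("malicious", MALICIOUS_RESPONSE), ("long-A", LONG_A_RESPONSE), ("benign", BENIGN_RESPONSE)):
        print(name, analyse_response(raw), "ALERT" if response_is_suspicious(raw) else "ok")
    print("unexpected children:", [e["Image"] for e in unexpected_children(PROCESS_EVENTS)])
    print("external connections:", [e["DestinationIp"] for e in external_connections(NETWORK_EVENTS)])
```

The response check is deliberately two-factor: a long run of 'A' bytes on its own appears in plenty of legitimate traffic, so it only alerts when the IndyCore190.bpl handler address or a NOP sled follows the filler. Tune `TRUSTED_NETS` and the `allowed` child list to the site's baseline before deploying.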
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 9.6 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
| NVD | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.
References
- http://downloads.avaya.com/css/P8/documents/101044086
- http://hyp3rlinx.altervista.org/advisories/AVAYA-OFFICE-IP-%28IPO%29-v9.1.0-10.1-SOFT-CONSOLE-REMOTE-BUFFER-OVERFLOW-0DAY.txt
- http://packetstormsecurity.com/files/144883/Avaya-IP-Office-IPO-10.1-Soft-Console-Remote-Buffer-Overflow.html
- http://www.securityfocus.com/bid/101674
- https://www.exploit-db.com/exploits/43121/