CVE-2017-13696
Published 2018-01-24
Priority: P182, critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 79.67% (99.6th percentile)
A buffer overflow vulnerability exists in the web server component of Dup Scout Enterprise 9.9.14, Disk Savvy Enterprise 9.9.14, Sync Breeze Enterprise 9.9.16, and Disk Pulse Enterprise 9.9.16: an attacker can craft a malicious GET request to exploit the web server component. Successful exploitation allows an attacker to gain complete access to the system with NT AUTHORITY\SYSTEM level privileges. The vulnerability is caused by improper handling and sanitization of the incoming request.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| flexense | diskpulse | — | — |
| flexense | disksavvy | — | — |
| flexense | dupscout | — | — |
| flexense | syncbreeze | — | — |
Detection & IOCs (extracted from sources)
- Detect oversized/malformed HTTP GET request paths targeting the built-in web server component of Dup Scout Enterprise, Disk Savvy Enterprise, Sync Breeze Enterprise, or Disk Pulse Enterprise, indicative of stack-based buffer overflow exploitation.
- Monitor for crafted HTTP GET requests to the web interface of affected Disk Pulse Enterprise instances that trigger SEH-based buffer overflow conditions.
- Monitor for buffer overflow exploitation attempts via the web login interface of Dup Scout Enterprise, which can result in NT AUTHORITY\SYSTEM level code execution.
- Alert on processes spawned by the Dup Scout / Disk Pulse / Sync Breeze / Disk Savvy web server component running as NT AUTHORITY\SYSTEM, especially if spawning shells or unexpected child processes.
- The GET-based exploit module (dupscts_bof.rb) supports x86 versions of Dup Scout Enterprise and x86 Windows operating systems only; detection logic should account for both x86 and x64 variants when covering the login-based overflow module.
- The login buffer overflow module has been confirmed against both x86 and x64 Windows targets across multiple OS versions (XP, 7, 10), so detections should not be limited to x86 architecture.
- CVE-2017-13696 affects multiple products from the same vendor family (Dup Scout, Disk Savvy, Sync Breeze, Disk Pulse Enterprise); ensure detection coverage spans all four products and their respective vulnerable versions.
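The first detection item above, as an added example (not taken from the advisory or from any vendor rule set): a checker for raw HTTP request lines, as a proxy or network sensor in front of the management web interface might record them. The 1024-byte threshold, the function names and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumed threshold (not from the advisory): the longest request path a
# legitimate client of the management web UI is expected to send. Tune it.
MAX_PATH_BYTES = 1024

# METHOD SP target [SP HTTP-version]; works on bytes because overflow
# attempts routinely carry bytes that are not valid text.
REQUEST_LINE = re.compile(
    rb"^(?P<method>[A-Z]+) (?P<target>\S*)(?: (?P<version>HTTP/\d\.\d))?\r?$"
)

def inspect_request_line(line: bytes, max_path: int = MAX_PATH_BYTES) -> list[str]:
    """Return the reasons a GET request line looks oversized or malformed."""
    m = REQUEST_LINE.match(line)
    if m is None:
        return ["unparseable request line"]
    if m["method"] != b"GET":
        return []  # this check covers the GET path only
    reasons = []
    path = m["target"].split(b"?", 1)[0]
    if len(path) > max_path:
        reasons.append(f"path length {len(path)} exceeds {max_path}")
    # Heuristic: a management UI path should be printable ASCII after decoding.
    if any(b < 0x20 or b > 0x7E for b in unquote_to_bytes(path)):
        reasons.append("non-printable bytes in path")
    if m["version"] is None:
        reasons.append("missing HTTP version")
    return reasons

def scan(lines: list[bytes]) -> dict[int, list[str]]:
    """Map the index of each suspicious line to its reasons."""
    hits = {i: inspect_request_line(l) for i, l in enumerate(lines)}
    return {i: r for i, r in hits.items() if r}

# Constructed sample input, not captured traffic.
SAMPLE = [
    b"GET /login HTTP/1.1",
    b"GET /" + b"A" * 3000 + b" HTTP/1.1",
    b"GET /status%00%ff HTTP/1.1",
    b"GET /" + b"B" * 2000,
    b"POST /login HTTP/1.1",
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE).items():
        print(index, reasons)
```
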
CVSS provenance
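| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |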
No detection rules found.
Metasploit: Dup Scout Enterprise GET Buffer Overflow
This module exploits a stack-based buffer overflow vulnerability in the web interface of Dup Scout Enterprise versions <= 10.0.18, caused by improper bounds checking of the request path in HTTP GET requests sent to the built-in web server which can be leveraged to execute arbitrary code in the context of NT AUTHORITY\SYSTEM. This module supports x86 versions of Dup Scout Enterprise and x86 Windows operating systems only and has been tested successfully on Windows 7 SP1 (x86) and Windows XP SP0 (x86).
Metasploit: Dup Scout Enterprise Login Buffer Overflow
This module exploits a stack buffer overflow in Dup Scout Enterprise versions <= 10.0.18. The buffer overflow exists via the web interface during login. This gives NT AUTHORITY\SYSTEM access. This module has been tested successfully on Dup Scout Enterprise versions: 9.9.14 on Windows 7 SP1 (x64); 9.9.14 on Windows XP SP0 (x64); 10.0.18 on Windows 7 SP1 (x64); 10.0.18 on Windows XP SP0 (x86); and 10.0.18 on Windows 10 (1909) (x64).
Metasploit: Disk Pulse Enterprise GET Buffer Overflow
This module exploits an SEH buffer overflow in Disk Pulse Enterprise 9.9.16. If a malicious user sends a crafted HTTP GET request it is possible to execute a payload that would run under the Windows NT AUTHORITY\SYSTEM account.
No writeups or analysis indexed.
- https://www.exploit-db.com/exploits/42557
- https://www.exploit-db.com/exploits/42558/
- https://www.exploit-db.com/exploits/42559/
- https://www.exploit-db.com/exploits/42560/
- https://www.rapid7.com/db/modules/exploit/windows/http/disk_pulse_enterprise_get