CVE-2017-15220
Published 2017-10-11
Priority: P2 · 66 · Critical 9.8 (CVSS 3.0)
Exploit: available
EPSS: 7.10% (93.4th percentile)
Flexense VX Search Enterprise 10.1.12 is vulnerable to a buffer overflow via an empty POST request to a long URI beginning with a /../ substring. This allows remote attackers to execute arbitrary code.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| flexense | vx_search | — | — |
Detection & IOCs (extracted from sources)
Bytes: `\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8\x77\x30\x30\x74\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7`
- The exploit sends an HTTP POST request with a URI beginning with /../ followed by a ~5000-byte payload; detect oversized POST requests to paths starting with /../.
- Look for the egghunter tag string 'w00tw00t' in HTTP POST body traffic to port 80 targeting VX Search Enterprise.
- The SEH overwrite uses the fixed address 0x1011369e; presence of this value in a POST body to port 80 is a strong exploit indicator.
- The egghunter shellcode bytes (\x66\x81\xCA\xFF\x0F\x42...) in an HTTP POST body can be used as a byte-level signature for this exploit.
- Total payload length is 5000 bytes with the SEH offset at 2492; alert on POST requests to /../ URIs with body/URI length >= 5000 bytes.
- Successful exploitation opens a bind shell on TCP port 4444 on the victim; monitor for unexpected listeners on port 4444 on Windows hosts running VX Search Enterprise.
- Caveat: the exploit was tested only on Windows 7 x86 Pro SP1; the SEH gadget address 0x1011369e may differ on other OS versions or patch levels.
- Caveat: the exploit targets specifically version 10.1.12 of VX Search Enterprise; other versions may have different offsets or may not be vulnerable.
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.