CVE-2017-15220
published 2017-10-11


Priority: P266 · Severity: critical · CVSS 3.0: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 7.10% (93.4th percentile)
Flexense VX Search Enterprise 10.1.12 is vulnerable to a buffer overflow via an empty POST request to a long URI beginning with a /../ substring. This allows remote attackers to execute arbitrary code.

Affected (1 range)

Vendor    | Product   | Version range | Fixed in
flexense  | vx_search |               |

Detection & IOCs (extracted from sources)

url: http://www.vxsearch.com/setups/vxsearchent_setup_v10.1.12.exe
command: POST /../<payload> HTTP/1.1
port: 4444
other: w00tw00t
other: 0x1011369e
bytes: \x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8\x77\x30\x30\x74\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7
  • Exploit sends an HTTP POST request with a URI beginning with /../ followed by a ~5000-byte payload; detect oversized POST requests to paths starting with /../
  • Look for the egghunter tag string 'w00tw00t' in HTTP POST body traffic to port 80 targeting VX Search Enterprise
  • SEH overwrite uses the fixed address 0x1011369e; presence of this value in a POST body to port 80 is a strong exploit indicator
  • Egghunter shellcode bytes (\x66\x81\xCA\xFF\x0F\x42...) in HTTP POST body can be used as a byte-level signature for this exploit
  • Payload total length is 5000 bytes with SEH offset at 2492; alert on POST requests to /../ URIs with body/URI length >= 5000 bytes
  • Successful exploitation opens a bind shell on TCP port 4444 on the victim; monitor for unexpected listeners on port 4444 on Windows hosts running VX Search Enterprise
  • The exploit was tested only on Windows 7 x86 Pro SP1; the SEH gadget address 0x1011369e may differ on other OS versions or patch levels
  • The exploit targets specifically version 10.1.12 of VX Search Enterprise; other versions may have different offsets or may not be vulnerable

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P