cbcvebase.
CVE-2017-17849
published 2017-12-27

Priority: P267 · Severity: critical · Score: 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 19.02% (97.0th percentile)

A buffer overflow vulnerability in GetGo Download Manager 5.3.0.2712 and earlier could allow remote HTTP servers to execute arbitrary code on NAS devices via a long response.

Affected (1 range)

Vendor: getgosoft
Product: getgo_download_manager
Version range: <= 5.3.0.2712
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

PoC command strings quoted from the sources:

command: "A" * 4104 + "BBBB" + "\xcc\xcc\xcc\xcc" + "D" * 11000 + "\r\n"
command: "A" * 4105 + "\x69\x9E\x45\x76" + "C" * (6000 - len(evilbuffer + hardCodedEIP))
  • The overflow is triggered via a long HTTP response header/status line. Monitor for HTTP responses with extremely long status lines (>4000 bytes) being received by GetGo Download Manager processes.
  • SEH chain corruption is the exploitation mechanism. The SEH overwrite occurs at offset 4104 bytes (Windows 7 x86). Detect abnormal SEH chain entries in the GetGo Download Manager process.
  • The attack requires the victim to initiate a download from an attacker-controlled server. Suspicious outbound connections from GetGo Download Manager to untrusted IPs on port 80 followed by a crash should be investigated.
  • The hardcoded EIP value (\x69\x9E\x45\x76) in the PoC is explicitly noted as demo-only and environment-specific; real exploits would use a different return address depending on the target OS and loaded modules.
  • The PoC was tested on Windows 7 x86 and Windows 10 x64; SEH offsets and exploit reliability may differ across OS versions and architectures.
  • CVE-2017-17849 affects GetGo Download Manager 5.3.0.2712 and earlier per the NVD advisory, but a separate PoC targets version 6.2.1.3200, suggesting the vulnerability may persist in later versions.

CVSS provenance

Source: nvd · CVSS v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: nvd · CVSS v2.0 · 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C