CVE-2017-5177
published 2017-05-19CVE-2017-5177: A Stack Buffer Overflow issue was discovered in VIPA Controls WinPLC7 5.0.45.5921 and prior. A stack-based buffer overflow vulnerability has been identified…
PriorityP263high7.5CVSS 3.0
AVNACLPRNUINSUCNINAH
EXPLOIT
EPSS
17.71%
96.8th percentile
A Stack Buffer Overflow issue was discovered in VIPA Controls WinPLC7 5.0.45.5921 and prior. A stack-based buffer overflow vulnerability has been identified, where an attacker with a specially crafted packet could overflow the fixed length buffer. This could allow remote code execution.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vipa_controls | winplc7_firmware | <= 5.0.45.5921 | — |
Detection & IOCsextracted from sources · hover to see the quote
bytes↗
\x13\x88\x00\x00\x00
- →Monitor for TCP connections to port 7777 targeting WinPLC7; the exploit module listens on this port and sends a crafted packet to trigger the overflow. ↗
- →Detect oversized packets (~5000 bytes) sent to/from WinPLC7 (ws7v5.exe) beginning with the 5-byte header \x13\x88\x00\x00\x00; legitimate traffic should not approach this size. ↗
- →The return address overwrite occurs at offset 848 in the packet buffer (4-byte little-endian RET value), followed immediately by shellcode at offset 852; inspect packet payloads for this structure. ↗
- →The exploit targets ws7v5.exe on Windows 7 EN using a JMP ESP gadget at 0x00422354; alert on execution flow reaching this address within the process. ↗
- →EXITFUNC is set to 'process', meaning successful exploitation terminates the WinPLC7 process; unexpected crashes of ws7v5.exe should be investigated as potential exploitation attempts. ↗
- ·The Metasploit module's RET address (JMP ESP gadget at 0x00422354) is specific to the Windows 7 EN build of ws7v5.exe; the exploit will not function as-is against other OS versions or locales without a different gadget address. ↗
- ·Payload space is constrained to 500 bytes with a stack adjustment of -3500; detection rules should account for shellcode embedded within the 500-byte window starting at offset 852. ↗
- ·At time of ICS-CERT advisory publication, no known public exploits specifically targeted this vulnerability; the Exploit-DB module post-dates the advisory. ↗
- ·All WinPLC7 versions 5.0.45.5921 and prior are affected; ensure version identification is part of asset inventory before scoping detection. ↗
CVSS provenance
nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:P
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-9hfw-x698-hh7x: A Stack Buffer Overflow issue was discovered in VIPA Controls WinPLC7 5
ghsa_unreviewed·2022-05-17
CVE-2017-5177 [HIGH] CWE-119 GHSA-9hfw-x698-hh7x: A Stack Buffer Overflow issue was discovered in VIPA Controls WinPLC7 5
A Stack Buffer Overflow issue was discovered in VIPA Controls WinPLC7 5.0.45.5921 and prior. A stack-based buffer overflow vulnerability has been identified, where an attacker with a specially crafted packet could overflow the fixed length buffer. This could allow remote code execution.
CISA ICS
VIPA Controls WinPLC7
cisa_ics·2017-02-23
VIPA Controls WinPLC7
## Archived Content In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
##
VIPA Controls WinPLC7
Last RevisedFebruary 23, 2017
Alert CodeICSA-17-054-01
## CVSS v3 7.5
ATTENTION: Remotely exploitable/low skill level to exploit
Vendor: VIPA Controls
Equipment: WinPLC7
Vulnerability: Stack Buffer Overflow
## AFFECTED PRODUCTS
The following versions of WinPLC7, a PLC programming software, are affected:
- WinPLC Versions 5.0.45.5921 and prior.
## IMPACT
Successful exploitation of this vulnerability could cause the software that the attacker is accessing to crash; a buffer overflow condition may allow remote code execution.
## MITIGATION
VIPA Contr
No detection rules found.
No writeups or analysis indexed.
2017-05-19
Published