cbcvebase.
CVE-2017-5358
published 2017-03-15

Priority: P266
Severity: critical, 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 12.15% (95.6th percentile)
Stack-based buffer overflows in php_Easycom5_3_0.dll in EasyCom for PHP 4.0.0.29 allows remote attackers to execute arbitrary code via the server argument to the (1) i5_connect, (2) i5_pconnect, or (3) i5_private_connect API function.

Affected (1 range)

Vendor        | Product          | Version range | Fixed in
easycom-aura  | easycom_for_php  |               |

Detection & IOCs (extracted from sources)

filename: php_Easycom5_3_0.dll
filename: EasycomPHP_4.0029.iC8im2.exe
  • Detect SEH chain corruption as an indicator of exploitation; a corrupted SEH entry (e.g. 52525252 *** CORRUPT ENTRY ***) alongside overwritten SE handler (42424242) signals active buffer overflow exploitation.
  • The !exploitable classification of 'EXPLOITABLE - Data Execution Prevention Violation starting at Unknown Symbol @ 0x0000000041414141' confirms user-mode DEP bypass is achievable; monitor for DEP violations in php.exe processes loading php_Easycom5_3_0.dll.
  • The vulnerable functions are i5_connect, i5_pconnect, and i5_private_connect; the overflow is triggered via the 'server' argument to these API calls.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd    | v3.0    | 9.8   | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd    | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P