CVE-2017-6427
published 2017-03-10


Priority: P350, high
CVSS 3.0: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EXPLOIT
EPSS: 7.23% (93.5th percentile)
A Buffer Overflow was discovered in EvoStream Media Server 1.7.1. A crafted HTTP request with a malicious header will cause a crash. An example attack methodology may include a long message-body in a GET request.

Affected

1 range

Vendor | Product | Version range | Fixed in
evostream | media_server | |

Detection & IOCs (extracted from sources)

port: 8080
version: EvoStream Media Server 1.7.1
bytes: Cont\x41\x41\x41\x41\x41\x41\x41\x41:
bytes: \xff\xad\xde + \x41*8 in HTTP header name
  • Detect oversized/malformed HTTP header names in requests to port 8080 targeting EvoStream Media Server: the exploit corrupts the header name field (e.g. 'Cont' + 8x 0x41) to control the RCX register, triggering a buffer overflow crash.
  • Look for HTTP GET requests to /index.html on port 8080 with a Content-Length of 5900 and a message body of 4096+ repeated bytes ('B'*4096), which is the proof-of-concept payload pattern.
  • Flag HTTP requests containing non-printable bytes (e.g. 0xff, 0xad, 0xde) within HTTP header name fields, as the alternate exploit variant uses these to control the RDX/CX registers (value 0x000000000000dead).
  • An attack methodology includes a long message-body in a GET request; monitor for anomalously large GET request bodies directed at EvoStream Media Server's built-in web server.
  • The exploit was tested specifically on Windows Server 2008 R2 Standard x64; behavior on other platforms or versions of EvoStream Media Server may differ.
  • The target port (8080) is hardcoded in the PoC but is the default for EvoStream's built-in web server; deployments on non-default ports would require adjusted detection rules.
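
The header-name and GET-body checks above can be expressed as a small request inspector. This is an added example, not code from the advisory or the PoC; the function name `inspect_request`, the thresholds and the sample requests are assumptions constructed for illustration. It does not catch the printable 'Cont' + 0x41 variant, which needs an allowlist of expected header names.

```python
import re

# RFC 7230 "token" characters: the only bytes legal in a header field name.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
MAX_NAME_LEN = 64   # assumption: local ceiling for header-name length
MAX_GET_BODY = 0    # assumption: GET requests to this server carry no body

def inspect_request(raw: bytes) -> list[str]:
    """Return findings for one raw HTTP/1.x request (empty list = clean)."""
    findings = []
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0].upper()
    declared = 0
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            findings.append("header line without colon")
            continue
        if not TOKEN.fullmatch(name):
            findings.append("non-token bytes in header name")
        elif len(name) > MAX_NAME_LEN:
            findings.append("oversized header name")
        if name.strip().lower() == b"content-length":
            v = value.strip()
            declared = int(v) if v.isdigit() else 0
    # A GET that declares or carries a body is anomalous for a static page.
    if method == b"GET" and max(declared, len(body)) > MAX_GET_BODY:
        findings.append("GET request with message body")
    # Filler pattern from the bullets above: 4096+ copies of a single byte.
    if len(body) >= 4096 and len(set(body)) == 1:
        findings.append("body is one repeated byte (>=4096)")
    return findings

# Constructed samples (not captured traffic).
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: media.example:8080\r\n\r\n"
BAD_NAME = b"GET /index.html HTTP/1.1\r\nX-Test\xff\xad\xde: 1\r\n\r\n"
GET_BODY = (b"GET /index.html HTTP/1.1\r\nContent-Length: 5900\r\n\r\n"
            + b"B" * 4096)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("bad-name", BAD_NAME),
                       ("get-body", GET_BODY)):
        print(label, inspect_request(req))
```
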

CVSS provenance

nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P