CVE-2018-17408
Published 2018-10-03
Priority P3 · 51 · CVSS 3.0 score 7.8 (high)
Exploit available · EPSS 18.97% (96.9th percentile)
Stack-based buffer overflows in Zahir Accounting Enterprise Plus 6 through build 10b allow remote attackers to execute arbitrary code via a crafted CSV file that is accessed through the Import CSV File menu.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zahiraccounting | zahir_enterprise_plus | — | — |
Detection & IOCs (extracted from sources)
Bytes: \xeb\x08\x90\x90
- Detect crafted CSV files with an overly long string (>3041 bytes) followed by CR/LF characters (\x0a\x0d, i.e. \n\r), characteristic of this SEH-based stack overflow exploit.
- Flag CSV files containing the nSEH jump stub byte sequence EB 08 90 90 followed by the SEH handler address 61 66 01 52 (little-endian 0x52016661) from vclie100.bpl.
- Bad characters for payload encoding are \x00\x0a\x0d\x22\x2c (null, LF, CR, double quote, comma); shellcode that avoids these bytes inside a CSV file is a strong indicator of exploitation.
- Monitor the Zahir Enterprise Plus 6 process for SEH chain overwrites triggered during CSV import ('Import from other File' / 'Import CSV File' menu action), particularly when vclie100.bpl is used as the SEH gadget module.
- The Metasploit module generates a malicious file named msf.csv; alert on CSV files of ~8000+ bytes opened by the Zahir process that contain embedded shellcode patterns.
Caveats:
- The SEH gadget address 0x52016661 is specific to vclie100.bpl shipped with Zahir Personal 6 Demo/Enterprise build 10b on Windows x86; the address will differ on other builds or OS configurations, limiting the reliability of byte-level detection based on this value alone.
- The exploit offset of 3041 bytes before the CR/LF crash characters was validated on Windows 7 x86/64-bit; behavior may differ on other Windows versions.
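An added detection script (not from the page's sources or the exploit authors) that checks a CSV file's raw bytes for the indicators listed above; the sample inputs are constructed here and are not real files.

```python
import re

# Indicators taken from the detection notes above (Zahir Enterprise Plus 6 build 10b CSV import).
NSEH_STUB = b"\xeb\x08\x90\x90"        # nSEH short-jump stub
SEH_HANDLER_LE = b"\x61\x66\x01\x52"   # 0x52016661 in vclie100.bpl, little-endian
LONG_FIELD_THRESHOLD = 3041            # bytes before the CR/LF crash characters

# More than LONG_FIELD_THRESHOLD non-newline bytes followed by LF CR (\n\r) or CR LF.
LONG_RUN_RE = re.compile(rb"[^\r\n]{%d,}(?:\n\r|\r\n)" % (LONG_FIELD_THRESHOLD + 1))


def scan_csv(data: bytes) -> dict:
    """Return indicator name -> bool for the raw bytes of a CSV file."""
    return {
        "long_run_before_crlf": LONG_RUN_RE.search(data) is not None,
        "nseh_stub": NSEH_STUB in data,
        "seh_gadget_after_stub": (NSEH_STUB + SEH_HANDLER_LE) in data,
        "size_bytes": len(data),   # reported only; the ~8000+ byte hint is too weak alone
    }


def verdict(findings: dict) -> str:
    """Stub + build-specific gadget or the long run -> likely exploit; stub alone -> review
    (the gadget address differs per build, so the stub still deserves a look)."""
    if findings["seh_gadget_after_stub"] or findings["long_run_before_crlf"]:
        return "likely exploit"
    if findings["nseh_stub"]:
        return "review"
    return "clean"


# Constructed samples: a small benign export and a file laid out like the indicators
# describe (a >3041-byte field, the stub and handler, padding, then LF CR). No shellcode.
BENIGN_CSV = b"id,name,amount\r\n1,Office rent,1200.00\r\n2,Utilities,310.50\r\n"
SUSPICIOUS_CSV = (
    b"id,name,amount\r\n"
    + b"A" * 3100
    + NSEH_STUB + SEH_HANDLER_LE
    + b"\x90" * 4900
    + b"\n\r"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_CSV), ("suspicious", SUSPICIOUS_CSV)):
        found = scan_csv(sample)
        print(label, verdict(found), found)
```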
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
No detection rules found.
Exploit-DB: Zahir Enterprise Plus 6 - Stack Buffer Overflow (Metasploit) (exploitdb, 2018-10-08)
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Class header and initialize() wrapper reconstructed from the standard Metasploit
# module layout; extraction had collapsed them into the 'Name' string.
class MetasploitModule < Msf::Exploit::Remote
  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Zahir Enterprise Plus 6 Stack Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow in Zahir Enterprise Plus version 6 build 10b and below.
        The vulnerability is triggered when opening a CSV file containing CR/LF and overly long string characters
        via Import from other File. This results in overwriting a structured exception handler record.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'f3ci',    # initial discovery
          'modpr0be' # poc and Metasploit Module
        ],
      'References'     =>
        [
          [ 'CVE', '2018-17408' ],
          [ 'EDB', '45505' ]
        ],
      'Platform'       => 'win',
```
Exploit-DB: Zahir Enterprise Plus 6 build 10b - Buffer Overflow (SEH) (exploitdb, 2018-10-01)
---
```python
# Exploit Title: Zahir Enterprise Plus 6 build 10b - Buffer Overflow (SEH)
# Google Dork: -
# Date: 2018-09-28
# Exploit Author: modpr0be
# Vendor Homepage: http://www.zahiraccounting.com/
# Software Link: http://zahiraccounting.com/files/zahir-accounting-6-free-trial.zip
# Version: 6 (build 10b) - Download here: http://zahirsoftware.com/zahirupdate/Zahir_SMB_6_Build10b%20-%20MultiUser.zip
# Tested on: Windows 7 x86/64bit
# CVE : N/A
# Category: local & privilege escalation
#
# Description
# Vulnerability occurs when Zahir cannot handle large inputs and anomalies in a crafted CSV file.
# The Zahir main program failed to process the CR LF (Carriage Return Line Feed) characters, which
# caused the Zahir main program to crash.
#
#
```
Metasploit: Zahir Enterprise Plus 6 Stack Buffer Overflow
This module exploits a stack buffer overflow in Zahir Enterprise Plus version 6 build 10b and below. The vulnerability is triggered when opening a CSV file containing CR/LF and overly long string characters via Import from other File. This results in overwriting a structured exception handler record.
No writeups or analysis indexed.
Published: 2018-10-03