CVE-2018-17408
published 2018-10-03


Priority: P3 (51), severity high, 7.8 (CVSS 3.0)
CVSS 3.0 vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: EXPLOIT
EPSS: 18.97% (96.9th percentile)
Stack-based buffer overflows in Zahir Accounting Enterprise Plus 6 through build 10b allow remote attackers to execute arbitrary code via a crafted CSV file that is accessed through the Import CSV File menu.

Affected (1 range)

Vendor            Product                 Version range   Fixed in
zahiraccounting   zahir_enterprise_plus   (not listed)    (not listed)

Detection & IOCs (extracted from sources)

  url:    http://zahirsoftware.com/zahirupdate/Zahir_SMB_6_Build10b%20-%20MultiUser.zip
  other:  0x52016661
  path:   C:\Program Files\Zahir Personal 6 - Demo Version\vclie100.bpl
  bytes:  \xeb\x08\x90\x90
  • Detect crafted CSV files with an overly long string (>3041 bytes) followed by CR/LF (\x0a\x0d or \n\r) characters, characteristic of this SEH-based stack overflow exploit.
  • Flag CSV files containing the nSEH jump stub byte sequence EB 08 90 90 followed by the SEH handler address 61 66 01 52 (little-endian 0x52016661) from vclie100.bpl.
  • Bad characters for payload encoding are \x00\x0a\x0d\x22\x2c (null, LF, CR, double-quote, comma); presence of shellcode avoiding these bytes inside a CSV file is a strong indicator of exploitation.
  • Monitor Zahir Enterprise Plus 6 process for SEH chain overwrites triggered during CSV import ('Import from other File' / 'Import CSV File' menu action), particularly when vclie100.bpl is used as the SEH gadget module.
  • The Metasploit module generates a malicious file named msf.csv; alert on CSV files of ~8000+ bytes being opened by the Zahir process that contain embedded shellcode patterns.
  • The SEH gadget address 0x52016661 is specific to vclie100.bpl shipped with Zahir Personal 6 Demo/Enterprise build 10b on Windows x86; this address will differ on other builds or OS configurations, limiting the reliability of byte-level detection based on this value alone.
  • The exploit offset of 3041 bytes before CR/LF crash chars was validated on Windows 7 x86/64bit; behavior may differ on other Windows versions.

CVSS provenance

  nvd  v3.0  7.8  HIGH    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  nvd  v2.0  6.8  MEDIUM  AV:N/AC:M/Au:N/C:P/I:P/A:P