CVE-2018-19861
Published 2019-01-03
Priority P2 · 64 · critical 9.8 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 12.55% (95.7th percentile)
Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to execute arbitrary code via a long HTTP HEAD request. NOTE: this product is discontinued.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| minishare_project | minishare | < 1.4.2 | 1.4.2 |
| minishare_project | minishare | <= 1.4.1 | — |
| minishare_project | minishare | — | — |
Detection & IOCs (extracted from sources)
- Bad chars (bytes): 0x00, 0x0d
- Detect stack-based buffer overflow exploitation of MiniShare 1.4.1 via oversized HEAD or POST HTTP request; EIP overwrite observed at offset consistent with 4-byte method length prefix
- Shellcode is placed within 210 bytes after the overflow; monitor for abnormally large HEAD/POST request URIs sent to MiniShare (default HTTP port) containing high-entropy payloads
- EIP value 0x68433568 observed in crash analysis; pattern-match for Metasploit/cyclic patterns (e.g. 'Ch', 'Ci', 'Cj', 'Ck' sequences) in HTTP request URIs targeting MiniShare
- Return address gadgets from kernel32.dll (XP SP3 English) used as JMP ESP: 0x7C809F83, 0x7C8369E0, 0x7C83C2C5, 0x7C87641B; presence of these addresses in network traffic targeting MiniShare is indicative of exploitation
- CVE-2018-19861 affects MiniShare versions before 1.4.2; also related to CVE-2018-19862, CVE-2019-17601, and CVE-2020-13768 (HTTP PUT variant); flag any MiniShare instance running version 1.4.1 or earlier
- Note: JMP ESP gadget addresses (0x7C809F83, 0x7C8369E0, 0x7C83C2C5, 0x7C87641B) are specific to kernel32.dll on Windows XP SP3 English; these addresses will differ on other OS versions or patch levels and should not be used as universal detection indicators
- Note: MiniShare is a discontinued product; detections should focus on legacy/unpatched environments still running MiniShare 1.4.1 or earlier
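As an added, defender-side example (not code from the page's sources, from the MiniShare project, or from the cited exploit), the following Python triage function applies the indicators above to raw HTTP requests: it flags oversized request targets on the methods named on this page and in its related advisories (HEAD, POST, plus PUT and CONNECT from the linked CVEs), the listed kernel32.dll gadget addresses whether they appear as little-endian bytes or as ASCII hex, and runs of the cyclic-pattern fragments. The 1024-byte URI threshold and the sample requests are constructed assumptions for illustration, not values from the page.

```python
import re
import struct

# Indicators taken from the detection notes on this page. The URI length
# threshold is an assumption chosen for illustration, not a value from the page.
URI_LENGTH_THRESHOLD = 1024
# HEAD/POST from this CVE; PUT and CONNECT from the related CVEs listed above.
WATCHED_METHODS = {"HEAD", "POST", "PUT", "CONNECT"}
# JMP ESP gadget addresses in kernel32.dll (Windows XP SP3 English) listed above.
GADGET_ADDRESSES = (0x7C809F83, 0x7C8369E0, 0x7C83C2C5, 0x7C87641B)

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r?\n")
# A run of the cyclic-pattern fragments named above ('Ch', 'Ci', 'Cj', 'Ck'),
# each optionally followed by a digit as in Metasploit's pattern_create output.
CYCLIC_RUN = re.compile(rb"(?:C[hijk]\d?){3,}")


def gadget_signatures():
    """Each gadget address as little-endian bytes (how an x86 return-address
    overwrite appears on the wire) and as its ASCII hex spelling."""
    sigs = []
    for addr in GADGET_ADDRESSES:
        sigs.append(struct.pack("<I", addr))
        sigs.append(("%08x" % addr).encode("ascii"))
        sigs.append(("%08X" % addr).encode("ascii"))
    return sigs


def analyze_request(raw: bytes) -> dict:
    """Triage one raw HTTP request and return the matched indicators."""
    findings = {"method": None, "uri_length": 0, "reasons": []}
    m = REQUEST_LINE.match(raw)
    if m is None:
        findings["reasons"].append("malformed-request-line")
        return findings
    method = m.group(1).decode("ascii")
    target = m.group(2)
    findings["method"] = method
    findings["uri_length"] = len(target)
    if method in WATCHED_METHODS and len(target) > URI_LENGTH_THRESHOLD:
        findings["reasons"].append("oversized-uri")
    if any(sig in raw for sig in gadget_signatures()):
        findings["reasons"].append("known-gadget-address")
    if CYCLIC_RUN.search(target):
        findings["reasons"].append("cyclic-pattern")
    return findings


def is_suspicious(raw: bytes) -> bool:
    """True when at least one indicator matched."""
    return bool(analyze_request(raw)["reasons"])


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = {
        "benign": b"HEAD /index.html HTTP/1.1\r\nHost: fileserver\r\n\r\n",
        "oversized": b"HEAD /" + b"A" * 2000 + b" HTTP/1.1\r\n\r\n",
        "cyclic": b"POST /Ch0Ch1Ch2Ch3Ch4 HTTP/1.1\r\n\r\n",
        "gadget": b"HEAD /" + b"A" * 16 + struct.pack("<I", 0x7C809F83) + b" HTTP/1.1\r\n\r\n",
    }
    for name, raw in samples.items():
        print(name, analyze_request(raw)["reasons"])
```

The gadget check is kept deliberately narrow: as the note above says, those addresses are only meaningful for kernel32.dll on Windows XP SP3 English, so the length and cyclic-pattern checks are the ones that generalise to other hosts, and an analyst should expect the gadget match to be absent on any other patch level.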
CVSS provenance
NVD v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
GHSA
GHSA-g7jw-cx45-fr8v (CVE-2020-13768, CRITICAL, CVSS 9.8, GHSA unreviewed, 2022-05-24)
In MiniShare before 1.4.2, there is a stack-based buffer overflow via an HTTP PUT request, which allows an attacker to achieve arbitrary code execution, a similar issue to CVE-2018-19861, CVE-2018-19862, and CVE-2019-17601. NOTE: this product is discontinued.
GHSA-83gm-8rv2-532v (CVE-2019-17601, CRITICAL, CWE-787, CVSS 9.8, GHSA unreviewed, 2022-05-24)
In MiniShare 1.4.1, there is a stack-based buffer overflow via an HTTP CONNECT request, which allows an attacker to achieve arbitrary code execution, a similar issue to CVE-2018-19862 and CVE-2018-19861. NOTE: this product is discontinued.
GHSA-qwx3-29hm-fmh2 (CVE-2018-19861, CRITICAL, CWE-119, GHSA unreviewed, 2022-05-14)
Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to execute arbitrary code via a long HTTP HEAD request. NOTE: this product is discontinued.
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/150689/MiniShare-1.4.1-HEAD-POST-Buffer-Overflow.html
- http://seclists.org/fulldisclosure/2018/Dec/19
- https://www.exploit-db.com/exploits/45999/