CVE-2018-19861
published 2019-01-03


Priority: P264
Severity: critical, base score 9.8 (CVSS 3.0)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 12.55% (95.7th percentile)
Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to execute arbitrary code via a long HTTP HEAD request. NOTE: this product is discontinued.

Affected

3 ranges

Vendor             Product    Version range    Fixed in
minishare_project  minishare  < 1.4.2          1.4.2
minishare_project  minishare  <= 1.4.1         (none listed)
minishare_project  minishare  (unspecified)    (none listed)

Detection & IOCs (extracted from sources)

command: HEAD / HTTP/1.1
command: POST / HTTP/1.1
bytes: bad chars 0x00, 0x0d
  • Detect stack-based buffer overflow exploitation of MiniShare 1.4.1 via an oversized HEAD or POST HTTP request; the EIP overwrite is observed at an offset consistent with a 4-byte method length prefix.
  • Shellcode is placed within 210 bytes after the overflow; monitor for abnormally large HEAD/POST request URIs sent to MiniShare (default HTTP port) that carry high-entropy payloads.
  • EIP value 0x68433568 was observed in crash analysis (bytes 68 35 43 68 on the stack, i.e. "h5Ch" from a cyclic pattern); pattern-match for Metasploit/cyclic patterns (e.g. 'Ch', 'Ci', 'Cj', 'Ck' sequences) in HTTP request URIs targeting MiniShare.
  • Return address gadgets from kernel32.dll (Windows XP SP3 English) used as JMP ESP: 0x7C809F83, 0x7C8369E0, 0x7C83C2C5, 0x7C87641B; the presence of these addresses (little-endian on the wire) in network traffic targeting MiniShare is indicative of exploitation.
  • CVE-2018-19861 affects MiniShare versions before 1.4.2 and is related to CVE-2018-19862, CVE-2019-17601 and CVE-2020-13768 (HTTP PUT variant); flag any MiniShare instance running version 1.4.1 or earlier.
  • Caveat: the JMP ESP gadget addresses (0x7C809F83, 0x7C8369E0, 0x7C83C2C5, 0x7C87641B) are specific to kernel32.dll on Windows XP SP3 English; they differ on other OS versions or patch levels and must not be used as universal detection indicators.
  • Caveat: MiniShare is a discontinued product; detections should focus on legacy/unpatched environments still running MiniShare 1.4.1 or earlier.

CVSS provenance

NVD v3.0: 9.8 CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P