CVE-2018-19862
Published 2019-01-03
Priority P267 · critical · 9.8 (CVSS 3.0)
AV:N AC:L PR:N UI:N S:U C:H I:H A:H
EXPLOIT · EPSS 12.55% (95.7th percentile)
Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to execute arbitrary code via a long HTTP POST request. NOTE: this product is discontinued.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| minishare_project | minishare | < 1.4.2 | 1.4.2 |
| minishare_project | minishare | <= 1.4.1 | — |
| minishare_project | minishare | — | — |
Detection & IOCs (extracted from sources)
- Detect oversized HTTP POST or HEAD requests to MiniShare (port 80 by default); the buffer overflow is triggered by a long request line, and only 210 bytes are available before shellcode placement.
- Both HEAD and POST are exploitable in the same manner as the known GET overflow (CVE-2004-2271); monitor for abnormally long HEAD or POST request lines to MiniShare.
- EIP overwrite value 0x68433568 observed in crash analysis; use it as a signature for exploit attempts against MiniShare in memory forensics or crash dumps.
- Return addresses from kernel32.dll (XP SP3 English) used as JMP ESP gadgets: 0x7C809F83, 0x7C8369E0, 0x7C83C2C5, 0x7C87641B; presence of any of these addresses in EIP during a MiniShare crash indicates active exploitation.
- Note: the JMP ESP gadget addresses above are specific to kernel32.dll on Windows XP SP3 English and will differ on other OS versions or locales.
- Note: MiniShare is a discontinued product; any detected instance running version 1.4.1 or earlier should be treated as an unpatched, high-risk service.
- Note: shellcode space is constrained to roughly 210 bytes, so attackers may use staged payloads or encoders that avoid null bytes (0x00) and carriage returns (0x0d).
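As an added detection example (not part of this CVE record, the referenced advisories, or MiniShare itself), the following Python applies the two indicator types listed above: it flags request lines aimed at the default MiniShare port that exceed a length threshold, whatever the HTTP method, and it triages EIP values in crash-summary text against the overwrite value and kernel32.dll addresses quoted in the list. The 1024-byte threshold, the `(source, dst_port, request_line)` record format, the crash-summary layout and all sample lines are constructed assumptions; the page gives the ~210-byte payload space, not the size of MiniShare's request-line buffer, so the threshold must be tuned for your own traffic.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Indicators quoted from the Detection & IOCs list: the EIP overwrite value seen
# in crash analysis and the kernel32.dll (XP SP3 English) JMP ESP addresses.
KNOWN_EIP_VALUES = {0x68433568, 0x7C809F83, 0x7C8369E0, 0x7C83C2C5, 0x7C87641B}

# Assumed alert threshold (constructed, not from the page): the ~210-byte figure
# above is payload space, not the request-line buffer size, so tune this locally.
REQUEST_LINE_THRESHOLD = 1024
MINISHARE_PORT = 80  # default port named in the IOC list

REQUEST_LINE_RE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")
# Matches "EIP=7C809F83", "eip: 0x7c809f83" and similar crash-summary fragments.
EIP_RE = re.compile(r"\bEIP[=: ]+(?:0x)?([0-9A-Fa-f]{8})\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    source: str
    method: str      # "?" when the request line does not parse as HTTP
    length: int
    reason: str


def check_request_line(source: str, dst_port: int, line: str,
                       port: int = MINISHARE_PORT,
                       threshold: int = REQUEST_LINE_THRESHOLD) -> Optional[Finding]:
    """Return a Finding when a request line aimed at the MiniShare port is longer
    than the threshold. GET, HEAD and POST are all covered, as the IOC list says,
    and an oversized line that is not even well-formed HTTP is still flagged."""
    if dst_port != port or len(line) <= threshold:
        return None
    m = REQUEST_LINE_RE.match(line)
    method = m.group(1) if m else "?"
    return Finding(source, method, len(line),
                   f"request line of {len(line)} bytes exceeds {threshold}")


def scan_requests(records: Iterable[Tuple[str, int, str]], **kw) -> List[Finding]:
    """Run check_request_line over sensor records and collect the findings."""
    findings = []
    for source, dst_port, line in records:
        f = check_request_line(source, dst_port, line, **kw)
        if f:
            findings.append(f)
    return findings


def triage_eip(eip) -> bool:
    """True when a faulting EIP (int or hex string) matches a listed indicator."""
    value = int(eip, 16) if isinstance(eip, str) else eip
    return value in KNOWN_EIP_VALUES


def triage_crash_lines(lines: Iterable[str]) -> List[int]:
    """Extract EIP values from crash-summary text and return those that match."""
    hits = []
    for line in lines:
        for hexval in EIP_RE.findall(line):
            value = int(hexval, 16)
            if value in KNOWN_EIP_VALUES:
                hits.append(value)
    return hits


# Constructed sample sensor records: (source address, destination port, request line).
SAMPLE_REQUESTS = [
    ("192.0.2.10", 80, "GET /index.html HTTP/1.1"),
    ("192.0.2.11", 80, "POST /" + "A" * 1800 + " HTTP/1.1"),
    ("192.0.2.12", 80, "HEAD /" + "B" * 1500 + " HTTP/1.0"),
    ("192.0.2.13", 8080, "POST /" + "C" * 1800 + " HTTP/1.1"),  # not the MiniShare port
    ("192.0.2.14", 80, "X" * 1300),  # oversized and not parseable as HTTP: still flagged
]

# Constructed crash-summary lines in a debugger-like register-dump style.
SAMPLE_CRASH = [
    "Access violation - code c0000005",
    "eax=00000000 ebx=00000000 ecx=00000000 edx=00000000",
    "EIP=7C809F83 ESP=0012F8F0 EBP=41414141",
]

if __name__ == "__main__":
    for f in scan_requests(SAMPLE_REQUESTS):
        print(f)
    print([hex(v) for v in triage_crash_lines(SAMPLE_CRASH)])
```

The request-line check deliberately keys on length and destination port rather than on the HTTP method, because the list above says HEAD and POST behave like the earlier GET overflow; the crash triage is only meaningful on Windows XP SP3 English hosts, since the kernel32.dll addresses differ elsewhere.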
CVSS provenance
- NVD, v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
GHSA
- GHSA-g7jw-cx45-fr8v (CVE-2020-13768, CRITICAL, CVSS 9.8; ghsa_unreviewed, 2022-05-24): In MiniShare before 1.4.2, there is a stack-based buffer overflow via an HTTP PUT request, which allows an attacker to achieve arbitrary code execution, a similar issue to CVE-2018-19861, CVE-2018-19862, and CVE-2019-17601. NOTE: this product is discontinued.
- GHSA-83gm-8rv2-532v (CVE-2019-17601, CRITICAL, CWE-787, CVSS 9.8; ghsa_unreviewed, 2022-05-24): In MiniShare 1.4.1, there is a stack-based buffer overflow via an HTTP CONNECT request, which allows an attacker to achieve arbitrary code execution, a similar issue to CVE-2018-19862 and CVE-2018-19861. NOTE: this product is discontinued.
- GHSA-ccwg-gfwj-354p (CVE-2018-19862, CRITICAL, CWE-119; ghsa_unreviewed, 2022-05-14): Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to execute arbitrary code via a long HTTP POST request. NOTE: this product is discontinued.
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/150689/MiniShare-1.4.1-HEAD-POST-Buffer-Overflow.html
- http://seclists.org/fulldisclosure/2018/Dec/19
- https://www.exploit-db.com/exploits/45999/