CVE-2018-19862
published 2019-01-03


Priority: P267 · Severity: critical · Score: 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: yes (see Detection & IOCs)
EPSS: 12.55% (95.7th percentile)
Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to execute arbitrary code via a long HTTP POST request. NOTE: this product is discontinued.

Affected (3 ranges)

Vendor             Product    Version range   Fixed in
minishare_project  minishare  < 1.4.2         1.4.2
minishare_project  minishare  <= 1.4.1        (none)
minishare_project  minishare  (unspecified)   (none)

Detection & IOCs (extracted from sources)

version: MiniShare 1.4.1
command: POST <long payload> HTTP/1.1
  • Detect oversized HTTP HEAD or POST request lines sent to MiniShare (TCP port 80 by default). The overflow is triggered by the long request line itself, not by the request body, and roughly 210 bytes remain for shellcode after the overwritten return address.
  • HEAD and POST are exploitable in the same manner as the known GET overflow (CVE-2004-2271); monitor for abnormally long HEAD or POST request lines to MiniShare.
  • The EIP overwrite value 0x68433568 observed in crash analysis is the little-endian encoding of the ASCII bytes "h5Ch", consistent with a cyclic pattern_create-style string used to locate the offset. It identifies that crash-analysis pattern in a memory dump or crash log, but a weaponized exploit overwrites EIP with a gadget address instead, so do not rely on this value alone.
  • Return addresses from kernel32.dll (Windows XP SP3 English) used as JMP ESP gadgets: 0x7C809F83, 0x7C8369E0, 0x7C83C2C5, 0x7C87641B. One of these in EIP during a MiniShare crash indicates active exploitation; their little-endian encodings (for example 83 9F 80 7C for 0x7C809F83) can also be matched inside the request line on the wire.
  • These gadget addresses are specific to kernel32.dll on Windows XP SP3 English; they differ on other Windows versions, service packs and locales, so an address-based signature misses exploits built for any other target.
  • MiniShare is a discontinued product; any detected instance running version 1.4.1 or earlier should be treated as an unpatched, high-risk service.
  • Shellcode space is constrained to approximately 210 bytes and the payload must avoid null bytes (0x00) and carriage returns (0x0d), so attackers typically use staged payloads or encoders; detection should key on the request-line length and the return address rather than on a specific shellcode.
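As an added example (not code from the page, from its sources or from the MiniShare project), the detection logic above run over constructed sample requests in Python. It length-checks only the request line, which is where the overflow lives, so a large POST body on its own is not flagged; it matches the little-endian encodings of the four kernel32 gadget addresses inside the request line; and it checks a candidate payload for the 0x00/0x0d bad characters. The 512-byte threshold, the filler length and the 0xCC placeholder "shellcode" are my assumptions, not values from the page.

```python
import re
import struct

# Return addresses the page lists as JMP ESP gadgets in kernel32.dll (Windows XP SP3 English).
JMP_ESP_GADGETS = (0x7C809F83, 0x7C8369E0, 0x7C83C2C5, 0x7C87641B)

# On the wire the overwritten return address is a 32-bit little-endian value,
# so 0x7C809F83 appears in the request as the bytes 83 9F 80 7C.
GADGET_BYTES = {struct.pack("<I", a): a for a in JMP_ESP_GADGETS}

# Assumed threshold (my choice, not from the page): MiniShare serves short file
# paths, so a request line of more than a few hundred bytes is already abnormal.
MAX_REQUEST_LINE = 512

# Bytes the page says the shellcode must avoid; a payload containing them
# would be truncated by the string handling and is not a working exploit.
BAD_CHARS = (0x00, 0x0D)

REQUEST_LINE_RE = re.compile(rb"^([A-Z]+) (.+) (HTTP/\d\.\d)$")


def analyze_request(raw: bytes) -> dict:
    """Inspect one raw HTTP request for the CVE-2018-19862 exploit pattern.

    Only the request line is length-checked: the overflow is in the request
    line (method + URI), so a large POST body alone is not an indicator.
    """
    request_line = raw.split(b"\r\n", 1)[0]
    findings = []
    method = None

    m = REQUEST_LINE_RE.match(request_line)
    if m:
        method = m.group(1).decode("ascii")
    else:
        findings.append("malformed request line")

    if len(request_line) > MAX_REQUEST_LINE:
        findings.append(f"oversized {method or '?'} request line ({len(request_line)} bytes)")

    # The gadget address follows the filler inside the request line, so search raw bytes.
    for enc, addr in GADGET_BYTES.items():
        if enc in request_line:
            findings.append(f"kernel32 JMP ESP gadget 0x{addr:08X} in request line")

    if b"\x90" * 8 in request_line:
        findings.append("NOP sled in request line")

    return {
        "method": method,
        "request_line_len": len(request_line),
        "findings": findings,
        "suspicious": bool(findings),
    }


def bad_chars_in(payload: bytes) -> set:
    """Return the subset of BAD_CHARS present in a candidate shellcode/payload."""
    return {b for b in BAD_CHARS if bytes([b]) in payload}


# --- Constructed sample traffic (not captured from a real MiniShare host) ---
BENIGN_GET = b"GET /index.html HTTP/1.1\r\nHost: minishare\r\n\r\n"

# Long body, short request line: must NOT be flagged.
LONG_BODY_POST = (
    b"POST /upload HTTP/1.1\r\nHost: minishare\r\nContent-Length: 4000\r\n\r\n"
    + b"x" * 4000
)

# Exploit-shaped HEAD: filler, gadget address, NOP sled, placeholder "shellcode"
# (0xCC breakpoints). The filler length is illustrative, not the real offset.
EXPLOIT_SHAPED_HEAD = (
    b"HEAD /"
    + b"A" * 1800
    + struct.pack("<I", 0x7C809F83)
    + b"\x90" * 16
    + b"\xcc" * 200
    + b" HTTP/1.1\r\n\r\n"
)


def scan(requests):
    """Run the analyzer over raw requests; return only the suspicious results."""
    return [r for r in (analyze_request(req) for req in requests) if r["suspicious"]]


if __name__ == "__main__":
    for hit in scan([BENIGN_GET, LONG_BODY_POST, EXPLOIT_SHAPED_HEAD]):
        print(hit["method"], hit["request_line_len"], hit["findings"])
```

The gadget match is deliberately restricted to the request line, because those four byte sequences are short enough to occur by chance in binary upload bodies; the length check is what carries the detection on targets other than XP SP3 English, where the addresses differ.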

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd     v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P