cbcvebase.
CVE-2018-5262
published 2018-01-12


Priority: P276 (critical); CVSS 3.0 base score: 9.8
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 39.12% (98.4th percentile)
A stack-based buffer overflow in Flexense DiskBoss 8.8.16 and earlier allows unauthenticated remote attackers to execute arbitrary code in the context of a highly privileged account.

Affected

21 ranges
Vendor           Product                                              Version range    Fixed in
flexense         diskboss                                             <= 8.8.16
jenkins          azure_slave_plugin
jenkins          azure_vm_agents_plugin
jenkins          coverity_plugin
jenkins          cppncss_plugin
jenkins          credentials_plugin
jenkins          envinject_plugin
jenkins          environment_injector_plugin
jenkins          gerrit_trigger_plugin
jenkins          git_plugin
jenkins          google_play_android_publisher_plugin
jenkins          ids_in_google_play_android_publisher_plugin
jenkins          improper_access_control_in_gerrit_trigger_plugin
jenkins          job_and_node_ownership_plugin
jenkins          mercurial_plugin
jenkins          testlink_plugin
jenkins          url_in_git_plugin
jenkins          url_in_mercurial_plugin
jenkins          url_in_subversion_plugin
jenkins          you_have_ever_used_environment_injector_plugin
pykmip_project   pykmip                                               >= 0, < 0.8.0    0.8.0

Detection & IOCs (extracted from sources)

port: 8094
port: 8096
port: 8097
port: 8098
url: http://www.diskboss.com/setups/diskbossent_setup_v8.8.16.exe
bytes: \x75\x19\xba\xab\x03\x00\x00\x00\x00\x40\x00\x00
bytes: \xEB\x06\x90\x90
bytes: \xe9\x3f\xfb\xff\xff
  • Monitor for unauthenticated TCP connections to DiskBoss listener ports 8094, 8096, 8097, 8098 containing the 4-byte magic header \x75\x19\xba\xab followed by \x03\x00\x00\x00\x00\x40\x00\x00; this is the exploit message framing.
  • Detect the JMP short + NOP sled preret sequence (\xEB\x06\x90\x90) within the payload body on DiskBoss ports as an indicator of ROP/stack-pivot exploitation.
  • Detect the backward JMP pivot stub (\xe9\x3f\xfb\xff\xff) within network payloads targeting DiskBoss ports; it is used to redirect execution into the shellcode NOP sled.
  • The exploit sends a payload of ~1000 bytes with a fixed offset of 128 bytes before the return address overwrite; anomalously large single-packet messages to DiskBoss ports (~1000+ bytes) from unauthenticated sources should be flagged.
  • The embedded shellcode is a Shikata Ga Nai encoded windows/shell_reverse_tcp payload; scan network traffic on DiskBoss ports for the Shikata Ga Nai decoder stub pattern.
  • The exploit was tested on Windows 7 SP1 x64 and Windows XP SP3 x86; the ASLR/DEP status of the target affects reliability and gadget addresses.
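As an added example (not part of this advisory or of any vendor tooling), the detection notes above can be turned into a small passive payload inspector: it applies the port filter, the exploit message framing, the two pivot stubs and the size heuristic to a TCP payload and reports which indicators matched. The port numbers and byte patterns are the ones listed on this page; the 1000-byte threshold, the indicator names and the sample flows are this example's own assumptions.

```python
# Passive detector for the DiskBoss (CVE-2018-5262) exploit indicators listed above.
DISKBOSS_PORTS = {8094, 8096, 8097, 8098}
MAGIC = b"\x75\x19\xba\xab"                   # 4-byte DiskBoss message magic
EXPLOIT_FRAMING = b"\x03\x00\x00\x00\x00\x40\x00\x00"  # framing seen in the exploit
JMP_SHORT_NOPS = b"\xEB\x06\x90\x90"          # JMP short + NOP sled stub
BACKWARD_JMP = b"\xe9\x3f\xfb\xff\xff"        # backward JMP pivot stub
SIZE_THRESHOLD = 1000  # assumption: "~1000+ bytes" from the note above


def inspect_payload(dst_port: int, data: bytes) -> list:
    """Return the indicator names matched by one TCP payload sent to dst_port.

    An empty list means nothing on the page's indicator list matched. Only
    traffic to the DiskBoss listener ports is examined at all.
    """
    if dst_port not in DISKBOSS_PORTS:
        return []
    hits = []
    # The exploit framing is only meaningful at the start of the message.
    if data.startswith(MAGIC + EXPLOIT_FRAMING):
        hits.append("diskboss_exploit_framing")
    if JMP_SHORT_NOPS in data:
        hits.append("jmp_short_nop_sled")
    if BACKWARD_JMP in data:
        hits.append("backward_jmp_pivot")
    if len(data) >= SIZE_THRESHOLD:
        hits.append("oversized_message")
    return hits


def scan_flows(flows) -> list:
    """Apply inspect_payload to (src_ip, dst_port, payload) records and keep
    only the flows that produced at least one indicator."""
    return [(src, port, inspect_payload(port, data))
            for src, port, data in flows if inspect_payload(port, data)]


# Constructed sample flows (not captured traffic): one message that shares the
# magic header but not the exploit framing, one that carries the framing, both
# pivot stubs and an oversized body, and the same body sent to a non-DiskBoss port.
SAMPLE_FLOWS = [
    ("10.0.0.5", 8094, MAGIC + b"\x01\x00\x00\x00\x10\x00\x00\x00" + b"hello"),
    ("10.0.0.9", 8096, MAGIC + EXPLOIT_FRAMING + b"\x90" * 1100
                       + JMP_SHORT_NOPS + BACKWARD_JMP),
    ("10.0.0.9", 443, MAGIC + EXPLOIT_FRAMING + b"\x90" * 1100),
]

if __name__ == "__main__":
    for src, port, hits in scan_flows(SAMPLE_FLOWS):
        print(f"{src} -> tcp/{port}: {', '.join(hits)}")
```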

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      9.8     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
ghsa                      4.3     MEDIUM
vendor_redhat             4.3     MEDIUM