CVE-2018-6892
published 2018-02-11

Priority: P184 · Severity: critical · Score: 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 93.60% (99.8th percentile)
An issue was discovered in CloudMe before 1.11.0. An unauthenticated remote attacker that can connect to the "CloudMe Sync" client application listening on port 8888 can send a malicious payload causing a buffer overflow condition. This will result in an attacker controlling the program's execution flow and allowing arbitrary code execution.

Affected (4 ranges)

Vendor              Product     Version range                      Fixed in
cloudme             sync        <= 1.10.9                          (not listed)
cloudme             sync        (not listed)                       (not listed)
libsndfile_project  libsndfile  >= 0, < 1.0.25-10ubuntu0.16.04.3   1.0.25-10ubuntu0.16.04.3
libsndfile_project  libsndfile  >= 0, < 1.0.25-7ubuntu2.2+esm1     1.0.25-7ubuntu2.2+esm1

Detection & IOCs (extracted from sources)

  • Monitor for TCP connections to port 8888 (CloudMe Sync listener); unauthenticated inbound connections from unexpected hosts should be alerted on.
  • Detect oversized payloads (>1052–2232 bytes) sent to TCP/8888 as a network-level indicator of buffer overflow exploitation attempts against CloudMe Sync.
  • Detect the egghunter tag 'boomboom' (\x62\x6f\x6f\x6d\x62\x6f\x6f\x6d) or 'w00tw00t' in network traffic to TCP/8888.
  • Look for the CloudMe Sync process (CloudMe.exe) listening on 0.0.0.0:8888, which exposes it to unauthenticated remote attackers on all interfaces.
  • CloudMe DLLs (Qt5Core.dll, Qt5Gui.dll, libstdc++-6.dll, icuin49.dll, icuuc49.dll, Qt5Network.dll, Qt5Sql.dll, libgcc_s_dw2-1.dll, LIBEAY32.dll, libwinpthread-1.dll, libGLESv2.dll) that load without ASLR/SafeSEH are abused for ROP chains; verify that these modules are loaded with ASLR and SafeSEH enabled.
  • The exploit targets CloudMe Sync versions 1.8.x, 1.9.x, 1.10.9, and 1.11.2; versions before 1.11.0 are confirmed vulnerable per the NVD advisory. ROP gadget addresses are version- and DLL-specific and will differ across installations.
  • The DEP-bypass ROP chain for v1.8.x/v1.9.x uses hardcoded gadget addresses from icuin49.dll, Qt5Core.dll, Qt5Gui.dll, libGLESv2.dll, LIBEAY32.dll, libwinpthread-1.dll, and icuuc49.dll; these addresses are only valid for those specific DLL versions.
  • The v1.10.9 exploit relies on ASLR and SafeSEH being disabled for CloudMe modules; the SEH overwrite at offset 2232 using 0x61e7b7f6 (Qt5Gui.dll) is only reliable when ASLR is off.
  • The WoW64 DEP-bypass exploit (46250) targets CloudMe 1.11.2 on Windows 7 SP1 x64 and uses a different EIP offset (1052) and gadget set compared to the x86 variants.
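The network-level indicators above (oversized payloads to TCP/8888 and the 'boomboom' / 'w00tw00t' egghunter tags) as a minimal detector run over constructed sample flows; this is an added example, not code from the CVE record or from CloudMe, and the flow-record shape and sample hosts are assumptions.

```python
# Added example: check captured TCP payloads for the CVE-2018-6892 indicators
# listed on this page. Threshold and tags come from the record; the Flow
# record layout and the sample traffic are constructed for illustration.
from dataclasses import dataclass

CLOUDME_PORT = 8888
# Smallest EIP offset cited on the page; a payload this long already overruns the buffer.
OVERSIZE_THRESHOLD = 1052
EGGHUNTER_TAGS = (b"boomboom", b"w00tw00t")


@dataclass
class Flow:
    src: str          # source host of the connection (assumed field)
    dst_port: int     # destination TCP port
    payload: bytes    # reassembled application payload


def inspect_flow(flow: Flow) -> list[str]:
    """Return the indicator names one flow matches (empty list = nothing suspicious)."""
    if flow.dst_port != CLOUDME_PORT:
        return []
    hits: list[str] = []
    if len(flow.payload) > OVERSIZE_THRESHOLD:
        hits.append(f"oversized_payload:{len(flow.payload)}")
    for tag in EGGHUNTER_TAGS:
        if tag in flow.payload:
            hits.append(f"egghunter_tag:{tag.decode()}")
    return hits


def scan(flows: list[Flow]) -> dict[str, list[str]]:
    """Map each source host to the indicators it triggered; quiet hosts are omitted."""
    alerts: dict[str, list[str]] = {}
    for flow in flows:
        hits = inspect_flow(flow)
        if hits:
            alerts.setdefault(flow.src, []).extend(hits)
    return alerts


# Constructed sample traffic: a small benign message, an oversized blob, a short
# packet carrying only an egghunter tag, and a large payload to an unrelated port.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 8888, b"A" * 40),
    Flow("10.0.0.9", 8888, b"A" * 2300),
    Flow("10.0.0.9", 8888, b"\x90" * 16 + b"boomboom" + b"\x90" * 16),
    Flow("10.0.0.7", 443, b"A" * 5000),   # wrong port: ignored
]

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_FLOWS).items():
        print(host, hits)
```

The size check alone will also fire on legitimate large sync transfers, so treat it as a triage signal and rely on the tag match or an unexpected source host for higher-confidence alerts.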

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd     v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
osv     -        9.8    CRITICAL  -