CVE-2018-9059
published 2018-04-20


Priority: P278, critical, CVSS 3.0 base score 9.8
CVSS 3.0 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: public exploit available
EPSS: 77.32% (99.5th percentile)
Stack-based buffer overflow in Easy File Sharing (EFS) Web Server 7.2 allows remote attackers to execute arbitrary code via a malicious login request to forum.ghp. NOTE: this may overlap CVE-2014-3791.

Affected (1 range)

Vendor: sharing-file
Product: easy_file_sharing_web_server
Version range: not listed
Fixed in: not listed

Detection & IOCs (extracted from sources)

  • The exploit targets an HTTP POST to /forum.ghp with an oversized UserID cookie value (4071+ bytes) to trigger the stack-based buffer overflow; monitor for abnormally large UserID cookie values in requests to /forum.ghp.
  • The overflow offset to nSEH is 4059 bytes; a UserID cookie value exceeding ~4059 bytes sent to /forum.ghp is a strong indicator of an exploitation attempt.
  • The exploit uses a ROP chain built from ImageLoad.dll and sqlite3.dll gadgets to bypass DEP via VirtualProtect(); the presence of ROP gadget addresses from these modules in network traffic targeting EFS Web Server is suspicious.
  • The Metasploit module exploits an SEH overflow in Easy File Sharing HTTP Server 7.2; detect SEH-based overflow patterns in HTTP traffic to this service.
  • Bad characters for payload construction are known: \x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e; these are filtered by the server and will not appear in a working overflow payload.
  • The exploit was tested against specific OS versions; the ROP gadget addresses are tied to the specific versions of ImageLoad.dll and sqlite3.dll shipped with EFS Web Server 7.2 and may not be reliable across all installations.
  • CVE-2018-9059 may overlap with CVE-2014-3791; detections should account for both CVE identifiers when triaging alerts against Easy File Sharing Web Server 7.2.
  • The original exploit (EDB-44485) was tested on Windows XP Professional SP3, while the DEP bypass variant (EDB-44522) targets Windows 7 x86 SP1; detection logic should cover both environments.
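The first two indicators above (an oversized UserID cookie sent to /forum.ghp, with the 4059-byte nSEH offset as the natural threshold) are simple enough to check mechanically. The following detector is an added example for this record, not code from the CVE sources, the exploit modules or the vendor: it parses raw HTTP/1.x requests, pulls the UserID cookie, and raises an alert only when the request path is forum.ghp and the cookie length reaches the threshold. The sample requests, the host name, the case-insensitive cookie-name match and the `scan`/`inspect_request` helper names are all assumptions made for the demonstration.

```python
"""Detect oversized UserID cookies sent to /forum.ghp (CVE-2018-9059 indicator).

Added example for this record; not code from the CVE source, the exploit modules
or the vendor. The sample requests below are constructed for the demonstration.
"""
from typing import Dict, List, Optional

# The record states the overflow offset to nSEH is 4059 bytes and the public
# exploit sends 4071+ bytes, so this threshold is taken directly from those notes.
USERID_LENGTH_THRESHOLD = 4059
TARGET_PATH = "/forum.ghp"


def parse_request(raw: bytes) -> Dict[str, object]:
    """Split one raw HTTP/1.x request into method, target and lower-cased headers.

    The body is ignored: the indicator lives in the Cookie header.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers: Dict[str, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip()
    return {"method": method.decode("latin-1"),
            "target": target.decode("latin-1"),
            "headers": headers}


def cookie_values(cookie_header: bytes) -> Dict[str, bytes]:
    """Parse 'a=1; b=2' into a dict; values stay as bytes so lengths are exact."""
    cookies: Dict[str, bytes] = {}
    for part in cookie_header.split(b";"):
        name, _, value = part.strip().partition(b"=")
        if name:
            cookies[name.decode("latin-1")] = value
    return cookies


def inspect_request(raw: bytes,
                    threshold: int = USERID_LENGTH_THRESHOLD) -> Optional[Dict[str, object]]:
    """Return an alert dict when the request matches the CVE-2018-9059 indicator, else None."""
    req = parse_request(raw)
    path = req["target"].split("?", 1)[0]
    if not path.lower().endswith(TARGET_PATH):
        return None  # the indicator is specific to forum.ghp
    cookies = cookie_values(req["headers"].get("cookie", b""))
    # Cookie names are matched case-insensitively here (an assumption, since a
    # client could send 'userid'); the record itself only mentions 'UserID'.
    userid = next((v for k, v in cookies.items() if k.lower() == "userid"), None)
    if userid is None or len(userid) < threshold:
        return None
    return {
        "cve": "CVE-2018-9059",
        "method": req["method"],
        "path": path,
        "userid_len": len(userid),
        "threshold": threshold,
    }


def scan(requests: List[bytes]) -> List[Dict[str, object]]:
    """Run inspect_request over a batch of raw requests and keep only the hits."""
    return [hit for hit in (inspect_request(r) for r in requests) if hit is not None]


def _build(method: str, target: str, cookie: str) -> bytes:
    """Assemble a minimal raw request (constructed sample data, not a capture)."""
    return (
        f"{method} {target} HTTP/1.1\r\n"
        f"Host: efs.example.internal\r\n"
        f"Cookie: {cookie}\r\n"
        f"Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: 0\r\n\r\n"
    ).encode("latin-1")


# Constructed samples: a normal login, an oversized UserID to forum.ghp, and an
# equally oversized UserID sent elsewhere (must not fire: the path is part of the IOC).
BENIGN_LOGIN = _build("POST", "/forum.ghp", "UserID=alice; PassWD=hunter2")
OVERSIZED_LOGIN = _build("POST", "/forum.ghp?action=login",
                         "UserID=" + "A" * 4100 + "; PassWD=x")
OVERSIZED_OTHER_PATH = _build("GET", "/index.html", "UserID=" + "A" * 4100)

if __name__ == "__main__":
    for hit in scan([BENIGN_LOGIN, OVERSIZED_LOGIN, OVERSIZED_OTHER_PATH]):
        print(f"ALERT {hit['cve']}: {hit['method']} {hit['path']} "
              f"UserID length {hit['userid_len']} >= {hit['threshold']}")
```

The path check is deliberate: the record ties the overflow to forum.ghp, so a long UserID elsewhere is noise rather than a hit. The threshold is a parameter so an analyst can lower it to catch probing with shorter values, at the cost of more false positives; the alert carries the observed length so tuning can be done from the alerts themselves.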

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)