CVE-2019-12518
Published 2019-12-02
Priority P275 · critical 9.8 (CVSS 3.1)
Exploit available
EPSS: 50.74% (98.8th percentile)
Anviz CrossChex access control management software 4.3.8.0 and 4.3.12 is vulnerable to a buffer overflow vulnerability.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| anviz | crosschex | — | — |
| anviz | crosschex | — | — |
Detection & IOCs (extracted from sources)
bytes: \x07\x18\x42\x00
- Listen for anomalous UDP broadcast responses on port 5050 — the exploit waits for a CrossChex device-discovery broadcast and replies with a malicious oversized UDP packet to trigger the stack buffer overflow.
- Detect oversized UDP responses to CrossChex device-discovery broadcasts; the exploit payload space is up to 8947 bytes, far exceeding a legitimate discovery reply.
- Flag UDP packets destined to a CrossChex client that contain the JMP ESP gadget address bytes 0x07 0x18 0x42 0x00 at offset 261 from the start of the payload.
- The attacker host binds to 0.0.0.0:5050/UDP to intercept CrossChex broadcast traffic; monitor for unexpected processes binding to UDP port 5050 on non-CrossChex hosts.
- The exploit targets only the x86 (32-bit) build of CrossChex Standard; the JMP ESP gadget address (0x00421807) is specific to that binary and will not apply to other versions or architectures.
- Affected versions are 4.3.8.0 and 4.3.12 only; detections keyed on the gadget address or payload offset should be validated against the specific installed version.
- The module uses raw (unencoded) x86 shellcode with NOP generation disabled; signature-based detection must account for the absence of a standard NOP sled.
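As an added example (not part of this page or of the Metasploit module), a small Python inspector that applies the detection notes above to raw UDP datagrams: it flags CrossChex discovery replies that are oversized or that carry the published gadget bytes at payload offset 261. The port-5050 filter, gadget bytes and offset come from the notes; the benign-size threshold and the sample packets are assumptions constructed here.

```python
import struct

# Values taken from the detection notes for CVE-2019-12518.
CROSSCHEX_PORT = 5050
GADGET_BYTES = b"\x07\x18\x42\x00"   # JMP ESP gadget 0x00421807, little-endian
GADGET_OFFSET = 261
# Assumed threshold: the page gives no exact size for a legitimate discovery
# reply, only that the exploit payload (up to 8947 bytes) far exceeds it.
MAX_BENIGN_REPLY = 128


def parse_udp(datagram: bytes):
    """Split a raw UDP datagram (8-byte header + payload) into (src, dst, payload)."""
    if len(datagram) < 8:
        raise ValueError("datagram shorter than UDP header")
    src, dst, length, _csum = struct.unpack("!HHHH", datagram[:8])
    return src, dst, datagram[8:8 + max(length - 8, 0)]


def inspect_discovery_reply(datagram: bytes) -> list:
    """Return detection findings for one datagram (empty list means nothing flagged)."""
    src, dst, payload = parse_udp(datagram)
    findings = []
    if CROSSCHEX_PORT not in (src, dst):
        return findings  # not CrossChex discovery traffic
    if len(payload) > MAX_BENIGN_REPLY:
        findings.append(f"oversized discovery reply: {len(payload)} bytes")
    if payload[GADGET_OFFSET:GADGET_OFFSET + len(GADGET_BYTES)] == GADGET_BYTES:
        findings.append("JMP ESP gadget 0x00421807 at payload offset 261")
    return findings


def build_udp(src: int, dst: int, payload: bytes) -> bytes:
    """Assemble a raw UDP datagram with a zero checksum (sufficient for offline tests)."""
    return struct.pack("!HHHH", src, dst, 8 + len(payload), 0) + payload


# Constructed samples, not real captures. The crafted one is filler bytes only,
# shaped like the page describes (gadget bytes landing at offset 261).
BENIGN_REPLY = build_udp(5050, 54321, b"CrossChex-device-info-" + b"\x00" * 40)
CRAFTED_REPLY = build_udp(5050, 54321, b"A" * GADGET_OFFSET + GADGET_BYTES + b"B" * 64)

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_REPLY), ("crafted", CRAFTED_REPLY)):
        print(name, inspect_discovery_reply(pkt) or ["clean"])
```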
CVSS provenance
NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)
No detection rules found.
Exploit-DB
Anviz CrossChex - Buffer Overflow (Metasploit) · exploitdb · 2020-02-17
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Anviz CrossChex Buffer Overflow',
      'Description' => %q{
        Waits for broadcasts from Ainz CrossChex looking for new devices, and returns a custom broadcast,
        triggering a stack buffer overflow.
      },
      'Author' =>
        [
          'Luis Catarino', # original discovery/exploit
          'Pedro Rodrigues', # original discovery/exploit
          'agalway-r7', # Module creation
          'adfoster-r7' # Module creation
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['CVE', '2019-12518'],
          ['URL', 'https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html'],
          ['EDB', '47734']
        ],
      'Payload' =>
        {
          'Space' => 8947,
          'DisableNops' => true
          # the Exploit-DB listing reproduced on this page ends here
        }
    ))
  end
end
```
Metasploit
Anviz CrossChex Buffer Overflow: Waits for broadcasts from Anviz CrossChex looking for new devices, and returns a custom broadcast, triggering a stack buffer overflow.
No writeups or analysis indexed.