CVE-2019-16702
published 2019-09-23

CVE-2019-16702: Integard Pro 2.2.0.9026 allows remote attackers to execute arbitrary code via a buffer overflow involving a long NoJs parameter to the /LoginAdmin URI.

Priority: P267
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 10.75% (95.3th percentile)

Affected

1 ranges
Vendor | Product | Version range | Fixed in
integard_pro_project | integard_pro | |

Detection & IOCs (extracted from sources)

url: /LoginAdmin
port: 18881
command: POST /LoginAdmin HTTP/1.1
command: Password=asdf&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=<OVERFLOW>&LoginButtonName=Login
  • Detect HTTP POST requests to /LoginAdmin on port 18881 with an abnormally large NoJs parameter (>512 bytes) in the body, indicative of buffer overflow exploitation.
  • Alert on POST /LoginAdmin requests where the request body contains the pattern 'NoJs=' followed by a long string of repeated characters (e.g., 'A'*512 or NOP sleds '\x90'*50).
  • Monitor for HTTP POST requests to Integard's admin login endpoint containing the Redirect parameter value '%23%23%23REDIRECT%23%23%23', which is a fixed marker in the exploit payload.
  • Flag network connections to TCP port 18881 (Integard default admin port) from external/untrusted hosts, especially those sending large POST bodies.
  • On Windows 7/10 targets, the exploit uses a SEH overwrite with a return address of 0x004042B0 in integard.exe (ASLR disabled). Monitor for SEH chain corruption at this address in crash dumps or AV/EDR telemetry.
  • The exploit hardcodes a target IP (10.0.0.130) and attacker IP (10.0.0.128/LHOST); these are lab-specific values and will differ in real-world attacks. Do not rely on these IPs as IOCs.
  • The Windows XP exploit path uses a JMP ESP gadget in iertutil.dll (0x3E087557), which is version/patch-level dependent and may not be present on all XP systems.
  • The Windows 7/10 exploit path relies on integard.exe having ASLR disabled; if ASLR is enabled on the module, the hardcoded SEH address 0x004042B0 will not be reliable.
  • The vulnerability affects both Integard Pro 2.2.0.9026 and Integard Home 2.0.0.9021; detection rules should cover both product variants.
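
One way to apply the first three detection bullets to captured requests, as an added example that is not part of the original page or of any vendor tooling. The function and rule names, the 50-byte run threshold and the sample requests are assumptions constructed for illustration; port and source filtering is left to the sensor.

```python
from urllib.parse import parse_qs

NOJS_MAX = 512                      # size threshold from the guidance above
RUN_MIN = 50                        # assumption: shortest repeated-byte run worth flagging
REDIRECT_MARKER = "###REDIRECT###"  # URL-decoded form of %23%23%23REDIRECT%23%23%23

def longest_run(data: bytes) -> int:
    """Length of the longest run of a single repeated byte (filler or sled)."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best

def inspect_request(raw: bytes) -> list:
    """Return the names of the rules that a raw HTTP request matches."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split()
    if len(parts) < 2 or parts[0] != "POST" or parts[1].split("?")[0] != "/LoginAdmin":
        return []
    # latin-1 maps bytes 1:1 to characters, so raw and %-encoded bytes are both counted
    params = parse_qs(body.decode("latin-1"), keep_blank_values=True, encoding="latin-1")
    nojs = max(params.get("NoJs", [""]), key=len).encode("latin-1")
    hits = []
    if len(nojs) > NOJS_MAX:
        hits.append("nojs_oversize")
    if longest_run(nojs) >= RUN_MIN:
        hits.append("nojs_repeated_run")
    if REDIRECT_MARKER in params.get("Redirect", []):
        hits.append("redirect_marker")
    return hits

def sample(body: bytes) -> bytes:
    """Constructed test request; the Host value is a placeholder."""
    return (b"POST /LoginAdmin HTTP/1.1\r\nHost: integard.example:18881\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body)) + body

# Constructed samples: an ordinary-looking login and an oversized NoJs field.
BENIGN = sample(b"Password=secret&Redirect=%2F&NoJs=1&LoginButtonName=Login")
SUSPICIOUS = sample(b"Password=asdf&Redirect=%23%23%23REDIRECT%23%23%23&NoJs="
                    + b"A" * 600 + b"&LoginButtonName=Login")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, inspect_request(req))
```

Because the field is URL-decoded before it is measured, a percent-encoded run counts by its decoded byte length rather than by its on-the-wire length.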

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P