CVE-2019-16702
Published 2019-09-23

CVE-2019-16702: Integard Pro 2.2.0.9026 allows remote attackers to execute arbitrary code via a buffer overflow involving a long NoJs parameter to the /LoginAdmin URI.

Priority P267 · critical · 9.8 (CVSS 3.1)
Exploit: EPSS 10.75% (95.3rd percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| integard_pro_project | integard_pro | — | — |
Detection & IOCs (extracted from sources)
- Detect HTTP POST requests to /LoginAdmin on port 18881 with an abnormally large NoJs parameter (>512 bytes) in the body, indicative of buffer overflow exploitation.
- Alert on POST /LoginAdmin requests where the body contains the pattern 'NoJs=' followed by a long string of repeated characters (e.g., 'A'*512 or NOP sleds '\x90'*50).
- Monitor for HTTP POST requests to Integard's admin login endpoint containing the Redirect parameter value '%23%23%23REDIRECT%23%23%23', which is a fixed marker in the exploit payload.
- Flag network connections to TCP port 18881 (Integard default admin port) from external/untrusted hosts, especially those sending large POST bodies.
- On Windows 7/10 targets, the exploit uses a SEH overwrite with a return address of 0x004042B0 in integard.exe (ASLR disabled). Monitor for SEH chain corruption at this address in crash dumps or AV/EDR telemetry.
- Caveat: the exploit hardcodes a target IP (10.0.0.130) and attacker IP (10.0.0.128/LHOST); these are lab-specific values and will differ in real-world attacks. Do not rely on these IPs as IOCs.
- Caveat: the Windows XP exploit path uses a JMP ESP gadget in iertutil.dll (0x3E087557), which is version/patch-level dependent and may not be present on all XP systems.
- Caveat: the Windows 7/10 exploit path relies on integard.exe having ASLR disabled; if ASLR is enabled on the module, the hardcoded SEH address 0x004042B0 will not be reliable.
- Caveat: the vulnerability affects both Integard Pro 2.2.0.9026 and Integard Home 2.0.0.9021; detection rules should cover both product variants.
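The first three detection notes above (oversized NoJs value, a NoJs value made of one repeated byte, and the fixed Redirect marker) can be checked directly on a raw HTTP request. The following Python is an added example, not code from any of the page's sources; the sample requests, the `integard.example` host name, and the 64-byte run threshold are constructed assumptions.

```python
ADMIN_PATH = "/LoginAdmin"
NOJS_LIMIT = 512                                  # threshold from the detection note above
RUN_MIN = 64                                      # assumed minimum length for a repeated-byte run
REDIRECT_MARKER = "%23%23%23REDIRECT%23%23%23"    # URL-encoded '###REDIRECT###' marker


def inspect_request(raw: bytes) -> list[str]:
    """Return the alert reasons for one raw HTTP request (empty list = nothing suspicious)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = request_line.split()
    if len(parts) < 2:
        return []
    method, target = parts[0], parts[1]
    if method != "POST" or target.split("?", 1)[0] != ADMIN_PATH:
        return []
    reasons = []
    # latin-1 keeps raw bytes such as \x90 one-to-one, so a NOP sled stays a repeated run
    body_text = body.decode("latin-1", "replace")
    if REDIRECT_MARKER in body_text:
        reasons.append("redirect marker present")
    # Inspect the NoJs field as sent (still URL-encoded); decoding could mangle a binary sled
    for field in body_text.split("&"):
        name, _, value = field.partition("=")
        if name != "NoJs":
            continue
        if len(value) > NOJS_LIMIT:
            reasons.append(f"NoJs length {len(value)} > {NOJS_LIMIT}")
        if len(value) >= RUN_MIN and len(set(value)) == 1:
            reasons.append("NoJs is a single repeated character")
    return reasons


def build_post(path: str, body: str) -> bytes:
    """Construct a minimal HTTP/1.1 POST; sample input, not captured traffic."""
    return (f"POST {path} HTTP/1.1\r\nHost: integard.example:18881\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode("latin-1")


# Constructed samples: a normal login and one shaped like the public exploit's request
BENIGN = build_post(ADMIN_PATH, "Password=secret&Redirect=%2Findex.html&NoJs=0")
SUSPICIOUS = build_post(ADMIN_PATH, "Password=x&Redirect=" + REDIRECT_MARKER + "&NoJs=" + "A" * 600)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, inspect_request(req))
```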
CVSS provenance
- NVD v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/155578/Integard-Pro-NoJs-2.2.0.9026-Remote-Buffer-Overflow.html
- https://github.com/purpl3-f0x/exploit-dev/blob/master/nojs_integard.py