CVE-2022-2070
published 2022-09-23


Priority: P273 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 4.30% (89.9th percentile)
In Grandstream GSD3710 in its 1.0.11.13 version, it's possible to overflow the stack since it doesn't check the param length before using the sscanf instruction. Because of that, an attacker could create a socket and connect with a remote IP:port by opening a shell and getting full access to the system. The exploit affects daemons dbmng and logsrv that are running on ports 8000 and 8001 by default.

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
grandstream | gds3710_firmware | |
grandstream | grandstream_gsd3710 | |

Detection & IOCs (extracted from sources)

port: 8000
port: 8001
command: LOG/1.0 END CMD:AUTH_USERNAME @
process: dbmng
process: logsrv
bytes: \x01\x30\x8F\xE2\x13\xFF\x2F\xE1\x02\x20\x01\x21\x92\x1A\xC8\x27\x51\x37\x01\xDF\x04\x1C
  • Detect stack buffer overflow exploitation attempts against Grandstream GSD3710 by monitoring for oversized payloads (>144 bytes of padding) sent to TCP ports 8000 or 8001, prefixed with the auth command string 'LOG/1.0 END CMD:AUTH_USERNAME @'.
  • Flag connections to TCP ports 8000/8001 on Grandstream GSD3710 devices that contain the byte sequence 0x43434343 (junk ROP filler) following the AUTH_USERNAME command prefix.
  • Detect ARM Linux reverse shell shellcode on the wire: look for the thumb-mode switch sequence \x01\x30\x8F\xE2\x13\xFF\x2F\xE1 in TCP payloads directed at the device.
  • Monitor for outbound TCP connections from Grandstream GSD3710 devices (reverse shell callback) immediately after inbound traffic on ports 8000/8001, indicating successful exploitation and shell execution via execve('/bin/sh').
  • The exploit uses an mprotect-based ROP chain built against libc_base 0x76ec1000 on the target; memory forensics or crash dumps showing ROP gadget addresses relative to this base indicate exploitation of CVE-2022-2070.
  • The default vulnerable ports (8000/8001) may be reconfigured by administrators; verify the actual listening ports for dbmng and logsrv on the target device before relying on port-based detection.
  • The exploit script example uses port 8081 as the target port argument, which differs from the documented default ports 8000/8001; detection rules should cover all three ports.
  • The ROP gadget offsets are hardcoded against libc_base 0x76ec1000 for firmware 1.0.11.13; different firmware versions will have different libc base addresses, making these offsets version-specific.
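The indicators above can be applied to a captured TCP payload as a single check. The following is an added example written for this page, not code from the vendor or from any exploit; it assumes the watched port set (defaults plus the PoC's 8081) and the 144-byte padding threshold stated in the bullets, and the sample payloads are constructed for the demonstration.

```python
"""Per-payload detection helper for CVE-2022-2070 indicators (constructed example)."""
from dataclasses import dataclass, field
from typing import List

AUTH_PREFIX = b"LOG/1.0 END CMD:AUTH_USERNAME @"
MAX_PARAM_LEN = 144                     # padding above this is "oversized" per the IOC notes
ROP_FILLER = b"\x43\x43\x43\x43"        # 0x43434343 junk filler that follows the prefix in the PoC
THUMB_SWITCH = b"\x01\x30\x8F\xE2\x13\xFF\x2F\xE1"   # first 8 bytes of the listed shellcode
WATCHED_PORTS = {8000, 8001, 8081}      # assumption: defaults plus the PoC port; adjust if reconfigured


@dataclass
class Verdict:
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


def inspect_payload(dst_port: int, payload: bytes) -> Verdict:
    """Check one inbound TCP payload to a GSD3710 for the page's indicators.

    Only traffic to the watched dbmng/logsrv ports is examined; everything
    after the AUTH_USERNAME prefix is treated as the parameter length, so a
    trailing newline counts toward the threshold (acceptable for a 144-byte cutoff).
    """
    reasons: List[str] = []
    if dst_port not in WATCHED_PORTS:
        return Verdict(False, reasons)
    idx = payload.find(AUTH_PREFIX)
    if idx != -1:
        param = payload[idx + len(AUTH_PREFIX):]
        if len(param) > MAX_PARAM_LEN:
            reasons.append(f"oversized AUTH_USERNAME parameter ({len(param)} bytes > {MAX_PARAM_LEN})")
        if ROP_FILLER in param:
            reasons.append("0x43434343 ROP filler after AUTH_USERNAME prefix")
    if THUMB_SWITCH in payload:
        reasons.append("ARM Thumb-mode switch sequence (reverse-shell shellcode prologue)")
    return Verdict(bool(reasons), reasons)


if __name__ == "__main__":
    # Constructed samples: a normal login line versus an oversized parameter with filler.
    samples = [
        (8000, AUTH_PREFIX + b"admin\n"),
        (8001, AUTH_PREFIX + b"A" * 200 + ROP_FILLER),
        (8081, THUMB_SWITCH + b"\x00" * 16),
    ]
    for port, data in samples:
        v = inspect_payload(port, data)
        print(f"port {port}: suspicious={v.suspicious} reasons={v.reasons}")
```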

CVSS provenance

nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_redhat: 5.5 MEDIUM