CVE-2011-3492

critical
Published 2011-09-16 · Modified 2026-04-29
CVSS v3
—
CVSS v4 NEW
—
not yet in upstream
VIR risk
10.0

Description

Stack-based buffer overflow in Azeotech DAQFactory 5.85 build 1853 and earlier allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a crafted NETB packet to UDP port 20034.

Predictions

Exploit likelihood
20%
Patch ETA
—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-17841 dos windows text · 2 KB
Luigi Auriemma · 2011-09-14

DaqFactory 5.85 build 1853 - Stack Overflow

Source: Exploit-DB (text exploit)
#######################################################################

                             Luigi Auriemma

Application:  DAQFactory
              http://www.azeotech.com/daqfactory.php
Versions:     <= 5.85 build 1853
Platforms:    Windows
Bug:          stack overflow
Exploitation: remote
Date:         13 Sep 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


DAQFactory is HMI/SCADA software.


#######################################################################

======
2) Bug
======


When DAQFactory is running it listens on UDP port 20034 for NETB
packets of at most 0x400 bytes.

The software is affected by a stack overflow in the code that logs the
information of the incoming packet, allowing an attacker to execute
malicious code:

  005C3FB0  /$ 6A FF             PUSH -1
  005C3FB2  |. 68 E6777D00       PUSH DAQFacto.007D77E6
  005C3FB7  |. 64:A1 00000000    MOV EAX,DWORD PTR FS:[0]
  005C3FBD  |. 50                PUSH EAX
  005C3FBE  |. 64:8925 00000000  MOV DWORD PTR FS:[0],ESP
  005C3FC5  |. 81EC 2C020000     SUB ESP,22C
  ...skip...
  005C41B2  |. 8D8C24 7C010000   LEA ECX,DWORD PTR SS:[ESP+17C]
  005C41B9  |. 68 B02C9000       PUSH DAQFacto.00902CB0     ; "MAC:[%02x-%02X-%02X-%02X-%02X-%02X] IP:%d.%d.%d.%d DHCP:%d.%d.%d.%d %s%s"
  005C41BE  |. 51                PUSH ECX
  005C41BF  |. FF15 6CC07F00     CALL DWORD PTR DS:[<&MSVCRT.sprintf>]
  ..and..
  005C423A  |. 8D8C24 6C010000   LEA ECX,DWORD PTR SS:[ESP+16C]
  005C4241  |. 68 682C9000       PUSH DAQFacto.00902C68     ; "MAC: [%02x-%02X-%02X-%02X-%02X-%02X]    IP:%d.%d.%d.%d %s%s"
  005C4246  |. 51                PUSH ECX
  005C4247  |. FF15 6CC07F00     CALL DWORD PTR DS:[<&MSVCRT.sprintf>]


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/daqfactory_1.dat
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17841.dat

  nc SERVER 20034 -u < daqfactory_1.dat


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
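The logging defect described in section 2 of the advisory (an unbounded sprintf of packet-supplied strings into a fixed stack buffer) in its bounded form, as an added example: this is not DAQFactory's code nor the advisory author's, and the 0xB0 buffer size is an inference from the listing (a buffer at ESP+0x17C inside a 0x22C frame), not a figure the advisory states.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define NETB_MAX_PACKET 0x400  /* max NETB packet size stated in the advisory */
#define LOG_BUF_SIZE    0xB0   /* assumption: ESP+0x17C up to the end of the 0x22C frame */

/* Fields the logger prints; the two strings are taken from the packet. */
struct netb_info {
    uint8_t mac[6], ip[4], dhcp[4];
    const char *s1; size_t len1;   /* packet strings are not NUL-terminated on the wire */
    const char *s2; size_t len2;
};

/* The vulnerable shape in the disassembly is sprintf(line, "... %s%s", s1, s2)
 * into a fixed stack buffer.  Here each packet string is bounded by its own
 * length (%.*s) and snprintf caps the whole line at out_sz.  Returns 0 if the
 * line fit, 1 if it was truncated (still NUL-terminated), -1 on bad lengths. */
int netb_format_log(char *out, size_t out_sz, const struct netb_info *p)
{
    if (p->len1 > NETB_MAX_PACKET || p->len2 > NETB_MAX_PACKET) return -1;
    int n = snprintf(out, out_sz,
        "MAC:[%02x-%02X-%02X-%02X-%02X-%02X] IP:%d.%d.%d.%d DHCP:%d.%d.%d.%d %.*s%.*s",
        p->mac[0], p->mac[1], p->mac[2], p->mac[3], p->mac[4], p->mac[5],
        p->ip[0], p->ip[1], p->ip[2], p->ip[3], p->dhcp[0], p->dhcp[1], p->dhcp[2], p->dhcp[3],
        (int)p->len1, p->s1, (int)p->len2, p->s2);
    if (n < 0) return -1;
    return (size_t)n >= out_sz ? 1 : 0;
}

/* Constructed inputs: a benign packet, then one carrying 0x400 bytes of filler
 * (the advisory's maximum packet size) in the first string field. */
static char g_line[LOG_BUF_SIZE];
const char *last_line(void) { return g_line; }

int demo_benign(void)
{
    struct netb_info p = { {0, 0x1c, 0x42, 0, 0, 1}, {10, 0, 0, 5}, {10, 0, 0, 1}, "host", 4, "", 0 };
    return netb_format_log(g_line, sizeof g_line, &p);
}

int demo_oversized(void)
{
    static char filler[NETB_MAX_PACKET];
    memset(filler, 'A', sizeof filler);
    struct netb_info p = { {0, 0x1c, 0x42, 0, 0, 1}, {10, 0, 0, 5}, {10, 0, 0, 1}, filler, sizeof filler, "", 0 };
    return netb_format_log(g_line, sizeof g_line, &p);
}
```

A return value of 1 is the signal a production logger should treat as an anomaly worth recording: a NETB packet whose string fields alone exceed the log line.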
EDB-17855 remote windows verified
Metasploit · 2011-09-18

DaqFactory - HMI NETB Request Overflow (Metasploit)


Metasploit modules

DaqFactory HMI NETB Request Overflow

Application impact

Vendor     Product      Versions
azeotech   daqfactory   <= 5.85
azeotech   daqfactory   3.0
azeotech   daqfactory   3.03
azeotech   daqfactory   3.5
azeotech   daqfactory   3.05
azeotech   daqfactory   3.09
azeotech   daqfactory   3.10
azeotech   daqfactory   3.11
azeotech   daqfactory   3.51
azeotech   daqfactory   3.52
azeotech   daqfactory   3.53
azeotech   daqfactory   3.55
azeotech   daqfactory   4.00
azeotech   daqfactory   4.10
azeotech   daqfactory   4.11
azeotech   daqfactory   5.0
azeotech   daqfactory   5.01
azeotech   daqfactory   5.02
azeotech   daqfactory   5.03
azeotech   daqfactory   5.04
azeotech   daqfactory   5.05
azeotech   daqfactory   5.10
azeotech   daqfactory   5.11
azeotech   daqfactory   5.12
azeotech   daqfactory   5.15
azeotech   daqfactory   5.30
azeotech   daqfactory   5.31
azeotech   daqfactory   5.32
azeotech   daqfactory   5.33
azeotech   daqfactory   5.34
azeotech   daqfactory   5.35
azeotech   daqfactory   5.36
azeotech   daqfactory   5.37
azeotech   daqfactory   5.38
azeotech   daqfactory   5.39
azeotech   daqfactory   5.40
azeotech   daqfactory   5.70
azeotech   daqfactory   5.71
azeotech   daqfactory   5.72
azeotech   daqfactory   5.73
azeotech   daqfactory   5.74
azeotech   daqfactory   5.75
azeotech   daqfactory   5.76
azeotech   daqfactory   5.77
azeotech   daqfactory   5.78
azeotech   daqfactory   5.79
azeotech   daqfactory   5.80
azeotech   daqfactory   5.82
azeotech   daqfactory   5.83
azeotech   daqfactory   5.84

Fixed version: none listed for any row.

References

CWEs

CWE-119