CVE-2009-2011
published 2009-06-16


Priority: P264 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 40.18% (98.5th percentile)
Worldweaver DX Studio Player 3.0.29.0, 3.0.22.0, 3.0.12.0, and probably other versions before 3.0.29.1, when used as a plug-in for Firefox, does not restrict access to the shell.execute JavaScript API method, which allows remote attackers to execute arbitrary commands via a .dxstudio file that invokes this method.

Affected

3 ranges

Vendor | Product | Version range | Fixed in
dxstudio | dx_studio_player | <= 3.0.29.0 |
dxstudio | dx_studio_player | |
dxstudio | dx_studio_player | |

Detection & IOCs (extracted from sources)

filename: .dxstudio
filename: header.xml
command: shell.execute()
  • Monitor HTTP responses serving files with Content-Type 'application/octet-stream' containing a ZIP archive with an embedded 'header.xml' — this is the crafted .dxstudio payload delivery mechanism used by the Metasploit module.
  • Detect browser plugin (Firefox DLL or IE ActiveX) invoking shell.execute() from JavaScript within a .dxstudio document context — this is the core exploitation primitive.
  • Alert on .dxstudio files being served or downloaded from the web, especially those that are ZIP archives containing a header.xml with embedded batch commands (CMDS/BATNAME substitution pattern).
  • Look for randomly named .bat files written to disk by the DX Studio Player plugin process — the exploit stages a payload by writing a randomly named batch file via the plugin's file-write capability.
  • In IE, watch for a single per-host prompt allowing the DX Studio Player ActiveX control to access local files — subsequent exploitation on the same host will be silent.
  • Affected versions are 3.0.29.0 and earlier (including 3.0.22.0 and 3.0.12.0); version 3.0.29.1 and later contain the fix. The vulnerability is present in both the Firefox DLL plugin and the IE ActiveX control.
  • The shell.execute() API is intentionally unrestricted in the standalone DX Studio Player — exploitation via this vector is only a vulnerability in the browser plugin context, not the standalone player.
  • Metasploit payload space is limited to 2048 bytes, requiring a cmdstager (multi-stage command execution) approach with a line max of 2047 bytes per command.
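
An added example (not taken from the sources this page draws on): a Python triage check for the ZIP container / header.xml / shell.execute indicators listed above, applied to a response body or a file on disk. The finding labels, the read cap and the sample XML are assumptions; the real header.xml schema is not shown on this page.

```python
import io
import zipfile
import zlib

MARKER = b"shell.execute"        # API name from the advisory text
MAX_HEADER_BYTES = 1_000_000     # assumed read cap, guards against zip bombs


def inspect_dxstudio(data: bytes) -> set:
    """Return the set of findings for one response body or file."""
    findings = set()
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return findings
    findings.add("zip-container")
    try:
        with zipfile.ZipFile(buf) as zf:
            for info in zf.infolist():
                # Match header.xml at any depth, case-insensitively.
                if info.filename.rsplit("/", 1)[-1].lower() != "header.xml":
                    continue
                findings.add("header.xml-present")
                with zf.open(info) as fh:
                    head = fh.read(MAX_HEADER_BYTES)
                if MARKER in head.lower():
                    findings.add("shell.execute-reference")
    except (zipfile.BadZipFile, zlib.error, RuntimeError, NotImplementedError):
        findings.add("unreadable-archive")
    return findings


def _make_sample(header_xml: bytes) -> bytes:
    """Build a constructed test archive in memory (not a real .dxstudio file)."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("header.xml", header_xml)
    return out.getvalue()


# Constructed samples; the XML layout is a placeholder, not the real schema.
SAMPLE_FLAGGED = _make_sample(b'<doc><script>shell.execute("PLACEHOLDER");</script></doc>')
SAMPLE_BENIGN = _make_sample(b"<doc><script>var x = 1;</script></doc>")
SAMPLE_NOT_ZIP = b"plain text body"

if __name__ == "__main__":
    for name, body in [("flagged", SAMPLE_FLAGGED), ("benign", SAMPLE_BENIGN),
                       ("not-zip", SAMPLE_NOT_ZIP)]:
        print(name, sorted(inspect_dxstudio(body)))
```

A "shell.execute-reference" finding is a triage signal for files reaching the browser plugin, since the same call is expected in content written for the standalone player.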

CVSS provenance

nvd · v2.0 · 9.3 · CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_redhat · 7.8 · HIGH