CVE-2010-3189
Published 2010-08-31
Priority P263 · critical · 9.3 · CVSS 2.0
AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT · EPSS 39.22% · 98.4th percentile
The extSetOwner function in the UfProxyBrowserCtrl ActiveX control (UfPBCtrl.dll) in Trend Micro Internet Security Pro 2010 allows remote attackers to execute arbitrary code via an invalid address that is dereferenced as a pointer.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trendmicro | internet_security | — | — |
Detection & IOCs
- Detect instantiation of the vulnerable ActiveX control by its CLSID (15DBC3F9-9F0A-472E-8061-043D9CEC52F0) in HTML/script content, which is the attack vector for this exploit.
- Monitor for heap-spray patterns in JavaScript: large unescape() loops filling ~0x40000-byte blocks up to 500 allocations, characteristic of this exploit's heap spray setup.
- Flag HTTP responses of Content-Type text/html that contain both the CLSID 15DBC3F9-9F0A-472E-8061-043D9CEC52F0 and unescape() heap-spray JavaScript as a strong indicator of exploitation attempts.
- The RET address 0x00C750A1 is specific to Windows XP SP0-SP2 / Windows Vista with IE 6.0 SP0-SP2 / IE 7; the exploit target list only covers this single configuration, so detections relying on this exact return address will not generalise to other OS/browser combinations.
- The Metasploit module randomises all JavaScript variable names on each request, so signature-based detection on variable names will be ineffective; focus on structural patterns (CLSID + unescape heap spray) instead.
- The payload bad-character constraint excludes null bytes (\x00) only; shellcode detection rules must account for this minimal encoding requirement.
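The structural check these notes describe (CLSID plus the shape of an unescape() heap spray, independent of variable names), as an added Python example that is not taken from the indexed sources. The trait names, the block-size window and the two-trait threshold are assumptions, and the sample pages are constructed.

```python
import re

# CLSID of the UfProxyBrowserCtrl control, from the detection notes above.
CLSID_RE = re.compile(r"15DBC3F9-9F0A-472E-8061-043D9CEC52F0", re.IGNORECASE)
# unescape() seeded with %uXXXX data, the usual start of a spray block.
UNESCAPE_RE = re.compile(r"unescape\s*\(\s*[\"'](?:%u[0-9a-f]{4}){2,}", re.I)
# String doubled inside a loop; the \1 back-reference ignores the variable name.
DOUBLING_RE = re.compile(
    r"(?:while|for)\s*\([^)]*\)\s*\{?\s*([A-Za-z_$][\w$]*)\s*"
    r"(?:\+=\s*\1|=\s*\1\s*\+\s*\1)\b")
NUMBER_RE = re.compile(r"\b0x[0-9a-f]+\b|\b\d+\b", re.I)
# Assumed window around the ~0x40000-byte block size; tune for your traffic.
BLOCK_MIN, BLOCK_MAX = 0x10000, 0x100000


def spray_traits(body):
    """Return the set of structural heap-spray traits found in the body."""
    traits = set()
    if UNESCAPE_RE.search(body):
        traits.add("unescape-seed")
    if DOUBLING_RE.search(body):
        traits.add("doubling-loop")
    for lit in NUMBER_RE.findall(body):
        value = int(lit, 16) if lit.lower().startswith("0x") else int(lit)
        if BLOCK_MIN <= value <= BLOCK_MAX:
            traits.add("block-size")
    return traits


def classify(content_type, body):
    """Classify one HTTP response; only text/html bodies are inspected."""
    if content_type.split(";")[0].strip().lower() != "text/html":
        return "not-html"
    if not CLSID_RE.search(body):
        return "clean"
    return "exploit-likely" if len(spray_traits(body)) >= 2 else "control-only"


# Constructed samples (no payload, no call into the control).
SPRAY_PAGE = """<object classid="clsid:15dbc3f9-9f0a-472e-8061-043d9cec52f0" id="q1"></object>
<script>var a9 = unescape("%u4141%u4141");
while (a9.length < 0x40000) { a9 += a9; }</script>"""
CONTROL_PAGE = '<object classid="CLSID:15DBC3F9-9F0A-472E-8061-043D9CEC52F0"></object>'

if __name__ == "__main__":
    print(classify("text/html; charset=utf-8", SPRAY_PAGE))  # exploit-likely
    print(classify("text/html", CONTROL_PAGE))               # control-only
```

A "control-only" result is still worth logging: any page instantiating this control from an untrusted origin deserves review even without spray traits.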
No detection rules found.
Exploit-DB
Trend Micro Internet Security Pro 2010 - ActiveX 'extSetOwner()' Remote Code Execution (Metasploit)
exploitdb·2010-10-01·CVSS 9.3
---
```ruby
##
# $Id: trendmicro_extsetowner.rb 10538 2010-10-04 04:26:09Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
##
# trendmicro_extsetowner.rb
#
# Trend Micro Internet Security Pro 2010 ActiveX extSetOwner() Remote Code Execution exploit for the Metasploit Framework
#
# Exploit successfully tested on the following platforms:
# - Trend Micro Internet Security Pro 2010 on Internet Explorer 7, Windows XP SP3
# - Trend Micro Internet Security Pro 2010 on Internet Explorer 7
```
Metasploit
Trend Micro Internet Security Pro 2010 ActiveX extSetOwner() Remote Code Execution
This module exploits a remote code execution vulnerability in Trend Micro Internet Security Pro 2010 ActiveX. When sending an invalid pointer to the extSetOwner() function of UfPBCtrl.dll an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
- http://esupport.trendmicro.com/pages/Hot-Fix-UfPBCtrldll-is-vulnerable-to-remote-attackers.aspx
- http://secunia.com/advisories/41140
- http://www.securityfocus.com/archive/1/513327/100/0/threaded
- http://www.securitytracker.com/id?1024364
- http://www.vupen.com/english/advisories/2010/2185
- http://www.zerodayinitiative.com/advisories/ZDI-10-165
- https://exchange.xforce.ibmcloud.com/vulnerabilities/61397
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7633

Published: 2010-08-31