CVE-2010-3973
Published 2010-12-23
Priority: P2 · 70 · critical · CVSS 2.0: 9.3
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 71.73% (99.3th percentile)
The WMITools ActiveX control in WBEMSingleView.ocx 1.50.1131.0 in Microsoft WMI Administrative Tools 1.1 and earlier in Microsoft Windows XP SP2 and SP3 allows remote attackers to execute arbitrary code via a crafted argument to the AddContextRef method, possibly an untrusted pointer dereference, aka "Microsoft WMITools ActiveX Control Vulnerability."
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | wmi_administrative_tools | <= 1.1 | — |
Detection & IOCs (extracted from sources)
- Detect instantiation of the vulnerable WBEMSingleView.ocx ActiveX control (CLSID lookup) in browser context, particularly calls to AddContextRef or ReleaseContext methods with attacker-controlled lCtxHandle pointer values.
- Look for heap spray patterns in browser memory combined with loading of mscorie.dll (version 2.0.50727.3053) from a web-browsing process — this DLL is used to bypass DEP and ASLR in the exploit.
- The Metasploit module targets MSIE 6.0, 7.0, and 8.0 User-Agent strings; alert on HTTP responses serving .dll files (Content-Type: application/x-msdownload) to these User-Agents alongside pages referencing WBEMSingleView.ocx.
- The exploit module uses 'migrate -f' as InitialAutoRunScript after payload execution — monitor for unexpected process migration activity (e.g., iexplore.exe spawning or injecting into other processes) following ActiveX control load.
- ROP chain uses mscorie.dll RVA 0x237e ('call [ecx+4] / xor eax, eax / pop ebp / ret 8') as a gadget; memory forensics or crash dumps showing RIP/EIP at mscorie.dll+0x237e are indicative of exploitation.
- The exploit module does not opt-in to ASLR and relies on mscorie.dll v2.0.50727.3053 at a fixed base address (0x63f00000); systems with a different .NET 2.0 patch level or without .NET 2.0 installed will not be exploitable via this specific ROP chain.
- The vulnerable component (WBEMSingleView.ocx / WMI Administrative Tools) is a standalone download and install, not present by default on all Windows XP systems — exposure is limited to hosts where it has been explicitly installed.
- Payload space is constrained to 512 bytes with null bytes disallowed; staged or large payloads may not function correctly.
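The HTTP-side check from the list above (a .dll served as application/x-msdownload to an MSIE 6.0 to 8.0 client that also loaded a page referencing WBEMSingleView.ocx), as an added example that is not from this page or its sources. The record schema, the `body` field (which assumes the proxy inspects response content), the 60-second window and all sample hosts are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

MSIE_UA = re.compile(r"MSIE [678]\.0")   # browser versions named in the detection note
CONTROL = "wbemsingleview.ocx"           # control named in the advisory
WINDOW = timedelta(seconds=60)           # assumed correlation window

def rec(ts, client, ua, url, ctype, body=""):
    """Build one constructed proxy record (hypothetical schema)."""
    return {"ts": datetime.fromisoformat(ts), "client": client, "ua": ua,
            "url": url, "ctype": ctype, "body": body}

IE7 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
FF = "Mozilla/5.0 (Windows NT 5.1; rv:2.0) Gecko/20100101 Firefox/4.0"
SAMPLE = [  # constructed sample traffic, not captured data
    rec("2011-01-20T10:00:00", "10.0.0.5", IE7, "http://a.example/p", "text/html",
        "page text mentioning WBEMSingleView.ocx"),
    rec("2011-01-20T10:00:02", "10.0.0.5", IE7, "http://a.example/x.dll",
        "application/x-msdownload"),
    rec("2011-01-20T10:05:00", "10.0.0.9", IE7, "http://b.example/setup.dll",
        "application/x-msdownload"),     # DLL only, no page referencing the control
    rec("2011-01-20T10:06:00", "10.0.0.7", FF, "http://a.example/p", "text/html",
        "page text mentioning WBEMSingleView.ocx"),
    rec("2011-01-20T10:06:01", "10.0.0.7", FF, "http://a.example/x.dll",
        "application/x-msdownload"),     # user agent outside MSIE 6.0-8.0
]

def is_dll_download(r):
    """True for a response typed application/x-msdownload whose path ends in .dll."""
    return (r["ctype"].lower().startswith("application/x-msdownload")
            and r["url"].lower().split("?")[0].endswith(".dll"))

def correlate(records, window=WINDOW):
    """Return (client, page_url, dll_url) for each MSIE 6-8 client that loaded a page
    referencing the control and fetched a DLL within `window` of it, in either order."""
    alerts = []
    ie = sorted((r for r in records if MSIE_UA.search(r["ua"])), key=lambda r: r["ts"])
    pages = [r for r in ie if CONTROL in r["body"].lower()]
    for dll in filter(is_dll_download, ie):
        for page in pages:
            if page["client"] == dll["client"] and abs(dll["ts"] - page["ts"]) <= window:
                alerts.append((dll["client"], page["url"], dll["url"]))
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print("ALERT", *alert)
```

Requiring both conditions for the same client keeps ordinary DLL downloads and pages that merely mention the control from alerting on their own.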
GHSA
GHSA-ffxw-f5f8-xhhf: The WBEMSingleView
ghsa_unreviewed·2022-05-17·CVSS 9.3
CVE-2010-4588 [CRITICAL] CWE-94 GHSA-ffxw-f5f8-xhhf: The WBEMSingleView
The WBEMSingleView.ocx ActiveX control 1.50.1131.0 in Microsoft WMI Administrative Tools 1.1 and earlier allows remote attackers to execute arbitrary code via a crafted argument to the ReleaseContext method, a different vector than CVE-2010-3973, possibly an untrusted pointer dereference.
GHSA
GHSA-2r2c-prqv-cxp3: The WMITools ActiveX control in WBEMSingleView
ghsa_unreviewed·2022-05-14
CVE-2010-3973 [HIGH] CWE-94 GHSA-2r2c-prqv-cxp3: The WMITools ActiveX control in WBEMSingleView
The WMITools ActiveX control in WBEMSingleView.ocx 1.50.1131.0 in Microsoft WMI Administrative Tools 1.1 and earlier in Microsoft Windows XP SP2 and SP3 allows remote attackers to execute arbitrary code via a crafted argument to the AddContextRef method, possibly an untrusted pointer dereference, aka "Microsoft WMITools ActiveX Control Vulnerability."
No detection rules found.
Exploit-DB
Microsoft WMI Administration Tools - ActiveX Buffer Overflow (Metasploit)
exploitdb·2011-01-14
CVE-2010-3973 Microsoft WMI Administration Tools - ActiveX Buffer Overflow (Metasploit)
---
```ruby
##
# $Id: wmi_admintools.rb 11579 2011-01-14 16:25:37Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 OperatingSystems::WINDOWS,
    :rank => NormalRanking,
    :vuln_test => nil,
  })

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Microsoft WMI Administration Tools ActiveX Buffer Overflow',
      'Description' => %q{
          This module exploits a memory trust issue in the Microsoft WMI
          Administration tools ActiveX control. When processing a specially crafted
          HTML
```
Metasploit
Microsoft WMI Administration Tools ActiveX Buffer Overflow
metasploit
This module exploits a memory trust issue in the Microsoft WMI Administration tools ActiveX control. When processing a specially crafted HTML page, the WBEMSingleView.ocx ActiveX Control (1.50.1131.0) will treat the 'lCtxHandle' parameter to the 'AddContextRef' and 'ReleaseContext' methods as a trusted pointer. It makes an indirect call via this pointer which leads to arbitrary code execution. This exploit utilizes a combination of heap spraying and the .NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not opt-in to ASLR. As such, this module should be reliable on all Windows versions. The WMI Administrative Tools are a standalone download & install (linked in the references).
Unit42
Web-based Threats-2018 Q3: Malicious URLs and Domains take a Dip
blogs_unit42·2018-12-27·CVSS 9.8
[CRITICAL] Web-based Threats-2018 Q3: Malicious URLs and Domains take a Dip
# Executive Summary
Our Email Link Analysis (ELINK) system is routinely reviewed by our Unit 42 research team. In examining the data it collects, patterns and trends are discovered which helps us discern prevalent web threats. This blog is the third (3rd quarter of 2018) in a series of posts tracking web-based threats throughout the year, specifically statistics pertaining to malicious URLs, domains, exploit kits, and CVEs.
During Quarter 3 (Q3), July – September, a notable shift occurred with the malicious URL and domain data; there was a significant drop in the number of malicious URLs as well as a drop in malicious domains that will be discussed below. In addition, we will be covering an interesting malicious Flash SWF that exploits CVE-2015-5119.
# URLs
Based on our analysis of dat
Authors: Bo Qu, Tao Yan, Rongbo Shao, Zhanglin He, Xingyu Jin
Published: December 27, 2018
Zscaler
Zscaler found Multiple Security Vulnerabilities | 04-12-2011
blogs_zscaler·CVSS 9.3
[CRITICAL] Zscaler found Multiple Security Vulnerabilities | 04-12-2011
References
- http://blogs.technet.com/b/srd/archive/2011/01/07/assessing-the-risk-of-public-issues-currently-being-tracked-by-the-msrc.aspx
- http://secunia.com/advisories/42693
- http://www.exploit-db.com/exploits/15809
- http://www.kb.cert.org/vuls/id/725596
- http://www.securityfocus.com/bid/45546
- http://www.vupen.com/english/advisories/2010/3301
- http://www.wooyun.org/bug.php?action=view&id=1006
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-027
- https://exchange.xforce.ibmcloud.com/vulnerabilities/64250
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12475

Published: 2010-12-23