CVE-2010-4701
published 2011-01-20

CVE-2010-4701: Heap-based buffer overflow in the CDrawPoly::Serialize function in fxscover.exe in Microsoft Windows Fax Services Cover Page Editor 5.2 r2 in Windows XP…

Priority: P261 (high)
CVSS 2.0: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 47.83% (98.7th percentile)
Heap-based buffer overflow in the CDrawPoly::Serialize function in fxscover.exe in Microsoft Windows Fax Services Cover Page Editor 5.2 r2 in Windows XP Professional SP3, Server 2003 R2 Enterprise Edition SP2, and Windows 7 Professional allows remote attackers to execute arbitrary code via a long record in a Fax Cover Page (.cov) file. NOTE: some of these details are obtained from third party information.

Detection & IOCs (extracted from sources)

filename: fxscover.exe
filename: .cov
  • Monitor fxscover.exe for processing of .cov files containing anomalously long records, which triggers a heap-based buffer overflow in CDrawPoly::Serialize.
  • Crash signature: User Mode Write AV at ntdll!RtlAbsoluteToSelfRelativeSD+0x5cd with ECX=41414141 (the classic ASCII 'AAAA' overwrite pattern), which indicates that the heap overflow gave control of the instruction pointer or memory write target in fxscover.exe.
  • Exploitability is confirmed as EXPLOITABLE (the write AV is not near NULL); classify any crash in fxscover.exe with a write AV at a non-NULL, non-stack address as high-severity.
  • The exploit triggers a C++ EH exception (code e06d7363) followed immediately by an access violation (code c0000005) in fxscover.exe; this exception sequence in process crash telemetry is a strong indicator of an exploitation attempt.
  • Affected platforms are limited to Windows XP Professional SP3, Server 2003 R2 Enterprise Edition SP2, and Windows 7 Professional; detection rules should be scoped accordingly.
  • Some vulnerability details are derived from third-party sources and may not be fully authoritative; validate crash hashes and offsets against the specific fxscover.exe build in your environment.
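
The crash-triage rules in the list above (write AV at a non-NULL, non-stack address, and the e06d7363 then c0000005 sequence) can be expressed as a small filter over crash telemetry. This is an added example, not code from the page or its sources; the event field names are hypothetical, the sample events are constructed, and the 64 KiB near-NULL threshold is an assumption.

```python
"""Triage of constructed crash-telemetry events for fxscover.exe (added example)."""

CPP_EH = 0xE06D7363            # C++ EH exception code named on the page
ACCESS_VIOLATION = 0xC0000005  # access violation code named on the page
NEAR_NULL_LIMIT = 0x10000      # assumption: the first 64 KiB counts as near-NULL

# Constructed sample events; the field names are hypothetical, not a real log schema.
# "stack" is the faulting thread's (low, high) stack range.
SAMPLE_EVENTS = [
    {"pid": 1204, "image": "fxscover.exe", "code": 0xE06D7363},
    {"pid": 1204, "image": "FXSCOVER.EXE", "code": 0xC0000005, "access": "write",
     "address": 0x41414141, "stack": (0x0012C000, 0x00130000)},
    {"pid": 2210, "image": "fxscover.exe", "code": 0xC0000005, "access": "write",
     "address": 0x00000008, "stack": (0x0012C000, 0x00130000)},
    {"pid": 3300, "image": "notepad.exe", "code": 0xC0000005, "access": "write",
     "address": 0x41414141, "stack": (0x0012C000, 0x00130000)},
    {"pid": 4100, "image": "fxscover.exe", "code": 0xC0000005, "access": "read",
     "address": 0x02340000, "stack": (0x0012C000, 0x00130000)},
]

def triage(events, image="fxscover.exe"):
    """Return one finding per access violation in `image`, in event order."""
    findings = []
    last_code = {}  # pid -> exception code of that process's previous event
    for ev in events:
        if ev["image"].lower() != image:
            continue  # scope the rule to the Cover Page Editor only
        pid, code = ev["pid"], ev["code"]
        if code == ACCESS_VIOLATION:
            low, high = ev["stack"]
            addr = ev["address"]
            # High severity: write AV that is neither near NULL nor on the stack.
            wild_write = (ev["access"] == "write"
                          and addr >= NEAR_NULL_LIMIT
                          and not (low <= addr < high))
            findings.append({
                "pid": pid,
                "address": addr,
                "severity": "high" if wild_write else "review",
                # True when a C++ EH exception immediately preceded this AV.
                "eh_then_av": last_code.get(pid) == CPP_EH,
            })
        last_code[pid] = code
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"pid={f['pid']} addr={f['address']:#010x} "
              f"severity={f['severity']} eh_then_av={f['eh_then_av']}")
```
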