CVE-2010-4701
Published: 2011-01-20
Priority: P2, 61, high
CVSS 2.0: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 47.83% (98.7th percentile)
Heap-based buffer overflow in the CDrawPoly::Serialize function in fxscover.exe in Microsoft Windows Fax Services Cover Page Editor 5.2 r2 in Windows XP Professional SP3, Server 2003 R2 Enterprise Edition SP2, and Windows 7 Professional allows remote attackers to execute arbitrary code via a long record in a Fax Cover Page (.cov) file. NOTE: some of these details are obtained from third party information.
Detection & IOCs (extracted from sources)
- Monitor fxscover.exe for processing of .cov files containing anomalously long records, which triggers a heap-based buffer overflow in CDrawPoly::Serialize.
- Crash signature: User Mode Write AV at ntdll!RtlAbsoluteToSelfRelativeSD+0x5cd with ECX=41414141 (classic ASCII 'AAAA' overwrite pattern) indicates the heap overflow has gained control of the instruction pointer or memory write target in fxscover.exe.
- Exploitability confirmed as EXPLOITABLE (not a near-NULL write AV); classify any crash in fxscover.exe with a write AV at a non-NULL, non-stack address as high-severity.
- The exploit triggers a C++ EH exception (code e06d7363) followed immediately by an access violation (code c0000005) in fxscover.exe; this exception sequence in process crash telemetry is a strong indicator of an exploitation attempt.
- Affected platforms are limited to Windows XP Professional SP3, Server 2003 R2 Enterprise Edition SP2, and Windows 7 Professional; detection rules should be scoped accordingly.
- Some vulnerability details are derived from third-party sources and may not be fully authoritative; validate crash hashes and offsets against the specific fxscover.exe build in your environment.
No detection rules found.
No writeups or analysis indexed.
References:
- http://retrogod.altervista.org/9sg_cov_bof.html
- http://secunia.com/advisories/42747
- http://www.exploit-db.com/exploits/15839
- http://www.securitytracker.com/id?1024925
- http://www.us-cert.gov/cas/techalerts/TA11-102A.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12689