CVE-2010-5193
published 2012-08-31

CVE-2010-5193: Stack-based buffer overflow in the TIFMergeMultiFiles function in the SCRIBBLE.ScribbleCtrl.1 ActiveX control (ImageViewer2.ocx) in Viscom Image Viewer CP Pro…

Priority: P259
Severity: critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 31.97% (98.1th percentile)
Stack-based buffer overflow in the TIFMergeMultiFiles function in the SCRIBBLE.ScribbleCtrl.1 ActiveX control (ImageViewer2.ocx) in Viscom Image Viewer CP Pro 8.0 and Gold 6.0 allows remote attackers to execute arbitrary code via a long strDelimit parameter.

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| viscomsoft | image_viewer_cp_gold_sdk | | |
| viscomsoft | image_viewer_cp_pro_sdk | | |

Detection & IOCs (extracted from sources)

filename: ImageViewer2.ocx
other: SCRIBBLE.ScribbleCtrl.1
command: TifMergeMultiFiles()
registry: SCRIBBLE.ScribbleCtrl.1
  • Detect exploitation attempts by monitoring for instantiation of the SCRIBBLE.ScribbleCtrl.1 ActiveX control (ImageViewer2.ocx) combined with a long strDelimit parameter passed to TIFMergeMultiFiles/TifMergeMultiFiles.
  • The Metasploit module targets User-Agent strings matching Windows XP (NT 5.1), Vista (NT 6.0), and Windows 7 (NT 6.1) with MSIE 6.0, 7.0, or 8.0; network detection should alert on exploit page delivery to these UA patterns.
  • The DEP/ASLR bypass ROP chain for IE8/Vista/Win7 targets uses MSVCR71.dll ROP gadgets; presence of ROP gadget addresses from MSVCR71.dll (e.g., 0x7C37653D, 0x7C347F98) on the stack is a strong indicator of exploitation.
  • The exploit uses a heap spray with unescape NOP sled (%u9090%u9090) and encoded shellcode in JavaScript; IDS/IPS rules should look for the characteristic shellcode bytes in HTTP responses alongside ActiveX object instantiation of ImageViewer2.ocx.
  • The exploit pivot address 0x12AE0FE4 is used as the return address overwrite; memory forensics or crash analysis showing EIP/saved return address set to this value indicates exploitation of this specific vulnerability.
  • Post-exploitation, the Metasploit module auto-migrates the injected process; endpoint detection should monitor for unexpected child processes spawned from the browser (iexplore.exe) following ImageViewer2.ocx load.
  • Exploitation requires the victim to explicitly trust the publisher 'Viscom Software' via an ActiveX trust prompt; exploitation will fail if the user denies the trust dialog.
  • The DEP and ASLR bypass path (targets[2]) requires Java support to be present on the victim machine; without Java, the bypass will not function on Vista/Win7/XP IE8.
  • The module is excluded from Metasploit autopwn automation due to the manual trust requirement.
  • Payload bad characters are restricted to null bytes only (\x00); other characters are safe to use in shellcode.
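
As an added example (not taken from the advisory, the vendor or the Metasploit module), the content indicators in the detection notes above can be combined into a triage check for captured HTTP response bodies. The 1024-character literal threshold, the verdict names and the assumption that the listed addresses appear %u-encoded in script are illustrative choices; the sample bodies are constructed.

```python
import re

# Indicators taken from the detection notes above.
PROGID = "scribble.scribblectrl.1"
METHOD = re.compile(r"tifmergemultifiles", re.I)   # page shows both casings
NOP_SLED = re.compile(r"(?:%u9090){2,}", re.I)
ADDRESSES = (0x7C37653D, 0x7C347F98, 0x12AE0FE4)
# Assumption: a quoted literal this long counts as a "long" argument.
LONG_LITERAL = re.compile(r"[\"'][^\"']{1024,}[\"']")

def u_encode(addr):
    """32-bit value as unescape() text: two %uXXXX units, low word first."""
    return "%u{:04x}%u{:04x}".format(addr & 0xFFFF, addr >> 16)

def inspect_body(body):
    """Return the names of the indicators present in one response body."""
    lowered = body.lower()
    checks = [
        ("progid", PROGID in lowered),
        ("method", bool(METHOD.search(body))),
        ("nop_sled", bool(NOP_SLED.search(body))),
        # Assumption: the addresses are delivered %u-encoded in script.
        ("known_address", any(u_encode(a) in lowered for a in ADDRESSES)),
        ("long_literal", bool(LONG_LITERAL.search(body))),
    ]
    return [name for name, hit in checks if hit]

def verdict(hits):
    """ignore: control absent; review: control only; alert: control, method and a payload sign."""
    if "progid" not in hits:
        return "ignore"
    payload = {"nop_sled", "known_address", "long_literal"} & set(hits)
    return "alert" if "method" in hits and payload else "review"

# Constructed sample bodies (not captured traffic); call arguments are elided.
SAMPLE_SUSPICIOUS = (
    '<script>var c = new ActiveXObject("SCRIBBLE.ScribbleCtrl.1");'
    'var s = unescape("%u9090%u9090%u653d%u7c37");'
    "c.TifMergeMultiFiles(/* elided */);</script>"
)
SAMPLE_LEGIT = '<script>var c = new ActiveXObject("SCRIBBLE.ScribbleCtrl.1");</script>'

if __name__ == "__main__":
    for body in (SAMPLE_SUSPICIOUS, SAMPLE_LEGIT, "<p>no control here</p>"):
        hits = inspect_body(body)
        print(verdict(hits), hits)
```

A "review" verdict is useful on its own for inventory: it shows which hosts still receive pages that load ImageViewer2.ocx.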