CVE-2011-0027
published 2011-01-12


Priority: P2 (69), critical
CVSS 2.0 base score: 9.3 (vector AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public PoC available
EPSS: 54.37% (98.9th percentile)
Microsoft Data Access Components (MDAC) 2.8 SP1 and SP2, and Windows Data Access Components (WDAC) 6.0, does not properly validate memory allocation for internal data structures, which allows remote attackers to execute arbitrary code, possibly via a large CacheSize property that triggers an integer wrap and a buffer overflow, aka "ADO Record Memory Vulnerability." NOTE: this might be a duplicate of CVE-2010-1117 or CVE-2010-1118.

Affected (2 ranges)

Vendor      Product                          Version range   Fixed in
microsoft   data_access_components
microsoft   windows_data_access_components

Detection & IOCs (extracted from sources)

command   localxmlid2.CacheSize = 0x40000358
command   localxmlid5.CacheSize = 0x40000008
path      calc.exe
path      \system32\calc.exe
bytes     %u9090%u9090%u868B%u1108%u0000%u5056%u056A%uA068%u0421%u0516%u185E%u0008%uD0FF%u5058%u0590%u0BBB%u0000%uD0FF%uF88B%u0558%u3B47%u0000%u006A%uFF57%uCCD0
  • Exploit triggers integer wrap/heap overflow by setting ADO recordset CacheSize property to large values (e.g. 0x40000358, 0x40000008) via JavaScript on a malicious web page; monitor for script setting CacheSize on ADO recordset objects to values exceeding 0x3FFFFFFF.
  • Exploit performs ASLR evasion by scanning heap for msado15.dll vftable markers (0xAD68, 0xD738 offsets) to compute the DLL base address; look for JavaScript iterating over ADO Fields.Item(0).name with regex matching /uAD68/ or /uD738/.
  • Exploit uses heapLib.ie heap spray with block size 0x20000 for DEP evasion; presence of 'new heapLib.ie(0x20000)' in page scripts is a strong indicator of this exploit.
  • Exploit embeds shellcode that launches calc.exe (proof-of-concept payload) from \system32\calc.exe; in weaponized variants, this path would be replaced with a malicious executable.
  • Vulnerability is triggered when a user visits a specially crafted web page; affected components are MDAC 2.8 SP1/SP2 and WDAC 6.0 on Windows XP, Server 2003, Vista, Server 2008, and Windows 7.
  • The shellcode payload in the public PoC launches calc.exe as a benign demonstration; real-world weaponized exploits would substitute a different executable path in the same shellcode location.
  • The heap spray size (FinalHeapSpraySize = 900) and small hole size (SmallHoleSize = 0x240) are tunable parameters in the exploit; actual exploit variants may use different values.
  • NVD notes this CVE might be a duplicate of CVE-2010-1117 or CVE-2010-1118; detections should cross-reference those CVEs to avoid duplicate coverage.