CVE-2011-0340
published 2011-05-04

Priority: P266 (critical)
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: yes
EPSS: 32.35% (98.1 percentile)
Multiple buffer overflows in the ISSymbol ActiveX control in ISSymbol.ocx 61.6.0.0 and 301.1009.2904.0 in the ISSymbol virtual machine, as distributed in Advantech Studio 6.1 SP6 61.6.01.05, InduSoft Web Studio before 7.0+SP1, and InduSoft Thin Client 7.0, allow remote attackers to execute arbitrary code via a long (1) InternationalOrder, (2) InternationalSeparator, or (3) LogFileName property value; or (4) a long bstrFileName argument to the OpenScreen method.

Affected (4 ranges)

Vendor    | Product          | Version range | Fixed in
advantech | advantech_studio |               |
indusoft  | thin_client      |               |
indusoft  | web_studio       | <= 7.0        |
indusoft  | web_studio       |               |

Detection & IOCs (extracted from sources)

  • other: CLSID {3c9dff6f-5cb0-422e-9978-d6405d10718f}
  • filename: ISSymbol.ocx
  • other: crash EIP offset: 240 bytes into the InternationalSeparator buffer
  • other: crash ECX offset: 4208 bytes into the InternationalSeparator buffer
  • process: ISSymbol!DllUnregisterServer+0xc9e2 (crash instruction: mov eax, dword ptr [ecx])
  • bytes: stack-adjustment prepend \x81\xc4\x54\xf2\xff\xff (add esp, -3500)
  • Detect instantiation of the ISSymbol ActiveX control by its CLSID {3c9dff6f-5cb0-422e-9978-d6405d10718f} in HTML/script content delivered over HTTP.
  • Detect heap spray patterns targeting 0x0c0c0c0c in browser processes; large blocks of \x0c bytes in JavaScript unescape() calls are a strong indicator of this exploit.
  • Monitor for msvcr71.dll (Java JRE6) loaded into Internet Explorer processes; the exploit specifically uses this non-ASLR DLL for ROP chain construction to bypass ASLR on Vista/Win7.
  • Flag User-Agent strings from IE 6.0–9.0 on Windows XP/Vista/7 requesting pages that instantiate the ISSymbol CLSID, as these are the exact targets enumerated by the exploit module.
  • Look for the stack-adjustment shellcode prologue bytes \x81\xc4\x54\xf2\xff\xff prepended to payloads in memory or network captures.
  • ROP chain addresses for msvcrt.dll (0x77c15ed6, 0x77c1f519, 0x77c4fa1a) are specific to the Windows XP SP3 msvcrt.dll; they will differ on other patch levels or OS versions.
  • ROP chain addresses for msvcr71.dll (0x7c376fff, 0x7c376ffe, 0x7c376ffc) are specific to the Java JRE6 copy of msvcr71.dll and are used only on Vista/Win7 targets to bypass ASLR.
  • The exploit offset differs slightly for IE 9 on Windows 7 (0x5fe) versus all other targets (0x5f4); detection rules based on fixed offsets must account for this variation.
  • The module includes optional JavaScript obfuscation (OBFUSCATE option) which alters the appearance of the exploit HTML and can evade signature-based detection of the JS payload.
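As an added example (not code from the page or from any of its sources), the following Python script turns the indicators above into checks that run over constructed sample input: a scan of HTML/JS for the ISSymbol CLSID, the vulnerable property and method names from the CVE description, and the 0x0c0c0c0c heap-spray pattern; a search of a byte blob for the stack-adjustment prologue, decoding the immediate to confirm it really is add esp, -3500; and a module-load check for msvcr71.dll inside Internet Explorer. The sample HTML, the byte blob and the verdict logic are constructed assumptions; the script deliberately does not key on the ROP addresses, since the bullets above note they are patch-level specific.

```python
"""Detection helpers for the CVE-2011-0340 indicators listed on this page.
Added example; the sample inputs below are constructed, not real captures."""
import re
import struct

# Indicators from the page's IOC list.
ISSYMBOL_CLSID = "3c9dff6f-5cb0-422e-9978-d6405d10718f"
STACK_ADJUST_PREFIX = b"\x81\xc4\x54\xf2\xff\xff"      # add esp, -3500
# Properties and method named in the CVE description.
VULN_MEMBERS = ("InternationalOrder", "InternationalSeparator",
                "LogFileName", "OpenScreen")

_CLSID_RE = re.compile(re.escape(ISSYMBOL_CLSID), re.I)
_MEMBER_RE = re.compile(r"\.(" + "|".join(VULN_MEMBERS) + r")\b")
# unescape("%u0c0c%u0c0c...") blocks and raw 0c0c0c0c literals.
_SPRAY_RE = re.compile(r"unescape\s*\(\s*[\"'](?:%u0c0c)+[\"']\s*\)", re.I)
_SPRAY_LITERAL_RE = re.compile(r"0c0c0c0c", re.I)


def decode_add_esp(code: bytes) -> int:
    """Decode `add esp, imm32` (opcode 81 C4 imm32) and return the signed immediate."""
    if len(code) < 6 or code[:2] != b"\x81\xc4":
        raise ValueError("not an add esp, imm32 instruction")
    return struct.unpack("<i", code[2:6])[0]


def scan_html(html: str) -> dict:
    """Report which page-level indicators appear in an HTML/JS document."""
    clsid = _CLSID_RE.search(html) is not None
    members = sorted(set(_MEMBER_RE.findall(html)))
    spray_hits = len(_SPRAY_RE.findall(html)) + len(_SPRAY_LITERAL_RE.findall(html))
    # Verdict thresholds are an assumption for this example, not from the page.
    if clsid and (members or spray_hits):
        verdict = "likely CVE-2011-0340 exploit"
    elif clsid:
        verdict = "ISSymbol control instantiated; review"
    else:
        verdict = "no indicators"
    return {"clsid": clsid, "members": members,
            "spray_hits": spray_hits, "verdict": verdict}


def scan_bytes(blob: bytes) -> dict:
    """Locate the stack-adjust prologue in a memory dump or capture."""
    off = blob.find(STACK_ADJUST_PREFIX)
    delta = decode_add_esp(blob[off:off + 6]) if off >= 0 else None
    return {"stack_adjust_offset": off, "esp_delta": delta}


def suspicious_module_load(process: str, module: str) -> bool:
    """Flag the non-ASLR msvcr71.dll (JRE6) mapped into Internet Explorer."""
    return process.lower() == "iexplore.exe" and module.lower() == "msvcr71.dll"


# Constructed sample page in the style the detection bullets describe.
SAMPLE_HTML = """<html><body>
<object classid="clsid:{3C9DFF6F-5CB0-422E-9978-D6405D10718F}" id="target"></object>
<script>
var spray = unescape("%u0c0c%u0c0c");
while (spray.length < 0x10000) spray += spray;
var mem = [];
for (var i = 0; i < 200; i++) mem[i] = spray;
var buf = "";
while (buf.length < 5000) buf += "A";
target.InternationalSeparator = buf;
</script></body></html>"""

# Constructed benign page: unescape() without the 0c0c pattern, no CLSID.
BENIGN_HTML = """<html><body><script>var s = unescape("%u0041");</script></body></html>"""

# Constructed payload blob: NOP sled, the prologue, then filler.
SAMPLE_BLOB = b"\x90" * 16 + STACK_ADJUST_PREFIX + b"\xcc" * 8


if __name__ == "__main__":
    print("add esp immediate:", decode_add_esp(STACK_ADJUST_PREFIX))
    print("sample page:", scan_html(SAMPLE_HTML))
    print("benign page:", scan_html(BENIGN_HTML))
    print("blob:", scan_bytes(SAMPLE_BLOB))
    print("iexplore.exe + msvcr71.dll:", suspicious_module_load("iexplore.exe", "MSVCR71.dll"))
```

The HTML checks are intentionally layered: the CLSID alone only means the control was instantiated (legitimate InduSoft thin-client pages do that too), so the verdict escalates only when it co-occurs with the vulnerable member names or the spray pattern. With the OBFUSCATE option the script-level checks will miss; the CLSID and the in-memory prologue search are the more robust signals.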