CVE-2011-0340
Published: 2011-05-04
Priority: P2 (66) · Severity: critical · CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public · EPSS: 32.35% (98.1th percentile)
Multiple buffer overflows in the ISSymbol ActiveX control in ISSymbol.ocx 61.6.0.0 and 301.1009.2904.0 in the ISSymbol virtual machine, as distributed in Advantech Studio 6.1 SP6 61.6.01.05, InduSoft Web Studio before 7.0+SP1, and InduSoft Thin Client 7.0, allow remote attackers to execute arbitrary code via a long (1) InternationalOrder, (2) InternationalSeparator, or (3) LogFileName property value; or (4) a long bstrFileName argument to the OpenScreen method.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| advantech | advantech_studio | — | — |
| indusoft | thin_client | — | — |
| indusoft | web_studio | <= 7.0 | — |
| indusoft | web_studio | — | — |
Detection & IOCs (extracted from sources)
Bytes: stack adjustment prepend \x81\xc4\x54\xf2\xff\xff (add esp, -3500)
Detections:
- Detect instantiation of the ISSymbol ActiveX control by its CLSID {3c9dff6f-5cb0-422e-9978-d6405d10718f} in HTML or script content delivered over HTTP.
- Detect heap-spray patterns targeting 0x0c0c0c0c in browser processes. Large blocks of \x0c bytes built from JavaScript unescape() calls are a strong indicator of browser exploitation in general; combine them with the CLSID check to attribute the attempt to this exploit.
- Monitor for msvcr71.dll (shipped with Java JRE6) loaded into Internet Explorer processes; the exploit relies on this non-ASLR DLL for ROP chain construction to bypass ASLR on Vista and Windows 7. Any page that loads the Java plugin also loads it, so treat this as a weak signal on its own.
- Flag User-Agent strings from IE 6.0 through 9.0 on Windows XP, Vista or 7 requesting pages that instantiate the ISSymbol CLSID; these are exactly the targets enumerated by the exploit module.
- Look for the stack-adjustment prologue bytes \x81\xc4\x54\xf2\xff\xff prepended to payloads in memory or in network captures.
Caveats:
- ROP chain addresses for msvcrt.dll (0x77c15ed6, 0x77c1f519, 0x77c4fa1a) are specific to the Windows XP SP3 build of msvcrt.dll and differ on other patch levels and OS versions; do not use them as signatures.
- ROP chain addresses for msvcr71.dll (0x7c376fff, 0x7c376ffe, 0x7c376ffc) are specific to the Java JRE6 copy of msvcr71.dll and are used only for Vista/Win7 targets.
- The payload offset differs for IE 9 on Windows 7 (0x5fe) versus all other targets (0x5f4); detection rules keyed to a fixed offset must account for this.
- The module has an optional JavaScript obfuscation setting (OBFUSCATE) that changes the appearance of the exploit HTML and can evade signature-based detection of the JS payload.
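The checks above, as an added example that is not part of this page or of the Metasploit module: a triage script that runs over an HTTP response body (and optionally a raw capture), looks for the ISSymbol CLSID, references to the four vulnerable members from the CVE text, 0x0c heap-spray blocks, and the add esp, -3500 prologue, and decodes the prologue to confirm its immediate. SAMPLE_PAGE and BENIGN_PAGE are constructed stand-ins, not the module's real HTML, and the doubling-loop regex is my own heuristic rather than something the sources list.

```python
"""Triage an HTTP response body (and optionally a raw capture) for the
ISSymbol exploit indicators listed above.  Added example, not part of the page
or of the Metasploit module; SAMPLE_PAGE and BENIGN_PAGE are constructed
stand-ins, not the module's actual HTML."""
import re
import struct

ISSYMBOL_CLSID = "3c9dff6f-5cb0-422e-9978-d6405d10718f"
# Members the CVE text names as overflowing on an over-long value.
VULN_MEMBERS = ("InternationalOrder", "InternationalSeparator",
                "LogFileName", "OpenScreen")
STACK_ADJUST = b"\x81\xc4\x54\xf2\xff\xff"        # add esp, -3500

CLSID_RE  = re.compile(r"clsid:\s*\{?" + re.escape(ISSYMBOL_CLSID) + r"\}?", re.I)
MEMBER_RE = re.compile(r"\.(" + "|".join(VULN_MEMBERS) + r")\b")
UNESC_RE  = re.compile(r"unescape\(\s*['\"]([^'\"]+)['\"]\s*\)", re.I)
SPRAY_RE  = re.compile(r"^(?:%u0c0c|%0c)+$", re.I)   # literal made only of 0x0c
# Heuristic (mine, not from the page): the classic doubling loop that grows a
# small unescape() block into megabytes of spray.
GROW_RE   = re.compile(r"while\s*\(\s*\w+\.length\s*<\s*0x[0-9a-f]+\s*\)", re.I)


def js_unescape_to_bytes(literal: str) -> bytes:
    """Decode %uXXXX/%XX escapes to the bytes IE would hold in memory
    (each %uXXXX is one UTF-16LE code unit)."""
    out = bytearray()
    for m in re.finditer(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})", literal):
        if m.group(1):
            out += struct.pack("<H", int(m.group(1), 16))
        else:
            out.append(int(m.group(2), 16))
    return bytes(out)


def decode_add_esp(code: bytes):
    """Return the signed imm32 of an 'add esp, imm32' (81 C4 imm32), else None."""
    if len(code) < 6 or code[:2] != b"\x81\xc4":
        return None
    return struct.unpack("<i", code[2:6])[0]


def heap_spray_indicators(body: str) -> list:
    found = []
    for m in UNESC_RE.finditer(body):
        lit = m.group(1)
        if SPRAY_RE.match(lit):
            found.append(("unescape_0c_block", len(js_unescape_to_bytes(lit))))
    if re.search(r"0x0c0c0c0c", body, re.I):
        found.append(("literal_0c0c0c0c", 4))
    if GROW_RE.search(body):
        found.append(("doubling_loop", 0))
    return found


def shellcode_has_stack_adjust(body: str) -> bool:
    """True if any unescape() literal decodes to bytes containing the prologue."""
    return any(STACK_ADJUST in js_unescape_to_bytes(m.group(1))
               for m in UNESC_RE.finditer(body))


def scan(body: str, raw: bytes = b"") -> dict:
    r = {
        "issymbol_clsid": bool(CLSID_RE.search(body)),
        "vuln_members": sorted({m.group(1) for m in MEMBER_RE.finditer(body)}),
        "heap_spray": heap_spray_indicators(body),
        "stack_adjust_prologue": shellcode_has_stack_adjust(body)
                                 or STACK_ADJUST in raw,
    }
    # The CLSID alone may just be a legitimate thin-client page; a spray or a
    # vulnerable-member reference is what turns it into an exploit attempt.
    r["verdict"] = r["issymbol_clsid"] and bool(r["vuln_members"] or r["heap_spray"])
    return r


SAMPLE_PAGE = """<html><body>
<object classid='clsid:{3C9DFF6F-5CB0-422E-9978-D6405D10718F}' id='obj'></object>
<script>
var sc   = unescape("%uc481%uf254%uffff%u9090");   // prologue + nop, constructed
var nops = unescape("%u0c0c%u0c0c");
while (nops.length < 0x80000) nops += nops;
var buf = ""; for (var i = 0; i < 2000; i++) buf += "A";
obj.InternationalSeparator = buf;
</script></body></html>"""

BENIGN_PAGE = """<html><body><script>
var s = unescape("%E2%9C%93 done");
</script></body></html>"""

if __name__ == "__main__":
    for name, page in (("sample", SAMPLE_PAGE), ("benign", BENIGN_PAGE)):
        print(name, scan(page))
    print("prologue imm32:", decode_add_esp(STACK_ADJUST))   # -3500
```

The ROP addresses from the caveats are deliberately not used as signatures, since they shift with the msvcrt.dll patch level; the CLSID, the vulnerable member names and the decoded prologue are stable across the module's targets, and the OBFUSCATE option can still hide the member names, so the heap-spray and prologue decoders are the checks that survive obfuscation of identifiers.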
CISA ICS
InduSoft ISSymbol ActiveX Control Buffer Overflow
cisa_ics · 2013-10-28
## Archived Content
In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory: InduSoft ISSymbol ActiveX Control Buffer Overflow
Last Revised: October 28, 2013
Alert Code: ICSA-12-249-03
## Overview
ICS-CERT received a report from InduSoft and the Zero Day Initiative (ZDI) concerning a heap-based buffer overflow vulnerability affecting the InduSoft ISSymbol ActiveX control. The vulnerability was reported to ZDI by security researcher Alexander Gavrun.
Successful exploitation of this vulnerability could allow remote execution of arbitrary code.
## Affected Products
The following products and versions are affected:
- InduSoft ISSymbol ActiveX Control (Build
CISA ICS
Advantech Studio ISSymbol ActiveX Buffer Overflow
cisa_ics · 2011-05-11
ICS Advisory: Advantech Studio ISSymbol ActiveX Buffer Overflow
Last Revised: September 06, 2018
Alert Code: ICSA-12-137-02
## Overview
This advisory is a follow-up to the original alert, ICS-ALERT-11-131-01 - Advantech Studio ISSymbol ActiveX Buffer Overflow Vulnerabilities, published May 11, 2011, on the ICS-CERT web page.
A remote attacker could exploit these vulnerabilities; publicly available exploit code is known to exist that targets them.
Independent researcher Dmitriy Pletnev of Secunia has identified multiple buffer overflow vulnerabilities in the Advant
GHSA
GHSA-w53j-c547-g9gf: Multiple buffer overflows in the ISSymbol ActiveX control in ISSymbol
ghsa_unreviewed · 2022-05-17 · CVE-2011-0340 · HIGH · CWE-119
No detection rules found.
Exploit-DB
InduSoft Web Studio - 'ISSymbol.ocx InternationalSeparator()' Heap Overflow (Metasploit)
exploitdb · 2012-12-20 · CVE-2011-0340

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # NOTE: the mixin include lines and the head of the autopwn_info({ ... })
  # call did not survive extraction of this page (the '<' of the class line
  # was read as markup); the :ua_name key is restored from context.
  autopwn_info({
    :ua_name    => HttpClients::IE,
    :ua_minver  => "6.0",
    :ua_maxver  => "9.0",
    :javascript => true,
    :os_name    => OperatingSystems::WINDOWS,
    :rank       => NormalRanking,
    :classid    => "{3c9dff6f-5cb0-422e-9978-d6405d10718f}",
    :method     => "InternationalSeparator"
  })

  def initialize(info={})
    super(update_info(info,
      'Name'        => "InduSoft Web Studio ISSymbol.ocx InternationalSeparator() Heap Overflow",
      'Description' => %q{
        This module exploi
```
Metasploit
InduSoft Web Studio ISSymbol.ocx InternationalSeparator() Heap Overflow
metasploit
This module exploits a heap overflow found in InduSoft Web Studio <= 61.6.00.00 SP6. The overflow exists in ISSymbol.ocx and can be triggered with a long string argument to the InternationalSeparator() method of the ISSymbol control. This module uses the msvcr71.dll from the Java JRE6 to bypass ASLR.
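The ASLR bypass described above works because the JRE6 copy of msvcr71.dll was linked without the DYNAMIC_BASE flag, so it loads at its preferred base and its gadget addresses are stable. As an added example that is not part of this page or of the Metasploit module, the following script reads that flag (and NX_COMPAT) straight from a PE header so you can inventory which modules in a process are usable as fixed-address ROP sources. The two images it checks are constructed minimal headers, not real DLLs; the 0x7c340000 base of the constructed legacy CRT is chosen only because the 0x7c37xxxx gadget addresses quoted above fall inside it.

```python
"""Report whether a PE image opted into ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT).
Added example, not part of the page or of the Metasploit module; LEGACY_CRT
and MODERN_DLL are constructed minimal headers, not real files."""
import struct
import sys

DYNAMIC_BASE    = 0x0040   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE    (ASLR opt-in)
NX_COMPAT       = 0x0100   # IMAGE_DLLCHARACTERISTICS_NX_COMPAT       (DEP opt-in)
HIGH_ENTROPY_VA = 0x0020   # IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA (64-bit images)


def pe_mitigations(data: bytes) -> dict:
    """Parse DOS/COFF/optional headers and return the mitigation flags."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = pe_off + 4 + 20                                     # COFF header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    pe32plus = magic == 0x20B
    if pe32plus:                                              # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:                                                     # PE32: 4-byte ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # DllCharacteristics
    return {
        "pe32plus": pe32plus,
        "image_base": image_base,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "nx": bool(dll_chars & NX_COMPAT),
        "high_entropy": bool(dll_chars & HIGH_ENTROPY_VA),
        # Without DYNAMIC_BASE the loader maps the image at image_base on every
        # boot (barring a collision), so its gadget addresses are predictable.
        "rop_source": not (dll_chars & DYNAMIC_BASE),
    }


def build_min_pe32(dll_chars: int, image_base: int) -> bytes:
    """Construct the smallest PE32 header that pe_mitigations() needs (test data)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # PE header follows DOS stub
    # i386, 0 sections, 96-byte optional header, EXECUTABLE|32BIT|DLL
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x2102)
    opt = bytearray(96)                                       # PE32 header, no data dirs
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed stand-ins: a legacy CRT built without ASLR at a fixed base, beside
# a DLL built with /DYNAMICBASE /NXCOMPAT.
LEGACY_CRT = build_min_pe32(0x0000, 0x7C340000)
MODERN_DLL = build_min_pe32(DYNAMIC_BASE | NX_COMPAT, 0x10000000)


def report(label: str, data: bytes) -> str:
    m = pe_mitigations(data)
    return "%-12s base=0x%08x aslr=%s nx=%s -> %s" % (
        label, m["image_base"], m["aslr"], m["nx"],
        "usable as fixed-address ROP source" if m["rop_source"] else "randomized")


if __name__ == "__main__":
    for label, blob in (("legacy_crt", LEGACY_CRT), ("modern_dll", MODERN_DLL)):
        print(report(label, blob))
    for path in sys.argv[1:]:                                 # e.g. a copy of a loaded DLL
        with open(path, "rb") as fh:
            print(report(path, fh.read(4096)))
```

Run it against the DLLs loaded into the browser process you are triaging; any module that reports "usable as fixed-address ROP source" is a candidate for the same trick the module plays with msvcr71.dll, and on Vista and later the fix is to remove or update that module rather than to chase individual gadget addresses.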
No writeups or analysis indexed.
References
- http://ics-cert.us-cert.gov/advisories/ICSA-12-249-03
- http://secunia.com/advisories/42928
- http://secunia.com/advisories/43116
- http://secunia.com/secunia_research/2011-36/
- http://secunia.com/secunia_research/2011-37/
- http://www.advantechdirect.com/eMarketingPrograms/AStudio_Patch/AStudio7.0_Patch_Final.htm
- http://www.indusoft.com/hotfixes/hotfixes.php
- http://www.securityfocus.com/bid/47596
- http://www.us-cert.gov/control_systems/pdf/ICSA-12-137-02.pdf
- http://www.vupen.com/english/advisories/2011/1115
- http://www.vupen.com/english/advisories/2011/1116