CVE-2011-2089
Published 2011-05-13
Priority P3 · 57 · critical · CVSS 2.0 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: available · EPSS: 38.46% (98.4th percentile)
Stack-based buffer overflow in the SetActiveXGUID method in the VersionInfo ActiveX control in GenVersion.dll 8.0.138.0 in the WebHMI subsystem in ICONICS BizViz 9.x before 9.22 and GENESIS32 9.x before 9.22 allows remote attackers to execute arbitrary code via a long string in the argument. NOTE: some of these details are obtained from third party information.
Affected
14 ranges in the source record, all covering the two products below (version data taken from the description above):

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| iconics | bizviz | 9.x before 9.22 | 9.22 |
| iconics | genesis32 | 9.x before 9.22 | 9.22 |
Detection & IOCs (extracted from sources)
Detection hints:

- Detect ActiveX instantiation of ClassID {CEFF5F48-BD2E-4D10-BAE5-AF729975E223} (GenVersion.dll) in the browser, especially when followed by a call to SetActiveXGUID with an abnormally long string argument.
- Alert on HTML pages that instantiate the ICONICS WebHMI ActiveX CLSID and invoke SetActiveXGUID with a payload exceeding ~510 bytes, consistent with the known ROP offset.
- Detect heap-spray patterns in JavaScript: large repeated unescape('%u9090') NOP sleds combined with the shellcode unicode escape sequence characteristic of this PoC.
- Monitor for GenVersion.dll loaded in browser processes (iexplore.exe) on Windows XP SP3 with IE6/7/8, the known tested exploitation platform.
- The Metasploit module uses a ROP pivot at 0x770167b0 (PUSH ESP; POP EBP; RETN 8) for XP SP3 targets; detect ROP chain execution pivoting through this address in memory forensics or dynamic analysis.
- For Vista targets, the Metasploit module uses a heap-spray target address of 0x0c0c0c0c; detect this value as a return address in stack analysis.
- The exploit payload calls VirtualProtect (kernel32 at 0x7c801ad4 on XP SP3) as part of its ROP chain to mark shellcode memory executable; this sequence can be detected via API monitoring.

Notes and caveats:

- The ROP gadget addresses and VirtualProtect address are hardcoded for Windows XP SP3 with specific module versions (kernel32, user32, shell32, rpcrt4, ole32); they will not be valid on other OS versions or patch levels.
- The static writable address 0x0012f878 used for VirtualProtect's lpflOldProtect parameter is hardcoded and may cause ERROR_NOACCESS on systems where this address is not writable.
- The vulnerability affects ICONICS BizViz 9.x before 9.22 and GENESIS32 9.x before 9.22 only; version 9.22 and later are patched.
- Exploitation requires the victim to have the GenVersion.dll ActiveX control installed and to visit an attacker-controlled web page; it is a client-side, browser-based attack vector.
No detection rules found.
Exploit-DB: ICONICS WebHMI - ActiveX Buffer Overflow (Metasploit) (exploitdb · 2011-05-10)

Excerpt of the module header as indexed (truncated in the source; the class declaration lost its `< Msf::Exploit::Remote` portion and the `'Name' =>` key to HTML stripping):

```ruby
##
# $Id: iconics_webhmi_setactivexguid.rb 12584 2011-05-11 20:45:54Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 "ICONICS WebHMI ActiveX Buffer Overflow",
'Description' => %q{
This module exploits a vulnerability found in ICONICS WebHMI's ActiveX control.
By supplying a long string of data to the 'SetActiveXGUID' parameter, GenVersion.dll
fails to do any proper bounds checking before this input is copied onto the stack,
which causes a buffer overflow, and results arbitra
```
Exploit-DB: ICONICS WebHMI - ActiveX Stack Overflow (exploitdb · 2011-05-03)

ICONICS WebHMI ActiveX Stack Overflow (security-assessment.com advisory, as indexed; truncated in the source)
Vendor Link: http://www.iconics.com/
PDF: http://www.security-assessment.com/files/documents/advisory/ICONICS_WebHMI.pdf

Description
ICONICS Genesis32 is a suite of OPC, SNMP, BACnet and Web-enabled HMI and SCADA applications. A stack overflow was found in an ActiveX control required by the WebHMI interface. This condition can be used to gain command execution. The affected control is 'GenVersion.dll' and has the ClassID of {CEFF5F48-BD2
Metasploit: ICONICS WebHMI ActiveX Buffer Overflow

This module exploits a vulnerability found in ICONICS WebHMI's ActiveX control. By supplying a long string of data to the 'SetActiveXGUID' parameter, GenVersion.dll fails to do any proper bounds checking before this input is copied onto the stack, which causes a buffer overflow and results in arbitrary code execution under the context of the user.
No writeups or analysis indexed.
References

- http://secunia.com/advisories/44417
- http://www.exploit-db.com/exploits/17240
- http://www.exploit-db.com/exploits/17269
- http://www.osvdb.org/72135
- http://www.security-assessment.com/files/documents/advisory/ICONICS_WebHMI.pdf
- http://www.securityfocus.com/bid/47704
- http://www.us-cert.gov/control_systems/pdf/ICSA-11-131-01.pdf
- http://www.vupen.com/english/advisories/2011/1174
- https://exchange.xforce.ibmcloud.com/vulnerabilities/67267