CVE-2011-2140
Published: 2011-08-10


Priority: P2 (score 76)
CVSS 2.0: 10.0 critical (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploitation: exploited in the wild (ITW); public exploit available; listed in VulnCheck KEV
EPSS: 82.26% (99.6th percentile)
Adobe Flash Player before 10.3.183.5 on Windows, Mac OS X, Linux, and Solaris and before 10.3.186.3 on Android, and Adobe AIR before 2.7.1 on Windows and Mac OS X and before 2.7.1.1961 on Android, allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-2135, CVE-2011-2417, and CVE-2011-2425.

Affected

102 ranges on the source page, 25 shown. Only the rows for which a version range was captured are listed; the other 22 shown rows (adobe_air and flash_player) carried no version data.

Vendor   Product        Version range     Fixed in
adobe    adobe_air      <= 2.7            (not captured)
adobe    flash_player   <= 10.3.181.36    (not captured)
adobe    flash_player   <= 10.3.185.25    (not captured)

Per the description above, the fixed releases are Flash Player 10.3.183.5 (Windows, Mac OS X, Linux, Solaris) and 10.3.186.3 (Android), and AIR 2.7.1 (Windows, Mac OS X) and 2.7.1.1961 (Android).

Detection & IOCs (extracted from sources)

filename: Flash10u.ocx
url: http://www.jeroenwijering.com/embed/mediaplayer.swf
  • The exploit delivers a crafted MP4 file over HTTP with Content-Type 'video/mp4'. The MP4 triggers a stack buffer overflow in Flash10u.ocx through a malformed SequenceParameterSet NAL unit: with pic_order_cnt_type == 1, the num_ref_frames_in_pic_order_cnt_cycle field controls how many offset_for_ref_frame entries are copied into a fixed-size stack buffer, and the copy is not bounded.
  • The exploit HTML page embeds a SWF media player (e.g. the Longtail/JW Player SWF) pointing at an attacker-controlled MP4 URI; monitor for browser requests to .mp4 resources served from unusual hosts immediately after a SWF player embed is loaded.
  • A heap spray landing on 0x0c0c0c0c as the nop-sled/shellcode address is characteristic of this exploit; at crash time both EIP and ECX point to 0x0c0c0c0c.
  • The Metasploit module uses the SEH exit technique (EXITFUNC) and automatically migrates the payload out of the browser process; look for process migration activity (the Meterpreter 'migrate -f' script) following Flash Player crashes.
  • The exploit targets IE 6 on Windows XP SP3 and IE 7 on Windows XP SP3 and Vista; User-Agent strings with MSIE 6.0 or MSIE 7.0 on Windows NT 5.1 (XP), or MSIE 7.0 on Windows NT 6.0 (Vista), are the ones selected for delivery.
  • The vulnerability is confirmed exploited in the wild; treat any Flash Player crash in Flash10u.ocx during MP4 parsing as a high-priority incident.
  • The Metasploit module requires an externally supplied SWF media player (e.g. the Longtail SWF Player) to trigger the bug; the SWF is not bundled with the module, so the attacker must configure the SWF_PLAYER_URI option.
  • The payload is prefixed with a stack adjustment of -3500 bytes (Metasploit's StackAdjustment prologue, which subtracts from ESP before the stager runs, not a true stack pivot); the fixed value is a usable behavioural fingerprint.
  • JavaScript obfuscation is optional (OBFUSCATE flag); detections based solely on static JS signatures may miss obfuscated variants of the exploit HTML page.
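The parsing flaw described in the first bullet above can be checked for at the container level rather than by waiting for a crash in Flash10u.ocx. The following is an added example, not Adobe's code and not the Metasploit module: a bounded Exp-Golomb reader that walks an SPS as far as the picture-order-count fields and returns SPS_MALFORMED when num_ref_frames_in_pic_order_cnt_cycle exceeds the 255 entries H.264 allows, which is exactly the count the vulnerable copy loop never checked. The sample SPS payloads are constructed inline with a small bit writer (they are not bytes from the real exploit file), and the parser only accepts the Baseline/Main/Extended profile_idc values 66/77/88, since High profiles insert extra fields that this example does not parse.

```c
/* Added example (not Adobe's code nor the Metasploit module): a bounded H.264 SPS
 * parser that flags pic_order_cnt_type == 1 with num_ref_frames_in_pic_order_cnt_cycle
 * above the spec limit of 255. Sample SPS payloads are constructed inline, not captured. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_CYCLE 255 /* spec range of num_ref_frames_in_pic_order_cnt_cycle: 0..255 */
enum { SPS_OK = 0, SPS_TRUNCATED = -1, SPS_UNSUPPORTED = -2, SPS_MALFORMED = -3 };

typedef struct { const uint8_t *p; size_t len, bit; int err; } reader_t; /* err is sticky */

static unsigned read_bit(reader_t *r) {
    if (r->bit >= r->len * 8) { r->err = 1; return 0; }
    size_t i = r->bit++;
    return (r->p[i >> 3] >> (7 - (i & 7))) & 1u;
}
static unsigned long read_bits(reader_t *r, int n) {
    unsigned long v = 0;
    while (n-- > 0) v = (v << 1) | read_bit(r);
    return v;
}
static unsigned long read_ue(reader_t *r) {  /* unsigned Exp-Golomb ue(v) */
    int zeros = 0;
    while (!r->err && read_bit(r) == 0)
        if (++zeros > 31) { r->err = 1; return 0; }
    return ((1UL << zeros) - 1) + read_bits(r, zeros);
}
static long read_se(reader_t *r) {           /* signed Exp-Golomb se(v) */
    unsigned long k = read_ue(r);
    return (k & 1) ? (long)((k + 1) / 2) : -(long)(k / 2);
}

typedef struct { unsigned profile_idc, poc_type; unsigned long cycle_len; } sps_info_t;

/* Parse an SPS RBSP (the bytes after the NAL header) as far as the POC fields. */
static int check_sps(const uint8_t *sps, size_t len, sps_info_t *info) {
    reader_t r = { sps, len, 0, 0 };
    memset(info, 0, sizeof *info);
    info->profile_idc = (unsigned)read_bits(&r, 8);
    read_bits(&r, 16);                        /* constraint_set flags, level_idc */
    read_ue(&r);                              /* seq_parameter_set_id */
    if (info->profile_idc != 66 && info->profile_idc != 77 && info->profile_idc != 88)
        return SPS_UNSUPPORTED;               /* High profiles add chroma/bit-depth fields here */
    read_ue(&r);                              /* log2_max_frame_num_minus4 */
    info->poc_type = (unsigned)read_ue(&r);
    if (r.err) return SPS_TRUNCATED;
    if (info->poc_type == 0) {
        read_ue(&r);                          /* log2_max_pic_order_cnt_lsb_minus4 */
    } else if (info->poc_type == 1) {
        read_bit(&r); read_se(&r); read_se(&r); /* always_zero flag, two offsets */
        info->cycle_len = read_ue(&r);
        if (r.err) return SPS_TRUNCATED;
        /* Vulnerable pattern: copy cycle_len entries into a fixed stack array with no
         * check. Hardened: enforce the spec bound before the array is touched. */
        if (info->cycle_len > MAX_CYCLE) return SPS_MALFORMED;
        long offset_for_ref_frame[MAX_CYCLE];
        for (unsigned long i = 0; i < info->cycle_len; i++)
            offset_for_ref_frame[i] = read_se(&r);
        (void)offset_for_ref_frame;
    } else if (info->poc_type > 2) return SPS_MALFORMED; /* pic_order_cnt_type is 0..2 */
    return r.err ? SPS_TRUNCATED : SPS_OK;
}

/* Bit writer, used only to build the constructed samples. */
typedef struct { uint8_t buf[128]; size_t bit; } writer_t;
static void put_bits(writer_t *w, unsigned long v, int n) {
    while (n-- > 0 && (w->bit >> 3) < sizeof w->buf) {
        if ((v >> n) & 1) w->buf[w->bit >> 3] |= (uint8_t)(0x80 >> (w->bit & 7));
        w->bit++;
    }
}
static void put_ue(writer_t *w, unsigned long v) {
    int len = 0;
    while ((v + 1) >> (len + 1)) len++;       /* leading zeros = floor(log2(v + 1)) */
    put_bits(w, 0, len);
    put_bits(w, v + 1, len + 1);
}
static void put_se(writer_t *w, long v) {
    put_ue(w, v > 0 ? (unsigned long)(2 * v - 1) : (unsigned long)(-2 * v));
}

/* Baseline-profile SPS with the given pic_order_cnt_type and cycle length. For type 1 at
 * most four offset entries follow the count, like a crafted file that claims more than it carries. */
static size_t build_sps(uint8_t *out, unsigned poc_type, unsigned long cycle_len) {
    writer_t w; memset(&w, 0, sizeof w);
    put_bits(&w, 66, 8); put_bits(&w, 0, 8); put_bits(&w, 30, 8); /* profile, flags, level */
    put_ue(&w, 0); put_ue(&w, 0);             /* sps_id, log2_max_frame_num_minus4 */
    put_ue(&w, poc_type);
    if (poc_type == 0) put_ue(&w, 0);
    else if (poc_type == 1) {
        put_bits(&w, 0, 1); put_se(&w, 0); put_se(&w, 0);
        put_ue(&w, cycle_len);
        for (unsigned long i = 0; i < cycle_len && i < 4; i++) put_se(&w, -1);
    }
    size_t n = (w.bit + 7) / 8; memcpy(out, w.buf, n); return n;
}

/* Build a sample, optionally cut it to max_len bytes, and return the verdict. */
int verdict(unsigned poc_type, unsigned long cycle_len, size_t max_len, sps_info_t *info) {
    uint8_t buf[128]; sps_info_t tmp;
    size_t n = build_sps(buf, poc_type, cycle_len);
    if (max_len && max_len < n) n = max_len;
    return check_sps(buf, n, info ? info : &tmp);
}
```

To apply this to a real MP4, pull the SPS entries out of the avcC box in the track's sample entry and pass each one (minus its one-byte NAL header) to check_sps. An SPS_MALFORMED result on an MP4 fetched right after a SWF player embed is the condition the bullets above describe; an SPS_TRUNCATED result at the 255 limit means the file claims entries it does not carry, which is also worth a look but is not the overflow itself.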

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck                 10.0    CRITICAL
vendor_redhat             10.0    CRITICAL