CVE-2011-2217
Published: 2011-06-06
Priority: P2 · 59 · critical · 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 41.96% (98.5th percentile)
Certain ActiveX controls in (1) tsgetxu71ex552.dll and (2) tsgetx71ex552.dll in Tom Sawyer GET Extension Factory 5.5.2.237, as used in VI Client (aka VMware Infrastructure Client) 2.0.2 before Build 230598 and 2.5 before Build 204931 in VMware Infrastructure 3, do not properly handle attempted initialization within Internet Explorer, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted HTML document.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tomsawyer | get_extension_factory | — | — |
| vmware | infrastructure | — | — |
| vmware | virtual_infrastructure_client | — | — |
| vmware | virtual_infrastructure_client | — | — |
| vmware | vmware_esxi | — | — |
| vmware | vmware_fusion | — | — |
| vmware | vmware_tools | — | — |
| vmware | vmware_workstation | — | — |
| vmware | vsphere | — | — |
Detection & IOCs (extracted from sources)
- Detect instantiation of the vulnerable ActiveX control by its CLSID {658ED6E7-0DA1-4ADD-B2FB-095F08091118} in HTML documents or registry entries.
- Flag tsgetx71ex553.dll, tsgetx71ex552.dll, or tsgetxu71ex552.dll loaded within Internet Explorer processes as a high-risk indicator of an exploitation attempt.
- The exploit targets IE 6–8 on Windows XP SP3 and IE 8 on Windows 7 SP1; alert on suspicious ActiveX instantiation from these browser/OS combinations.
- The exploit uses msvcr71.dll ROP gadgets for DEP/ASLR bypass; detect ROP chains referencing msvcr71.dll addresses (e.g., 0x7c347f98, 0x7c37653d) in heap-sprayed memory regions.
- Monitor for heap sprays targeting address 0x342d1ea0 (the ecx value at the crash), which is the sprayed heap address the exploit relies on.
- The exploit delivers a crafted HTML page, optionally with JavaScript obfuscation; inspect text/html responses containing the CLSID of the Tom Sawyer ActiveX control.
- Post-exploitation, the module runs 'migrate -f' as an auto-run script; treat iexplore.exe spawning unexpected child processes as a sign of successful exploitation.
- The Metasploit module was tested against tsgetx71ex553.dll version 5.5.3.238 (Embarcadero ER/Studio XE2), not the originally reported 5.5.2.237 (VMware Infrastructure Client); ROP gadget offsets may differ across versions.
- ROP chain gadget addresses are hardcoded for msvcr71.dll as shipped with the Embarcadero software; they are not valid against other versions or patched copies of msvcr71.dll.
- Payload space is limited to 1024 bytes, with null bytes as bad characters; larger or null-containing payloads will fail.
VMware
VMSA-2011-0009: VMware hosted product updates, ESX patches and VI Client update resolve multiple security issues
vendor_vmware · 2011-06-02 · CVSS 7.8 · also covers CVE-2009-3080 [HIGH]

a. VMware vmkernel third party e1000(e) Driver Packet Filter Bypass

There is an issue in the e1000(e) Linux driver for Intel PRO/1000 adapters that allows a remote attacker to bypass packet filters. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-4536 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

| VMware Product | Product Version | Running on | Replace with/Apply Patch |
|---|---|---|---|
| vCenter | any | Windows | |
GHSA
GHSA-pmh8-qf2w-qvjq: Certain ActiveX controls in (1) tsgetxu71ex552
ghsa_unreviewed · 2022-05-17 · CVE-2011-2217 [HIGH] · CWE-119
The advisory text is identical to the description at the top of this record.
No detection rules found.
Exploit-DB
Tom Sawyer Software GET Extension Factory - Remote Code Execution (Metasploit)
exploitdb · 2012-06-10 · CVE-2011-2217

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# The class declaration, Rank and include lines were lost to HTML extraction
# (everything between the '<' and the first '=>' was stripped); they are
# restored here from the standard Metasploit browser-exploit module layout.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Remote::BrowserAutopwn

  # Browser Autopwn fingerprint: the vulnerable control's CLSID and the IE
  # versions the module targets.
  autopwn_info({
    :os_name    => OperatingSystems::WINDOWS,
    :ua_name    => HttpClients::IE,
    :ua_minver  => "6.0",
    :ua_maxver  => "8.0",
    :javascript => true,
    :rank       => NormalRanking,
    :classid    => "{658ED6E7-0DA1-4ADD-B2FB-095F08091118}"
  })

  def initialize(info={})
    super(update_info(info,
      'Name'        => "Tom Sawyer Software GET Extension Factory Remote Code Execution",
      'Description' => %q{
        This module exploits a remote code execution vulnerability in the tsgetx71ex553.dll
        ActiveX control installed with Tom Sawyer GET Extension Factory due to an incorrect
        initialization under Internet Explorer. While the Tom Sawyer GET Extension Factory is
        installed with some versions of VMware Infrastructure Client, this module has been tested
        only with the versions installed with Embarcadero Technologies ER/Studio XE2 / Embarcadero
        Studio Portal 1.6. The ActiveX control tested is tsgetx71ex553.dll, version 5.5.3.238.
        This module achieves DEP and ASLR bypass using the well known msvcr71.dll rop chain.
        The dll is installed by default with the Embarcadero software, and loaded by the
        targeted ActiveX.
      }
      # The remaining module metadata and the exploit body are not reproduced on this page.
    ))
  end
end
```

Metasploit
Tom Sawyer Software GET Extension Factory Remote Code Execution
This module exploits a remote code execution vulnerability in the tsgetx71ex553.dll ActiveX control installed with Tom Sawyer GET Extension Factory due to an incorrect initialization under Internet Explorer. While the Tom Sawyer GET Extension Factory is installed with some versions of VMware Infrastructure Client, this module has been tested only with the versions installed with Embarcadero Technologies ER/Studio XE2 / Embarcadero Studio Portal 1.6. The ActiveX control tested is tsgetx71ex553.dll, version 5.5.3.238. This module achieves DEP and ASLR bypass using the well-known msvcr71.dll ROP chain. The DLL is installed by default with the Embarcadero software and is loaded by the targeted ActiveX control.
No writeups or analysis indexed.
References
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=911
- http://secunia.com/advisories/44826
- http://secunia.com/advisories/44844
- http://securitytracker.com/id?1025602
- http://www.securityfocus.com/bid/48099
- http://www.vmware.com/security/advisories/VMSA-2011-0009.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/67816