CVE-2011-2386
published 2011-06-08


Priority: P2 60 · Severity: critical · CVSS 2.0 base score: 9.3 (vector AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 45.22% (98.6th percentile)
VisiWaveReport.exe in AZO Technologies, Inc. VisiWave Site Survey before 2.1.9 allows user-assisted remote attackers to execute arbitrary code via a (1) vws and (2) vwr file with an invalid Type property, which triggers an untrusted pointer dereference.

Affected (3 ranges)

Vendor     Product       Version range   Fixed in
visiwave   site_survey   <= 2.1          (not listed)
visiwave   site_survey   (not listed)    (not listed)
visiwave   site_survey   (not listed)    (not listed)

Detection & IOCs (extracted from sources)

filename: VisiWaveReport.exe
filename: msf.vwr
  • Malicious .VWR files contain an invalid 'Type' property value (not one of: Properties, TitlePage, Details, Graph, Table, Text, Image). Inspect the Type field in VWR/VWS files for unexpected or binary content.
  • The exploit uses ROP gadgets sourced from libcurl.dll and VisiWaveReport.exe (non-ASLR modules) to bypass DEP/ASLR. Monitor for VisiWaveReport.exe spawning unexpected child processes or calling VirtualProtect with RWX (0x40) permissions.
  • The application registers .VWS and .VWR file associations at install time. Monitor double-click execution of .VWR/.VWS files from untrusted sources triggering VisiWaveReport.exe.
  • The exploit payload offset to ROP gadgets is 3981 bytes from the start of the Type field value. Large Type field values (>3981 bytes) in VWR files are a strong anomaly indicator.
  • The exploit targets only Windows XP SP3 and Windows 7 SP0 with specific non-ASLR module addresses. ROP gadget addresses are hardcoded and will not work on patched or different OS versions.
  • The payload has bad character restrictions; null bytes, newlines (0x0a), and carriage returns (0x0d) cannot appear in the shellcode.
  • The vulnerability is fixed in VisiWave Site Survey version 2.1.9 and later. The patch XORs the return value to null when no Type match is found and validates it before use.