CVE-2011-2386
Published 2011-06-08
Priority: P2 (60) · Severity: critical · CVSS 2.0 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: publicly available
EPSS: 45.22% (98.6th percentile)
VisiWaveReport.exe in AZO Technologies, Inc. VisiWave Site Survey before 2.1.9 allows user-assisted remote attackers to execute arbitrary code via a (1) vws and (2) vwr file with an invalid Type property, which triggers an untrusted pointer dereference.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| visiwave | site_survey | < 2.1.9 (indexed as <= 2.1) | 2.1.9 |

Two further indexed ranges carry no version data and are not shown.
Detection & IOCs (extracted from sources)
- Malicious .VWR files contain an invalid 'Type' property value, i.e. not one of Properties, TitlePage, Details, Graph, Table, Text or Image. Inspect the Type field in VWR/VWS files for unexpected or binary content.
- The public exploit uses ROP gadgets sourced from libcurl.dll and VisiWaveReport.exe (non-ASLR modules) to bypass DEP/ASLR. Monitor for VisiWaveReport.exe spawning unexpected child processes or calling VirtualProtect with PAGE_EXECUTE_READWRITE (0x40).
- The application registers the .VWS and .VWR file associations at install time. Monitor double-click execution of .VWR/.VWS files from untrusted sources that launches VisiWaveReport.exe.
- In the public exploit the ROP chain sits 3981 bytes into the Type field value, so Type values of several kilobytes are a strong anomaly indicator; in practice any value longer than the longest valid keyword ("Properties", 10 bytes) is already invalid.
- The exploit targets only Windows XP SP3 and Windows 7 SP0, with ROP gadget addresses hardcoded for those non-ASLR module builds; it will not work unchanged on other OS versions or patched module builds.
- The payload has bad-character restrictions: null bytes (0x00), line feeds (0x0a) and carriage returns (0x0d) cannot appear in the shellcode.
- The vulnerability is fixed in VisiWave Site Survey 2.1.9 and later. The patch XORs the return value to null when no Type match is found and validates it before use.
No detection rules found.
Exploit-DB
VisiWave - '.VWR' File Parsing Trusted Pointer (Metasploit) · EDB-ID 17317 · 2011-05-23

```ruby
##
# $Id: visiwave_vwr_type.rb 12716 2011-05-25 13:57:12Z swtornio $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'VisiWave VWR File Parsing Vulnerability',
      'Description' => %q{
        This module exploits a vulnerability found in VisiWave's Site Survey Report application.
        When processing .VWR files, VisiWaveReport.exe attempts to match a valid pointer based on the 'Type'
        property (valid ones include 'Properties', 'TitlePage', 'Details', 'Graph', 'Table', 'Text',
        'Image'), but if a
```
Metasploit
VisiWave VWR File Parsing Vulnerability
This module exploits a vulnerability found in VisiWave's Site Survey Report application. When processing .VWR files, VisiWaveReport.exe attempts to match a valid pointer based on the 'Type' property (valid ones include 'Properties', 'TitlePage', 'Details', 'Graph', 'Table', 'Text', 'Image'), but if a match isn't found, the function that's supposed to handle this routine ends up returning the input as a pointer, which is later used in a CALL DWORD PTR [EDX+10] instruction. This allows attackers to overwrite it with any arbitrary value, and results in code execution. A patch is available at visiwave.com; the fix is done by XORing the return value to null if no match is found, and then it is validated before use. NOTE: During installation, the application will
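The following is an added example written for this page; it is not VisiWave's code and not the Metasploit module. It models the bug class that the IOC list and the module description above describe: a lookup that should map the VWR 'Type' keyword to a handler object but, on no match, hands back the attacker-controlled input where a pointer is expected, so the caller's indirect call (the advisory's CALL DWORD PTR [EDX+10]) dispatches through attacker bytes. The hardened variant mirrors the described 2.1.9 fix (null on no match, checked before use), and `classify_type_value` is a triage helper for the Type-field IOCs. The struct layout, the function names and the classification codes are assumptions made for illustration, not VisiWave internals; the sample Type value is constructed filler.

```c
/* Added example for CVE-2011-2386, not VisiWave's code or the Metasploit
 * module. Struct layout, names and the classify helper are assumptions. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef void (*vwr_fn)(void);

/* Hypothetical handler object. 'name' is 16 bytes so that 'render' sits at
 * offset 0x10 on both 32- and 64-bit builds, mirroring the +0x10 slot the
 * advisory says the vulnerable code calls through. */
typedef struct vwr_handler {
    char   name[0x10];
    vwr_fn render;
} vwr_handler;

static void noop(void) { }

/* The seven Type keywords the parser accepts, per the advisory. */
static const vwr_handler HANDLERS[] = {
    { "Properties", noop }, { "TitlePage", noop }, { "Details", noop },
    { "Graph", noop },      { "Table", noop },     { "Text", noop },
    { "Image", noop },
};
#define NHANDLERS (sizeof HANDLERS / sizeof HANDLERS[0])
#define MAX_TYPE_LEN 10   /* strlen("Properties"), the longest valid keyword */

/* Pre-2.1.9 behaviour as described: on no match, fall through and return the
 * input buffer itself where a vwr_handler* is expected. That return is the bug. */
const vwr_handler *lookup_type_vulnerable(const char *type_value) {
    for (size_t i = 0; i < NHANDLERS; i++)
        if (strcmp(type_value, HANDLERS[i].name) == 0) return &HANDLERS[i];
    return (const vwr_handler *)type_value;   /* untrusted pointer */
}

/* 2.1.9 behaviour as described: no match yields a null pointer that the
 * caller must check before dereferencing. */
const vwr_handler *lookup_type_fixed(const char *type_value) {
    for (size_t i = 0; i < NHANDLERS; i++)
        if (strcmp(type_value, HANDLERS[i].name) == 0) return &HANDLERS[i];
    return NULL;
}

/* What the indirect call would target: the pointer-sized value at +0x10 of
 * whatever 'h' points to. Read with memcpy instead of calling it, so the
 * attacker-controlled case is observable rather than a crash. Returns 0 for
 * a null handler, i.e. the fixed path's rejection. */
uintptr_t peek_call_target(const vwr_handler *h) {
    uintptr_t target = 0;
    if (h == NULL) return 0;
    memcpy(&target, (const char *)h + offsetof(vwr_handler, render), sizeof target);
    return target;
}

/* Triage helper for the IOCs: classify an extracted Type value.
 *   0 = one of the seven valid keywords
 *   1 = unknown keyword of plausible length
 *   2 = longer than any valid keyword (the exploit's multi-kilobyte values
 *       are an extreme case; anything past 10 bytes is already wrong)
 *   3 = contains non-printable bytes, i.e. binary/shellcode-like content */
int classify_type_value(const char *type_value, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (!isprint((unsigned char)type_value[i])) return 3;
    if (len > MAX_TYPE_LEN) return 2;
    for (size_t i = 0; i < NHANDLERS; i++)
        if (len == strlen(HANDLERS[i].name) &&
            memcmp(type_value, HANDLERS[i].name, len) == 0) return 0;
    return 1;
}

int main(void) {
    /* Constructed sample: a Type value of 'A' filler standing in for the
     * attacker-controlled content the advisory describes. */
    char bad[64];
    memset(bad, 'A', sizeof bad - 1);
    bad[sizeof bad - 1] = '\0';

    printf("fixed lookup of \"Graph\": %s\n",
           lookup_type_fixed("Graph") ? "handler found" : "rejected");
    printf("fixed lookup of filler:  %s\n",
           lookup_type_fixed(bad) ? "handler found" : "rejected (NULL)");
    printf("vulnerable lookup of filler would call 0x%llx\n",
           (unsigned long long)peek_call_target(lookup_type_vulnerable(bad)));
    printf("classify(\"Graph\")=%d classify(filler)=%d\n",
           classify_type_value("Graph", 5), classify_type_value(bad, sizeof bad - 1));
    return 0;
}
```

The vulnerable path is kept deliberately: `lookup_type_vulnerable` returns the caller's own buffer, and `peek_call_target` shows that the "function pointer" the caller would dispatch through is simply bytes 0x10..0x17 of that buffer (0x4141... for the filler), which is the untrusted pointer dereference in the CVE description. The hardened path returns null and the caller has to check it, matching the described fix.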
No writeups or analysis indexed.
References
- http://osvdb.org/72464
- http://secunia.com/advisories/44636
- http://www.exploit-db.com/exploits/17317
- http://www.securityfocus.com/bid/47948
- http://www.stratsec.net/Research/Advisories/VisiWave-Site-Survey-Report-Trusted-Pointer-%28SS-20
- http://www.visiwave.com/blog/index.php?/archives/4-Version-2.1.9-Released.html