CVE-2011-2595
Published 2011-09-14
Priority P2 (62) · Severity: critical · CVSS 2.0 base score: 10.0
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public
EPSS: 61.28% (99.0th percentile)
Multiple stack-based buffer overflows in ACDSee FotoSlate 4.0 Build 146 allow remote attackers to execute arbitrary code via a long id parameter in a (1) String or (2) Int tag in a FotoSlate Project (aka PLP) file.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| acdsee | fotoslate | 4.0 Build 146 (the only version named in the description) | — |
Detection & IOCs (extracted from sources)
- Malicious PLP files exploit a long `id` parameter inside a `String` or `Int` XML tag; look for PLP files with an `id` attribute value exceeding 1812 bytes.
- The exploit is a SEH-based overflow that uses a pop/pop/ret sequence at 0x263a5b57 in ipwssl6.dll. FotoSlate loading ipwssl6.dll is normal behaviour (the module depends on that DLL being present); the indicator is an exception-handler record inside the oversized `id` value pointing at that address, i.e. the little-endian bytes 57 5b 3a 26 embedded in the attribute.
- The module builds a 5000-byte buffer with the overflow at offset 1812; PLP files whose `id` values are of this length and that target FotoSlate 4.0 Build 146 are suspicious.
- Bad characters for the payload are the null byte and the double quote; shellcode in a malicious PLP file will not contain \x00 or \x22 (a double quote would terminate the attribute value).
- After the SEH overwrite, approximately 9155 bytes of payload space are available; a large opaque buffer following the SEH record in a PLP file is indicative of exploitation.
- The exploit targets only ACDSee FotoSlate 4.0 Build 146; the pop/pop/ret address (0x263a5b57 in ipwssl6.dll) and the 1812-byte offset are specific to this build and will not work against other versions.
- The Metasploit module sets EXITFUNC to 'process' and disables the payload handler by default; deployed payloads will not call back to a handler unless the module is reconfigured.
- The exploit has been tested on Windows XP SP3, Windows Vista, and Windows 7 only; reliability on other platforms is unknown.
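One way to triage PLP files against the indicators above, as an added example written for this page (not code from ACDSee or from the Metasploit module): a Ruby scanner that pulls the `id` attribute out of every `String`/`Int` tag with a byte-level regex, compares its length against the 1812-byte offset, and checks for the little-endian form of 0x263a5b57 at the handler position. It works on raw bytes rather than through an XML parser because the payload may contain bytes such as `<` or `&` that a strict parser rejects, while `"` is a bad character and therefore reliably terminates the attribute value. Three things are assumptions: the SEH handler sitting at offset 1816 (a 4-byte next-SEH field directly after the 1812 bytes of padding, which is how the module's numbers read), the `FotoSlateProject` wrapper element (a stand-in for the real PLP schema), and the sample files, which are constructed inline with NOP filler in place of shellcode.

```ruby
# Added example for this page: a scanner for PLP files that match the
# CVE-2011-2595 exploit layout. Not code from ACDSee or the Metasploit module.
# The constants come from the module as quoted on the page; the assumption
# that the SEH handler sits at offset 1812 + 4 (after a 4-byte next-SEH
# field) is ours, as is the FotoSlateProject wrapper element below.

OVERFLOW_OFFSET = 1812                       # bytes of padding before the SEH record
SEH_OFFSET      = OVERFLOW_OFFSET + 4        # assumed: handler follows a 4-byte nSEH field
SEH_ADDR        = 0x263a5b57                 # pop/pop/ret in ipwssl6.dll, FotoSlate 4.0 Build 146
SEH_ADDR_LE     = [SEH_ADDR].pack('V')       # how the address is laid out on disk
BAD_CHARS       = "\x00\x22".b               # bytes the module cannot place in the payload

# Byte-level extraction of id attributes from String/Int tags. A strict XML
# parser may choke on payload bytes such as '<' or '&', but '"' is a bad
# character, so the first '"' after id=" reliably ends the attribute value.
ID_ATTR = /<(String|Int)\b[^>]*?\bid="([^"]*)"/n

# Returns one hash per String/Int element whose id exceeds the overflow offset.
def scan_plp(data)
  findings = []
  data.b.scan(ID_ATTR) do |tag, id|
    next if id.bytesize <= OVERFLOW_OFFSET
    seh     = id.byteslice(SEH_OFFSET, 4)
    payload = id.byteslice(SEH_OFFSET + 4, id.bytesize) || "".b
    findings << {
      tag: tag,
      id_len: id.bytesize,
      seh_matches_known_gadget: seh == SEH_ADDR_LE,
      payload_len: payload.bytesize,
      contains_bad_chars: id.bytes.any? { |b| BAD_CHARS.bytes.include?(b) },
    }
  end
  findings
end

# Rolls the per-element findings up into one verdict for the file.
def classify_plp(data)
  findings = scan_plp(data)
  return :clean if findings.empty?
  return :known_exploit_layout if findings.any? { |f| f[:seh_matches_known_gadget] }
  :oversized_id
end

# Constructed sample PLP; the wrapper element name is a stand-in, not the
# real FotoSlate schema. Built as a binary string so payload bytes survive.
def build_plp(tag, id_value)
  plp = "<?xml version=\"1.0\"?>\n<FotoSlateProject>\n  <".b
  plp << tag.b << " id=\"".b << id_value.b << "\"/>\n</FotoSlateProject>\n".b
end

if __FILE__ == $0
  benign = build_plp("String", "Page 1")
  # Exploit-shaped id: padding, 4-byte nSEH filler, handler address, then NOP
  # filler standing in for shellcode (constructed; not a working payload).
  shaped = build_plp("String", ("A" * OVERFLOW_OFFSET).b + ("\x90" * 4).b + SEH_ADDR_LE + ("\x90" * 200).b)
  # Oversized id with an unrelated handler value: still suspicious, not this exploit.
  other  = build_plp("Int", ("B" * OVERFLOW_OFFSET).b + ("\x90" * 4).b + [0x41414141].pack('V'))
  puts "benign: #{classify_plp(benign)}"
  puts "shaped: #{classify_plp(shaped)} #{scan_plp(shaped).inspect}"
  puts "other:  #{classify_plp(other)}"
end
```

Run it against a directory of `.plp` files with `File.binread`; `:oversized_id` alone is worth a look (any handler value past the offset means the file is not a normal project), while `:known_exploit_layout` is the Build 146 module's signature. The `contains_bad_chars` field is a plausibility check: an oversized `id` that carries \x00 or \x22 is malformed, but it is not this exploit's output.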
No detection rules found.
Exploit-DB
ACDSee FotoSlate - '.PLP' File 'id' Local Overflow (Metasploit) (exploitdb, 2011-10-10)
---
```ruby
##
# $Id: acdsee_fotoslate_string.rb 13853 2011-10-10 16:47:33Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ACDSee FotoSlate PLP File id Parameter Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in ACDSee FotoSlate 4.0 Build 146 via
        a specially crafted id parameter in a String element. When viewing a malicious
        PLP file with the ACDSee FotoSlate product, a remote attacker could overflow a
        buffer and execute arbitrary code. This exploit has been tested on systems such
        as Windows XP SP3, Windows Vista, and Windows 7.
      },
```
Metasploit
ACDSee FotoSlate PLP File id Parameter Overflow
This module exploits a buffer overflow in ACDSee FotoSlate 4.0 Build 146 via a specially crafted id parameter in a String element. When viewing a malicious PLP file with the ACDSee FotoSlate product, a remote attacker could overflow a buffer and execute arbitrary code. This exploit has been tested on systems such as Windows XP SP3, Windows Vista, and Windows 7.
No writeups or analysis indexed.
References
- http://osvdb.org/75425
- http://secunia.com/advisories/44722
- http://www.securityfocus.com/bid/49558
- https://exchange.xforce.ibmcloud.com/vulnerabilities/69723