CVE-2011-2882
published 2011-07-21


Priority: P2 69, critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 56.37% (98.9th percentile)
Stack-based buffer overflow in the NSEPA.NsepaCtrl.1 ActiveX control in nsepa.ocx in Citrix Access Gateway Enterprise Edition 8.1 before 8.1-67.7, 9.0 before 9.0-70.5, and 9.1 before 9.1-96.4 allows remote attackers to execute arbitrary code via crafted HTTP header data.

Affected (3 ranges)

Vendor   Product         Version range          Fixed in
citrix   access_gateway  8.1 before 8.1-67.7    8.1-67.7
citrix   access_gateway  9.0 before 9.0-70.5    9.0-70.5
citrix   access_gateway  9.1 before 9.1-96.4    9.1-96.4

Detection & IOCs (extracted from sources)

filename: nsepa.ocx
path: data/exploits/CVE-2011-2882/nsepa.ocx
url: /epaq
other: NSEPA.NsepaCtrl.1
ua: nsepa
cookie: eepa_0_
  • Detect exploit delivery via HTTP response serving nsepa.ocx with Content-Type application/binary from a non-Citrix host, or requests to /epaq URI path with User-Agent 'nsepa'
  • Monitor for heap spray patterns targeting address 0x0c0c0c0c (IE6/XP) or 0x0c0c0b0b (IE7/XP/Vista) in browser memory, indicative of exploitation of this ActiveX overflow
  • Exploitation requires user interaction — victim must click a button in a dialog to begin a scan; social engineering lure combined with NSEPA.NsepaCtrl.1 ActiveX instantiation on a web page is a strong indicator
  • The exploit uses 'migrate -f' as InitialAutoRunScript, so post-exploitation process migration should be expected immediately after code execution; monitor for unusual process spawning from browser processes
  • Crafted HTTP header data triggers the overflow in nsepa.ocx; inspect HTTP headers in requests/responses involving the NSEPA ActiveX control for anomalous length or content
  • Exploitation requires user interaction — the victim must actively click a button in a dialog; drive-by silent exploitation without user action is not possible with this vulnerability
  • Metasploit module payload space is limited to 500 bytes; payloads larger than this will not function correctly in exploit attempts