CVE-2011-3142
published 2011-08-16

Priority P262 | critical | 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 38.80% (98.4th percentile)
Stack-based buffer overflow in an ActiveX control in KVWebSvr.dll in WellinTech KingView 6.52 and 6.53 allows remote attackers to execute arbitrary code via a long second argument to the ValidateUser method.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
wellintech | kingview | |
wellintech | kingview | |

Detection & IOCs (extracted from sources)

filename: KVWebSvr.dll
bytes: \xEB\x06\x90\x90
bytes: \x4E\x20\xD1\x72
  • The vulnerable method is ValidateUser on the KVWebSvr.dll ActiveX control; monitor for ActiveX instantiation of this control with an abnormally long second argument to ValidateUser, indicative of a stack-based buffer overflow attempt.
  • The exploit uses a classic SEH (Structured Exception Handler) overwrite technique; the SEH overwrite value \x4E\x20\xD1\x72 can be used as a signature to detect exploitation attempts in network traffic or memory dumps. The value is an address chosen by the public PoC, so it identifies that PoC rather than every possible exploit for the vulnerability.
  • The exploit places a short jump padded with two NOPs (\xEB\x06\x90\x90) immediately before the SEH overwrite; this byte sequence adjacent to a large junk buffer in ActiveX-related traffic is a strong exploit indicator.
  • The exploit targets Windows XP SP3; detection of KVWebSvr.dll ActiveX control being loaded in a browser process on legacy Windows systems should be treated as high-risk.
  • The vulnerability affects both KingView 6.52 and 6.53; ensure detection coverage applies to both versions, not just 6.53, which is the version used in the public exploit PoC.