CVE-2011-3142
Published 2011-08-16
Priority P2 · 62 · Critical · CVSS 2.0 score 10 · vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit available · EPSS 38.80% (98.4th percentile)
Stack-based buffer overflow in an ActiveX control in KVWebSvr.dll in WellinTech KingView 6.52 and 6.53 allows remote attackers to execute arbitrary code via a long second argument to the ValidateUser method.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wellintech | kingview | — | — |
| wellintech | kingview | — | — |
Detection & IOCs (extracted from sources)
- bytes: \xEB\x06\x90\x90
- bytes: \x4E\x20\xD1\x72
- bytes: \x54\x5f\xda\xdf\xd9\x77\xf4\x5e\x56\x59\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4c\x4b\x5a\x4c\x50\x55\x4c\x4b\x5a\x4c\x43\x58\x51\x30\x51\x30\x51\x30\x56\x4f\x52\x48\x52\x43\x45\x31\x52\x4c\x43\x53\x4c\x4d\x51\x55\x5a\x58\x56\x30\x58\x38\x49\x57\x4d\x43\x49\x52\x54\x37\x4b\x4f\x58\x50\x41\x41
- The vulnerable method is ValidateUser on the KVWebSvr.dll ActiveX control; monitor for instantiation of this control with an abnormally long second argument to ValidateUser, which indicates a stack-based buffer overflow attempt.
- The exploit uses a classic SEH (Structured Exception Handler) overwrite; the SEH overwrite value \x4E\x20\xD1\x72 can serve as a memory signature for detecting exploitation attempts in network traffic or memory dumps.
- The exploit prepends a short jump and NOP sled (\xEB\x06\x90\x90) before the SEH overwrite; this byte sequence adjacent to a large junk buffer in ActiveX-related traffic is a strong exploit indicator.
- The exploit targets Windows XP SP3; the KVWebSvr.dll ActiveX control being loaded in a browser process on legacy Windows systems should be treated as high-risk.
- The vulnerability affects both KingView 6.52 and 6.53; ensure detection coverage applies to both versions, not just 6.53, which is the version used in the public exploit PoC.
No detection rules found.
No writeups or analysis indexed.
References
- http://www.cnvd.org.cn/vulnerability/CNVD-2011-04541
- http://www.exploit-db.com/exploits/16936
- http://www.kingview.com/news/detail.aspx?contentid=537
- http://www.osvdb.org/72889
- http://www.scadahacker.com/exploits-wellintech-kvwebsvr.html
- http://www.securityfocus.com/bid/46757
- http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-066-01.pdf
- http://www.us-cert.gov/control_systems/pdf/ICSA-11-074-01.pdf