CVE-2011-3400
published 2011-12-14


Priority: P2 (70)
Severity: critical, CVSS 2.0 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 71.72% (99.3rd percentile)
Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 do not properly handle OLE objects in memory, which allows remote attackers to execute arbitrary code via a crafted object in a file, aka "OLE Property Vulnerability."

Detection & IOCs (extracted from sources)

Path: data/exploits/CVE-2011-3400/CVE-2011-3400.vsd
Bytes: \x0c\x0c\x0c\x0c (heap spray NOP sled)
  • The exploit is delivered via a crafted .vsd (Visio) file served with Content-Type application/vnd.visio through Internet Explorer with Visio Viewer installed; monitor for IE processes loading .vsd files from remote/web sources.
  • The exploit targets CPropertyStorage::ReadMultiple in OLE32; look for OLE32 type confusion crashes or abnormal memory access originating from ole32.dll in WinXP SP3 processes.
  • Post-exploitation auto-migration is configured by default ('migrate -f'); monitor for IEXPLORE.exe spawning unexpected child processes or injecting into other processes shortly after loading a .vsd file.
  • The exploit targets IE 6 and IE 7 on Windows XP SP3 specifically; User-Agent strings matching 'NT 5.1' combined with 'MSIE 6' or 'MSIE 7' are used to gate delivery of the malicious payload.
  • The exploit URL path ends with .vsd; network detection rules should flag HTTP responses serving application/vnd.visio content from untrusted or unexpected hosts to IE clients.
  • Heap spray uses 0x0c0c0c0c as the NOP sled value; memory forensics or crash dumps showing large regions of 0x0c bytes are indicative of this exploit's heap spray technique.
  • The exploit only triggers against IE 6 or IE 7 on Windows XP SP3 with Visio Viewer 2010 installed; other browser/OS combinations are explicitly rejected by the module.
  • Payload space is constrained to 1000 bytes with null bytes disallowed; payloads exceeding this size or containing 0x00 will not function correctly.
  • An optional JavaScript obfuscation layer can be enabled via the OBFUSCATE option, which may affect static signature-based detection of the HTML delivery page.
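As an added example (not part of this record or of the exploit module it describes), the delivery and heap-spray indicators listed above turned into a small Python triage check: it flags web-log records where Visio content reaches an IE 6/7 on Windows XP client from an unlisted host, and measures the longest run of 0x0c bytes in a memory region. The log records, the dump bytes and the 1024-byte run threshold are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Indicators from the IOC list: Visio MIME type, .vsd URL path,
# IE 6/7 on Windows XP (NT 5.1) user agents, and the 0x0c heap-spray sled.
VISIO_MIME = "application/vnd.visio"
MSIE_67 = re.compile(r"MSIE [67]\.")
SLED_MIN_RUN = 1024  # assumed threshold; tune against your own dumps

def visio_delivery_indicators(record):
    """Return the indicator names matched by one web/proxy log record
    (dict with url, content_type, user_agent); empty list if none."""
    hits = []
    mime = record.get("content_type", "").split(";")[0].strip().lower()
    if mime == VISIO_MIME:
        hits.append("content-type application/vnd.visio")
    if urlparse(record.get("url", "")).path.lower().endswith(".vsd"):
        hits.append("url path ends with .vsd")
    ua = record.get("user_agent", "")
    if "NT 5.1" in ua and MSIE_67.search(ua):
        hits.append("IE 6/7 on Windows XP user agent")
    return hits

def is_suspicious_delivery(record, trusted_hosts=()):
    """True when Visio content is served to a vulnerable client by a host
    that is not on the allow list (an internal Visio file share, say)."""
    host = urlparse(record.get("url", "")).hostname or ""
    if host in trusted_hosts:
        return False
    hits = visio_delivery_indicators(record)
    vulnerable_client = "IE 6/7 on Windows XP user agent" in hits
    visio_served = any(h.startswith(("content-type", "url path")) for h in hits)
    return vulnerable_client and visio_served

def longest_sled_run(buf):
    """Length of the longest contiguous run of 0x0c bytes in a memory region."""
    return max((len(m.group()) for m in re.finditer(rb"\x0c+", buf)), default=0)

def heap_spray_suspected(buf, min_run=SLED_MIN_RUN):
    """Large 0x0c regions in a crash dump match this exploit's spray pattern."""
    return longest_sled_run(buf) >= min_run

# Constructed sample data (documentation IP range, reserved .example domain).
SAMPLE_LOG = [
    {"url": "http://203.0.113.7/docs/invoice.vsd", "content_type": "application/vnd.visio",
     "user_agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"},
    {"url": "http://intranet.example/plans/floor.vsd", "content_type": "application/vnd.visio",
     "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"},
    {"url": "http://203.0.113.7/index.html", "content_type": "text/html",
     "user_agent": "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"},
]
SAMPLE_DUMP = b"\x90" * 64 + b"\x0c" * 2048 + b"\x31\xc0"
```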