CVE-2011-3400
Published 2011-12-14
Priority: P270 · critical · CVSS 2.0 base score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 71.72% (percentile 99.3)

Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 do not properly handle OLE objects in memory, which allows remote attackers to execute arbitrary code via a crafted object in a file, aka "OLE Property Vulnerability."
Detection & IOCs (extracted from sources)
Bytes: \x0c\x0c\x0c\x0c (heap spray NOP sled)
- The exploit is delivered as a crafted .vsd (Visio) file served with Content-Type application/vnd.visio and opened through Internet Explorer on a system with Visio Viewer installed; monitor for IE processes loading .vsd files from remote/web sources.
- The exploit targets CPropertyStorage::ReadMultiple in OLE32; look for type-confusion crashes or abnormal memory access originating from ole32.dll in Windows XP SP3 processes.
- Post-exploitation auto-migration is configured by default ('migrate -f'); monitor for IEXPLORE.exe spawning unexpected child processes or injecting into other processes shortly after loading a .vsd file.
- The module targets IE 6 and IE 7 on Windows XP SP3 with Visio Viewer 2010 specifically; User-Agent strings matching 'NT 5.1' combined with 'MSIE 6' or 'MSIE 7' gate delivery of the malicious payload, and any other browser/OS combination is explicitly rejected.
- The exploit URL path ends with .vsd; network detection rules should flag HTTP responses serving application/vnd.visio content from untrusted or unexpected hosts to IE clients.
- The heap spray uses 0x0c0c0c0c as the NOP sled value; memory forensics or crash dumps showing large regions of 0x0c bytes are indicative of this heap spray technique.
- Payload space is constrained to 1000 bytes with null bytes disallowed; payloads exceeding this size or containing 0x00 will not function correctly.
- An optional JavaScript obfuscation layer can be enabled via the OBFUSCATE option, which may defeat static signature-based detection of the HTML delivery page.
Caveat: the User-Agent gate, the .vsd path, the Content-Type and the 0x0c sled value are properties of the public Metasploit module, not of the vulnerability itself; an attacker who rebuilds the delivery page can change every one of them, so treat these as triage filters for module-based activity rather than as coverage for CVE-2011-3400 in general. The ole32.dll crash signal and the "IE loads a .vsd from the web" behaviour are the more durable of the set.
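The log-based and memory-based checks above, as an added example that is not part of this page, of the Metasploit module or of any source it cites. It reads a proxy log and flags Visio responses served from untrusted hosts, escalating those whose client matches the module's IE 6/7-on-XP gate, and it measures the longest run of 0x0c bytes in a buffer as a heap-spray heuristic. The log layout, the sample lines, the sample buffers, the trusted-host list and the 4 KiB run threshold are all assumptions made for the example.

```python
"""Triage helpers for the CVE-2011-3400 (MS11-093) delivery pattern.

Added example for this page; not code from the Metasploit module or from
any source listed here. It turns two of the indicators above into checks:
(1) HTTP responses that serve Visio content (application/vnd.visio or a
.vsd path) to a client from a host that is not trusted, marking the IE 6/7
on Windows XP ('NT 5.1') combination the module targets, and (2) a long run
of 0x0c bytes in a memory buffer, the footprint of the 0x0c0c0c0c sled.
The proxy-log layout and every sample line/buffer are constructed.
"""
import re
from urllib.parse import urlsplit

# Constructed (hypothetical) proxy-log layout, one request per line:
#   <ts> <client_ip> <method> <url> <status> <content_type> "<user_agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<ctype>\S+) "(?P<ua>[^"]*)"$'
)

# The module only serves the exploit to Windows XP (NT 5.1) running IE 6 or
# IE 7. The same gate is a useful escalation filter, but an attacker who
# rebuilds the delivery page can drop it, so it is not used to suppress hits.
RE_NT51 = re.compile(r"NT 5\.1")
RE_IE67 = re.compile(r"MSIE [67]\.")


def is_target_browser(user_agent: str) -> bool:
    """True for the IE 6/7-on-XP combination the exploit module targets."""
    return bool(RE_NT51.search(user_agent) and RE_IE67.search(user_agent))


def serves_visio(url: str, content_type: str) -> bool:
    """True when the response is Visio content by MIME type or by .vsd path."""
    path = urlsplit(url).path.lower()
    return content_type.lower().startswith("application/vnd.visio") or path.endswith(".vsd")


def flag_visio_delivery(log_text: str, trusted_hosts=()):
    """Return one finding per Visio response served from an untrusted host.

    'targeted' is True when the client matches the module's UA gate; those
    are the findings to escalate first.
    """
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed layout
        host = (urlsplit(m["url"]).hostname or "").lower()
        if host in trusted or not serves_visio(m["url"], m["ctype"]):
            continue
        findings.append({
            "ts": m["ts"], "client": m["client"], "host": host,
            "url": m["url"], "targeted": is_target_browser(m["ua"]),
        })
    return findings


def longest_byte_run(buf: bytes, value: int = 0x0C) -> int:
    """Length of the longest contiguous run of `value` in `buf` (0 if absent)."""
    pattern = re.compile(re.escape(bytes([value])) + b"+")
    return max((len(m.group()) for m in pattern.finditer(buf)), default=0)


def looks_heap_sprayed(buf: bytes, min_run: int = 4096) -> bool:
    """Heuristic: a run of at least `min_run` 0x0c bytes.

    A real spray fills many megabytes with 0x0c0c0c0c so that the address
    0x0c0c0c0c lands inside a sled; the 4 KiB threshold is an assumption,
    chosen to sit well above incidental form-feed bytes in text buffers.
    """
    return longest_byte_run(buf, 0x0C) >= min_run


# Constructed sample data (not real traffic and not a real crash dump).
SAMPLE_LOG = """\
2011-12-20T10:01:02Z 10.0.0.5 GET http://intranet.example.corp/plans/floor.vsd 200 application/vnd.visio "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
2011-12-20T10:02:15Z 10.0.0.5 GET http://203.0.113.9/x/a.vsd 200 application/vnd.visio "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
2011-12-20T10:03:40Z 10.0.0.7 GET http://203.0.113.9/x/a.vsd 200 application/vnd.visio "Mozilla/5.0 (Windows NT 6.1) Firefox/8.0"
2011-12-20T10:04:01Z 10.0.0.8 GET http://203.0.113.9/index.html 200 text/html "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
"""
SPRAYED_BUFFER = b"A" * 64 + b"\x0c" * 5000 + b"B" * 64
BENIGN_BUFFER = b"page one\x0c\x0c\x0cpage two\x0c"

if __name__ == "__main__":
    for f in flag_visio_delivery(SAMPLE_LOG, trusted_hosts=["intranet.example.corp"]):
        label = "ESCALATE" if f["targeted"] else "review  "
        print(label, f["client"], "->", f["url"])
    print("sprayed:", looks_heap_sprayed(SPRAYED_BUFFER), looks_heap_sprayed(BENIGN_BUFFER))
```

Run as-is it reports the two untrusted Visio downloads, escalating only the one fetched by IE 6 on XP, and classifies the 5000-byte 0x0c run as a spray while leaving the few form feeds in the text buffer alone. Non-targeted Visio downloads are still returned on purpose: the UA gate is the attacker's choice, not a property of the bug.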
No detection rules found.
Exploit-DB
Microsoft Windows - OLE Object File Handling Remote Code Execution (Metasploit)
exploitdb · 2012-06-06 · CVE-2011-3400
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

# Only the module header survives on this page. The class line lost its
# superclass and the opening of the info hash during extraction; both are
# restored to the standard Metasploit3-era form. The exploit body (target
# table, HTTP handler, document builder) is not reproduced here.
class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => "Microsoft Windows OLE Object File Handling Remote Code Execution",
      'Description' => %q{
        This module exploits a type confusion vulnerability in the OLE32 component of
        Windows XP SP3. The vulnerability exists in the CPropertyStorage::ReadMultiple
        function.
        A Visio document with a specially crafted Summary Information Stream embedded allows
        to get remote code execution through Internet Explorer, on systems with Visio Viewer
        installed.
      }
    ))
  end

end
```
Metasploit
MS11-093 Microsoft Windows OLE Object File Handling Remote Code Execution
metasploit
This module exploits a type confusion vulnerability in the OLE32 component of Windows XP SP3. The vulnerability exists in the CPropertyStorage::ReadMultiple function. A Visio document with a specially crafted Summary Information Stream embedded allows to get remote code execution through Internet Explorer, on systems with Visio Viewer installed.
Securelist
Investigation Report for the September 2014 Equation malware detection incident in the US
blogs_securelist · 2017-11-16
Authors: Kaspersky
## Background
In early October, a story was published by the Wall Street Journal alleging Kaspersky Lab software was used to siphon classified data from an NSA employee’s home computer system. Given that Kaspersky Lab has been at the forefront of fighting cyberespionage and cybercriminal activities on the Internet for over 20 years now, these allegations were treated very seriously. To assist any independent investigators and all the people who have been asking us questions whether those allegations were true, we decided to conduct an internal investigation to attempt to answer a few questions we had related to the article and some others that followed it:
1. Was our software used outside of its intended functionality to pull classified information from a person’s c
Zscaler
Zscaler Protects against Microsoft's Patch Cycle | Round 1
blogs_zscaler · CVSS 9.3 · [CRITICAL]
References
- http://www.us-cert.gov/cas/techalerts/TA11-347A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-093
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14668