CVE-2011-3490
Published 2011-09-16
Priority: P2 · 60 · Critical · CVSS 2.0 base score: 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 36.43% (98.3rd percentile)
Multiple stack-based buffer overflows in service.exe in Measuresoft ScadaPro 4.0.0 and earlier allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long command to port 11234, as demonstrated with the TF command.
Affected
45 ranges · showing 25 (rows carrying no version data omitted)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| measuresoft | scadapro | <= 4.0.0 | — |
Detection & IOCs (extracted from sources)
- Monitor for TCP/UDP connections to port 11234 targeting service.exe in Measuresoft ScadaPro; any long command string sent to this port is indicative of exploitation attempts.
- Detect use of the 'XF' command over port 11234 to execute arbitrary DLL functions (e.g., system() from msvcrt.dll), which enables remote code execution via directory traversal.
- Detect directory traversal sequences (e.g., '../../../../../') in commands sent to port 11234, particularly in RF, wF, UF, NF, and XF command arguments.
- Alert on VBS script creation in C:\Windows\Temp followed by execution via msvcrt.dll system() call over port 11234, as used in the Metasploit module for this CVE.
- Detect the 'xf%' command prefix in network traffic on port 11234 combined with 'msvcrt.dll,system' as a reliable indicator of exploitation.
- Detect injection of the '"' character in BF, OF, and EF backup command arguments on port 11234, which enables command injection against backup utilities (mszip, tar, compress).
- Port 11234/UDP is the attack vector; the vendor fix (v4.0.1) disables this port by default. Verify the port is disabled or firewalled in deployed environments.
- The vulnerability affects ScadaPro Version 4.0.0.0 and earlier; version 4.0.1 contains the fix. Ensure the patched version is deployed before relying solely on network controls.
CISA ICS
Measuresoft ScadaPro Vulnerabilities
cisa_ics · 2011-09-13
## Archived Content
In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory: Measuresoft ScadaPro Vulnerabilities
Last Revised: September 06, 2018
Alert Code: ICSA-11-263-01
## Overview
This Advisory is a follow-up to the Alert titled “ICS-ALERT-11-256-04 Measuresoft ScadaPro” that was published September 13, 2011, on the ICS-CERT website.
ICS-CERT is aware of a public report of three vulnerabilities with proof-of-concept (PoC) exploit code affecting Measuresoft ScadaPro. According to the report, the vulnerabilities include a stack buffer overflow, an insecure method call, and a path traversal, which are all remotely exploitable through Port 11234/UDP. This…
GHSA
GHSA-cx2j-vq99-8hwr: Multiple stack-based buffer overflows in service
ghsa_unreviewed · 2022-05-17
CVE-2011-3490 · severity HIGH · CWE-119
Description identical to the CVE text above.
No detection rules found.
Exploit-DB
Measuresoft ScadaPro 4.0.0 - Remote Command Execution (Metasploit)
exploitdb · 2011-09-16 · CVE-2011-3496
---
```ruby
##
# $Id: scadapro_cmdexe.rb 13737 2011-09-16 08:23:59Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Measuresoft ScadaPro %q{
  This module allows remote attackers to execute arbitrary commands on
  the affected system by abusing via Directory Traversal attack when using the 'xf'
  command (execute function). An attacker can execute system() from msvcrt.dll to
  upload a backdoor and gain remote code execution.
},
'License' => MSF_LICENSE,
'Author' =>
  [
    'Luigi Auriemm
```
Exploit-DB
Measuresoft ScadaPro 4.0.0 - Multiple Vulnerabilities
exploitdb · 2011-09-14 · CVE-2011-3497
---
#######################################################################
Luigi Auriemma
Application: Measuresoft ScadaPro
http://www.measuresoft.com/products/scada-products.aspx
Versions:
```
            8D5424 20     LEA EDX,DWORD PTR SS:[ESP+20]
0040A118  .  8BC7          MOV EAX,EDI
0040A11A  .  2BD7          SUB EDX,EDI
0040A11C  .  8D6424 00     LEA ESP,DWORD PTR SS:[ESP]
0040A120  >  8A08          MOV CL,BYTE PTR DS:[EAX]
0040A122  .  880C02        MOV BYTE PTR DS:[EDX+EAX],CL
0040A125  .  83C0 01       ADD EAX,1
0040A128  .  84C9          TEST CL,CL
0040A12A  .^ 75 F4         JNZ SHORT service.0040A120
```
Obviously there are many Denial of Service bugs too.
Then there is full control over the files to read and write and the
possibility to use directory traversal attacks like in the "RF" and
"wF" (the first char is lowe
No writeups or analysis indexed.
References
- http://aluigi.altervista.org/adv/scadapro_1-adv.txt
- http://securityreason.com/securityalert/8382
- http://www.exploit-db.com/exploits/17848
- http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-256-04.pdf