CVE-2011-3491
published 2011-09-16

Priority: P2 · 61 · critical · CVSS 2.0 base score 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 17.03% (96.7th percentile)
Heap-based buffer overflow in Progea Movicon / PowerHMI 11.2.1085 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a negative Content-Length field.

Affected (3 ranges)

Vendor   Product            Version range   Fixed in
progea   movicon_powerhmi   <= 11.2.1085    (none given)
progea   movicon_powerhmi   (none given)    (none given)
progea   movicon_powerhmi   (none given)    (none given)

Detection & IOCs (extracted from sources)

port: 808/TCP
port: 12233/TCP
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17842-1.dat
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17842-3.dat
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/15707.zip
command: nc SERVER 808 < movicon_1.dat
command: udpsz -T -b 0x61 SERVER 808 10000
command: nc SERVER 808 < movicon_3.dat
  • Monitor for HTTP requests to port 808/TCP containing a negative Content-Length header value, which triggers the heap-based buffer overflow via memcpy(heap_buffer, input, content_length_size).
  • Monitor for oversized HTTP requests (>8192 bytes) to port 808/TCP, which overflow the fixed-size HTTP request buffer.
  • Monitor for EIDP protocol packets with an abnormally large size field tunnelled via the web service on port 808/TCP; these can write a zero byte to arbitrary memory above 0x7fffffff.
  • Public exploit PoC files (movicon_1.dat, movicon_3.dat) and tooling (udpsz) are known to target these vulnerabilities; presence of these filenames on a host or in network traffic is suspicious.
  • The EIDP memory-corruption bug (CVE-2011-3499) can only be triggered via the port 808/TCP web service tunnel, NOT via the native EIDP port 12233/TCP directly.
  • The EIDP zero-byte write is constrained to memory addresses above 0x7fffffff, which may limit exploitability to 64-bit environments.
  • Port 808/TCP is only exposed when the software is actively running a project; detection rules should account for this conditional listener.
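A small detector for the two HTTP-side conditions in the notes above (negative Content-Length, request larger than 8192 bytes). This is an added example, not code from the page, from Progea, or from the linked exploit sources; it assumes requests to 808/TCP have already been reassembled into raw bytes, and the sample requests are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Thresholds taken from the detection notes above.
MAX_REQUEST_BYTES = 8192  # size of the fixed HTTP request buffer cited in the notes

# Matches a Content-Length header line anywhere in the header block (case-insensitive).
CONTENT_LENGTH_RE = re.compile(rb"^content-length:[ \t]*([^\r\n]*)", re.IGNORECASE | re.MULTILINE)


@dataclass
class Finding:
    rule: str    # short rule name, e.g. "negative_content_length"
    detail: str  # human-readable evidence


def inspect_request(raw: bytes) -> List[Finding]:
    """Inspect one reassembled HTTP request seen on the 808/TCP web service."""
    findings: List[Finding] = []

    # Rule 1: anything larger than the 8192-byte request buffer.
    if len(raw) > MAX_REQUEST_BYTES:
        findings.append(Finding("oversized_request", f"{len(raw)} bytes > {MAX_REQUEST_BYTES}"))

    # Rule 2: Content-Length that is negative, or not a plain unsigned decimal.
    header_block = raw.split(b"\r\n\r\n", 1)[0]
    for match in CONTENT_LENGTH_RE.finditer(header_block):
        value = match.group(1).strip()
        text = value.decode("ascii", "replace")
        if value.startswith(b"-"):
            findings.append(Finding("negative_content_length", text))
        elif not value.isdigit():
            findings.append(Finding("malformed_content_length", text))
    return findings


def scan(requests: List[bytes]) -> Dict[int, List[str]]:
    """Return {request_index: [rule names]} for every request that fired a rule."""
    hits: Dict[int, List[str]] = {}
    for i, raw in enumerate(requests):
        rules = [f.rule for f in inspect_request(raw)]
        if rules:
            hits[i] = rules
    return hits


# Constructed sample traffic: one benign request, one with a negative length, one oversized.
SAMPLE_REQUESTS = [
    b"POST /cgi HTTP/1.1\r\nHost: hmi\r\nContent-Length: 5\r\n\r\nhello",
    b"POST /cgi HTTP/1.1\r\nHost: hmi\r\ncontent-length: -1\r\n\r\n",
    b"GET /" + b"A" * 9000 + b" HTTP/1.1\r\nHost: hmi\r\n\r\n",
]

if __name__ == "__main__":
    print(scan(SAMPLE_REQUESTS))
```

Because the listener on 808/TCP only exists while a project is running, a sensor feeding this check should alert on the header condition itself rather than on the port being open.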