CVE-2011-3494
Published 2011-09-16
Priority P2 (61) · critical · CVSS 2.0 score 10.0 · vector AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT · EPSS 55.78% (98.9th percentile)
WinSig.exe in eSignal 10.6.2425 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (1) a long StyleTemplate element in a QUO, SUM or POR file, which triggers a stack-based buffer overflow, or (2) a long Font->FaceName field (aka FaceName element), which triggers a heap-based buffer overflow. NOTE: some of these details are obtained from third party information.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| interactivedata | esignal | <= 10.6.2425 | — |
| interactivedata | esignal | — | — |
Detection & IOCs (extracted from sources)
- Monitor WinSig.exe for opening or creating files with the QUO, SUM, POR, ETS, ETQ or ESK extensions whose StyleTemplate element or Font->FaceName field is anomalously long; benign values are short style or font names.
- A heap-overflow crash in WinSig.exe shows EDX/EDI holding the PoC's repeated-'a' pattern (0x6161616x) at MFC80 offsets 0x23a31 and 0x5c445.
- A stack-overflow crash in WinSig.exe shows EIP=0x61616161 (the saved return address overwritten by the PoC's 'a' pattern) while parsing a QUO, SUM or POR file.
- The Metasploit module uses an egghunter with the tag 'eggz'; scan process memory and delivered files or network payloads for the tag as an exploitation indicator.
- The module sets 'migrate -f' as InitialAutoRunScript, so a successful session immediately launches a new process and migrates into it; monitor WinSig.exe for spawning a process and injecting into it.
- The module's return address is a JMP ESP at 0x7c206fef in the MFC71.dll shipped with eSignal 10.6.2425.1208; that address (little-endian in a file, or as the overwritten return address in a crash dump) is a strong indicator.
- Successful exploitation may take several seconds because of the egghunter; detection based on timing alone is unreliable.
- DEP bypass is unlikely because of the limited payload space, so DEP is an effective mitigation; without DEP, exploitation remains feasible.
- No fix was available at the time of disclosure; patching is not an option for the disclosed version.
- The JMP ESP return address (0x7c206fef in MFC71.dll) is specific to eSignal 10.6.2425.1208 on Windows XP SP3, Vista and Windows 7; other environments may require different offsets and addresses.
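The file-based indicators above can be checked with a small scanner. The following is an added example, not code from the advisory, the Metasploit module or eSignal. It assumes (the page does not say) that the affected files are text with XML-style elements such as `<StyleTemplate>...</StyleTemplate>` and `<FaceName>...</FaceName>`, that a benign element body is far shorter than the padding an exploit needs to reach the saved return address, and that a Metasploit egg starts with the egghunter tag repeated twice. The sample files are constructed for the example, and the 2000-byte padding is arbitrary, not the real offset.

```python
"""Scan eSignal workspace-style files and raw payloads for CVE-2011-3494 indicators.

Added example; not code from the advisory, the Metasploit module or eSignal.
Assumed (not stated on the page): the affected files are text with XML-style
elements, and a benign element body is far shorter than the padding needed to
reach the saved return address, so a simple length threshold separates the two.
"""
import struct
import sys

# Elements named in the CVE: WinSig.exe copies their bodies into fixed-size
# buffers (stack for StyleTemplate, heap for Font->FaceName).
RISKY_ELEMENTS = ("StyleTemplate", "FaceName")

# Assumed cut-off for a benign value; real style and font names are short.
MAX_BENIGN_LEN = 256

# The module's egghunter tag. A Metasploit egg is the tag repeated twice
# followed by the payload, so the marker to look for is 'eggzeggz'.
EGG_MARKER = b"eggzeggz"

# JMP ESP in MFC71.dll used by the module for eSignal 10.6.2425.1208. It is
# written into the file little-endian, where it overwrites the return address.
JMP_ESP_RET = 0x7C206FEF
JMP_ESP_BYTES = struct.pack("<I", JMP_ESP_RET)  # b"\xef\x6f\x20\x7c"


def element_bodies(data: bytes, name: str):
    """Yield the body of every <name> element in data.

    An unclosed element runs to the next '<' or to end of file: the overflow
    happens while the body is copied, so an exploit file need not close the tag.
    """
    open_tag = b"<%s>" % name.encode()
    close_tag = b"</%s>" % name.encode()
    pos = 0
    while (start := data.find(open_tag, pos)) != -1:
        body_start = start + len(open_tag)
        end = data.find(close_tag, body_start)
        if end == -1:
            nxt = data.find(b"<", body_start)
            end = len(data) if nxt == -1 else nxt
        yield data[body_start:end]
        pos = end


def scan(data: bytes) -> list:
    """Return (indicator, detail) pairs found in one file or payload blob."""
    findings = []
    for name in RISKY_ELEMENTS:
        for body in element_bodies(data, name):
            if len(body) > MAX_BENIGN_LEN:
                findings.append(("oversized_element",
                                 "%s body is %d bytes" % (name, len(body))))
    if EGG_MARKER in data:
        findings.append(("egghunter_tag", "double 'eggz' egg marker present"))
    if JMP_ESP_BYTES in data:
        findings.append(("jmp_esp_ret",
                         "0x%08x (MFC71.dll JMP ESP) present" % JMP_ESP_RET))
    return findings


# Constructed samples, not real eSignal files.
BENIGN_QUO = (b"<StyleTemplate>Default</StyleTemplate>"
              b"<Font><FaceName>Arial</FaceName></Font>")
# Assumed layout of a malicious QUO: padding up to the saved return address,
# the JMP ESP address, a NOP slide, a stand-in for the egghunter, and the egg
# carrying the real payload later in the file. The tag is never closed.
MALICIOUS_QUO = (b"<StyleTemplate>" + b"A" * 2000 + JMP_ESP_BYTES + b"\x90" * 16
                 + b"EGGHUNTER-STUB" + b"B" * 1000 + EGG_MARKER + b"SHELLCODE-STUB")
# Heap case: an oversized Font->FaceName in an ETS/ETQ/ESK-style file.
MALICIOUS_ETS = b"<Font><FaceName>" + b"A" * 600 + b"</FaceName></Font>"

if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        for label, blob in (("benign.quo", BENIGN_QUO), ("evil.quo", MALICIOUS_QUO),
                            ("evil.ets", MALICIOUS_ETS)):
            print(label, scan(blob))
    for path in paths:
        with open(path, "rb") as fh:
            print(path, scan(fh.read()))
```

Run it with no arguments to scan the embedded samples, or pass file paths. The length check is the durable indicator: the egg marker and the MFC71.dll address only match this module on this eSignal build, whereas any file that overflows the StyleTemplate or FaceName copy must carry an oversized body.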
No detection rules found.
Exploit-DB
eSignal and eSignal Pro 10.6.2425.1208 - File Parsing Buffer Overflow in QUO (Metasploit)
exploitdb · 2011-09-20
---
```ruby
##
# $Id: esignal_styletemplate_bof.rb 13765 2011-09-20 17:39:53Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	def initialize(info={})
		super(update_info(info,
			'Name'        => 'eSignal and eSignal Pro <= 10.6.2425.1208 File Parsing Buffer Overflow in QUO',
			'Description' => %q{
					The software is unable to handle the "<StyleTemplate>" files (even
				those originally included in the program) like those with the registered
				extensions QUO, SUM and POR. Successful exploitation of this vulnerability
				may take up to several seconds due to the use of egghunter. Also, DEP
				bypass is unlikely due to the lim
```
Exploit-DB
eSignal and eSignal Pro 10.6.2425.1208 - Multiple Vulnerabilities
exploitdb · 2011-09-14
---
#######################################################################
Luigi Auriemma

Application: eSignal and eSignal Pro
             http://www.esignal.com/esignal/default.aspx
Versions:    <= 10.6.2425.1208
…

A] stack overflow

… the "<StyleTemplate>" files (even
those originally included in the program) like those with the registered
extensions QUO, SUM and POR:

```
eax=00000001 ebx=00000000 ecx=61616161 edx=02830000 esi=0012f020 edi=03ed97f0
eip=61616161 esp=0012efb8 ebp=0012f088 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
61616161 ??              ???
```

B] heap overflow

Heap overflow during the handling of the Font->FaceName field of the
various files that use it like ETS, ETQ, ESK and so on:

```
eax=04255aa8 ebx=0012f004 ecx=04255ab4 edx=61616160 esi=0012f0
```
Metasploit
eSignal and eSignal Pro File Parsing Buffer Overflow in QUO
The software is unable to handle the "<StyleTemplate>" files (even those originally included in the program) like those with the registered extensions QUO, SUM and POR. Successful exploitation of this vulnerability may take up to several seconds due to the use of an egghunter. Also, DEP bypass is unlikely due to the limited space for the payload. This vulnerability affects versions 10.6.2425.1208 and earlier.
No writeups or analysis indexed.