CVE-2011-3494
published 2011-09-16


Priority: P2 (61)
CVSS 2.0: 10 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 55.78% (98.9th percentile)
WinSig.exe in eSignal 10.6.2425 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (1) a long StyleTemplate element in a QUO, SUM or POR file, which triggers a stack-based buffer overflow, or (2) a long Font->FaceName field (aka FaceName element), which triggers a heap-based buffer overflow. NOTE: some of these details are obtained from third party information.

Affected (2 ranges)

Vendor          | Product | Version range | Fixed in
interactivedata | esignal | <= 10.6.2425  | (none listed)
interactivedata | esignal | (not given)   | (none listed)

Detection & IOCs (extracted from sources)

filename: WinSig.exe
url: http://aluigi.org/poc/esignal_1.zip
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17837.zip
other: RET 0x7c206fef (jmp esp, MFC71.dll v10.6.2425.1208)
other: eggtag 'eggz'
  • Monitor for creation or opening of files with extensions QUO, SUM, POR, ETS, ETQ, ESK containing anomalously long StyleTemplate elements or Font->FaceName fields by WinSig.exe
  • Heap overflow crash in WinSig.exe can be identified by EDI/EDX registers containing 0x61616161 (repeated 'a' pattern) at MFC80 offsets 0x23a31 and 0x5c445
  • Stack overflow crash in WinSig.exe identifiable by EIP=0x61616161 (overwritten return address) when parsing QUO/SUM/POR files
  • Metasploit exploit uses an egghunter with tag 'eggz'; scan process memory or network payloads for this egg tag as an exploitation indicator
  • Exploit uses 'migrate -f' as InitialAutoRunScript, indicating post-exploitation process migration; monitor for WinSig.exe spawning or injecting into other processes
  • Exploitation targets the JMP ESP gadget at 0x7c206fef in MFC71.dll version 10.6.2425.1208; presence of this ROP/JMP gadget address in shellcode or crash dumps is a strong indicator
  • Successful exploitation may take several seconds due to egghunter use; detection based on timing alone is unreliable
  • DEP bypass is unlikely due to limited payload space; DEP-based mitigations are effective, but exploitation without DEP remains feasible
  • No fix was available at time of disclosure; patching is not an option for the disclosed version
  • The JMP ESP RET address (0x7c206fef in MFC71.dll) is specific to eSignal version 10.6.2425.1208 on Win XP SP3/Vista/Win7; different environments may require different offsets