CVE-2011-3495
Published 2011-09-16
Priority: P2 · 60 · critical · CVSS 2.0: 10
AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 10.80% (95.3th percentile)
Multiple directory traversal vulnerabilities in service.exe in Measuresoft ScadaPro 4.0.0 and earlier allow remote attackers to read, modify, or delete arbitrary files via the (1) RF, (2) wF, (3) UF, or (4) NF command.
Affected
45 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| measuresoft | scadapro | <= 4.0.0 | — |
Detection & IOCs (extracted from sources)
- Monitor for tab-separated command strings sent to port 11234/UDP matching the RF, wF, UF, NF, or XF command patterns used by ScadaPro service.exe; note that 'wF' uses a lowercase first character specifically to bypass an internal check.
- Alert on XF command usage targeting msvcrt.dll 'system' function over port 11234/UDP, which enables arbitrary OS command execution.
- Detect directory traversal sequences (e.g., '../') within RF/wF/UF/NF command payloads on port 11234/UDP targeting service.exe.
- Inspect BF, OF, and EF backup command arguments for injected double-quote characters ('"') which enable command injection into mszip and other backup program invocations.
- Port 11234/UDP is the attack surface; the vendor fix (v4.0.1) disables this port by default. Verify this port is blocked at the perimeter for all unpatched deployments.
- The RF command's directory traversal check is bypassable by lowercasing the first character (i.e., 'wF' instead of 'WF'); detection rules must account for case variations.
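The checks listed above, combined into one payload inspector as an added example (not code from this page or its sources). It assumes the command name is the first tab-separated field of the datagram and that XF carries the library and function names as separate fields; the sample payloads are constructed, not captured traffic.

```python
import re

SCADAPRO_PORT = 11234                      # UDP port named on the page
FILE_CMDS = {"RF", "WF", "UF", "NF"}       # compared case-insensitively
BACKUP_CMDS = {"BF", "OF", "EF"}
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")  # ".." as a path component

def inspect_datagram(dst_port, payload):
    """Return a list of finding codes for one UDP payload (bytes)."""
    if dst_port != SCADAPRO_PORT:
        return []
    # Assumption: the command name is the first tab-separated field.
    fields = payload.decode("latin-1").rstrip("\x00\r\n").split("\t")
    cmd, args = fields[0].strip(), fields[1:]
    upper = cmd.upper()
    findings = []
    if upper in FILE_CMDS:
        if cmd != upper:                   # e.g. 'wF' rather than 'WF'
            findings.append("case-variant")
        if any(TRAVERSAL.search(a) for a in args):
            findings.append("traversal")
    elif upper == "XF":
        lowered = [a.strip().lower() for a in args]
        if any(a.startswith("msvcrt") for a in lowered) and "system" in lowered:
            findings.append("xf-system")
    elif upper in BACKUP_CMDS:
        if any('"' in a for a in args):    # injected double quote
            findings.append("backup-quote")
    return findings

# Constructed sample payloads (hypothetical field layout, placeholder values).
SAMPLES = [
    (11234, b"RF\tlogs\\run1.dat"),
    (11234, b"wF\t..\\..\\example.txt\tdata"),
    (11234, b"XF\tmsvcrt.dll\tsystem\tplaceholder-argument"),
    (11234, b'BF\tarchive" extra'),
    (53, b"RF\t..\\x"),
]

if __name__ == "__main__":
    for port, data in SAMPLES:
        print(port, data, inspect_datagram(port, data))
```
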
CISA ICS
Measuresoft ScadaPro Vulnerabilities
cisa_ics·2011-09-13
ICS Advisory
Last Revised: September 06, 2018
Alert Code: ICSA-11-263-01
## Overview
This Advisory is a follow-up to the Alert titled “ICS-ALERT-11-256-04 Measuresoft ScadaPro” that was published September 13, 2011, on the ICS-CERT website.
ICS-CERT is aware of a public report of three vulnerabilities with proof-of-concept (PoC) exploit code affecting Measuresoft ScadaPro. According to the report, the vulnerabilities include a stack buffer overflow, an insecure method call, and a path traversal, which are all remotely exploitable through Port 11234/UDP. This
GHSA
GHSA-89v3-w86j-wm2h: Multiple directory traversal vulnerabilities in service
ghsa_unreviewed·2022-05-17
CVE-2011-3495 [HIGH] CWE-22 GHSA-89v3-w86j-wm2h: Multiple directory traversal vulnerabilities in service
Multiple directory traversal vulnerabilities in service.exe in Measuresoft ScadaPro 4.0.0 and earlier allow remote attackers to read, modify, or delete arbitrary files via the (1) RF, (2) wF, (3) UF, or (4) NF command.
- http://aluigi.altervista.org/adv/scadapro_1-adv.txt
- http://securityreason.com/securityalert/8382
- http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-256-04.pdf