CVE-2011-3496
Published 2011-09-16
Priority P2 · 66 · Critical · CVSS 2.0 base score 10 (vector AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: public exploit available (see the Exploit-DB entries below)
EPSS: 14.37% (96.2nd percentile)
service.exe in Measuresoft ScadaPro 4.0.0 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) BF, (2) OF, or (3) EF command.
Affected
45 ranges indexed · showing 25 (only the first carries version data; the remaining indexed entries are empty)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| measuresoft | scadapro | <= 4.0.0 | — |
Detection & IOCs (extracted from sources)
Detections:
- Detect exploitation attempts targeting ScadaPro service.exe via shell metacharacter injection in BF, OF, or EF commands on UDP port 11234.
- Monitor for 'xf%' command strings on port 11234/UDP, particularly those referencing msvcrt.dll and the 'system' function, indicating arbitrary DLL function execution via the XF command.
- Detect directory traversal sequences (e.g., ..\..\..\) in commands sent to port 11234/UDP targeting the ScadaPro RF, WF, UF, NF, or XF command handlers.
- Alert on unexpected .vbs file creation in C:\Windows\Temp followed by execution, which is the Metasploit module's two-stage payload delivery pattern for this CVE.
- Monitor for nc (netcat) connections to port 11234 sending raw .dat files, as used in the public PoC exploit.
- Detect use of the udpsz scanner tool probing port 11234 with 'xx%' pattern payloads as part of ScadaPro reconnaissance.
Notes:
- Port 11234/UDP is the attack vector; the vendor fix (v4.0.1) disables this port by default. Blocking or monitoring this port is the primary defensive control.
- The Metasploit module uses 'migrate -f' as an InitialAutoRunScript, meaning post-exploitation process migration will occur immediately after the shell is obtained; detections should account for rapid process migration.
- The XF command allows execution of any exported function from any DLL via directory traversal; detection must not be limited to msvcrt.dll/system, since other DLL/function combinations are possible.
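The detection bullets above can be turned into a small payload inspector. The following is an added example written for this page, not code from the CVE record, the vendor, or the Metasploit module. It assumes (labelled in the code) that a ScadaPro request is a UDP datagram to port 11234 whose payload starts with a two-letter command followed by '%' and an argument; that format is inferred only from the 'xf%' and 'xx%' strings quoted above, so the parser must be checked against real captures before use. The sample datagrams are constructed.

```python
"""Inspect UDP datagrams for the ScadaPro service.exe abuse patterns listed above.

Added example; not from the CVE record, Measuresoft, or the Metasploit module.
ASSUMPTION: payload = two-letter command + '%' + argument (inferred from the
'xf%' / 'xx%' strings on the page; the real wire format may differ).
"""
import re
from dataclasses import dataclass

SCADAPRO_PORT = 11234
# Commands the CVE description says pass their argument through a shell.
SHELL_COMMANDS = {"bf", "of", "ef"}
# File-handling commands the advisory names as traversal sinks.
FILE_COMMANDS = {"rf", "wf", "uf", "nf", "xf"}
SHELL_META = re.compile(r"[&|;`<>$]")
TRAVERSAL = re.compile(r"\.\.[\\/]")
CMD_RE = re.compile(r"^([A-Za-z]{2})%(.*)$", re.S)


@dataclass
class Finding:
    index: int     # position of the datagram in the input
    command: str   # normalised (lower-case) two-letter command
    rule: str      # which detection bullet fired


def parse_command(payload: str):
    """Return (command, argument) or None when the payload is not a ScadaPro-style request."""
    m = CMD_RE.match(payload)
    if not m:
        return None
    return m.group(1).lower(), m.group(2)


def inspect_datagram(index: int, dst_port: int, payload: str) -> list:
    """Apply the page's detection rules to one datagram; returns the findings (possibly none)."""
    findings = []
    if dst_port != SCADAPRO_PORT:          # the service only listens on 11234/UDP
        return findings
    parsed = parse_command(payload)
    if parsed is None:
        return findings
    cmd, arg = parsed
    if cmd in SHELL_COMMANDS and SHELL_META.search(arg):
        findings.append(Finding(index, cmd, "shell-metacharacters-in-BF/OF/EF"))
    if cmd in FILE_COMMANDS and TRAVERSAL.search(arg):
        findings.append(Finding(index, cmd, "directory-traversal-in-file-command"))
    if cmd == "xf" and re.search(r"msvcrt\.dll", arg, re.I) and re.search(r"\bsystem\b", arg, re.I):
        findings.append(Finding(index, cmd, "xf-msvcrt-system"))
    if cmd == "xx":                        # udpsz-style reconnaissance probe
        findings.append(Finding(index, cmd, "xx-probe-recon"))
    return findings


def scan(datagrams):
    """datagrams: iterable of (dst_port, payload) pairs; returns all findings in order."""
    out = []
    for i, (port, payload) in enumerate(datagrams):
        out.extend(inspect_datagram(i, port, payload))
    return out


# Constructed sample traffic (not real captures).
SAMPLE = [
    (11234, "rf%C:\\ScadaPro\\config.ini"),                            # benign read
    (11234, "bf%report.txt & hostname"),                               # metacharacter in BF
    (11234, "xf%..\\..\\..\\windows\\system32\\msvcrt.dll%system%x"),  # traversal + msvcrt/system
    (11234, "xx%"),                                                    # recon probe pattern
    (11234, "wf%..\\..\\boot.ini"),                                    # traversal in WF
    (8080, "bf%a|b"),                                                  # wrong port, ignored
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"datagram {f.index}: {f.command} -> {f.rule}")
```

The rules are deliberately independent so that the XF case produces both a traversal finding and a msvcrt/system finding; per the note above, the msvcrt/system rule should be treated as one signature among many, with the traversal rule doing the general work.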
Source: CISA ICS · Measuresoft ScadaPro Vulnerabilities (cisa_ics, 2011-09-13)
## Archived Content
In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory: Measuresoft ScadaPro Vulnerabilities
Last revised: September 06, 2018
Alert code: ICSA-11-263-01
## Overview
This Advisory is a follow-up to the Alert titled “ICS-ALERT-11-256-04 Measuresoft ScadaPro” that was published September 13, 2011, on the ICS-CERT website.
ICS-CERT is aware of a public report of three vulnerabilities with proof-of-concept (PoC) exploit code affecting Measuresoft ScadaPro. According to the report, the vulnerabilities include a stack buffer overflow, an insecure method call, and a path traversal, which are all remotely exploitable through Port 11234/UDP. This
Source: GHSA · GHSA-3mrg-xv6v-4r9j (ghsa_unreviewed, 2022-05-17)
CVE-2011-3496 [HIGH] CWE-20 GHSA-3mrg-xv6v-4r9j: service
No detection rules found.
Source: Exploit-DB · Measuresoft ScadaPro 4.0.0 - Remote Command Execution (Metasploit) (exploitdb, 2011-09-16)
CVE-2011-3496 Measuresoft ScadaPro 4.0.0 - Remote Command Execution (Metasploit)
---
```ruby
##
# $Id: scadapro_cmdexe.rb 13737 2011-09-16 08:23:59Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Measuresoft ScadaPro %q{
This module allows remote attackers to execute arbitrary commands on
the affected system by abusing via Directory Traversal attack when using the 'xf'
command (execute function). An attacker can execute system() from msvcrt.dll to
upload a backdoor and gain remote code execution.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Luigi Auriemm
```
Source: Exploit-DB · Measuresoft ScadaPro 4.0.0 - Multiple Vulnerabilities (exploitdb, 2011-09-14)
CVE-2011-3497 Measuresoft ScadaPro 4.0.0 - Multiple Vulnerabilities
---
#######################################################################
#######################################################################
Luigi Auriemma
Application: Measuresoft ScadaPro
http://www.measuresoft.com/products/scada-products.aspx
Versions:
(excerpt truncated here; the following disassembly listing is from the same advisory)
```
8D5424 20 LEA EDX,DWORD PTR SS:[ESP+20]
0040A118 . 8BC7 MOV EAX,EDI
0040A11A . 2BD7 SUB EDX,EDI
0040A11C . 8D6424 00 LEA ESP,DWORD PTR SS:[ESP]
0040A120 > 8A08 MOV CL,BYTE PTR DS:[EAX]
0040A122 . 880C02 MOV BYTE PTR DS:[EDX+EAX],CL
0040A125 . 83C0 01 ADD EAX,1
0040A128 . 84C9 TEST CL,CL
0040A12A .^75 F4 JNZ SHORT service.0040A120
```
Obviously there are many Denial of Service bugs too.
Then there is full control over the files to read and write and the
possibility to use directory traversal attacks like in the "RF" and
"wF" (the first char is lowe
No writeups or analysis indexed.
References:
- http://aluigi.altervista.org/adv/scadapro_1-adv.txt
- http://securityreason.com/securityalert/8382
- http://www.exploit-db.com/exploits/17848
- http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-256-04.pdf
Published: 2011-09-16