CVE-2011-3497
Published 2011-09-16
Priority P2 (71) · CVSS 2.0 base score 10 (critical)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit available
EPSS: 58.75% (99.0th percentile)
service.exe in Measuresoft ScadaPro 4.0.0 and earlier allows remote attackers to execute arbitrary DLL functions via the XF function, possibly related to an insecure exposed method.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| measuresoft | scadapro | <= 4.0.0 | — |
Detection & IOCs (extracted from sources)
- Monitor for UDP traffic on port 11234 targeting ScadaPro service.exe; any inbound connection should be treated as suspicious, given that the port is disabled by default in patched versions.
- Detect exploitation attempts using the 'XF' command over UDP port 11234, particularly those referencing msvcrt.dll and the system() function for arbitrary command execution.
- Detect directory traversal patterns in 'RF' and 'wF' commands sent to port 11234/UDP, which can be used to read or write arbitrary files on the target system.
- Alert on use of 'UF' and 'NF' commands to port 11234/UDP, which can delete files and entire directories on the target.
- Flag injection of double-quote characters in backup command arguments ('BF', 'OF', 'EF') sent to port 11234/UDP, which can be used to inject commands into mszip or other backup programs.
- Metasploit module 'exploits/windows/scada/scadapro_cmdexe' targets this vulnerability; detect its use via network signatures or endpoint telemetry showing service.exe spawning child processes.
- Port 11234/UDP is the attack vector; in unpatched ScadaPro 4.0.0 and earlier this port is open by default. The fix (v4.0.1) disables it by default, so this port listening is a strong indicator of a vulnerable or misconfigured deployment.
- The vulnerability affects ScadaPro version 4.0.0.0 and earlier; version 4.0.1 contains the fix. Detection rules should be scoped to systems still running the vulnerable version.
CISA ICS
Measuresoft ScadaPro Vulnerabilities
cisa_ics · 2011-09-13
ICS Advisory
Last Revised: September 06, 2018
Alert Code: ICSA-11-263-01
## Overview
This Advisory is a follow-up to the Alert titled “ICS-ALERT-11-256-04 Measuresoft ScadaPro” that was published September 13, 2011, on the ICS-CERT website.
ICS-CERT is aware of a public report of three vulnerabilities with proof-of-concept (PoC) exploit code affecting Measuresoft ScadaPro. According to the report, the vulnerabilities include a stack buffer overflow, an insecure method call, and a path traversal, which are all remotely exploitable through Port 11234/UDP. This
GHSA
ghsa_unreviewed · 2022-05-17
CVE-2011-3497 [HIGH] CWE-200 GHSA-2pr9-2h78-r68r: service
No detection rules found.
Exploit-DB
Measuresoft ScadaPro 4.0.0 - Multiple Vulnerabilities
exploitdb · 2011-09-14
#######################################################################
Luigi Auriemma
Application: Measuresoft ScadaPro
http://www.measuresoft.com/products/scada-products.aspx
Versions:

```
          8D5424 20       LEA EDX,DWORD PTR SS:[ESP+20]
0040A118  . 8BC7          MOV EAX,EDI
0040A11A  . 2BD7          SUB EDX,EDI
0040A11C  . 8D6424 00     LEA ESP,DWORD PTR SS:[ESP]
0040A120  > 8A08          MOV CL,BYTE PTR DS:[EAX]
0040A122  . 880C02        MOV BYTE PTR DS:[EDX+EAX],CL
0040A125  . 83C0 01       ADD EAX,1
0040A128  . 84C9          TEST CL,CL
0040A12A  .^75 F4         JNZ SHORT service.0040A120
```
Obviously there are many Denial of Service bugs too.

Then there is full control over the files to read and write and the possibility to use directory traversal attacks like in the "RF" and "wF" (the first char is lowe
Metasploit
Measuresoft ScadaPro Remote Command Execution
metasploit
This module allows remote attackers to execute arbitrary commands on the affected system by abusing a directory traversal attack when using the 'xf' command (execute function). An attacker can execute system() from msvcrt.dll to upload a backdoor and gain remote code execution. This vulnerability affects version 4.0.0 and earlier.
No writeups or analysis indexed.
References:
- http://aluigi.altervista.org/adv/scadapro_1-adv.txt
- http://securityreason.com/securityalert/8382
- http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-256-04.pdf