CVE-2011-3499
published 2011-09-16

CVE-2011-3499: Progea Movicon / PowerHMI 11.2.1085 and earlier allows remote attackers to cause a denial of service (memory corruption and crash) and possibly execute…

Priority: P3 · 56
Severity: critical (CVSS 2.0 base score 10)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 15.90% (96.5th percentile)
Progea Movicon / PowerHMI 11.2.1085 and earlier allows remote attackers to cause a denial of service (memory corruption and crash) and possibly execute arbitrary code via an EIDP packet with a large size field, which writes a zero byte to an arbitrary memory location.

Affected (3 ranges)

Vendor   Product            Version range    Fixed in
progea   movicon_powerhmi   <= 11.2.1085
progea   movicon_powerhmi
progea   movicon_powerhmi

Detection & IOCs (extracted from sources)

port: 808/TCP
port: 12233/TCP
url: http://aluigi.org/poc/movicon_3.dat
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17842-3.dat
url: http://aluigi.org/poc/movicon_1.dat
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17842-1.dat
command: nc SERVER 808 < movicon_3.dat
command: nc SERVER 808 < movicon_1.dat
command: udpsz -T -b 0x61 SERVER 808 10000
bytes: c6041100 (mov byte ptr [ecx+edx],0), a null-byte write to an address > 0x7fffffff
  • CVE-2011-3499 is triggered via HTTP on port 808/TCP carrying a tunnelled EIDP packet with an oversized size field; monitor for anomalously large EIDP size fields in HTTP traffic destined for port 808.
  • The memory corruption results in a null-byte write at an address above 0x7FFFFFFF; crash telemetry or access-violation logs showing writes to addresses in the 0x80000000+ range from the Movicon process are indicative of exploitation.
  • Public PoC payload files (movicon_1.dat, movicon_3.dat) and the udpsz tool are known to be used against port 808/TCP; detect delivery of these files or execution of udpsz targeting port 808.
  • The EIDP protocol normally operates on port 12233/TCP; exploitation of CVE-2011-3499 routes EIDP packets through port 808/TCP HTTP — EIDP-like traffic on port 808 is anomalous and should be alerted on.
  • Exploitation of CVE-2011-3499 via the native EIDP port (12233/TCP) does not appear to work; the bug is only reliably triggered when EIDP packets are tunnelled through the HTTP service on port 808/TCP.
  • The null-byte write is constrained to memory addresses above 0x7FFFFFFF, which limits reliable arbitrary-code execution on 32-bit Windows but may be more impactful in 64-bit environments.
  • The vulnerability is only present when the Movicon/PowerHMI software is actively running a project (i.e., the HTTP listener on port 808 is active); deployments not running a project are not exposed.