CVE-2011-4042
published 2012-04-03

CVSS 2.0 base score: 9.3 (critical), vector AV:N/AC:M/Au:N/C:C/I:C/A:C
Priority: P354
Exploit: public exploit code available
EPSS: 6.45% (92.9th percentile)
An unspecified ActiveX control in SVUIGrd.ocx in ARC Informatique PcVue 6.0 through 10.0, FrontVue, and PlantVue allows remote attackers to execute arbitrary code by using a crafted HTML document to obtain control of a function pointer.

Affected

4 ranges, all for vendor arcinfo, product pcvue; the version range and fixed-in columns are empty in this listing.

Detection & IOCs (extracted from sources)

  • filename: SVUIGrd.ocx
  • CLSID: 2BBD45A5-28AE-11D1-ACAC-0800170967D9 (SVUIGrd.ocx)
  • filename: aipgctl.ocx
  • CLSID: 083B40D3-CCBA-11D2-AFE0-00C04F7993D6 (aipgctl.ocx)
  • url: http://aluigi.org/poc/pcvue_1.zip
  • url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17896.zip
  • bytes: 8b00 ff5004 (mov eax,[eax]; call [eax+4]) at offset 02695b9d in SVUIGrd.ocx
  • bytes: 8902 (mov [edx],eax) at offset 02198e36 in SVUIGrd.ocx
  • Monitor for instantiation of ActiveX CLSIDs 2BBD45A5-28AE-11D1-ACAC-0800170967D9 (SVUIGrd.ocx) and 083B40D3-CCBA-11D2-AFE0-00C04F7993D6 (aipgctl.ocx) from within browser processes (e.g., iexplore.exe); a browser loading either control is a strong indicator of exploitation via a crafted HTML document.
  • The vulnerable SaveObject/LoadObject methods in SVUIGrd.ocx use the numeric aStream parameter directly as a function pointer; detect calls to these methods with attacker-controlled numeric arguments from untrusted HTML contexts.
  • The GetExtendedColor method of SVUIGrd.ocx allows an arbitrary 4-byte memory write (write-what-where); monitor for abnormal memory write patterns originating from SVUIGrd.ocx loaded in browser processes.
  • The SaveObject/LoadObject methods also accept a filename parameter that is susceptible to directory traversal; monitor file system activity from SVUIGrd.ocx for reads/writes outside the expected directories, in particular paths containing '../' sequences.
  • The DeletePage method of aipgctl.ocx (CLSID 083B40D3-CCBA-11D2-AFE0-00C04F7993D6) has an array overflow leading to code execution; detect invocation of DeletePage with out-of-bounds index values from browser/HTML contexts.
  • Exploitation requires social engineering to lure a target to a malicious site or open a crafted HTML e-mail; the PcVue application itself does not need to be running, since the browser instantiates the control.
  • SVUIGrd.ocx version 1.5.1.0 and aipgctl.ocx version 1.07.3702 are the confirmed vulnerable versions; later versions of SVUIGrd.ocx may not be affected.
  • Public PoC exploit code exists for these vulnerabilities, lowering the bar for exploitation.
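The monitoring points above (CLSID instantiation from a browser host, the two control filenames, and the byte patterns at the listed offsets) as one worked check, added here as an example; it is not code from the page's sources or from ARC Informatique. It assumes a pipe-delimited image-load log whose `Image` and `ImageLoaded` field names are borrowed from Sysmon Event ID 7; the log lines, the HTML and the byte blob are constructed sample data.

```python
import re

# IOCs from the advisory: the two vulnerable controls and their CLSIDs.
VULN_CONTROLS = {
    "svuigrd.ocx": "2bbd45a5-28ae-11d1-acac-0800170967d9",
    "aipgctl.ocx": "083b40d3-ccba-11d2-afe0-00c04f7993d6",
}
VULN_CLSIDS = set(VULN_CONTROLS.values())

# Hosts that render attacker-supplied HTML. PcVue's own processes legitimately
# load these controls, so only loads into these hosts are flagged.
BROWSER_HOSTS = {"iexplore.exe", "mshta.exe", "outlook.exe"}

# <object classid="clsid:{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}"> in HTML.
CLSID_RE = re.compile(
    r"clsid:\{?([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?", re.I)

# Byte patterns from the IOC list (the function-pointer call and the 4-byte write).
GADGETS = {
    "call-through-pointer": bytes.fromhex("8b00ff5004"),  # mov eax,[eax]; call [eax+4]
    "write4": bytes.fromhex("8902"),                      # mov [edx],eax
}


def html_clsid_hits(html):
    """Return the vulnerable CLSIDs a document tries to instantiate via <object>."""
    seen = {m.group(1).lower() for m in CLSID_RE.finditer(html)}
    return sorted(seen & VULN_CLSIDS)


def parse_image_load(line):
    """Parse one constructed 'Key=Value|Key=Value' image-load record into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def suspicious_loads(lines):
    """(host process, module) pairs where a browser-type host loaded a vulnerable control."""
    hits = []
    for line in lines:
        rec = parse_image_load(line)
        host = rec.get("Image", "").rsplit("\\", 1)[-1].lower()
        module = rec.get("ImageLoaded", "").rsplit("\\", 1)[-1].lower()
        if host in BROWSER_HOSTS and module in VULN_CONTROLS:
            hits.append((host, module))
    return hits


def gadget_offsets(blob):
    """Offsets of each listed byte pattern in an image. 'write4' is a two-byte
    instruction and matches in almost any x86 binary; it is a locator to compare
    against the advisory's offsets, not a signature on its own."""
    found = {}
    for name, pattern in GADGETS.items():
        offsets, pos = [], blob.find(pattern)
        while pos != -1:
            offsets.append(pos)
            pos = blob.find(pattern, pos + 1)
        found[name] = offsets
    return found


# Constructed sample data (not captured from a real host).
SAMPLE_HTML = (
    '<html><body>'
    '<object classid="clsid:2BBD45A5-28AE-11D1-ACAC-0800170967D9" id="grid"></object>'
    '<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>'
    '</body></html>'
)
SAMPLE_LOG = [
    r"EventID=7|Image=C:\Program Files\Internet Explorer\iexplore.exe|ImageLoaded=C:\Windows\System32\SVUIGrd.ocx",
    r"EventID=7|Image=C:\Program Files\PcVue\PcVue.exe|ImageLoaded=C:\Program Files\PcVue\SVUIGrd.ocx",
    r"EventID=7|Image=C:\Program Files\Internet Explorer\iexplore.exe|ImageLoaded=C:\Windows\System32\mshtml.dll",
    r"EventID=7|Image=C:\Windows\System32\mshta.exe|ImageLoaded=C:\Windows\System32\aipgctl.ocx",
]
SAMPLE_BLOB = (b"\x55\x8b\xec" + b"\x90" * 5          # push ebp; mov ebp,esp; nops
               + GADGETS["call-through-pointer"] + b"\xc3"
               + GADGETS["write4"])

if __name__ == "__main__":
    print("CLSIDs in HTML:", html_clsid_hits(SAMPLE_HTML))
    print("Suspicious loads:", suspicious_loads(SAMPLE_LOG))
    print("Gadget offsets:", gadget_offsets(SAMPLE_BLOB))
```

The load check is the one worth alerting on: the PcVue processes load SVUIGrd.ocx as a matter of course, so the signal is the host, not the module. The byte patterns are only meaningful together with the offsets given in the IOC list, because `89 02` occurs in nearly every x86 image. On hosts that must keep PcVue but never need the controls in a browser, setting the Internet Explorer kill bit for both CLSIDs (Compatibility Flags 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}) stops the browser from instantiating them, which is the standard ActiveX mitigation and the reason the detection above targets browser hosts.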