CVE-2011-4044
Published 2012-04-03
Priority: P3 (47) · medium · CVSS 2.0 base score 5.8
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:N/I:P/A:P
Exploit: public exploit available (see the Exploit-DB and Metasploit entries below)
EPSS: 26.73% (97.8th percentile)
An unspecified ActiveX control in SVUIGrd.ocx in ARC Informatique PcVue 6.0 through 10.0, FrontVue, and PlantVue allows remote attackers to modify files via calls to unknown methods.
Affected (4 ranges; version bounds were not extracted, the description above gives PcVue 6.0 through 10.0, FrontVue and PlantVue)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| arcinfo | pcvue | — | — |
| arcinfo | pcvue | — | — |
| arcinfo | pcvue | — | — |
| arcinfo | pcvue | — | — |
Detection & IOCs (extracted from sources)
- Detect calls to the SaveObject() or LoadObject() methods on the SV.UIGrdCtrl.1 ActiveX control; a numeric/DWORD argument to these methods is the exploitation primitive (function pointer overwrite).
- Detect calls to GetExtendedColor() on SVUIGrd.ocx; this method enables an arbitrary DWORD write (write-what-where) to any memory address.
- Detect calls to DeletePage() on aipgctl.ocx, CLSID {083B40D3-CCBA-11D2-AFE0-00C04F7993D6}; an out-of-bounds array index leads to code execution.
- The exploit targets Internet Explorer 6 and 7 only; filter/alert on User-Agent strings matching MSIE 6.x or 7.x requesting pages that instantiate the vulnerable ActiveX CLSIDs.
- The heap spray uses the NOP sled value 0x0a0a0a0a as the return address; memory containing large blocks of 0x0a0a0a0a is a strong indicator of this exploit in a heap dump or network capture.
- Payload bad characters are \x00, \x0a and \x0d; shellcode in exploit traffic will not contain null bytes, line feeds or carriage returns, which is useful for payload carving.
- Monitor the file system for directory traversal patterns in filenames passed to SaveObject()/LoadObject(); the vulnerability allows corrupting or injecting content into arbitrary files via path traversal.
- The Metasploit module targets only Internet Explorer 6 and 7 on Windows XP and Vista; other browsers or OS versions are not supported by this exploit module.
- The KillBit for CLSID {2BBD45A5-28AE-11D1-ACAC-0800170967D9} is NOT set, meaning the control is instantiable by any web page without additional registry hardening.
- No vendor fix was available at the time of disclosure; affected versions span PcVue 6.0 through 10.0, FrontVue and PlantVue.
- The file-corruption/injection primitive via SaveObject()/LoadObject() was not fully researched at disclosure time; the full impact of arbitrary content writing was unconfirmed.
No detection rules found.
Exploit-DB · 2011-10-12 · CVE-2011-4044
PcVue 10.0 SV.UIGrdCtrl.1 - 'LoadObject()'/'SaveObject()' Trusted DWORD (Metasploit)
```ruby
##
# $Id: pcvue_func.rb 13889 2011-10-12 10:57:31Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# The text between "class Metasploit3" and 'Name' was eaten during extraction
# (it sat between a "<" and a ">"); the lines below restore the standard
# Metasploit 3 module skeleton that every module of this era uses.
class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info={})
		super(update_info(info,
			'Name'        => "PcVue 10.0 SV.UIGrdCtrl.1 'LoadObject()/SaveObject()' Trusted DWORD Vulnerability",
			'Description' => %q{
				This module exploits a function pointer control within SVUIGrd.ocx of PcVue 10.0.
				By setting a dword value for the SaveObject() or LoadObject(), an attacker can
				overwrite a function pointer and execute arbitrary code.
			},
			'License'     => MSF_LICENSE,
			# Exploit-DB preview ends here; the remainder of the module is not on this page
```
Exploit-DB · 2011-09-27 · CVE-2011-4045
PcVue 10.0 - Multiple Vulnerabilities
```text
#######################################################################

                             Luigi Auriemma

Application:  PcVue
              http://www.arcinfo.com/index.php?option=com_content&id=2&Itemid=151
Versions:     PcVue <= 10.0
              SVUIGrd.ocx <= 1.5.1.0
              aipgctl.ocx <= 1.07.3702
Platforms:    Windows
Bugs:         A] code execution in SVUIGrd.ocx Save/LoadObject
              B] write4 in SVUIGrd.ocx GetExtendedColor
              C] possible files corruption/injection in SVUIGrd.ocx Save/LoadObject
              D] array overflow in aipgctl.ocx DeletePage
Exploitation: remote
Date:         27 Sep 2011
Author:       Luigi Auriemma
              e-mail: [email protected]
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

##################################################
```
Metasploit
PcVue 10.0 SV.UIGrdCtrl.1 'LoadObject()/SaveObject()' Trusted DWORD Vulnerability
This module exploits a function pointer control within SVUIGrd.ocx of PcVue 10.0. By setting a dword value for the SaveObject() or LoadObject(), an attacker can overwrite a function pointer and execute arbitrary code.
No writeups or analysis indexed.
References:
- http://www.pcvuesolutions.com/index.php?option=com_content&view=article&id=244&Itemid=257
- http://www.us-cert.gov/control_systems/pdf/ICSA-11-340-01.pdf
- https://support.pcvuescada.com/index.php?option=com_k2&view=item&id=512&Itemid=440