CVE-2011-4044
published 2012-04-03

Priority: P3 (47)
Severity: medium, CVSS 2.0 base score 5.8
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:N/I:P/A:P
Exploit: public exploit available
EPSS: 26.73% (97.8th percentile)
An unspecified ActiveX control in SVUIGrd.ocx in ARC Informatique PcVue 6.0 through 10.0, FrontVue, and PlantVue allows remote attackers to modify files via calls to unknown methods.

Affected (4 ranges)

Vendor  | Product | Version range | Fixed in
arcinfo | pcvue   |               |
arcinfo | pcvue   |               |
arcinfo | pcvue   |               |
arcinfo | pcvue   |               |

Detection & IOCs (extracted from sources)

filename: SVUIGrd.ocx
filename: aipgctl.ocx
other (CLSID): {2BBD45A5-28AE-11D1-ACAC-0800170967D9}
other (CLSID): {083B40D3-CCBA-11D2-AFE0-00C04F7993D6}
other (ProgID): SV.UIGrdCtrl.1
url: http://aluigi.org/poc/pcvue_1.zip
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17896.zip
  • Detect calls to SaveObject() or LoadObject() methods on the SV.UIGrdCtrl.1 ActiveX control; a numeric/DWORD argument to these methods is the exploitation primitive (function pointer overwrite).
  • Detect calls to GetExtendedColor() on SVUIGrd.ocx; this method enables an arbitrary DWORD write (write-what-where) to any memory address.
  • Detect calls to DeletePage() on aipgctl.ocx CLSID {083B40D3-CCBA-11D2-AFE0-00C04F7993D6}; out-of-bounds array index leads to code execution.
  • Exploit targets Internet Explorer 6 and 7 only; filter/alert on User-Agent strings matching MSIE 6.x or 7.x requesting pages that instantiate the vulnerable ActiveX CLSIDs.
  • Heap spray uses NOP sled value 0x0a0a0a0a as the return address; memory containing large blocks of 0x0a0a0a0a is a strong indicator of this exploit in a heap dump or network capture.
  • Payload bad characters are \x00, \x0a, \x0d; shellcode in exploit traffic will not contain null bytes, line feeds, or carriage returns — useful for payload carving.
  • Monitor file system for directory traversal patterns in filenames passed to SaveObject()/LoadObject() — the vulnerability allows corrupting or injecting content into arbitrary files via path traversal.
  • The Metasploit module targets only Internet Explorer 6 and 7 on Windows XP and Vista; other browsers or OS versions are not supported by this exploit module.
  • The KillBit for CLSID {2BBD45A5-28AE-11D1-ACAC-0800170967D9} is NOT set, meaning the control is instantiable by any web page without additional registry hardening.
  • No vendor fix was available at time of disclosure; affected versions span PcVue 6.0 through 10.0, FrontVue, and PlantVue.
  • The file-corruption/injection primitive via SaveObject()/LoadObject() was not fully researched at disclosure time; the full impact of arbitrary content writing was unconfirmed.