CVE-2011-4051
Published: 2011-12-05
Priority: P279, critical; CVSS 2.0 score: 10
CVSS vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 70.16% (99.3th percentile)
CEServer.exe in the CEServer component in the Remote Agent module in InduSoft Web Studio 6.1 and 7.0 does not require authentication, which allows remote attackers to execute arbitrary code via vectors related to creation of a file, loading a DLL, and process control.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| indusoft | web_studio | — | — |
| indusoft | web_studio | — | — |
Detection & IOCs (extracted from sources)
- bytes: \x02\x37 (Command: Select destination / upload initiation)
- bytes: \x10\x03 (End of packet marker)
- bytes: \x02\x06\x10\x03 (Successful upload response)
- bytes: \x14 (Get Application Version command)
- bytes: \x13 (Get Operating System command)
- bytes: \x15 (Remove file operation opcode)
- Monitor for unauthenticated TCP connections to port 4322 targeting CEServer.exe; any connection without a preceding authentication exchange is suspicious.
- Detect exploit probing by watching for the single-byte 0x14 probe sent to port 4322/TCP, which elicits the InduSoft version banner from CEServer.exe.
- Detect exploit traffic by matching the upload command byte sequence \x02\x37 at the start of a TCP payload on port 4322.
- The exploit targets Windows XP and Windows 2003 (pre-Vista) systems; prioritize detection and patching on those OS versions running InduSoft Web Studio 6.1 or 7.0.
- The Metasploit module's WMI-based payload execution method (dropping .mof files) only works on Windows pre-Vista; exploitation path differs on Vista and later.
- The version check in the exploit distinguishes between InduSoft Web Studio v6.1 (Vulnerable) and other InduSoft versions (Detected), so banner-based detection is version-specific.
- CVE-2011-4052 is a separate but related stack buffer overflow in CEServer triggered by the remove file operation (0x15); do not conflate its detection signatures with CVE-2011-4051.
GHSA
GHSA-mx3h-2chv-mcx2: CEServer
ghsa_unreviewed·2022-05-17
CVE-2011-4051 [HIGH] CWE-287 GHSA-mx3h-2chv-mcx2: CEServer
CEServer.exe in the CEServer component in the Remote Agent module in InduSoft Web Studio 6.1 and 7.0 does not require authentication, which allows remote attackers to execute arbitrary code via vectors related to creation of a file, loading a DLL, and process control.
CISA ICS
InduSoft Web Studio Vulnerabilities
cisa_ics·2014-03-12
ICS Advisory
Last Revised: March 12, 2014
Alert Code: ICSA-11-319-01
## Overview
ICS-CERT has become aware of a report from the Zero Day Initiative concerning two vulnerabilities in the InduSoft Web Studio software. This information was reported to Zero Day Initiative by independent security researcher Luigi Auriemma.
These vulnerabilities exploit unauthenticated remote code execution within the CEServer Operation and the CEServer.exe directories.
Zero Day Initiative has coordinated with InduSoft, who has produced a patch that mitigates these vulnerabilities
No detection rules found.
Exploit-DB
InduSoft Web Studio - Arbitrary File Upload / Remote Code Execution (Metasploit)
exploitdb·2012-10-10
CVE-2011-4051 InduSoft Web Studio - Arbitrary File Upload / Remote Code Execution (Metasploit)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'InduSoft Web Studio Arbitrary Upload Remote Code Execution',
'Description' => %q{
This module exploits a lack of authentication and authorization on the InduSoft
Web Studio Remote Agent, that allows a remote attacker to write arbitrary files to
the filesystem, by abusing the functions provided by the software.
The module uses uses the Windows Management Instrumentation service to execute an
arbitrary payload on vulnerable installati
Exploit-DB
GNU libc/regcomp(3) - Multiple Vulnerabilities
exploitdb·2011-01-07·CVSS 5.0
CVE-2010-4051 [MEDIUM] GNU libc/regcomp(3) - Multiple Vulnerabilities
---
// source: http://securityreason.com/securityalert/8003
[ GNU libc/regcomp(3) Multiple Vulnerabilities ]
Author: Maksymilian Arciemowicz
http://securityreason.com/
http://cxib.net/
Date:
- Dis.: 01.10.2010
- Pub.: 07.01.2011
CERT: VU#912279
CVE:
CVE-2010-4051
CVE-2010-4052
Affected (tested):
- Ubuntu 10.10
- Slackware 13
- Gentoo 18.10.2010
- FreeBSD 8.1 (grep(1))
- NetBSD 5.0.2 (grep(1))
Original URL:
http://securityreason.com/achievement_securityalert/93
Exploit for proftpd:
http://cxib.net/stuff/proftpd.gnu.c
--- 0.Description ---
The GNU C library is used as the C library in the GNU system and most
systems with the Linux kernel.
# define RE_DUP_MAX (0x7fff)
regc
Metasploit
InduSoft Web Studio Arbitrary Upload Remote Code Execution
metasploit
This module exploits a lack of authentication and authorization on the InduSoft Web Studio Remote Agent, that allows a remote attacker to write arbitrary files to the filesystem, by abusing the functions provided by the software. The module uses the Windows Management Instrumentation service to execute an arbitrary payload on vulnerable installations of InduSoft Web Studio on Windows pre Vista. It has been successfully tested on InduSoft Web Studio 6.1 SP6 over Windows XP SP3 and Windows 2003 SP2.
No writeups or analysis indexed.
http://www.indusoft.com/hotfixes/hotfixes.php
http://www.us-cert.gov/control_systems/pdf/ICSA-11-319-01.pdf
http://www.zerodayinitiative.com/advisories/ZDI-11-330/
Published: 2011-12-05