CVE-2011-4520
Published: 2013-05-23
Priority: P4 · 24 · medium, 4.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
Exploit: EPSS 2.34% (81.5th percentile)
Heap-based buffer overflow in an ActiveX component in MICROSYS PROMOTIC before 8.1.5 allows remote attackers to cause a denial of service via a crafted web page.
Affected: 19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsys | promotic | <= 8.1.4 | — |
GHSA
GHSA-92hc-v7h5-rqc5: Heap-based buffer overflow in an ActiveX component in MICROSYS PROMOTIC before 8
ghsa_unreviewed·2022-05-17
CVE-2011-4520 [MEDIUM] CWE-119 GHSA-92hc-v7h5-rqc5: Heap-based buffer overflow in an ActiveX component in MICROSYS PROMOTIC before 8
Heap-based buffer overflow in an ActiveX component in MICROSYS PROMOTIC before 8.1.5 allows remote attackers to cause a denial of service via a crafted web page.
CISA ICS
MICROSYS PROMOTIC Vulnerabilities
cisa_ics·2018-09-06
ICS Advisory
Last Revised: September 06, 2018
Alert Code: ICSA-12-024-02
## Overview
This advisory is a follow-up to ICS-ALERT-11-286-01 - MICROSYS PROMOTIC Vulnerabilities, released to the ICS-CERT Web page on October 12, 2011.
Independent researcher Luigi Auriemma has identified and released three vulnerabilities in the MICROSYS, spol. s r.o. PROMOTIC application without coordination with ICS-CERT, the vendor, or any other known coordinating entity. The vulnerabilities include directory traversal, ActiveX heap overflow, and ActiveX stack overflow vulnerabilities.
No detection rules found.
Exploit-DB
Microsys PROMOTIC 8.1.4 - ActiveX GetPromoticSite Uninitialized Pointer
exploitdb·2011-10-13
CVE-2011-4520 Microsys PROMOTIC 8.1.4 - ActiveX GetPromoticSite Uninitialized Pointer
---
#######################################################################
Luigi Auriemma
Application: Microsys PROMOTIC
http://www.promotic.eu/en/promotic/scada-pm.htm
Versions: 8.1.4
Platforms: Windows
Bug: ActiveX GetPromoticSite uninitialized pointer
Exploitation: remote
Date: 30 Oct 2011
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
1) Introduction
From vendor's website:
"PROMOTIC is a complex SCADA object software tool for creating
applications that monitor, control and display technological process
Exploit-DB
Microsoft WINS Service 5.2.3790.4520 - Memory Corruption (MS11-035)
exploitdb·2011-09-13
CVE-2011-1248 Microsoft WINS Service 5.2.3790.4520 - Memory Corruption (MS11-035)
---
#######################################################################
Luigi Auriemma
Application: Microsoft WINS service
http://www.microsoft.com
Versions:

```asm
01013E7B  . E8 0A0A0000   CALL 0101488A                    ; \wins.0101488A (send packet)
01013E80  . 834D FC FF    OR DWORD PTR SS:[EBP-4],FFFFFFFF
01013E84  . EB 0E         JMP SHORT 01013E94
01013E86  . 33C0          XOR EAX,EAX                      ; arrives here after RaiseException
01013E88  . 40            INC EAX
01013E89  . C3            RETN
> 01013E8A . 8B65 E8       MOV ESP,DWORD PTR SS:[EBP-18]    ; after "CALL EAX" in msvcrt the code flow arrives here
01013E8D  . 834D FC FF    OR DWORD PTR SS:[EBP-4],FFFFFFFF
01013E91  . 8B7D B4       MOV EDI,DWORD PTR SS:[EBP-4C]
01013E94  . 57            PUSH EDI                         ; /Arg1 (0x2c000000)
01013E95  . E8 240D0000   CALL 01014BBE                    ; \wins.01
```
No writeups or analysis indexed.