CVE-2011-4529
published 2012-01-08


Priority: P3 (50, high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 7.16% (93.5th percentile)
Multiple buffer overflows in Siemens Automation License Manager (ALM) 4.0 through 5.1+SP1+Upd1 allow remote attackers to execute arbitrary code via a long serialid field in an _licensekey command, as demonstrated by the (1) check_licensekey or (2) read_licensekey command.

Affected (1 range)

Vendor    Product                     Version range  Fixed in
siemens   automation_license_manager  <= 5.1         not stated

Detection & IOCs (extracted from sources)

port: 4410
url: http://aluigi.org/poc/almsrvx_1.zip
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18165.zip
filename: almaxcx.dll
other: ALMListView.ALMListCtrl E57AF4A2-EF57-41D0-8512-FECDA78F1FE7
command: check_licensekey
command: read_licensekey
  • Monitor for oversized `serialid` field values in `_licensekey` family commands (check_licensekey, read_licensekey) sent over TCP port 4410 to the ALM service; these indicate buffer overflow exploitation attempts.
  • Alert on any network traffic to TCP port 4410 from untrusted/external sources; ALM should only be reachable from trusted internal hosts.
  • Detect loading or instantiation of the ActiveX CLSID E57AF4A2-EF57-41D0-8512-FECDA78F1FE7 (ALMListView.ALMListCtrl) from Internet Explorer, which may indicate exploitation of the improper input validation / file overwrite vulnerability.
  • Monitor for get_target_ocx_param and send_target_ocx_param commands on TCP 4410, which trigger a NULL pointer dereference (CVE-2011-4531) and can cause denial of service.
  • The buffer overflow affects ALM versions 4.0 through 5.1+SP1+Upd1 only; the improper input validation (ActiveX) vulnerability has a wider affected range of versions 2.0 through 5.1+SP1+Upd2.
  • On some systems the NULL pointer and exception conditions do not cause immediate denial of service but leave thread resources active, so absence of a crash does not confirm the system is unaffected.
  • The file-overwrite primitive via the almaxcx.dll Save method writes only 2 bytes (\r\n); code execution via content control was not confirmed by the researcher.
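A small detector that implements the first, second and fourth bullets above, added here as an example that is not part of this page or of Siemens ALM. It parses a constructed connection-log layout (not the ALM wire protocol); ALM_PORT comes from the IOC list, while the log layout, TRUSTED_NETS and MAX_SERIALID are assumptions to tune per site.

```python
import ipaddress
import re

# Constructed log layout for this example, NOT the real ALM wire protocol:
#   "<src_ip> -> <dst_ip>:<port> <command> [key=value ...]"
LINE_RE = re.compile(r"^(\S+) -> (\S+):(\d+) (\S+)(.*)$")
ALM_PORT = 4410                                   # from the IOC list above
LICENSEKEY_CMDS = {"check_licensekey", "read_licensekey"}
OCX_PARAM_CMDS = {"get_target_ocx_param", "send_target_ocx_param"}
MAX_SERIALID = 64        # assumed sane upper bound for a serial id; tune per site
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def analyze(line: str) -> list:
    """Return alert tags for one log line; an empty list means nothing to flag."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []                                 # not in the expected layout
    src, _dst, port, cmd, rest = m.groups()
    if int(port) != ALM_PORT:
        return []                                 # only ALM traffic is in scope
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    alerts = []
    if not is_trusted(src):
        alerts.append("untrusted-source")         # bullet 2: ALM reachable externally
    if cmd in LICENSEKEY_CMDS and len(fields.get("serialid", "")) > MAX_SERIALID:
        alerts.append("oversized-serialid")       # bullet 1: CVE-2011-4529 overflow attempt
    if cmd in OCX_PARAM_CMDS:
        alerts.append("ocx-param-command")        # bullet 4: CVE-2011-4531 DoS trigger
    return alerts


# Constructed sample traffic log: one benign, two suspicious, one out of scope
SAMPLE_LOG = [
    "10.1.2.3 -> 10.1.2.10:4410 check_licensekey serialid=ABC-123",
    "203.0.113.7 -> 10.1.2.10:4410 read_licensekey serialid=" + "A" * 300,
    "10.1.2.4 -> 10.1.2.10:4410 get_target_ocx_param",
    "10.1.2.4 -> 10.1.2.10:8080 check_licensekey serialid=" + "A" * 300,
]


def scan(lines):
    """Return (line, alerts) pairs for every line that raised at least one alert."""
    return [(ln, analyze(ln)) for ln in lines if analyze(ln)]


if __name__ == "__main__":
    for ln, alerts in scan(SAMPLE_LOG):
        print(", ".join(alerts), "<-", ln[:70])
```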