CVE-2011-5001
published 2011-12-25

CVE-2011-5001: Stack-based buffer overflow in the CGenericScheduler::AddTask function in cmdHandlerRedAlertController.dll in CmdProcessor.exe in Trend Micro Control Manager…

Priority: P2 76
Severity: critical (CVSS 2.0 base score 10)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: yes (public exploit known)
EPSS: 64.74% (99.1st percentile)
Stack-based buffer overflow in the CGenericScheduler::AddTask function in cmdHandlerRedAlertController.dll in CmdProcessor.exe in Trend Micro Control Manager 5.5 before Build 1613 allows remote attackers to execute arbitrary code via a crafted IPC packet to TCP port 20101.

Affected (1 range)

Vendor: trend_micro
Product: control_manager
Version range: <= 5.5
Fixed in: not given in this record

Detection & IOCs (extracted from sources)

port: TCP/20101
filename: cmdHandlerRedAlertController.dll
process: CmdProcessor.exe
url: http://www.zerodayinitiative.com/advisories/ZDI-11-345/
bytes: \x00\x00\x13\x88
bytes: \x15\x09\x13
  • Monitor for inbound TCP connections to port 20101 on hosts running Trend Micro Control Manager; any external or unexpected source connecting to this port should be treated as suspicious.
  • Detect exploit attempts by inspecting TCP/20101 traffic for packets containing the opcode byte sequence \x15\x09\x13 at offset 11 within the IPC packet header.
  • Detect exploit attempts by looking for TCP/20101 packets beginning with \x00\x00\x13\x88 (magic header + declared buffer size of 0x1388 = 5000 bytes), which matches the known Metasploit module payload structure.
  • Alert on large (≥5000 byte) crafted IPC packets sent to CmdProcessor.exe on TCP/20101; the exploit uses a 5000-byte filler to trigger the stack overflow.
  • Look for ROP chain artifacts in memory or network payload: the exploit uses TmUpdate.dll gadgets and a VirtualAlloc IAT pointer (0x6686115c) to bypass DEP on Windows 2003 SP2.
  • The ROP chain and return address (0x666b34c8 stack pivot in TMNotify.dll) are hardcoded for Windows 2003 Server SP2 only; the exploit explicitly notes TCM 5.5 cannot be installed on Win2k3 SP0-SP1, Win2k8, or XP, limiting the target surface.
  • The vulnerable 256-byte stack buffer is only reachable via a specially crafted IPC packet; null bytes (\x00) are bad characters and must be avoided in shellcode.
  • The vulnerability is fixed in Trend Micro Control Manager 5.5 Build 1613 and later; detection rules targeting CmdProcessor.exe on TCP/20101 are only relevant for pre-1613 builds.