CVE-2011-5001
Published: 2011-12-25
Priority: P276 · Severity: critical · CVSS 2.0 base score: 10 · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 64.74% (99.1th percentile)
Stack-based buffer overflow in the CGenericScheduler::AddTask function in cmdHandlerRedAlertController.dll in CmdProcessor.exe in Trend Micro Control Manager 5.5 before Build 1613 allows remote attackers to execute arbitrary code via a crafted IPC packet to TCP port 20101.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trend_micro | control_manager | <= 5.5 | — |
Detection & IOCs (extracted from sources)
Byte indicators:
- \x00\x00\x13\x88
- \x15\x09\x13
- Monitor for inbound TCP connections to port 20101 on hosts running Trend Micro Control Manager; any external or unexpected source connecting to this port should be treated as suspicious.
- Detect exploit attempts by inspecting TCP/20101 traffic for packets containing the opcode byte sequence \x15\x09\x13 at offset 11 within the IPC packet header.
- Detect exploit attempts by looking for TCP/20101 packets beginning with \x00\x00\x13\x88 (magic header + declared buffer size of 0x1388 = 5000 bytes), which matches the known Metasploit module payload structure.
- Alert on large (≥5000 byte) crafted IPC packets sent to CmdProcessor.exe on TCP/20101; the exploit uses a 5000-byte filler to trigger the stack overflow.
- Look for ROP chain artifacts in memory or network payload: the exploit uses TmUpdate.dll gadgets and a VirtualAlloc IAT pointer (0x6686115c) to bypass DEP on Windows 2003 SP2.
- The ROP chain and return address (0x666b34c8 stack pivot in TMNotify.dll) are hardcoded for Windows 2003 Server SP2 only; the exploit explicitly notes TCM 5.5 cannot be installed on Win2k3 SP0-SP1, Win2k8, or XP, limiting the target surface.
- The vulnerable 256-byte stack buffer is only reachable via a specially crafted IPC packet; null bytes (\x00) are bad characters and must be avoided in shellcode.
- The vulnerability is fixed in Trend Micro Control Manager 5.5 Build 1613 and later; detection rules targeting CmdProcessor.exe on TCP/20101 are only relevant for pre-1613 builds.
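The three network indicators above (magic header, opcode at offset 11, oversized packet) as a small packet classifier; this is an added example, not code from the page, Trend Micro or Metasploit. The port, offsets and byte values come from the indicators listed; the sample payloads are constructed test fixtures that only mirror that layout.

```python
# Added example: classify TCP payloads sent to the Control Manager IPC port
# against the indicators documented for CVE-2011-5001. Values from the page;
# the sample packets below are constructed, not captured traffic.
TMCM_PORT = 20101
MAGIC_HEADER = b"\x00\x00\x13\x88"   # magic + declared buffer size 0x1388 (5000)
OPCODE = b"\x15\x09\x13"             # AddTask opcode reported at offset 11
OPCODE_OFFSET = 11
LARGE_PACKET = 5000                  # filler size used to reach the 256-byte buffer


def classify_packet(dst_port: int, payload: bytes) -> list:
    """Return the names of every indicator the payload matches (empty if none)."""
    hits = []
    if dst_port != TMCM_PORT:
        return hits                      # indicators only apply to the IPC port
    if payload.startswith(MAGIC_HEADER):
        hits.append("magic_header_0x1388")
    # Slicing is safe on short payloads: a packet shorter than 14 bytes yields
    # a short slice that never equals the 3-byte opcode, so no false match.
    if payload[OPCODE_OFFSET:OPCODE_OFFSET + len(OPCODE)] == OPCODE:
        hits.append("addtask_opcode_at_offset_11")
    if len(payload) >= LARGE_PACKET:
        hits.append("oversized_ipc_packet")
    return hits


def triage(dst_port: int, payload: bytes) -> str:
    """Collapse indicator hits into a verdict: two or more indicators is an alert,
    a single one is worth a look, none is benign."""
    hits = classify_packet(dst_port, payload)
    if len(hits) >= 2:
        return "alert"
    return "review" if hits else "benign"


# Constructed fixtures: one packet laid out like the documented indicators
# (header, 7 bytes of padding so the opcode lands at offset 11, 5000-byte filler)
# and one ordinary short packet to the same port.
SUSPICIOUS = MAGIC_HEADER + b"\x00" * 7 + OPCODE + b"A" * LARGE_PACKET
BENIGN = b"\x01\x02hello"

if __name__ == "__main__":
    for name, pkt in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, triage(TMCM_PORT, pkt), classify_packet(TMCM_PORT, pkt))
```

Because the magic header carries the declared buffer size, the first indicator alone fires on any packet that announces a 5000-byte body, so keeping the size check separate helps flag variants that change the header but still send an oversized payload.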
No detection rules found.
Exploit-DB
Trend Micro Control Manger 5.5 - 'CmdProcessor.exe' Remote Stack Buffer Overflow (Metasploit) (exploitdb · 2012-02-23)
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 "TrendMicro Control Manger %q{
This module exploits a vulnerability in the CmdProcessor.exe component of Trend
Micro Control Manger up to version 5.5.
The specific flaw exists within CmdProcessor.exe service running on TCP port
20101. The vulnerable function is the CGenericScheduler::AddTask function of
cmdHandlerRedAlertController.dll. When processing a specially crafted IPC packet,
controlled data i
```
Metasploit
TrendMicro Control Manger CmdProcessor.exe Stack Buffer Overflow
This module exploits a vulnerability in the CmdProcessor.exe component of Trend Micro Control Manager up to version 5.5. The specific flaw exists within the CmdProcessor.exe service running on TCP port 20101. The vulnerable function is the CGenericScheduler::AddTask function of cmdHandlerRedAlertController.dll. When processing a specially crafted IPC packet, controlled data is copied into a 256-byte stack buffer. This can be exploited to execute remote code under the context of the user.
No writeups or analysis indexed.
References:
- http://secunia.com/advisories/47114
- http://www.securityfocus.com/archive/1/520780/100/0/threaded
- http://www.securitytracker.com/id?1026390
- http://www.trendmicro.com/ftp/documentation/readme/readme_critical_patch_TMCM55_1613.txt
- http://www.zerodayinitiative.com/advisories/ZDI-11-345/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/71681