CVE-2011-5162
Published 2012-09-15
Priority: P346 · critical · 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit available
EPSS: 6.85% (93.2th percentile)
Stack-based buffer overflow in GOM Player 2.1.33.5071 allows user-assisted remote attackers to execute arbitrary code via a .ASX file with a long URI in the "ref href" tag. NOTE: this issue exists because of a CVE-2007-0707 regression.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gomlab | gom_player | — | — |
Detection & IOCs (extracted from sources)
- Trigger condition is a .ASX file containing a long URI value within a "ref href" tag; monitor file-open events in GOM Player for .ASX files with oversized href attributes.
- The exploit uses a Unicode-safe (venetian) shellcode encoding pattern beginning with "PPYAIAIAIAIA"; scan .ASX file content for this byte sequence as a malicious payload indicator.
- A buffer of 2046 characters in the href URI triggers the stack overflow; alert on .ASX files where any single attribute value exceeds ~2000 characters.
- The crafted file is delivered as a .ASX playlist; inspect files with the .ASX extension opened by GOM Player (GOM.exe) for anomalously large "ref href" values.
- This vulnerability is a regression of CVE-2007-0707: the same class of .ASX "ref href" overflow was previously patched and then reintroduced, so detection rules for CVE-2007-0707 may also apply here.
- The exploit was tested only on Windows XP SP2; behaviour on later Windows versions (with ASLR/DEP) may differ and the provided shellcode may not execute reliably.
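A defender-side scanner for the two indicators listed above (an oversized "ref href" value and the venetian-encoder marker), as an added example that is not part of this page or of any vendor tool; the .ASX samples are constructed, and the 2000-character threshold is the one suggested in the list above.

```python
import re

# Thresholds taken from the IOC list above: the PoC used a 2046-character href,
# and the detection hint is to alert on attribute values over ~2000 characters.
HREF_LIMIT = 2000
# Unicode-safe (venetian) encoder prologue quoted in the IOC list above.
VENETIAN_MARKER = "PPYAIAIAIAIA"

# ASX playlists are loosely XML and often not well-formed (mixed-case tags,
# unquoted attributes), so a tolerant regex is used instead of an XML parser.
_REF_HREF = re.compile(
    r"<\s*ref\b[^>]*?\bhref\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))",
    re.IGNORECASE | re.DOTALL,
)

def scan_asx(text):
    """Return a list of (reason, detail) findings for one .ASX document."""
    findings = []
    for n, m in enumerate(_REF_HREF.finditer(text), start=1):
        # Exactly one of the three alternation groups captured the value.
        href = next(g for g in m.groups() if g is not None)
        if len(href) > HREF_LIMIT:
            findings.append(("oversized_ref_href", f"ref #{n}: {len(href)} chars"))
    if VENETIAN_MARKER in text:
        findings.append(("venetian_shellcode_marker", VENETIAN_MARKER))
    return findings

def is_suspicious(text):
    return bool(scan_asx(text))

# Constructed samples (not taken from the public exploit): a normal playlist and
# one whose href is padded to the 2046-character trigger length quoted above.
BENIGN_ASX = """<asx version="3.0">
  <title>Example playlist</title>
  <entry><ref href="http://media.example.test/clip.wmv"/></entry>
</asx>"""

OVERSIZED_ASX = """<ASX VERSION="3.0">
  <ENTRY><REF HREF="{}"/></ENTRY>
</ASX>""".format("A" * 2046)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_ASX), ("oversized", OVERSIZED_ASX)):
        print(name, scan_asx(doc))
```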
No detection rules found.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/47009
- http://www.exploit-db.com/exploits/18174/
- http://www.osvdb.org/33080
- https://exchange.xforce.ibmcloud.com/vulnerabilities/71575