CVE-2011-5167
published 2012-09-15


Priority: P353 (critical)
CVSS 2.0 base score: 9.3 (vector AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 9.76% (94.9th percentile)
Heap-based buffer overflow in the SetDevNames method of the Tidestone Formula One ActiveX control (TTF16.ocx) 6.3.5 Build 1 in Oracle Hyperion Strategic Finance 12.x and possibly earlier allows remote attackers to execute arbitrary code via a long string to the DriverName parameter.

Affected (3 ranges)

Vendor      Product                         Version range   Fixed in
oracle      hyperion_strategic_finance      <= 12.0         -
oracle      hyperion_strategic_finance      -               -
tidestone   formula_one_activex_control     -               -

Detection & IOCs (extracted from sources)

filename: TTF16.ocx
bytes (heap-spray payload fragment, %u-encoded): %u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a
  • The vulnerable method is SetDevNames on the TTF16.ocx ActiveX control. Monitor for instantiation of this control (CLSID lookup for TTF16.ocx) in browser processes, especially when unusually long strings are passed to the DriverName parameter.
  • The exploit uses a heap spray with a fixed block size of 0x20000 bytes. Detect large, repeated allocations of this size in browser heap memory, consistent with JavaScript-based heap spraying against Internet Explorer.
  • The shellcode embedded in the heap spray adds a local Administrator account with username 'sun' and password 'tzu'. Monitor for unexpected local account creation events (Windows Event ID 4720), in particular with these credentials, as a post-exploitation indicator.
  • The exploit builds an overflow payload with a final size of 1200 bytes. Network-level detection should flag HTTP responses delivering JavaScript that instantiates TTF16.ocx with DriverName parameters exceeding normal length bounds.
  • The exploit targets Oracle Hyperion Strategic Finance version 12.x, and possibly earlier builds of TTF16.ocx version 6.3.5 Build 1. Versions outside this range may not be vulnerable.