Vulnerabilities > CVE-2011-2217 - Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Certain ActiveX controls in (1) tsgetxu71ex552.dll and (2) tsgetx71ex552.dll in Tom Sawyer GET Extension Factory 5.5.2.237, as used in VI Client (aka VMware Infrastructure Client) 2.0.2 before Build 230598 and 2.5 before Build 204931 in VMware Infrastructure 3, do not properly handle attempted initialization within Internet Explorer, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted HTML document.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 | |
| Application | 3 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Exploit-Db
| description | Tom Sawyer Software GET Extension Factory Remote Code Execution. CVE-2011-2217. Remote exploit for windows platform |
| id | EDB-ID:19030 |
| last seen | 2016-02-02 |
| modified | 2012-06-10 |
| published | 2012-06-10 |
| reporter | metasploit |
| source | https://www.exploit-db.com/download/19030/ |
| title | Tom Sawyer Software GET Extension Factory Remote Code Execution |
Metasploit
| description | This module exploits a remote code execution vulnerability in the tsgetx71ex553.dll ActiveX control installed with Tom Sawyer GET Extension Factory due to an incorrect initialization under Internet Explorer. While the Tom Sawyer GET Extension Factory is installed with some versions of VMware Infrastructure Client, this module has been tested only with the versions installed with Embarcadero Technologies ER/Studio XE2 / Embarcadero Studio Portal 1.6. The ActiveX control tested is tsgetx71ex553.dll, version 5.5.3.238. This module achieves DEP and ASLR bypass using the well known msvcr71.dll rop chain. The dll is installed by default with the Embarcadero software, and loaded by the targeted ActiveX. |
| id | MSF:EXPLOIT/WINDOWS/BROWSER/TOM_SAWYER_TSGETX71EX552 |
| last seen | 2020-03-24 |
| modified | 2017-10-05 |
| published | 2012-06-08 |
| references | |
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/tom_sawyer_tsgetx71ex552.rb |
| title | Tom Sawyer Software GET Extension Factory Remote Code Execution |
Nessus
NASL family Misc. NASL id VMWARE_VMSA-2011-0009_REMOTE.NASL description The remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in the Linux Kernel in the do_anonymous_page() function due to improper separation of the stack and the heap. An attacker can exploit this to execute arbitrary code. (CVE-2010-2240) - A packet filter bypass exists in the Linux Kernel e1000 driver due to processing trailing payload data as a complete frame. A remote attacker can exploit this to bypass packet filters via a large packet with a crafted payload. (CVE-2009-4536) - A use-after-free error exists in the Linux Kernel when IPV6_RECVPKTINFO is set on a listening socket. A remote attacker can exploit this, via a SYN packet while the socket is in a listening (TCP_LISTEN) state, to cause a kernel panic, resulting in a denial of service condition. (CVE-2010-1188) - An array index error exists in the Linux Kernel in the gdth_read_event() function. A local attacker can exploit this, via a negative event index in an IOCTL request, to cause a denial of service condition. (CVE-2009-3080) - A race condition exists in the VMware Host Guest File System (HGFS) that allows guest operating system users to gain privileges by mounting a filesystem on top of an arbitrary directory. (CVE-2011-1787) - A flaw exists in the VMware Host Guest File System (HGFS) that allows a Solaris or FreeBSD guest operating system user to modify arbitrary guest operating system files. (CVE-2011-2145) - A flaw exists in the VMware Host Guest File System (HGFS) that allows guest operating system users to disclose host operating system files and directories. (CVE-2011-2146) - A flaw exists in the bundled Tom Sawyer GET Extension Factory that allows a remote attacker to cause a denial of service condition or the execution of arbitrary code via a crafted HTML document. (CVE-2011-2217) last seen 2020-06-01 modified 2020-06-02 plugin id 89678 published 2016-03-04 reporter This script is Copyright (C) 2016-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/89678 title VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2011-0009) (remote check) NASL family Windows NASL id TOMSAWYER_GET_EXTENSION_FACTORY_ACTIVEX.NASL description Tom Sawyer Software last seen 2020-06-01 modified 2020-06-02 plugin id 54990 published 2011-06-07 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/54990 title Tom Sawyer Software GET Extension Factory COM Object Instantiation Memory Corruption NASL family VMware ESX Local Security Checks NASL id VMWARE_VMSA-2011-0009.NASL description a. VMware vmkernel third-party e1000(e) Driver Packet Filter Bypass There is an issue in the e1000(e) Linux driver for Intel PRO/1000 adapters that allows a remote attacker to bypass packet filters. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-4536 to this issue. b. ESX third-party update for Service Console kernel This update for the console OS kernel package resolves four security issues. 1) IPv4 Remote Denial of Service An remote attacker can achieve a denial of service via an issue in the kernel IPv4 code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-1188 to this issue. 2) SCSI Driver Denial of Service / Possible Privilege Escalation A local attacker can achieve a denial of service and possibly a privilege escalation via a vulnerability in the Linux SCSI drivers. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-3080 to this issue. 3) Kernel Memory Management Arbitrary Code Execution A context-dependent attacker can execute arbitrary code via a vulnerability in a kernel memory handling function. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-2240 to this issue. 4) e1000 Driver Packet Filter Bypass There is an issue in the Service Console e1000 Linux driver for Intel PRO/1000 adapters that allows a remote attacker to bypass packet filters. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-4536 to this issue. c. Multiple vulnerabilities in mount.vmhgfs This patch provides a fix for the following three security issues in the VMware Host Guest File System (HGFS). None of these issues affect Windows based Guest Operating Systems. 1) Mount.vmhgfs Information Disclosure Information disclosure via a vulnerability that allows an attacker with access to the Guest to determine if a path exists in the Host filesystem and whether it is a file or directory regardless of permissions. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-2146 to this issue. 2) Mount.vmhgfs Race Condition Privilege escalation via a race condition that allows an attacker with access to the guest to mount on arbitrary directories in the Guest filesystem and achieve privilege escalation if they can control the contents of the mounted directory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-1787 to this issue. 3) Mount.vmhgfs Privilege Escalation Privilege escalation via a procedural error that allows an attacker with access to the guest operating system to gain write access to an arbitrary file in the Guest filesystem. This issue only affects Solaris and FreeBSD Guest Operating Systems. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-2145 to this issue. VMware would like to thank Dan Rosenberg for reporting these issues. d. VI Client ActiveX vulnerabilities VI Client COM objects can be instantiated in Internet Explorer which may cause memory corruption. An attacker who succeeded in making the VI Client user visit a malicious Web site could execute code on the user last seen 2020-06-01 modified 2020-06-02 plugin id 54968 published 2011-06-06 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/54968 title VMSA-2011-0009 : VMware hosted product updates, ESX patches and VI Client update resolve multiple security issues
Packetstorm
data source https://packetstormsecurity.com/files/download/113484/tom_sawyer_tsgetx71ex552.rb.txt id PACKETSTORM:113484 last seen 2016-12-05 published 2012-06-11 reporter rgod source https://packetstormsecurity.com/files/113484/Tom-Sawyer-Software-GET-Extension-Factory-Remote-Code-Execution.html title Tom Sawyer Software GET Extension Factory Remote Code Execution data source https://packetstormsecurity.com/files/download/104882/studioportal-activex.txt id PACKETSTORM:104882 last seen 2016-12-05 published 2011-09-08 reporter rgod source https://packetstormsecurity.com/files/104882/Embarcadero-ER-Studio-XE2-Server-Portal-Code-Execution.html title Embarcadero ER/Studio XE2 Server Portal Code Execution
Saint
| bid | 48099 |
| description | Tom Sawyer GET Extension Factory COM Object Instantiation Memory Corruption |
| title | tom_sawyer_get_extension_factory_activex |
| type | client |
References
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=911
- http://secunia.com/advisories/44826
- http://secunia.com/advisories/44844
- http://securitytracker.com/id?1025602
- http://www.securityfocus.com/bid/48099
- http://www.vmware.com/security/advisories/VMSA-2011-0009.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/67816