CVE-2011-4042

critical
Published 2012-04-03 · Modified 2026-04-29
CVSS v3
—
CVSS v4 NEW
—
not yet in upstream
VIR risk
10.0

Description

An unspecified ActiveX control in SVUIGrd.ocx in ARC Informatique PcVue 6.0 through 10.0, FrontVue, and PlantVue allows remote attackers to execute arbitrary code by using a crafted HTML document to obtain control of a function pointer.

Predictions

Exploit likelihood
20%
Patch ETA
—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.


Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-17896 dos windows verified text · 4 KB
Luigi Auriemma ยท 2011-09-27

PcVue 10.0 - Multiple Vulnerabilities

text exploit Source: Exploit-DB
#######################################################################

                             Luigi Auriemma

Application:  PcVue
              http://www.arcinfo.com/index.php?option=com_content&id=2&Itemid=151
Versions:     PcVue       <= 10.0
              SVUIGrd.ocx <= 1.5.1.0
              aipgctl.ocx <= 1.07.3702
Platforms:    Windows
Bugs:         A] code execution in SVUIGrd.ocx Save/LoadObject
              B] write4 in SVUIGrd.ocx GetExtendedColor
              C] possible files corruption/injection in SVUIGrd.ocx Save/LoadObject
              D] array overflow in aipgctl.ocx DeletePage
Exploitation: remote
Date:         27 Sep 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's homepage:
"PcVue is a new generation of SCADA software. It is characterised by
modern ergonomics and by tools based on object technology to reduce and
optimise applications development."


#######################################################################

=======
2) Bugs
=======

------------------------------------------------
A] code execution in SVUIGrd.ocx Save/LoadObject
------------------------------------------------

The aStream number of SaveObject and LoadObject methods available in
SVUIGrd.ocx (2BBD45A5-28AE-11D1-ACAC-0800170967D9) is used directly as
function pointer:

  02695b9d 8b00            mov     eax,dword ptr [eax]  ; controlled
  02695b9f ff5004          call    dword ptr [eax+4]    ; execution


-----------------------------------------
B] write4 in SVUIGrd.ocx GetExtendedColor
-----------------------------------------

Through the GetExtendedColor method of SVUIGrd.ocx it's possible to
write a dword in an arbitrary memory location:

  02198e36 8902            mov     dword ptr [edx],eax  ; controlled


---------------------------------------------------------------------
C] possible files corruption/injection in SVUIGrd.ocx Save/LoadObject
---------------------------------------------------------------------

SaveObject allows specifying the name of the file to save, while
LoadObject the one to load.
I have not performed additional research, so for the moment the only
thing I have seen is the possibility of corrupting the files in the
system via directory traversal attacks.
I suspect that writing custom content is probably possible, but it has
not been proved or verified.


-------------------------------------------
D] array overflow in aipgctl.ocx DeletePage
-------------------------------------------

Array overflow in the DeletePage method of the ActiveX component
aipgctl.ocx (083B40D3-CCBA-11D2-AFE0-00C04F7993D6):

  10013852 8b0cb8          mov     ecx,dword ptr [eax+edi*4]
  10013855 85c9            test    ecx,ecx
  10013857 7407            je      aipgctl+0x13860 (10013860)
  10013859 8b11            mov     edx,dword ptr [ecx]
  1001385b 6a01            push    1
  1001385d ff5204          call    dword ptr [edx+4]    ; execution


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/pcvue_1.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17896.zip


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
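
The advisory lists no fix, so a defender's first check is whether Internet Explorer can still instantiate the two controls it names. The script below is an added example, not part of the advisory or any vendor guidance: it audits, and can optionally set, the standard Windows ActiveX kill bit (`Compatibility Flags` value 0x400) for the two CLSIDs quoted above. The function names are hypothetical; run it elevated and validate on a non-production HMI node first.

```powershell
# Added example: audit / set the ActiveX kill bit for the CLSIDs in the advisory.
$Controls = [ordered]@{
    'SVUIGrd.ocx' = '{2BBD45A5-28AE-11D1-ACAC-0800170967D9}'
    'aipgctl.ocx' = '{083B40D3-CCBA-11D2-AFE0-00C04F7993D6}'
}
$KillBit = 0x400   # "Compatibility Flags" bit that blocks instantiation in IE

# Native hive plus the 32-bit view used by 32-bit IE on 64-bit Windows.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitState {
    foreach ($name in $Controls.Keys) {
        foreach ($root in $Roots) {
            # Wow6432Node is absent on 32-bit hosts; skip roots that do not exist.
            if (-not (Test-Path -LiteralPath $root)) { continue }
            $key   = Join-Path $root $Controls[$name]
            $flags = 0
            if (Test-Path -LiteralPath $key) {
                $prop = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                            -ErrorAction SilentlyContinue
                if ($prop) { $flags = [int]$prop.'Compatibility Flags' }
            }
            [pscustomobject]@{
                Control = $name
                Key     = $key
                Flags   = $flags
                Killed  = [bool]($flags -band $KillBit)
            }
        }
    }
}

function Set-KillBit {
    foreach ($row in (Get-KillBitState | Where-Object { -not $_.Killed })) {
        if (-not (Test-Path -LiteralPath $row.Key)) {
            New-Item -Path $row.Key -Force | Out-Null
        }
        # OR the bit in so any compatibility flags already present survive.
        New-ItemProperty -LiteralPath $row.Key -Name 'Compatibility Flags' `
            -PropertyType DWord -Value ($row.Flags -bor $KillBit) -Force | Out-Null
    }
}

Get-KillBitState | Format-Table -AutoSize      # audit only
# Set-KillBit; Get-KillBitState | Format-Table -AutoSize   # uncomment to enforce
```

The kill bit only stops hosts that honor it, such as Internet Explorer, from loading the control from a web page; it does not change the vulnerable code in the .ocx files themselves.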

Application impact

Vendor    Product    Versions    Fixed
arcinfo   frontvue
arcinfo   pcvue      6.0
arcinfo   pcvue      8.2
arcinfo   pcvue      9.0
arcinfo   pcvue      10.0
arcinfo   plantvue
