CVE-2011-2657
Published 2012-07-26
Priority: P2 · 63 · medium · CVSS 2.0: 6.8
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 48.37% (98.7th percentile)
Directory traversal vulnerability in the LaunchProcess function in the LaunchHelp.HelpLauncher.1 ActiveX control in LaunchHelp.dll in AdminStudio in Novell ZENworks Configuration Management (ZCM) 10.2, 10.3, and 11 SP1 allows remote attackers to execute arbitrary commands via a pathname in the first argument.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| novell | zenworks_configuration_management | — | — |
| novell | zenworks_configuration_management | — | — |
| novell | zenworks_configuration_management | — | — |
Detection & IOCs (extracted from sources)
- Monitor for ActiveX instantiation of the ProgID 'LaunchHelp.HelpLauncher.1' in browser processes (e.g., iexplore.exe), particularly calls to its LaunchProcess method with path arguments containing directory traversal sequences.
- The Metasploit module targets IE 6 and IE 8 on Windows XP SP3; filter for MSIE User-Agent strings when hunting for exploit delivery traffic. The module explicitly rejects non-MSIE browsers.
- The exploit drops a randomly named .vbs stager and a randomly named .exe payload into the Windows Temp folder (default C:/Windows/Temp). Hunt for VBScript files spawned from browser processes writing executables to Temp.
- The Metasploit module uses 'migrate -f' as InitialAutoRunScript, meaning a successful compromise will immediately attempt process migration from the browser. Detect Meterpreter process injection following iexplore.exe exploitation.
- The exploit serves the payload EXE with Content-Type 'application/octet-stream' from the attacker's HTTP server; correlate browser HTTP responses of this type immediately following ActiveX control loading.
- The stager uses the 'Microsoft.XMLHTTP' COM object to download the payload. Monitor for VBScript creating Microsoft.XMLHTTP objects from within the Windows Temp directory context.
- The Metasploit module was successfully tested only against AdminStudio 9.5 (LaunchHelp.dll version 9.5.0.0) bundled with Novell ZENworks Configuration Management 10 SP2, on IE 6 and IE 8 over Windows XP SP3. Applicability to other versions/platforms may vary.
- Affected ZCM versions are specifically 10.2, 10.3, and 11 SP1; detections and mitigations should be scoped to these versions.
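The host-side hunt from the notes above (a .vbs started from the browser out of Temp, then an .exe written to Temp by that same script process) can be sketched as follows. This is an added example, not code from the page or from any vendor rule set; the event schema and field names are assumptions, the sample events are constructed, and it assumes the stager runs under the standard Windows script hosts wscript.exe or cscript.exe.

```python
import ntpath
import re

BROWSERS = {"iexplore.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # assumed: standard Windows script hosts
TEMP_DIR = "c:\\windows\\temp\\"               # default drop folder named in the notes

def in_temp(path, ext):
    """True if path, after collapsing '..' and mixed slashes, is a Temp file ending in ext."""
    p = ntpath.normpath(path).lower()
    return p.startswith(TEMP_DIR) and p.endswith(ext)

def hunt(events):
    """Walk an ordered event stream; return (stage, pid, artifact) findings."""
    images, stagers, findings = {}, set(), []
    for ev in events:
        if ev["type"] == "process":
            image = images[ev["pid"]] = ntpath.basename(ev["image"]).lower()
            args = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', ev["cmdline"])]
            scripts = [a for a in args if in_temp(a, ".vbs")]
            # Stage 1: browser starts a script host on a .vbs that lives in Temp.
            if images.get(ev["ppid"]) in BROWSERS and image in SCRIPT_HOSTS and scripts:
                stagers.add(ev["pid"])
                findings.append(("vbs_from_browser", ev["pid"], scripts[0]))
        elif ev["type"] == "file_create":
            # Stage 2: that same script host writes an executable into Temp.
            if ev["pid"] in stagers and in_temp(ev["path"], ".exe"):
                findings.append(("exe_dropped_by_stager", ev["pid"], ev["path"]))
    return findings

IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
WS = r"C:\WINDOWS\system32\wscript.exe"
# Constructed sample events, not real telemetry; field names are assumptions.
SAMPLE = [
    {"type": "process", "pid": 50, "ppid": 4, "image": r"C:\WINDOWS\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 100, "ppid": 50, "image": IE, "cmdline": "iexplore.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": WS,
     "cmdline": r'wscript.exe "C:\Program Files\App\..\..\WINDOWS\Temp\qzkd.vbs"'},
    {"type": "file_create", "pid": 200, "path": "C:/Windows/Temp/rmtp.exe"},
    # Benign: script host started from the desktop shell, and a browser write to Temp.
    {"type": "process", "pid": 300, "ppid": 50, "image": WS, "cmdline": r"wscript.exe C:\WINDOWS\Temp\logon.vbs"},
    {"type": "file_create", "pid": 100, "path": r"C:\WINDOWS\Temp\setup.exe"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE):
        print(finding)
```

Paths are normalized before matching so that mixed slashes or `..` segments in a command line do not hide a Temp location from the rule.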
No detection rules found.
Exploit-DB
AdminStudio - 'LaunchHelp.dll' ActiveX Arbitrary Code Execution (Metasploit)
exploitdb·2012-07-11
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'AdminStudio LaunchHelp.dll ActiveX Arbitrary Code Execution',
'Description' => %q{
This module exploits a vulnerability in AdminStudio LaunchHelp.dll ActiveX control. The
LaunchProcess function found in LaunchHelp.HelpLauncher.1 allows remote attackers to run
arbitrary commands on the victim machine. This module has been successfully tested with the
ActiveX installed with AdminStudio 9.5, which also comes with Novell ZENworks Configurati
```
Metasploit
AdminStudio LaunchHelp.dll ActiveX Arbitrary Code Execution
metasploit
This module exploits a vulnerability in AdminStudio LaunchHelp.dll ActiveX control. The LaunchProcess function found in LaunchHelp.HelpLauncher.1 allows remote attackers to run arbitrary commands on the victim machine. This module has been successfully tested with the ActiveX installed with AdminStudio 9.5, which also comes with Novell ZENworks Configuration Management 10 SP2, on IE 6 and IE 8 over Windows XP SP 3.
No writeups or analysis indexed.
Published: 2012-07-26