CVE-2011-2657
published 2012-07-26

Priority: P263
Severity: medium, 6.8 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 48.37% (98.7th percentile)
Directory traversal vulnerability in the LaunchProcess function in the LaunchHelp.HelpLauncher.1 ActiveX control in LaunchHelp.dll in AdminStudio in Novell ZENworks Configuration Management (ZCM) 10.2, 10.3, and 11 SP1 allows remote attackers to execute arbitrary commands via a pathname in the first argument.

Affected

3 ranges
Vendor | Product | Version range | Fixed in
novell | zenworks_configuration_management | |
novell | zenworks_configuration_management | |
novell | zenworks_configuration_management | |

Detection & IOCs (extracted from sources)

filename: LaunchHelp.dll
other: LaunchHelp.HelpLauncher.1
  • Monitor for ActiveX instantiation of the ProgID 'LaunchHelp.HelpLauncher.1' in browser processes (e.g., iexplore.exe), particularly calls to its LaunchProcess method with path arguments containing directory traversal sequences.
  • The Metasploit module targets IE 6 and IE 8 on Windows XP SP3; filter for MSIE User-Agent strings when hunting for exploit delivery traffic. The module explicitly rejects non-MSIE browsers.
  • The exploit drops a randomly named .vbs stager and a randomly named .exe payload into the Windows Temp folder (default C:/Windows/Temp). Hunt for VBScript files launched from browser processes that write executables to Temp.
  • The Metasploit module uses 'migrate -f' as InitialAutoRunScript, meaning a successful compromise will immediately attempt process migration from the browser. Detect Meterpreter process injection following iexplore.exe exploitation.
  • The exploit serves the payload EXE with Content-Type 'application/octet-stream' from the attacker's HTTP server; correlate browser HTTP responses of this type immediately following ActiveX control loading.
  • The stager uses the 'Microsoft.XMLHTTP' COM object to download the payload. Monitor for VBScript creating Microsoft.XMLHTTP objects from within the Windows Temp directory context.
  • The Metasploit module was successfully tested only against AdminStudio 9.5 (LaunchHelp.dll version 9.5.0.0) bundled with Novell ZENworks Configuration Management 10 SP2, on IE 6 and IE 8 over Windows XP SP3. Applicability to other versions/platforms may vary.
  • Affected ZCM versions are specifically 10.2, 10.3, and 11 SP1; detections and mitigations should be scoped to these versions.
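
The process-lineage hunt described in the bullets above, as an added example (not taken from the source page or from the Metasploit module): it flags a script host started by iexplore.exe on a .vbs in the Windows Temp folder, then correlates an .exe written to the same folder by that process. The event field names, the wscript.exe/cscript.exe script hosts, the two-minute window and all sample events are assumptions constructed for illustration.

```python
import ntpath
from datetime import datetime, timedelta

BROWSERS = {"iexplore.exe"}                    # browser process named on the page
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # assumption: Windows Script Host runs the .vbs
TEMP_DIR = r"c:\windows\temp"                  # default Temp folder given on the page
WINDOW = timedelta(minutes=2)                  # assumed correlation window

def norm(path):  # lower-case and unify separators so C:/Windows/Temp also matches
    return ntpath.normpath(path).lower()

def in_temp(path, ext):  # file sits directly in TEMP_DIR and has the given extension
    p = norm(path)
    return ntpath.dirname(p) == TEMP_DIR and p.endswith(ext)

def temp_vbs(cmdline):  # first Temp-folder .vbs path on the command line, or None
    tokens = cmdline.replace('"', " ").split()
    return next((norm(t) for t in tokens if in_temp(t, ".vbs")), None)

def hunt(events):
    """Correlate browser -> script host (.vbs in Temp) -> .exe written to Temp."""
    stagers, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["host"], ev["pid"])
        if ev["type"] == "process_create":
            image = ntpath.basename(norm(ev["image"]))
            parent = ntpath.basename(norm(ev["parent_image"]))
            vbs = temp_vbs(ev["cmdline"])
            if image in SCRIPT_HOSTS and parent in BROWSERS and vbs:
                stagers[key] = (ev["time"], vbs)   # remember the suspected stager
        elif ev["type"] == "file_create" and key in stagers:
            started, vbs = stagers[key]
            if in_temp(ev["target"], ".exe") and ev["time"] - started <= WINDOW:
                alerts.append({"host": ev["host"], "stager": vbs, "dropped": norm(ev["target"])})
    return alerts

# Constructed sample events (hypothetical field names, not real telemetry).
T0 = datetime(2012, 8, 1, 10, 0, 0)
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
def mk(kind, host, secs, pid, **fields):
    return dict(type=kind, host=host, time=T0 + timedelta(seconds=secs), pid=pid, **fields)
SAMPLE = [
    mk("process_create", "ws01", 0, 4120, image=r"C:\Windows\System32\wscript.exe",
       parent_image=IE, cmdline=r'wscript.exe "C:\Windows\Temp\qzxw.vbs"'),
    mk("file_create", "ws01", 4, 4120, target="C:/Windows/Temp/hbtk.exe"),
    mk("process_create", "ws02", 0, 900, image=r"C:\Windows\System32\cscript.exe",  # benign
       parent_image=r"C:\Windows\explorer.exe", cmdline=r"cscript.exe C:\Windows\Temp\inv.vbs"),
    mk("file_create", "ws02", 3, 900, target=r"C:\Windows\Temp\setup.exe"),
]
```

`hunt(SAMPLE)` returns a single alert for ws01; the ws02 script is ignored because its parent is explorer.exe rather than the browser.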