CVE-2012-0198
published 2012-03-06

CVE-2012-0198: Stack-based buffer overflow in the RunAndUploadFile method in the Isig.isigCtl.1 ActiveX control in IBM Tivoli Provisioning Manager Express for Software…

Priority: P260 (critical) · CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 36.95% (98.3rd percentile)
Stack-based buffer overflow in the RunAndUploadFile method in the Isig.isigCtl.1 ActiveX control in IBM Tivoli Provisioning Manager Express for Software Distribution 4.1.1 allows remote attackers to execute arbitrary code via vectors related to an Asset Information file.

Affected

1 range
Vendor: ibm · Product: tivoli_provisioning_manager_express_for_software_distribution · Version range: (not given) · Fixed in: (not given)

Detection & IOCs (extracted from sources)

other: {84B74E82-3475-420E-9949-773B4FB91771}
url: /tpmx/uploadEG2.do
command: RunAndUploadFile
registry: Isig.isigCtl.1
other: 0x7c375a3d
path: isig.dll
  • Detect ActiveX instantiation of the vulnerable control by its CLSID {84B74E82-3475-420E-9949-773B4FB91771} in browser traffic or registry queries.
  • Alert on HTTP requests to the path /tpmx/uploadEG2.do, which is the upload endpoint targeted by the exploit.
  • Monitor for calls to RunAndUploadFile with an oversized 'OtherFields' / 'fields' parameter (offset 161+ bytes) from a browser process, indicative of stack overflow exploitation.
  • Look for the ROP gadget return address 0x7c375a3d (msvcr71.dll stack pivot: mov esp, ebp / pop ebp / ret) on the stack when IE 8 on XP SP3 is targeted.
  • Detect the exploit's default post-exploitation action: a 'migrate -f' process migration via Meterpreter, triggered as InitialAutoRunScript immediately after shell.
  • The exploit targets IE 6–8 on Windows XP SP3 exclusively; restrict or alert on these User-Agent strings accessing pages that instantiate the Isig.isigCtl.1 ActiveX control.
  • The stack overflow offset is 161 bytes and is dependent on the length of the literal string 'submit' in the fields parameter; changes to that string alter the required offset.
  • The vulnerable function (strcat in isig.dll) is not protected by stack cookies, making EIP control straightforward without bypassing any stack-protection mitigation.
  • JavaScript obfuscation of the heap spray is optional (OBFUSCATE option); detection rules based on static JS patterns may miss obfuscated variants.

CVSS provenance

nvd (CVSS v2.0): 9.3 CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_redhat: 5.0 MEDIUM