CVE-2012-0198
Published: 2012-03-06
Priority: P260 · critical · CVSS 2.0 score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 36.95% (98.3th percentile)
Stack-based buffer overflow in the RunAndUploadFile method in the Isig.isigCtl.1 ActiveX control in IBM Tivoli Provisioning Manager Express for Software Distribution 4.1.1 allows remote attackers to execute arbitrary code via vectors related to an Asset Information file.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ibm | tivoli_provisioning_manager_express_for_software_distribution | — | — |
Detection & IOCs (extracted from sources)
- Detect ActiveX instantiation of the vulnerable control by its CLSID {84B74E82-3475-420E-9949-773B4FB91771} in browser traffic or registry queries.
- Alert on HTTP requests to the path /tpmx/uploadEG2.do, which is the upload endpoint targeted by the exploit.
- Monitor for calls to RunAndUploadFile with an oversized 'OtherFields' / 'fields' parameter (offset 161+ bytes) from a browser process, indicative of stack overflow exploitation.
- Look for the ROP gadget return address 0x7c375a3d (msvcr71.dll stack pivot: mov esp, ebp / pop ebp / ret) on the stack when IE 8 on XP SP3 is targeted.
- Detect the exploit's default post-exploitation action: a 'migrate -f' process migration via Meterpreter, triggered as InitialAutoRunScript immediately after shell.
- The exploit targets IE 6–8 on Windows XP SP3 exclusively; restrict or alert on these User-Agent strings accessing pages that instantiate the Isig.isigCtl.1 ActiveX control.
- The stack overflow offset is 161 bytes and is dependent on the length of the literal string 'submit' in the fields parameter; changes to that string alter the required offset.
- The vulnerable function (strcat in isig.dll) is not protected by stack cookies, making EIP control straightforward without bypassing any stack-protection mitigation.
- JavaScript obfuscation of the heap spray is optional (OBFUSCATE option); detection rules based on static JS patterns may miss obfuscated variants.
CVSS provenance
- nvd · v2.0 · 9.3 CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
- vendor_redhat · 5.0 MEDIUM
GHSA
GHSA-56fg-wq4g-g6jp [HIGH]: Stack-based buffer overflow in the RunAndUploadFile method in the Isig
ghsa_unreviewed · 2022-05-04
Red Hat
CVE-2013-0198 [MEDIUM]: dnsmasq: Incomplete fix for the CVE-2012-3411 issue
vendor_redhat · 2013-01-11 · CVSS 5.0
Dnsmasq before 2.66test2, when used with certain libvirt configurations, replies to queries from prohibited interfaces, which allows remote attackers to cause a denial of service (traffic amplification) via spoofed TCP based DNS queries. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3411.
Statement: Not vulnerable. This issue did not affect the versions of dnsmasq as shipped with Red Hat Enterprise Linux 5 and 6.
- Package: dnsmasq (Red Hat Enterprise Linux 5) - Not affected
- Package: dnsmasq (Red Hat Enterprise Linux 6) - Not affected
No detection rules found.
Exploit-DB
IBM Tivoli Provisioning Manager Express for Software Distribution Isig.isigCtl.1 - ActiveX RunAndUploadFile() Method Overflow (Metasploit)
exploitdb · 2012-04-10
Module source as indexed (truncated in the source record):

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 OperatingSystems::WINDOWS,
    :ua_name    => HttpClients::IE,
    :ua_minver  => "6.0",
    :ua_maxver  => "8.0",
    :javascript => true,
    :rank       => NormalRanking,
    :classid    => "{84B74E82-3475-420E-9949-773B4FB91771}",
    :vuln_test  => "RunAndUploadFile",
  })

  def initialize(info={})
    super(update_info(info,
      'Name'           => "IBM Tivoli Provisioning Manager Express for Software Distribution Isig.isigCtl.1 Activ
```
Metasploit
IBM Tivoli Provisioning Manager Express for Software Distribution Isig.isigCtl.1 ActiveX RunAndUploadFile() Method Overflow
metasploit
This module exploits a buffer overflow vulnerability in the Isig.isigCtl.1 ActiveX installed with IBM Tivoli Provisioning Manager Express for Software Distribution 4.1.1. The vulnerability is found in the "RunAndUploadFile" method, where the "OtherFields" parameter with user-controlled data is used to build a "Content-Disposition" header and attach contents in an insecure way, which allows a buffer on the stack to be overflowed.
No writeups or analysis indexed.
Published: 2012-03-06