cvebase
CVE-2012-0201
published 2012-03-02

Priority: P3 (55)
Severity: critical, CVSS 2.0 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 37.18% (98.3rd percentile)
Stack-based buffer overflow in pcspref.dll in pcsws.exe in IBM Personal Communications 5.9.x before 5.9.8 and 6.0.x before 6.0.4 might allow remote attackers to execute arbitrary code via a long profile string in a WorkStation (aka .ws) file.

Affected (3 ranges)

Vendor / Product: ibm / personal_communications (all three ranges; the version range and fixed-in columns did not survive extraction, but the description above gives the bounds: 5.9.x before 5.9.8 and 6.0.x before 6.0.4)

Detection & IOCs (extracted from sources)

Filename: pcspref.dll
Filename: pcsws.exe
Address: 0x67575180
ROP gadget: 0X641A1EE2 (cwbcore.dll) - Removes 0XFFFFFFF0 from stack to EAX
ROP gadget: 0X7C801AD4 (kernel32.VirtualProtect, XP SP3)
ROP gadget: 0X63B08084 (kernel32.terminateprocess IAT pointer)
ROP gadget: 0X67A85090 (&Writable location)
Bad characters: \x00\x0a\x0d\x3d
  • Monitor for creation or opening of malicious .ws (WorkStation) files by pcsws.exe; a long string value under the 'Profile' header key triggers the overflow in pcspref.dll.
  • The overflow occurs when the 'Profile' header value exceeds 52 characters; the saved return address at stack offset 0x6c is overwritten. Alert on pcsws.exe spawning unexpected child processes or on other indicators of shellcode execution.
  • A valid pointer must be present at stack offset 0x74 (used as an argument for the function called at 0x675751ED in pcspref.dll). Anomalous values at this offset during pcsws.exe execution indicate active exploitation.
  • Payload space is 800 bytes; bad characters \x00, \x0a, \x0d, \x3d are avoided. Scan .ws files for Profile header values exceeding 52 characters and not containing these bytes as a heuristic for exploit payloads.
  • The Metasploit exploit targets only IBM Personal Communications 5.9 (pcsws.exe version 5090.27271.709 / IBM System i Access for Windows V6R1M0 06.01.0001.0000a). ROP gadget addresses are specific to the non-ASLR IBM DLL versions listed and will not apply to patched (5.9.8+ / 6.0.4+) or differently versioned builds.