CVE-2012-0201
Published 2012-03-02
Priority: P3 · 55 · Severity: critical · CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 37.18% (98.3rd percentile)
Stack-based buffer overflow in pcspref.dll in pcsws.exe in IBM Personal Communications 5.9.x before 5.9.8 and 6.0.x before 6.0.4 might allow remote attackers to execute arbitrary code via a long profile string in a WorkStation (aka .ws) file.
Affected
3 ranges (version data for the extracted CPE entries was missing; the first two rows are taken from the description above, the third range carried no version data)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ibm | personal_communications | 5.9.x before 5.9.8 | 5.9.8 |
| ibm | personal_communications | 6.0.x before 6.0.4 | 6.0.4 |
| ibm | personal_communications | — | — |
Detection & IOCs (extracted from sources)
Bad characters (bytes): \x00 \x0a \x0d \x3d
- Monitor for creation or opening of malicious .ws (WorkStation) files by pcsws.exe; a long string value under the 'Profile' header key triggers the overflow in pcspref.dll.
- The overflow occurs when the 'Profile' header value exceeds 52 characters; the saved return address at stack offset 0x6c is overwritten. Alert on pcsws.exe spawning unexpected child processes or on shellcode executing in its address space.
- Exploitation constraint rather than a host indicator: a valid pointer must be present at stack offset 0x74 (it is passed as an argument to the function called at 0x675751ED in pcspref.dll). A stack offset is not something endpoint telemetry observes, so detection should rest on .ws file content and on pcsws.exe behaviour, not on this value.
- Payload space is 800 bytes, and the bytes \x00, \x0a, \x0d and \x3d cannot appear in it: NUL terminates the C string, CR/LF end the INI line, and '=' is the key/value separator. Scan .ws files for a 'Profile' value longer than 52 characters; a value that long which also contains non-printable bytes is a strong indicator of an exploit payload. Absence of the four bad bytes adds little as a filter on its own, since any value that reached the parser as a single value already lacks them.
- The Metasploit exploit targets only IBM Personal Communications 5.9 (pcsws.exe version 5090.27271.709 / IBM System i Access for Windows V6R1M0 06.01.0001.0000a). Its hard-coded return and gadget addresses are specific to the non-ASLR IBM DLL versions listed and will not apply to patched (5.9.8+ / 6.0.4+) or differently versioned builds.
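The file-content heuristic in the bullets above, written out as a small scanner. This is an added example, not code from the page, the Metasploit module or IBM. It assumes what the IOC text states: a .ws file is INI-style text, the overflowing field is a value in the [Profile] section longer than 52 characters, and the payload cannot contain \x00, \x0a, \x0d or \x3d. Which key under [Profile] the module fills is not given on the page, so every key in that section is checked; the sample files and the key name 'Description' are constructed for the example.

```python
"""Heuristic scanner for IBM Personal Communications .ws files (added example).

Works on bytes rather than str because an exploit payload is not valid text.
"""
from __future__ import annotations

SAFE_LIMIT = 52                  # longest [Profile] value the IOC text says parses safely
BAD_CHARS = b"\x00\x0a\x0d\x3d"  # NUL, LF, CR, '=': each would cut the value short


def parse_ws(data: bytes) -> dict[str, dict[bytes, bytes]]:
    """Minimal, byte-tolerant INI parser: {section: {key: value}}."""
    sections: dict[str, dict[bytes, bytes]] = {}
    current = ""
    for raw in data.splitlines():          # splits on \n, \r and \r\n only
        line = raw.strip(b" \t")
        if not line or line.startswith(b";"):
            continue
        if line.startswith(b"[") and line.endswith(b"]"):
            current = line[1:-1].decode("latin-1")
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition(b"=")  # first '=' splits key from value
        if sep:
            sections.setdefault(current, {})[key.strip(b" \t")] = value.strip(b" \t")
    return sections


def profile_findings(data: bytes, limit: int = SAFE_LIMIT) -> list[tuple[str, int, bool]]:
    """Return (key, length, has_non_printable) for every [Profile] value longer
    than `limit`. A real profile name or description never needs bytes outside
    printable ASCII, so non-printable content makes a long value far more suspect."""
    findings: list[tuple[str, int, bool]] = []
    for key, value in parse_ws(data).get("Profile", {}).items():
        if len(value) > limit:
            non_printable = any(b < 0x20 or b > 0x7E for b in value)
            findings.append((key.decode("latin-1"), len(value), non_printable))
    return findings


def payload_fits(payload: bytes) -> bool:
    """True if a payload would survive the INI parse as one value, i.e. it
    contains none of the bad characters listed in the IOC section."""
    return not any(b in payload for b in BAD_CHARS)


def scan_ws_file(path: str) -> list[tuple[str, int, bool]]:
    with open(path, "rb") as fh:
        return profile_findings(fh.read())


# Constructed benign file: short, human-readable values only.
BENIGN_WS = (
    b"[Profile]\r\n"
    b"ID=WS\r\n"
    b"Description=Payroll host session\r\n"
    b"Version=6\r\n"
    b"[Communication]\r\n"
    b"Link=telnet3270\r\n"
)

# Constructed suspect file: a Description value far past 52 bytes, padded with
# 0x90 filler (not shellcode) to mimic the 800-byte payload space.
SUSPECT_WS = (
    b"[Profile]\r\n"
    b"ID=WS\r\n"
    b"Description=" + b"A" * 60 + b"\x90" * 800 + b"\r\n"
    b"Version=6\r\n"
)

if __name__ == "__main__":
    import sys

    if sys.argv[1:]:
        for path in sys.argv[1:]:
            for key, length, binary in scan_ws_file(path):
                flag = " with non-printable bytes" if binary else ""
                print(f"{path}: [Profile] {key} is {length} bytes (> {SAFE_LIMIT}){flag}")
    else:
        print("benign :", profile_findings(BENIGN_WS))
        print("suspect:", profile_findings(SUSPECT_WS))
```

Run it with one or more .ws paths to scan real files, or with no arguments to see the two constructed samples classified. The length threshold is the whole signal; `payload_fits` is included only to show why the four bad characters are bad, not as a detection step.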
No detection rules found.
Exploit-DB
IBM Personal Communications I-Series Access Workstation 5.9 - Profile (Metasploit) (EDB-ID 18539, published 2012-02-29)
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# The class header and the start of the info hash were stripped by the
# HTML extraction (everything between '<' and '>'); they are restored here
# in the form every Metasploit 3 fileformat module of that era used.
class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'IBM Personal Communications I-Series Access WorkStation 5.9 Profile',
      'Description' => %q{
          The IBM Personal Communications I-Series application WorkStation is susceptible to a
        stack-based buffer overflow vulnerability within file parsing in which data copied to a
        location in memory exceeds the size of the reserved destination area. The buffer is located
        on the runtime program stack.

          When the WorkStation file is
```
(module excerpt truncated in the source)
Metasploit
exploit/windows/fileformat/ibm_pcm_ws: IBM Personal Communications iSeries Access WorkStation 5.9 Profile
The IBM Personal Communications I-Series application WorkStation is susceptible to a stack-based buffer overflow vulnerability within file parsing in which data copied to a location in memory exceeds the size of the reserved destination area. The buffer is located on the runtime program stack. When the WorkStation file is opened it will reach the code path at 0x67575180 located in pcspref.dll, which conducts string manipulation and validation on the data supplied in the WorkStation file. The application will first check if the 'Profile' header exists and appends a dot with the next parameter within the file. It will then measure the character length of the header by calling strcspn with a dot as its null-terminated character. I…
No writeups or analysis indexed.
References
- http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/fileformat/ibm_pcm_ws.rb
- http://www-01.ibm.com/support/docview.wss?uid=swg1IC81539
- http://www-01.ibm.com/support/docview.wss?uid=swg21586166
- http://www.exploit-db.com/exploits/18539/
- http://www.metasploit.com/modules/exploit/windows/fileformat/ibm_pcm_ws
- http://www.stratsec.net/Research/Advisories/IBM-Personal-Communications-I-Series-Access-WorkSt
- https://exchange.xforce.ibmcloud.com/vulnerabilities/73127