CVE-2012-0266
Published: 2012-01-15
Priority: P2 (60) · Severity: critical · CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 42.09% (98.5th percentile)
Multiple stack-based buffer overflows in the NTR ActiveX control before 2.0.4.8 allow remote attackers to execute arbitrary code via (1) a long bstrUrl parameter to the StartModule method, (2) a long bstrParams parameter to the Check method, a long bstrUrl parameter to the (3) Download or (4) DownloadModule method during construction of a .ntr pathname, or a long bstrUrl parameter to the (5) Download or (6) DownloadModule method during construction of a URL.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ntrglobal | ntr_activex_control | <= 1.1.8 | — |
Detection & IOCs (extracted from sources)
Bytes: \x81\xc4\x54\xf2\xff\xff
Detection hints:
- Monitor for instantiation of the NTR ActiveX control by its CLSID {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} in browser processes (e.g., iexplore.exe).
- Detect calls to the Check() method on the NTR ActiveX control with an abnormally long bstrParams argument, which triggers the strcat-based stack buffer overflow.
- Look for the heap-spray NOP sled value 0x0c0c0c0c in browser memory or in network-delivered JavaScript, indicative of exploitation targeting IE 6/7 on XP/Vista without ROP.
- Detect the stack-adjustment prepend encoder bytes \x81\xc4\x54\xf2\xff\xff (add esp, -3500) in shellcode delivered via this exploit.
- Flag use of the ROP gadget at 0x77c15ed5 (xchg eax, esp; ret from msvcrt) or 0x7c348b05 (xchg eax, esp; ret from msvcrt71/Java 6) as an indicator of DEP/ASLR bypass attempts for this CVE.
- The exploit URI path is randomized but always ends with 'xp' appended; the URIPATH cannot be modified by the attacker because of the strcat URL construction, so this constraint can be used for network detection.
- Detect HTTP requests to the exploit server whose URL matches the pattern ?a=0&d= followed by a long value, as this reflects the vulnerable strcat URL format.

Notes:
- The Metasploit module targets NTR ActiveX version 1.1.8.0 specifically; the CVE affects versions before 2.0.4.8, so the ROP offsets and return addresses listed apply only to 1.1.8.0.
- DEP/ASLR bypass via JRE ROP (ret 0x7c348b05 from msvcrt71) requires Java 6 to be installed on the victim; without it, exploitation of Vista/Win7 targets will fail.
- The exploit targets Internet Explorer versions 6.0 through 9.0 only; other browsers are explicitly rejected by the module's user-agent check.
- The payload offset differs between IE 6–8 (0x5f4) and IE 9 (0x5fe); incorrect target selection will result in failed exploitation.
No detection rules found.
Exploit-DB
NTR - ActiveX Control 'Check()' Method Buffer Overflow (Metasploit) (exploitdb · 2012-10-10 · CVE-2012-0266)
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Remote::BrowserAutopwn

  # Browser Autopwn metadata: IE 6.0 through 9.0 on Windows, keyed on the
  # control's CLSID and the vulnerable Check() method.
  autopwn_info({
    :ua_name    => HttpClients::IE,
    :ua_minver  => "6.0",
    :ua_maxver  => "9.0",
    :javascript => true,
    :os_name    => OperatingSystems::WINDOWS,
    :classid    => "{E6ACF817-0A85-4EBE-9F0A-096C6488CFEA}",
    :method     => "Check",
    :rank       => NormalRanking
  })

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'NTR ActiveX Control Check() Method Buffer Overflow',
      'Description' => %q{
          This module exploits a vulnerability found in NTR ActiveX 1.1.8. The
        vulnerability exists in th
```
Metasploit
NTR ActiveX Control Check() Method Buffer Overflow
This module exploits a vulnerability found in NTR ActiveX 1.1.8. The vulnerability exists in the Check() method, due to the insecure usage of strcat to build a URL using the bstrParams parameter contents (note: this is also the reason why the module won't allow you to modify the URIPATH), which leads to code execution under the context of the user visiting a malicious web page. In order to bypass DEP and ASLR on Windows Vista and Windows 7, JRE 6 is needed.
No writeups or analysis indexed.
References
- http://archives.neohapsis.com/archives/bugtraq/2012-01/0074.html
- http://osvdb.org/78252
- http://secunia.com/advisories/45166
- http://secunia.com/secunia_research/2012-1/
- http://www.exploit-db.com/exploits/21841
- https://exchange.xforce.ibmcloud.com/vulnerabilities/72291
- https://exchange.xforce.ibmcloud.com/vulnerabilities/72292
- https://exchange.xforce.ibmcloud.com/vulnerabilities/72293