CVE-2012-0284
Published 2012-07-19
Priority P261 · critical · 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 36.32% (98.3rd percentile)
Stack-based buffer overflow in the SetSource method in the Cisco Linksys PlayerPT ActiveX control 1.0.0.15 in PlayerPT.ocx on the Cisco WVC200 Wireless-G PTZ Internet video camera allows remote attackers to execute arbitrary code via a long URL in the first argument (aka the sURL argument).
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | linksys_playerpt_activex_control | — | — |
Detection & IOCs (extracted from sources)
- Detect instantiation of the vulnerable ActiveX control by its CLSID {9E065E4A-BD9D-4547-8F90-985DC62A5591} in web pages or the registry; exploitation occurs via the SetSource method with an oversized sURL argument.
- The exploit triggers a stack-based buffer overflow via msvcrt.sprintf inside the SetSource method; look for abnormally long URL strings passed as the first argument to SetSource in browser process memory or network traffic.
- Exploitation targets Internet Explorer versions 6.0 through 9.0 on Windows; a browser user-agent matching NT 5.1/6.0/6.1 with MSIE 6-9 is used by the Metasploit module to select the appropriate ROP chain.
- For IE 8 on Windows XP SP3, the exploit uses a ROP pivot via msvcrt at 0x77c3546b (ret), 0x77c3546a (pop ebp; ret), and 0x77c35468 (mov esp,ebp; pop ebp; ret); the presence of these ROP gadget addresses on the stack is a strong exploit indicator.
- For JRE-assisted targets, the exploit uses ROP gadgets from msvcr71.dll at 0x7c3424f2 (ret), 0x7c3424f1 (pop ebp; ret), and 0x7c3424ef (mov esp,ebp; pop ebp; ret); these addresses on the stack indicate exploitation attempts against IE 8/9 with Java 6.
- The heap spray uses 0x0c0c0c0c as the return address for IE 6 and IE 7 targets; this value as an EIP/return address in crash dumps or memory scans indicates exploitation of this vulnerability.
- The Metasploit module targets only Internet Explorer 6.0–9.0 on Windows; other browsers are explicitly rejected by the module's user-agent check.
- The vulnerable component (PlayerPT.ocx version 1.0.0.15) is installed as part of the Cisco WVC200 camera's web interface; the ActiveX control must be present on the victim's Windows system for exploitation to succeed.
- The Metasploit module's payload space is limited to 1024 bytes with NOPs disabled; payloads exceeding this size will not function correctly.
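The first two indicators above (the PlayerPT CLSID plus an oversized or script-built first argument to SetSource) can be turned into a static triage check for captured web pages. This is an added example, not code from the page or from any of the indexed sources; the 512-byte threshold and the three sample pages are constructed for the demo.

```python
import re

# CLSID of the vulnerable PlayerPT.ocx control, taken from the IOC list above.
PLAYERPT_CLSID = "9E065E4A-BD9D-4547-8F90-985DC62A5591"
# Assumed threshold: a genuine camera stream URL is far shorter than this.
MAX_SANE_URL_LEN = 512

CLSID_RE = re.compile(r"clsid:\s*\{?" + re.escape(PLAYERPT_CLSID) + r"\}?", re.I)
# First argument of .SetSource(...): a quoted literal (group 2) or a bare
# expression such as a script-built variable (group 3).
SETSOURCE_RE = re.compile(
    r"\.SetSource\s*\(\s*(?:(['\"])(.*?)\1|([^,)]+))", re.I | re.S)


def analyze_page(html: str) -> dict:
    """Flag pages that instantiate the PlayerPT CLSID and feed SetSource an
    oversized literal or a value whose length cannot be determined statically."""
    instantiates = bool(CLSID_RE.search(html))
    calls, suspicious = [], False
    for m in SETSOURCE_RE.finditer(html):
        if m.group(2) is not None:
            calls.append(("literal", len(m.group(2))))
            suspicious |= instantiates and len(m.group(2)) > MAX_SANE_URL_LEN
        else:
            calls.append(("dynamic", m.group(3).strip()))
            suspicious |= instantiates  # built at runtime: needs analyst review
    return {"instantiates": instantiates, "calls": calls, "suspicious": suspicious}


# Constructed sample pages for the demo; none of these is real site content.
BENIGN_CAMERA_PAGE = """
<object id="player" classid="clsid:{9E065E4A-BD9D-4547-8F90-985DC62A5591}"></object>
<script>player.SetSource("http://192.0.2.10/img/video.asf", 0);</script>
"""
OVERSIZED_LITERAL_PAGE = (
    '<object id="p" classid="clsid:9E065E4A-BD9D-4547-8F90-985DC62A5591"></object>'
    '<script>p.SetSource("' + "A" * 3000 + '", 0);</script>'
)
DYNAMIC_ARG_PAGE = """
<object id="p" classid="clsid:{9E065E4A-BD9D-4547-8F90-985DC62A5591}"></object>
<script>var x = ""; for (i = 0; i < 4000; i++) x += "A"; p.SetSource(x, 0);</script>
"""

if __name__ == "__main__":
    for name, page in [("benign", BENIGN_CAMERA_PAGE),
                       ("oversized", OVERSIZED_LITERAL_PAGE),
                       ("dynamic", DYNAMIC_ARG_PAGE)]:
        print(name, analyze_page(page))
```

A page that calls SetSource without ever instantiating the CLSID is reported but not flagged, which keeps ordinary camera admin pages with short stream URLs out of the alert queue.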
No detection rules found.
Exploit-DB
Cisco Linksys PlayerPT - ActiveX Control SetSource sURL argument Buffer Overflow (Metasploit)
exploitdb · 2012-08-03
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 HttpClients::IE,
    :ua_minver  => "6.0",
    :ua_maxver  => "9.0",
    :javascript => true,
    :os_name    => OperatingSystems::WINDOWS,
    :classid    => "{9E065E4A-BD9D-4547-8F90-985DC62A5591}",
    :method     => "SetSource",
    :rank       => NormalRanking
  })
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Cisco Linksys PlayerPT ActiveX Control SetSource sURL argument Buffer Overflow',
      'Description' => %q{
        This module exploits a vulnerability
```
Exploit-DB
Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera PlayerPT - ActiveX Control PlayerPT.ocx sprintf Buffer Overflow (PoC)
exploitdb · 2012-03-22
```text
] ; msvcrt.sprintf
03238246  52                push edx
03238247  8D8C24 EC020000   lea ecx,dword ptr ss:[esp+2EC]
0323824E  68 48612603       push PlayerPT.03266148        ; ASCII "%s"
03238253  51                push ecx
03238254  FFD7              call edi
```
```javascript
var x="";
for (i=0; i
```
Metasploit
Cisco Linksys PlayerPT ActiveX Control SetSource sURL Argument Buffer Overflow
metasploit
This module exploits a vulnerability found in Cisco Linksys PlayerPT 1.0.0.15 as installed with the web interface of the Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera. The vulnerability, due to the insecure use of sprintf in the SetSource method when handling a specially crafted sURL argument, allows a stack-based buffer overflow to be triggered, which leads to code execution in the context of the user visiting a malicious web page.
Metasploit
Cisco Linksys PlayerPT ActiveX Control Buffer Overflow
metasploit
This module exploits a vulnerability found in Cisco Linksys PlayerPT 1.0.0.15 as installed with the web interface of the Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera. The vulnerability, due to the insecure use of sprintf in the SetSource method, allows a stack-based buffer overflow to be triggered, which leads to code execution in the context of the user visiting a malicious web page.
No writeups or analysis indexed.
References
- http://archives.neohapsis.com/archives/bugtraq/2012-07/0113.html
- http://secunia.com/secunia_research/2012-25/
- http://www.securityfocus.com/bid/54588
- http://www.securitytracker.com/id?1027259
- https://exchange.xforce.ibmcloud.com/vulnerabilities/77085