CVE-2012-0439
published 2013-02-24

Priority: P264 (critical)
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 39.18% (98.4th percentile)

An ActiveX control in gwcls1.dll in the client in Novell GroupWise 8.0 before 8.0.3 HP2 and 2012 before SP1 HP1 allows remote attackers to execute arbitrary code via (1) a pointer argument to the SetEngine method or (2) an XPItem pointer argument to an unspecified method.

Affected (6 ranges)

Vendor  Product    Version range  Fixed in
novell  groupwise
novell  groupwise
novell  groupwise
novell  groupwise
novell  groupwise
novell  groupwise

Detection & IOCs (extracted from sources)

filename: gwcls1.dll
other: {601D7813-408F-11D1-98D7-444553540000}
command: SetEngine
command: target.SetEngine(0x0c0c0c0c-0x20);
filename: gwenv1.dll
version: gwcls1.dll 12.0.0.8586

  • Detect instantiation of the vulnerable ActiveX control by its CLSID {601D7813-408F-11D1-98D7-444553540000} (GWCalServer) in browser traffic or registry queries.
  • Monitor for calls to the SetEngine method on the gwcls1.dll ActiveX control, especially with pointer-sized integer arguments (e.g. 0x0c0c0c0c-0x20), which is the primary exploitation vector.
  • Detect heap spray patterns targeting address 0x0c0c0c0c in browser processes, which is the shellcode landing address used by this exploit.
  • Alert on IE processes (versions 6.0–9.0) loading gwcls1.dll or gwenv1.dll followed by access violations or unexpected child process spawning (migrate -f post-exploitation).
  • The exploit requires JRE6 to be installed for ASLR bypass on Vista/Windows 7 targets; correlate JRE6 presence with suspicious IE activity involving the GWCalServer ActiveX CLSID.
  • Exploit delivery is via a malicious HTML page served over HTTP; the exploit HTML embeds the ActiveX object and calls SetEngine with a crafted pointer argument using setInterval for repeated triggering.
  • The exploit targets only Internet Explorer versions 6.0 through 9.0 on Windows; other browsers are not supported and will receive a 404 response from the Metasploit handler.
  • ASLR bypass via ROP requires JRE6 on Vista and Windows 7 targets; without JRE6, exploitation of those platforms will fail.
  • Payload bad characters include null bytes (\x00) and space is limited to 1040 bytes; shellcode must be encoded accordingly.
  • The module targets gwcls1.dll version 12.0.0.8586 specifically; different DLL versions may have different offsets and ROP gadget locations.