CVE-2012-0439
Published 2013-02-24
Priority: P2 · 64 · critical · CVSS 2.0 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Public exploit available · EPSS: 39.18% (98.4th percentile)
An ActiveX control in gwcls1.dll in the client in Novell GroupWise 8.0 before 8.0.3 HP2 and 2012 before SP1 HP1 allows remote attackers to execute arbitrary code via (1) a pointer argument to the SetEngine method or (2) an XPItem pointer argument to an unspecified method.
Affected
The record lists 6 ranges for novell / groupwise, but its version fields are empty. The version boundaries below are taken from the CVE description above.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| novell | groupwise | 8.0 before 8.0.3 HP2 | 8.0.3 HP2 |
| novell | groupwise | 2012 before SP1 HP1 | 2012 SP1 HP1 |
Detection & IOCs (extracted from sources)
Detection:
- Detect instantiation of the vulnerable ActiveX control by its CLSID {601D7813-408F-11D1-98D7-444553540000} (GWCalServer) in browser traffic (an `<object classid="clsid:...">` tag) or in registry queries.
- Monitor for calls to the SetEngine method on the gwcls1.dll control, especially with pointer-sized integer arguments (the public exploit passes 0x0c0c0c0c-0x20); this is the primary exploitation vector.
- Detect heap-spray patterns targeting 0x0c0c0c0c in browser processes; that address is the shellcode landing address used by the exploit.
- Alert on IE processes (versions 6.0 through 9.0) loading gwcls1.dll or gwenv1.dll followed by access violations or unexpected child-process spawning (the exploit's post-exploitation step is `migrate -f`).
- The exploit requires JRE6 to be installed for the ASLR bypass on Vista/Windows 7 targets; correlate JRE6 presence with suspicious IE activity involving the GWCalServer CLSID.
- Delivery is a malicious HTML page served over HTTP; the page embeds the ActiveX object and calls SetEngine with a crafted pointer argument from a setInterval loop so the trigger repeats.
Exploit constraints (from the Metasploit module):
- Only Internet Explorer 6.0 through 9.0 on Windows is targeted; other browsers receive a 404 response from the Metasploit handler.
- The ROP-based ASLR bypass requires JRE6 on Vista and Windows 7; without JRE6, exploitation of those platforms fails.
- Payload bad characters include null bytes (\x00), and payload space is limited to 1040 bytes, so shellcode must be encoded accordingly.
- The module targets gwcls1.dll version 12.0.0.8586 specifically; other DLL versions may have different offsets and ROP gadget locations.
- Mitigation where patching is delayed: setting the IE kill bit for this CLSID (Compatibility Flags DWORD 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{601D7813-408F-11D1-98D7-444553540000}) stops Internet Explorer from instantiating the control.
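The indicators above can be turned into a simple static scanner for captured HTML (proxy logs, mail attachments, sandbox downloads). The following is an added example written for this page, not code from the indexed sources or from the Metasploit module; the regular expressions, the 0x0c?????? "spray region" heuristic and both sample pages are assumptions/constructed inputs. It flags the CLSID, any SetEngine() call whose argument is an integer expression landing in the sprayed region, and the unescape("%u0c0c...") spray block, and only alerts when the control is present together with one of the other two indicators. It catches the unobfuscated form the indicators describe; an obfuscated delivery page would need script deobfuscation first.

```python
"""Scan captured HTML for the CVE-2012-0439 GWCalServer ActiveX indicators
listed above: the vulnerable CLSID, SetEngine() called with a pointer-sized
integer, and a 0x0c0c0c0c heap spray built with unescape()."""
import re

GWCALSERVER_CLSID = "601D7813-408F-11D1-98D7-444553540000"

# <object classid="clsid:{...}"> -- braces and case vary between pages.
CLSID_RE = re.compile(r"clsid:\{?" + GWCALSERVER_CLSID + r"\}?", re.IGNORECASE)
# obj.SetEngine( <argument> ): capture the raw argument text.
SETENGINE_RE = re.compile(r"\.SetEngine\s*\(\s*([^)]*)\)", re.IGNORECASE)
# unescape("%u0c0c%u0c0c...") is the usual way to build a 0x0c0c0c0c spray block.
SPRAY_RE = re.compile(r"(?:%u0c0c){2,}", re.IGNORECASE)
INT_LITERAL_RE = re.compile(r"0x[0-9a-f]+|\d+", re.IGNORECASE)

# Heuristic (assumption): the exploit sprays 0x0c0c0c0c, so treat any pointer
# of the form 0x0c?????? as landing inside the sprayed region.
SPRAY_LO, SPRAY_HI = 0x0C000000, 0x0CFFFFFF


def eval_int_expr(expr):
    """Evaluate an argument made of integer literals joined by + or -,
    e.g. "0x0c0c0c0c-0x20". Returns None for anything else (an identifier,
    a call, a malformed expression): never eval() attacker-controlled text."""
    tokens = re.findall(r"0x[0-9a-f]+|\d+|[+\-]|\S", expr, re.IGNORECASE)
    total, sign, want_number = 0, 1, True
    for tok in tokens:
        if want_number:
            if not INT_LITERAL_RE.fullmatch(tok):
                return None
            total += sign * (int(tok, 16) if tok.lower().startswith("0x") else int(tok))
            want_number = False
        else:
            if tok not in ("+", "-"):
                return None
            sign = 1 if tok == "+" else -1
            want_number = True
    return None if want_number else total


def scan_html(html):
    """Return the indicators found in one HTML document."""
    calls = []
    for m in SETENGINE_RE.finditer(html):
        arg = m.group(1).strip()
        value = eval_int_expr(arg)
        calls.append({
            "arg": arg,
            "value": value,
            # A literal integer handed to a method that treats its argument as a
            # pointer is the exploitation primitive described above.
            "pointer_like": value is not None and SPRAY_LO <= value <= SPRAY_HI,
        })
    clsid = bool(CLSID_RE.search(html))
    spray = bool(SPRAY_RE.search(html))
    return {
        "clsid": clsid,
        "heap_spray": spray,
        "setengine_calls": calls,
        # Alert only when the control is instantiated *and* either the spray
        # or a pointer-valued SetEngine() call is present.
        "suspicious": clsid and (spray or any(c["pointer_like"] for c in calls)),
    }


# Constructed sample (not captured traffic): the shape of page the indicators describe.
EXPLOIT_PAGE = """<html><body>
<object classid="clsid:{601D7813-408F-11D1-98D7-444553540000}" id="gw"></object>
<script>
var block = unescape("%u0c0c%u0c0c");
while (block.length < 0x40000) block += block;
var spray = []; for (var i = 0; i < 200; i++) spray[i] = block + shellcode;
setInterval(function () { gw.SetEngine(0x0c0c0c0c-0x20); }, 100);
</script></body></html>"""

# Constructed sample: control present, but SetEngine() is given an object, not an address.
BENIGN_PAGE = """<html><body>
<object classid="clsid:601D7813-408F-11D1-98D7-444553540000" id="gw"></object>
<script>gw.SetEngine(engineObj);</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("exploit", EXPLOIT_PAGE), ("benign", BENIGN_PAGE)):
        print(name, scan_html(page))
```

Run the file directly to see both verdicts; in a pipeline, call `scan_html()` on each captured document and alert on `suspicious`, keeping `setengine_calls` in the alert so the analyst can see the pointer value the page tried to pass.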
No detection rules found.
Exploit-DB
Novell Groupwise Client - 'gwcls1.dll' ActiveX Remote Code Execution (Metasploit) · exploitdb · 2013-02-12
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Remote::BrowserAutopwn

  # BrowserAutopwn metadata: IE 6.0-9.0 on Windows, fingerprinted by the
  # GWCalServer CLSID and the vulnerable SetEngine method.
  autopwn_info({
    :ua_name    => HttpClients::IE,
    :ua_minver  => "6.0",
    :ua_maxver  => "9.0",
    :javascript => true,
    :os_name    => OperatingSystems::WINDOWS,
    :rank       => NormalRanking,
    :classid    => "{601D7813-408F-11D1-98D7-444553540000}",
    :method     => "SetEngine"
  })

  def initialize(info={})
    super(update_info(info,
      'Name'        => "Novell GroupWise Client gwcls1.dll ActiveX Remote Code Execution",
      'Description' => %q{
          This module exploits a vulnerability in the Novell GroupWise Client gwcls1.dll ActiveX.
        Several methods in the GWCalServer control use user provided data as a pointer, which
        allows to read arbitrary memory and execute arbitrary code. This module has been tested
        successfully with GroupWise Client 2012 on IE6 - IE9. The JRE6 needs to be installed to
        achieve ASLR bypass.
      }
      # Remaining module metadata, targets and exploit code are not reproduced on this page.
    ))
  end
end
```
Metasploit
Novell GroupWise Client gwcls1.dll ActiveX Remote Code Execution
This module exploits a vulnerability in the Novell GroupWise Client gwcls1.dll ActiveX control. Several methods in the GWCalServer control use user-provided data as a pointer, which lets an attacker read arbitrary memory and execute arbitrary code. The module has been tested successfully with GroupWise Client 2012 on IE6 through IE9; JRE6 must be installed to achieve the ASLR bypass.
No writeups or analysis indexed.
References
- http://www.novell.com/support/kb/doc.php?id=7011688
- http://www.zerodayinitiative.com/advisories/ZDI-13-008/
- https://bugzilla.novell.com/show_bug.cgi?id=712144
- https://bugzilla.novell.com/show_bug.cgi?id=743674