CVE-2012-0549
Published: 2012-05-03
Priority: P268 · high · 7.5 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public (see Exploit-DB entry below)
EPSS: 59.41% (99.0th percentile)

Unspecified vulnerability in the Oracle AutoVue Office component in Oracle Supply Chain Products Suite 20.1.1 allows remote attackers to affect confidentiality, integrity, and availability, related to Desktop API.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | supply_chain_products_suite | — | — |
Detection & IOCs (extracted from sources)
- Monitor for instantiation of the Oracle AutoVue ActiveX control by its CLSID {B6FCC215-D303-11D1-BC6C-0000C078797F} in browser processes (IE 6–9), particularly followed by a call to the SetMarkupMode method with an oversized sMarkup argument (>1052 bytes).
- A stack-based buffer overflow occurs at offset 1052 bytes in the sMarkup argument to SetMarkupMode; payloads targeting this CVE will contain a buffer of at least 1052 bytes of padding followed by a return address.
- Exploit delivery uses a heap spray targeting address 0x0c0c0c0c; network and memory forensics should look for this canonical heap-spray address in browser memory or in network-delivered JavaScript.
- Post-exploitation migration is auto-triggered ('migrate -f'); look for iexplore.exe spawning or injecting into unexpected child processes shortly after AutoVue ActiveX instantiation.
- The exploit is delivered as Content-Type text/html from a web server; the HTML page instantiates the AutoVue ActiveX object and calls SetMarkupMode via a setTimeout callback 100 ms after page load.
- The DEP and ASLR bypass requires Java 6 to be installed; without Java 6, the ROP-based targets (IE 8/9) will not succeed. Detection logic should account for both the ROP and the non-ROP (classic heap-spray) variants.
- The Metasploit module supports an OBFUSCATE option that applies JavaScript obfuscation (JSObfu), which alters the appearance of the delivered JavaScript and may evade signature-based JS detections.
No detection rules found.
Exploit-DB: Oracle AutoVue - ActiveX Control SetMarkupMode Buffer Overflow (Metasploit)
exploitdb · 2012-08-06 · CVE-2012-0549
Module source (as indexed; the extracted fragment is truncated and the class header is garbled):

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 HttpClients::IE,
  :ua_minver => "6.0",
  :ua_maxver => "9.0",
  :javascript => true,
  :os_name => OperatingSystems::WINDOWS,
  :classid => "{B6FCC215-D303-11D1-BC6C-0000C078797F}",
  :method => "SetMarkupMode",
  :rank => NormalRanking
})
def initialize(info = {})
  super(update_info(info,
    'Name' => 'Oracle AutoVue ActiveX Control SetMarkupMode Buffer Overflow',
    'Description' => %q{
      This module exploits a vulnerability found in the AutoVue.ocx ActiveX
```
Metasploit module: Oracle AutoVue ActiveX Control SetMarkupMode Buffer Overflow
This module exploits a vulnerability found in the AutoVue.ocx ActiveX control. The vulnerability, due to the insecure use of a strcpy-like function in the SetMarkupMode method when handling a specially crafted sMarkup argument, allows a stack-based buffer overflow to be triggered, which leads to code execution in the context of the user visiting a malicious web page. The module has been successfully tested against Oracle AutoVue Desktop Version 20.0.0 (AutoVue.ocx 20.0.0.7330) on IE 6, 7, 8 and 9 (Java 6 is needed for the DEP and ASLR bypass).
No writeups or analysis indexed.
References:
- http://secunia.com/advisories/48875
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:150
- http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html
- http://www.securitytracker.com/id?1026937