CVE-2012-0549
published 2012-05-03

CVE-2012-0549: Unspecified vulnerability in the Oracle AutoVue Office component in Oracle Supply Chain Products Suite 20.1.1 allows remote attackers to affect…

Priority: P268 · high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 59.41% (99.0th percentile)
Unspecified vulnerability in the Oracle AutoVue Office component in Oracle Supply Chain Products Suite 20.1.1 allows remote attackers to affect confidentiality, integrity, and availability, related to Desktop API.

Affected (1 range)

Vendor | Product | Version range | Fixed in
oracle | supply_chain_products_suite | |

Detection & IOCs (extracted from sources)

other: {B6FCC215-D303-11D1-BC6C-0000C078797F}
filename: AutoVue.ocx
command: SetMarkupMode
version: AutoVue.ocx 20.0.0.7330
  • Monitor for instantiation of the Oracle AutoVue ActiveX control by its CLSID {B6FCC215-D303-11D1-BC6C-0000C078797F} in browser processes (IE 6–9), particularly followed by a call to the SetMarkupMode method with an oversized sMarkup argument (>1052 bytes).
  • Stack-based buffer overflow occurs at offset 1052 bytes in the sMarkup argument to SetMarkupMode; payloads targeting this CVE will contain a buffer of at least 1052 bytes of padding followed by a return address.
  • Exploit delivery uses heap spray targeting address 0x0c0c0c0c; network/memory forensics should look for this canonical heap-spray address in browser memory or network-delivered JavaScript.
  • Post-exploitation migration is auto-triggered ('migrate -f'); look for iexplore.exe spawning or injecting into unexpected child processes shortly after AutoVue ActiveX instantiation.
  • Exploit is delivered as Content-Type text/html from a web server; the HTML page instantiates the AutoVue ActiveX object and calls SetMarkupMode via a setTimeout callback 100 ms after page load.
  • DEP and ASLR bypass requires Java 6 to be installed; without Java 6, ROP-based targets (IE 8/9) will not succeed. Detection logic should account for both ROP and non-ROP (classic heap-spray) variants.
  • The Metasploit module supports an OBFUSCATE option that applies JavaScript obfuscation (JSObfu), which will alter the appearance of the delivered JavaScript payload and may evade signature-based JS detections.
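
A static triage check over captured text/html response bodies, built only from the indicators listed above; this is an added example, not code from this page or from any published rule set. The function name `scan_html`, the verdict labels and the sample pages are assumptions constructed for illustration, and the samples are inert.

```python
import re

# Indicators from the page: control CLSID, method name, heap-spray address
# 0x0c0c0c0c, and the 1052-byte threshold for the sMarkup argument.
CLSID = re.compile(r"B6FCC215-D303-11D1-BC6C-0000C078797F", re.I)
METHOD = re.compile(r"\bSetMarkupMode\s*\(", re.I)
SPRAY = re.compile(r"(?:%u0c0c){2}|0x0c0c0c0c|(?:\\u0c0c){2}", re.I)
# Any quoted literal longer than 1052 characters. Buffers built at run time
# in script are not visible to a static check like this one.
LONG_LITERAL = re.compile(r'''(["'])[^"'\n]{1053,}\1''')


def scan_html(body: str) -> dict:
    """Score one HTML body against the CVE-2012-0549 indicators."""
    hits = {
        "clsid": bool(CLSID.search(body)),
        "method": bool(METHOD.search(body)),
        "spray": bool(SPRAY.search(body)),
        "long_literal": bool(LONG_LITERAL.search(body)),
    }
    if not hits["clsid"]:
        verdict = "no_match"      # control never referenced: not this rule
    elif hits["method"] and (hits["spray"] or hits["long_literal"]):
        verdict = "alert"         # control + method + overflow/spray marker
    else:
        # CLSID alone: legitimate AutoVue use, or script altered by the
        # OBFUSCATE option so the JS-level markers no longer match.
        verdict = "review"
    return {"verdict": verdict, **hits}


# Constructed, inert samples (undefined variables, no payload).
OBJ = '<object classid="clsid:B6FCC215-D303-11D1-BC6C-0000C078797F" id="av"></object>'
SUSPECT = OBJ + '<script>var a = unescape("%u0c0c%u0c0c"); av.SetMarkupMode(b);</script>'
CONTROL_ONLY = OBJ + "<script>/* obfuscated or unrelated script */</script>"
BENIGN = "<html><body><p>Quarterly report viewer</p></body></html>"

if __name__ == "__main__":
    for name, page in [("suspect", SUSPECT), ("control_only", CONTROL_ONLY),
                       ("benign", BENIGN)]:
        print(name, scan_html(page))
```

Because the CLSID sits in markup rather than script, it is the one indicator here that a "review" verdict can still rest on when the JavaScript markers are obscured; pair it with the process-level monitoring described in the list.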