CVE-2012-0708
Published 2012-04-22
Priority P262 · critical · CVSS 2.0 base score 9.3 (vector AV:N/AC:M/Au:N/C:C/I:C/A:C)
Public exploit available. EPSS: 30.95% (98.0th percentile)
Heap-based buffer overflow in the Ole API in the CQOle ActiveX control in cqole.dll in IBM Rational ClearQuest 7.1.1 before 7.1.1.9, 7.1.2 before 7.1.2.6, and 8.0.0 before 8.0.0.2 allows remote attackers to execute arbitrary code via a crafted web page that leverages a RegisterSchemaRepoFromFileByDbSet function-prototype mismatch.
Affected
14 ranges, all for vendor ibm, product rational_clearquest; the version-range and fixed-in fields of this record are empty (see the description above for the affected and fixed versions).
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring for instantiation of the CQOle ActiveX control (CLSID {94773112-72E8-11D0-A42E-00A024DED613}) in a browser context, particularly when followed by a call to RegisterSchemaRepoFromFileByDbSet.
- The exploit requires DEP to be disabled on the target; detections or mitigations enforcing DEP will prevent reliable code execution via the stack-pivot ret gadget in MFC80U!_AfxDispatchCall.
- The function prototype mismatch causes RegisterSchemaRepoFromFile (retn 4) to execute instead of RegisterSchemaRepoFromFileByDbSet (retn 8), leaving ESP pointing to the attacker-controlled second argument; monitor for heap spray patterns combined with this ActiveX method call.
- Post-exploitation: the Metasploit module uses 'migrate -f' as InitialAutoRunScript, so process migration activity immediately after iexplore.exe spawning a new process is a strong indicator of successful exploitation.
- The exploit only works when DEP is disabled on the target system; systems with DEP enabled are not reliably exploitable via this technique.
- Affected versions are IBM Rational ClearQuest 7.1.1 before 7.1.1.9, 7.1.2 before 7.1.2.6, and 8.0.0 before 8.0.0.2; the specific DLL version targeted by the Metasploit module is cqole.dll 7.1100.0.150.
- The Metasploit module restricts targeting to IE 6/7 User-Agent strings; other browsers are rejected and receive a 404, limiting the attack surface.
No detection rules found.
Exploit-DB
IBM Rational ClearQuest CQOle - Remote Code Execution (Metasploit), exploitdb, 2012-07-05
---
Module header as indexed (truncated excerpt):

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  autopwn_info({
    :ua_name    => HttpClients::IE,
    :ua_minver  => "6.0",
    :ua_maxver  => "7.0",
    :javascript => true,
    :os_name    => OperatingSystems::WINDOWS,
    :classid    => "{94773112-72E8-11D0-A42E-00A024DED613}",
    :method     => "RegisterSchemaRepoFromFileByDbSet",
    :rank       => NormalRanking
  })

  def initialize(info={})
    super(update_info(info,
      'Name'        => "IBM Rational ClearQuest CQOle Remote Code Execution",
      'Description' => %q{
        This module exploits a function prototype mismatch
```
Metasploit
This module exploits a function prototype mismatch on the CQOle ActiveX control in IBM Rational ClearQuest < 7.1.1.9, < 7.1.2.6 or < 8.0.0.2 which allows reliable remote code execution when DEP isn't enabled.
No writeups or analysis indexed.
References
- http://osvdb.org/81443
- http://secunia.com/advisories/48933
- http://www.ibm.com/support/docview.wss?uid=swg21591705
- http://www.securityfocus.com/bid/53170
- http://www.securitytracker.com/id?1026958
- https://exchange.xforce.ibmcloud.com/vulnerabilities/73492