CVE-2012-0708
published 2012-04-22

Priority: P2 (62)
Severity: critical, CVSS 2.0 base score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 30.95% (98.0th percentile)
Heap-based buffer overflow in the Ole API in the CQOle ActiveX control in cqole.dll in IBM Rational ClearQuest 7.1.1 before 7.1.1.9, 7.1.2 before 7.1.2.6, and 8.0.0 before 8.0.0.2 allows remote attackers to execute arbitrary code via a crafted web page that leverages a RegisterSchemaRepoFromFileByDbSet function-prototype mismatch.

Affected

14 ranges for vendor ibm, product rational_clearquest (the version range and fixed-in columns were not preserved in the extracted table; the description above lists the affected branches and the fix levels).

Detection & IOCs (extracted from sources)

Other: {94773112-72E8-11D0-A42E-00A024DED613} (CLSID)
Filename: cqole.dll
Command: RegisterSchemaRepoFromFileByDbSet
  • Detect exploitation attempts by monitoring for instantiation of the CQOle ActiveX control (CLSID {94773112-72E8-11D0-A42E-00A024DED613}) in a browser context, particularly when followed by a call to RegisterSchemaRepoFromFileByDbSet.
  • The exploit requires DEP to be disabled on the target; detections or mitigations enforcing DEP will prevent reliable code execution via the stack-pivot ret gadget in MFC80U!_AfxDispatchCall.
  • The function prototype mismatch causes RegisterSchemaRepoFromFile (retn 4) to execute instead of RegisterSchemaRepoFromFileByDbSet (retn 8), leaving ESP pointing to the attacker-controlled second argument — monitor for heap spray patterns combined with this ActiveX method call.
  • Post-exploitation: the Metasploit module uses 'migrate -f' as InitialAutoRunScript, so process migration activity immediately after iexplore.exe spawning a new process is a strong indicator of successful exploitation.
  • The exploit only works when DEP is disabled on the target system; systems with DEP enabled are not reliably exploitable via this technique.
  • Affected versions are IBM Rational ClearQuest 7.1.1 before 7.1.1.9, 7.1.2 before 7.1.2.6, and 8.0.0 before 8.0.0.2; the specific DLL version targeted by the Metasploit module is cqole.dll 7.1100.0.150.
  • The Metasploit module restricts targeting to IE 6/7 User-Agent strings; other browsers are rejected and receive a 404, limiting the attack surface.