CVE-2012-2019
published 2012-07-11

CVE-2012-2019: Unspecified vulnerability in HP Operations Agent before 11.03.12 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1325.

Priority: P275 · critical · 10 · CVSS 2.0
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 64.69% (99.1th percentile)

Affected

13 ranges
Vendor  Product           Version range  Fixed in
hp      operations_agent  <= 11.0
hp      operations_agent
hp      operations_agent
hp      operations_agent
hp      operations_agent
hp      operations_agent
hp      operations_agent
hp      operations_agent
hp      operations_agent
hp      operations_agent
hp      operations_agent
hp      operations_agent
hp      operations_agent

Detection & IOCs (extracted from sources)

process: coda.exe
command: opcode 0x34 buffer overflow request to coda.exe
other: RET 0x100e79eb (ppr from OvSecCore.dll) - HP Operations Agent 11.00 / Windows XP SP3
other: RET 0x10073c2c (stackpivot ADD ESP,404 RETN from OvSecCore.dll) - HP Operations Agent 11.00 / Windows 2003 SP2
bytes: \x81\xc4\x54\xf2\xff\xff
  • Detect exploitation attempts by monitoring for HTTP/1.1 chunked-encoded requests to coda.exe's random TCP port containing a payload offset of 2084 bytes followed by an SEH record overwrite.
  • Fingerprint vulnerable coda.exe service via HTTP response banner matching 'server:.*coda 11.(\d+)' with minor version < fixed threshold; use this for pre-exploitation reconnaissance detection.
  • Monitor for the stack-adjustment prepend encoder bytes (\x81\xc4\x54\xf2\xff\xff — 'add esp, -3500') in TCP payloads destined to coda.exe's listening port as a shellcode delivery indicator.
  • Alert on network connections to coda.exe from non-localhost sources; by default the service only accepts localhost connections, so any remote inbound connection to its port is anomalous.
  • coda.exe listens on a random TCP port, making static port-based firewall rules or detection signatures insufficient; a check/probe function must be used to identify the active port before exploitation.
  • Remote exploitation requires explicit configuration change to allow non-localhost access; default installations are only locally exploitable.
  • The Windows 2003 SP2 target requires a DEP bypass via ROP chain using OvSecCore.dll gadgets; detection logic should account for ROP sled patterns in addition to direct shellcode.
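The network-side checks listed above, combined into one triage function. This is an added example, not code from the page or its sources. It assumes connection records that a host sensor has already attributed to coda.exe (needed because the port is random), uses hypothetical field names process, src_ip and payload, and treats "chunked body longer than 2084 bytes" as a heuristic reading of the offset indicator.

```python
import ipaddress
import re

# Indicator bytes quoted on the page: the 'add esp, -3500' prepend encoder.
STACK_ADJUST = b"\x81\xc4\x54\xf2\xff\xff"
# Offset quoted on the page; chunk data longer than this reaches the SEH record.
SEH_OFFSET = 2084
CHUNKED = re.compile(rb"transfer-encoding:\s*chunked", re.I)

def chunked_body_len(payload: bytes) -> int:
    """Total chunk data length of an HTTP/1.1 chunked request, 0 if not chunked."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep or not CHUNKED.search(head):
        return 0
    total = 0
    while body:
        size_line, sep, rest = body.partition(b"\r\n")
        try:
            size = int(size_line.split(b";")[0].strip(), 16)
        except ValueError:
            break  # malformed chunk header: stop counting
        if not sep or size == 0:
            break
        total += min(size, len(rest))  # truncated capture: count what is present
        body = rest[size + 2:]  # skip chunk data and its trailing CRLF
    return total

def evaluate(conn: dict) -> list:
    """Return the names of the detection conditions a connection record meets."""
    hits = []
    if conn["process"].lower() != "coda.exe":
        return hits
    if not ipaddress.ip_address(conn["src_ip"]).is_loopback:
        hits.append("remote-source")
    if STACK_ADJUST in conn["payload"]:
        hits.append("stack-adjust-bytes")
    if chunked_body_len(conn["payload"]) > SEH_OFFSET:
        hits.append("chunked-body-past-seh-offset")
    return hits

# Constructed sample records: filler bytes and a made-up request line, no real traffic.
def chunked_request(data: bytes) -> bytes:
    return (b"GET / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n"
            + b"%x\r\n" % len(data) + data + b"\r\n0\r\n\r\n")

SAMPLES = [
    {"process": "coda.exe", "src_ip": "127.0.0.1", "payload": chunked_request(b"A" * 64)},
    {"process": "coda.exe", "src_ip": "192.0.2.10",
     "payload": chunked_request(b"A" * 2200 + STACK_ADJUST)},
]
```

A record that meets only remote-source is still worth an alert on a default installation, since the service is expected to accept localhost connections only.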

CVSS provenance

nvd            v2.0  10.0  CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat        10.0  CRITICAL