CVE-2012-2019

Published: 2012-07-11

CVE-2012-2019: Unspecified vulnerability in HP Operations Agent before 11.03.12 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1325. The NVD text is deliberately vague; the Metasploit module and Exploit-DB entry listed further down identify the vector as a buffer overflow in the HP Software Performance Core Program component (coda.exe) while parsing requests for opcode 0x34.

Priority: P2 · 75 · critical
CVSS 2.0 base score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: public exploit available (Metasploit module and Exploit-DB entry below)
EPSS: 64.69% (99.1th percentile)
Affected

The source lists 13 version ranges for this product; only one carries version data in this extract.

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | operations_agent | <= 11.0 | 11.03.12 (per the CVE description) |
Detection & IOCs (extracted from sources)

Stack pivot gadget: RET 0x10073c2c (ADD ESP,404 / RETN in OvSecCore.dll; 0x404 = 1028 bytes), used against HP Operations Agent 11.00 on Windows 2003 SP2.

Shellcode stack-adjustment prepend bytes (add esp, -3500):

    \x81\xc4\x54\xf2\xff\xff
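The two byte-level indicators above (the `add esp, -3500` prepend and the OvSecCore.dll stack pivot address) can be checked mechanically. The following is an added Ruby example, not code from this page or from the Metasploit module: it encodes and decodes the 32-bit x86 `add esp, imm32` instruction so the quoted prepend can be regenerated for any stack delta, and scans a captured payload for the prepend and for a given little-endian gadget address. The sample payload, its NOP filler and the byte offsets are constructed for the example; the only page-sourced values are the prepend bytes and the 0x10073c2c pivot address.

```ruby
# Added example (not from the page or the Metasploit module): encode/decode the
# 32-bit x86 "add esp, imm32" stack-adjustment prepend quoted above and scan a
# captured payload for it and for a given gadget address.
# Assumption: 32-bit code (no REX prefix), as on the Windows 2003 / XP targets.

# Opcode 0x81 with ModRM 0xC4 (reg field /0 = ADD, r/m = ESP) is
# "add esp, imm32"; the immediate is a signed little-endian 32-bit value.
ADD_ESP_IMM32 = "\x81\xc4".b
INSN_LEN      = 6

# Build the 6-byte instruction for a signed stack delta.
# add_esp_imm32(-3500) => "\x81\xc4\x54\xf2\xff\xff"
def add_esp_imm32(delta)
  raise ArgumentError, "delta #{delta} outside imm32 range" unless (-2**31...2**31).cover?(delta)
  ADD_ESP_IMM32 + [delta].pack('l<')
end

# Decode "add esp, imm32" at the given byte offset; nil if it is not there.
def decode_add_esp(bytes, offset = 0)
  bytes = bytes.b
  return nil unless bytes.byteslice(offset, 2) == ADD_ESP_IMM32
  imm = bytes.byteslice(offset + 2, 4)
  return nil if imm.nil? || imm.bytesize < 4
  imm.unpack1('l<')
end

# Every [offset, delta] pair in the payload at which an "add esp, imm32" sits.
def find_stack_adjusts(payload)
  payload = payload.b
  (0..payload.bytesize - INSN_LEN).each_with_object([]) do |i, hits|
    delta = decode_add_esp(payload, i)
    hits << [i, delta] if delta
  end
end

# Offsets at which a 32-bit little-endian address (e.g. a ROP gadget) occurs.
def gadget_offsets(payload, addr)
  payload = payload.b
  needle  = [addr].pack('V')
  hits    = []
  i = -1
  hits << i while (i = payload.index(needle, i + 1))
  hits
end

# Constructed sample: the prepend bytes quoted above, NOP filler standing in
# for real shellcode, then the OvSecCore.dll pivot address from the IOC list.
PIVOT_ADDR     = 0x10073c2c
SAMPLE_PAYLOAD = "\x81\xc4\x54\xf2\xff\xff".b + ("\x90".b * 8) + [PIVOT_ADDR].pack('V')

if __FILE__ == $PROGRAM_NAME
  puts add_esp_imm32(-3500).unpack1('H*')        # 81c454f2ffff
  p find_stack_adjusts(SAMPLE_PAYLOAD)           # [[0, -3500]]
  p gadget_offsets(SAMPLE_PAYLOAD, PIVOT_ADDR)   # [14]
end
```

The scanner is deliberately naive (it checks every byte offset, not just instruction boundaries), which is what a network signature does too; a match therefore needs the port and peer context from the bullets that follow before it is worth an alert on its own.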
Detection guidance:
- Detect exploitation attempts by monitoring for HTTP/1.1 chunked-encoded requests to coda.exe's (random) TCP port containing a payload offset of 2084 bytes followed by an SEH record overwrite.
- Fingerprint a vulnerable coda.exe service via the HTTP response banner matching 'server:.*coda 11.(\d+)' with a version below the fixed build (11.03.12); use this for pre-exploitation reconnaissance detection.
- Monitor for the stack-adjustment prepend encoder bytes (\x81\xc4\x54\xf2\xff\xff, 'add esp, -3500') in TCP payloads destined for coda.exe's listening port as a shellcode delivery indicator.
- Alert on network connections to coda.exe from non-localhost sources; by default the service only accepts localhost connections, so any remote inbound connection to its port is anomalous.

Caveats:
- coda.exe listens on a random TCP port, so static port-based firewall rules or detection signatures are insufficient; the Metasploit module uses a check/probe function to identify the active port before exploitation, and detection must likewise key on the service banner rather than on a fixed port.
- Remote exploitation requires an explicit configuration change to allow non-localhost access; default installations are only locally exploitable.
- The Windows 2003 SP2 target requires a DEP bypass via a ROP chain built from OvSecCore.dll gadgets, so detection logic should account for ROP chain gadget addresses (such as the OvSecCore.dll stack pivot listed above) in addition to direct shellcode.
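The banner fingerprint and the non-localhost check from the bullets above, as an added Ruby example that is not the Metasploit module's own check function: it parses the Server header for a coda version, compares it numerically with the fixed build 11.03.12 named in the CVE description, and flags connections from non-loopback peers. The response headers and IP addresses are constructed for the example; the exact banner format coda emits ("Server: ... coda <version>") is an assumption based on the regex quoted above.

```ruby
# Added example (not the Metasploit module's check function): fingerprint a
# coda.exe HTTP banner, compare the advertised version with the fixed build,
# and flag connections from non-loopback peers.
# Assumptions: the banner format ("Server: ... coda <version>") follows the regex
# quoted in the IOC list; the fixed build is 11.03.12 per the CVE description.
require 'ipaddr'

FIXED_CODA_VERSION = [11, 3, 12].freeze
LOOPBACK_NETS      = [IPAddr.new('127.0.0.0/8'), IPAddr.new('::1')].freeze

# Pull the coda version out of raw HTTP response headers as an integer array,
# e.g. "Server: coda 11.00" => [11, 0]. Returns nil when no coda banner is seen.
def coda_version(raw_headers)
  m = raw_headers.match(/^server:.*\bcoda\s+(\d+(?:\.\d+)*)/i)
  m && m[1].split('.').map(&:to_i)
end

# Compare dotted versions numerically ("11.03" parses to [11, 3], which sorts
# below [11, 3, 12]), padding the shorter one with zeros. Returns -1, 0 or 1.
def version_cmp(a, b)
  len = [a.size, b.size].max
  (a + [0] * (len - a.size)) <=> (b + [0] * (len - b.size))
end

# True when the banner advertises a build older than the fix.
def vulnerable_banner?(raw_headers)
  v = coda_version(raw_headers)
  !v.nil? && version_cmp(v, FIXED_CODA_VERSION) < 0
end

# coda only accepts loopback connections by default, so any other peer is
# either a deliberate configuration change or an attacker.
def remote_peer?(ip)
  a = IPAddr.new(ip)
  LOOPBACK_NETS.none? { |net| net.include?(a) }
end

# Combine both checks into a list of findings for one observed connection.
def assess_connection(peer_ip, raw_headers)
  findings = []
  findings << :remote_access_to_coda if remote_peer?(peer_ip)
  findings << :vulnerable_coda_version if vulnerable_banner?(raw_headers)
  findings
end

# Constructed sample responses (not captured from a real agent).
OLD_BANNER   = "HTTP/1.1 200 OK\r\nServer: coda 11.00\r\nContent-Type: application/octet-stream\r\n\r\n"
FIXED_BANNER = "HTTP/1.1 200 OK\r\nServer: coda 11.03.12\r\n\r\n"

if __FILE__ == $PROGRAM_NAME
  p assess_connection('10.0.0.5', OLD_BANNER)    # [:remote_access_to_coda, :vulnerable_coda_version]
  p assess_connection('127.0.0.1', FIXED_BANNER) # []
end
```

Because the service port is random, a monitoring pipeline would apply `assess_connection` to every HTTP-looking response whose Server header mentions coda rather than to a fixed port, which is the point of the first caveat above.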
CVSS provenance
- nvd: CVSS 2.0 base score 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)
- vendor_redhat: 10.0 CRITICAL
GHSA
GHSA-957p-2mjm-5jhf: Unspecified vulnerability in HP Operations Agent before 11
ghsa_unreviewed · 2022-05-13 · CVE-2012-2019 [HIGH]
Unspecified vulnerability in HP Operations Agent before 11.03.12 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1325.
Red Hat
struts2: multiple XSS flaws
vendor_redhat · 2012-02-01 · CVSS 4.3 · CVE-2012-1006 [MEDIUM] · CWE-79
Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.14 and 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) lastName parameter to struts2-showcase/person/editPerson.action, or the (3) clientName parameter to struts2-rest-showcase/orders.
Statement: A previous statement by Red Hat related to this CVE, prior to August 2019, said that Apache Struts 2 is not included in any Red Hat products. This earlier statement was incorrect. While Struts 2 is not actively compiled, shipped, used, or enabled in any Red Hat provided final products, and does not cause any vulnerability in the product, struts2-core jars have been included in some products' source code packages. The inclusion was part of an import of t
Red Hat
struts: remote creation or overwrite of arbitrary files due to ParameterInterceptor not preventing access to public constructors
vendor_redhat · 2011-12-25 · CVSS 6.4 · CVE-2012-0393 [MEDIUM]
The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object.
Statement: A previous statement by Red Hat related to this CVE, prior to August 2019, said that Apache Struts 2 is not included in any Red Hat products. This earlier statement was incorrect. While Struts 2 is not actively compiled, shipped, used, or enabled in any Red Hat provided final products, and does not cause any vulnerability in the product, struts2-core jars have been included in some products' source code pa
Red Hat
struts2: remote execution of arbitrary commands when developer mode is used
vendor_redhat · 2011-12-25 · CVSS 6.8 · CVE-2012-0394 [MEDIUM]
The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself."
Statement: A previous statement by Red Hat related to this CVE, prior to August 2019, said that Apache Struts 2 is not included in any Red Hat products. This earlier statement was incorrect. While Struts 2 is not actively compiled, shipped, used, or enabled in any Red Hat provided final products, and does not cause any vulnerability in the product, struts2-core jars have been included in some products' source code packages. The inclusion was part of an imp
Red Hat
Struts2: Certain strings evaluated as OGNL expressions, leading to run-time data modification or arbitrary code execution
vendor_redhat · 2011-08-05 · CVSS 10.0 · CVE-2012-0838 [CRITICAL]
Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field.
Statement: A previous statement by Red Hat related to this CVE, prior to August 2019, said that Apache Struts 2 is not included in any Red Hat products. This earlier statement was incorrect. While Struts 2 is not actively compiled, shipped, used, or enabled in any Red Hat provided final products, and does not cause any vulnerability in the product, struts2-core jars have been included in some products' source code packages.
No detection rules found.
Exploit-DB
Microsoft Windows Server 2012 - 'Group Policy' Security Feature Bypass (MS15-014)
exploitdb · 2019-10-29 · CVSS 3.3 · CVE-2015-0009 [LOW]
---
# Exploit Title: Microsoft Windows Server 2012 - 'Group Policy' Security Feature Bypass
# Date: 2019-10-28
# Exploit Author: Thomas Zuk
# Version: Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2,
# Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1
# Tested on: Windows 7 , Windows Server 2012
# CVE : CVE-2015-0009
# Type: Remote
# Platform: Windows
# Description: This exploit code targets vulnerable systems in order to corrupt GPO updates which causes
# the target system to revert various security settings to their default settings. This includes SMB server
# and network client settings, which by default do not
Exploit-DB
Microsoft Windows MSHTML Engine - 'Edit' Remote Code Execution
exploitdb · 2019-03-13 · CVSS 8.8 · CVE-2019-0541 [HIGH]
---
# Exploit Title: Microsoft Windows (CVE-2019-0541) MSHTML Engine "Edit" Remote Code Execution Vulnerability
# Google Dork: N/A
# Date: March, 13 2019
# Exploit Author: Eduardo Braun Prado
# Vendor Homepage: http://www.microsoft.com/
# Software Link: http://www.microsoft.com/
# Version: Windows 7 SP1, Server 2008, Server 2012, Server 2012 R2, 8.0, 8.1, 10 (any) with full patches up to December 2018. both x86 and x64 architectures.
# Tested on: Windows 7 SP1, Server 2008, Server 2012, Server 2012 R2, 8.0, 8.1, 10 (any) with full patches up to December 2018. both x86 and x64 architectures.
# CVE : CVE-2019-0541
The Microsoft Windows MSHTML Engine is prone to a vulnerability that allows attackers to execute arbitrar
Exploit-DB
HP Operations Agent - Opcode 'coda.exe' 0x34 Buffer Overflow (Metasploit)
exploitdb · 2012-10-29 · CVE-2012-2019
---
The Exploit-DB entry is the Metasploit module; the excerpt below is the module header as carried by the source (the class and initialize scaffolding are the standard Metasploit3 shape, and the body is not included in the excerpt):

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'HP Operations Agent Opcode coda.exe 0x34 Buffer Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow vulnerability in HP Operations Agent for
        Windows. The vulnerability exists in the HP Software Performance Core Program
        component (coda.exe) when parsing requests for the 0x34 opcode. This module has
        been tested successfully on HP Operations Agent 11.00 over Windows XP SP3 and
        Windows 2003 SP2 (DEP bypass). The coda.exe component runs only for localhost
        by default; network access must be granted through its configuration to be
        remotely exploitable. On the other hand it runs on a random TCP port, so a
        check function is provided to make reconnaissance easier.
      },
      # Author, references, payload options, targets and the check/exploit
      # methods are not included in this excerpt.
    ))
  end
end
```
Metasploit
HP Operations Agent Opcode coda.exe 0x34 Buffer Overflow
metasploit
This module exploits a buffer overflow vulnerability in HP Operations Agent for Windows. The vulnerability exists in the HP Software Performance Core Program component (coda.exe) when parsing requests for the 0x34 opcode. This module has been tested successfully on HP Operations Agent 11.00 over Windows XP SP3 and Windows 2003 SP2 (DEP bypass). The coda.exe component runs only for localhost by default; network access must be granted through its configuration to be remotely exploitable. On the other hand it runs on a random TCP port, so a check function is provided to make reconnaissance easier.
Unit42
Threat Brief: Microsoft DNS Server Wormable Vulnerability CVE-2020-1350
blogs_unit42 · 2020-07-21 · CVSS 10.0 · CVE-2020-1350 [CRITICAL]
## Executive Summary
In July 2020, Microsoft released a security update, CVE-2020-1350 | Windows DNS Server Remote Code Execution Vulnerability, for a new remote code execution (RCE) vulnerability.
This vulnerability exists within the Microsoft Windows Domain Name System (DNS) Server due to the improper handling of certain types of requests, specifically over port 53/TCP. Exploitation of this vulnerability is possible by creating an integer overflow, potentially leading to remote code execution.
This vulnerability only affects Windows DNS and the following builds of the Microsoft Windows operating system (OS):
- Windows Server 2008/2008 R2
- Windows Server 2012/2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server version 1803/1903/1909/2004 (Server Core installation)
Trendmicro
Backdoor Variant Infects Word Documents and PDFs
blogs_trendmicro · 2019-08-26 · CVSS 7.3 · [HIGH]
Malware
## Backdoor Variant Infects Word Documents and PDFs
Security researchers came across Asruex in a PDF file and found that a variant of the malware can also act as an infector, in particular by exploiting old vulnerabilities.
By: Trend Micro, Aug 26, 2019
Original post by Ian Mercado and Mhica Romero
Asruex was first sighted in 2015 and is known for its backdoor functions and its connection to the DarkHotel spyware. Now the security researchers came across Asruex in a PDF file and found that a variant of the malware can also act as an infector, in particular by exploiting old vulnerabilities such as CVE-2012-0158 and CVE-2010-2883, which inject code into Word and PDF files respectively.
Trendmicro
Asruex Backdoor Infects Files Via Old Vulnerabilities
blogs_trendmicro · 2019-08-22 · CVSS 7.3 · [HIGH]
Cyber Threats
## Asruex Backdoor Infects Files Via Old Vulnerabilities
Asruex has been known for its backdoor capabilities. However, when we encountered Asruex in a PDF file, we found that a variant of the malware can also act as an infector particularly through the use of old vulnerabilities.
By: Ian Mercado, Mhica Romero, Aug 22, 2019
Since it first emerged in 2015, Asruex has been known for its backdoor capabilities and connection to the spyware DarkHotel. However, when we encountered Asruex in a PDF file, we found that a variant of the malware can also act as an infector particularly through the use of old vulnerabilities CVE-2012-0158 and CVE-2010-2883, which inject code in Word and PDF files respectively. The use of old, patched vulnerabilities
Bugzilla
CVE-2012-1006 struts2: multiple XSS flaws
bugzilla · 2012-02-07 · CVSS 4.3 · CVE-2012-1006 [MEDIUM]
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-1006 to
the following vulnerability:
Name: CVE-2012-1006
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1006
Assigned: 20120206
Reference: http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt
Reference: http://secpod.org/blog/?p=450
Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts
2.0.14 and 2.2.3 allow remote attackers to inject arbitrary web script
or HTML via the (1) name or (2) lastName parameter to
struts2-showcase/person/editPerson.action, or the (3) clientName
parameter to struts2-rest-showcase/orders.
Discussion:
Statement:
A previous statement by Red Hat related to this CVE, prior to August 2019, said t