cbcvebase.
CVE-2012-2020
published 2012-07-11

CVE-2012-2020: Unspecified vulnerability in HP Operations Agent before 11.03.12 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1326.

Priority: P275 · critical · 10 · CVSS 2.0
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 64.69% (99.1th percentile)

Affected

30 ranges · showing 25

Vendor | Product | Version range | Fixed in
hp | operations_agent | <= 11.0 |
hp | operations_agent | |
hp | operations_agent | |
hp | operations_agent | |
hp | operations_agent | |
hp | operations_agent | |
hp | operations_agent | |
hp | operations_agent | |
hp | operations_agent | |
hp | operations_agent | |
hp | operations_agent | |
hp | operations_agent | |
hp | operations_agent | |
msrc | windows_10 | |
msrc | windows_10_version_1607 | |
msrc | windows_10_version_1709 | |
msrc | windows_10_version_1803 | |
msrc | windows_10_version_1809 | |
msrc | windows_10_version_1903 | |
msrc | windows_10_version_1909 | |
msrc | windows_10_version_2004 | |
msrc | windows_7 | |
msrc | windows_8.1 | |
msrc | windows_rt_8.1 | |
msrc | windows_server_2008 | |

Detection & IOCs (extracted from sources)

filename: coda.exe
command: opcode 0x8c
other: 0x100e79eb (ppr from OvSecCore.dll, HP Operations Agent 11.00 / Windows XP SP3)
other: 0x10073c2c (stackpivot ADD ESP,404 RETN from OvSecCore.dll, HP Operations Agent 11.00 / Windows 2003 SP2)
other: Offset 2084 bytes
bytes: \x81\xc4\x54\xf2\xff\xff
  • Detect exploitation attempts by monitoring for HTTP requests to coda.exe containing opcode 0x8c with oversized payloads (>2084 bytes) on the random TCP port used by the service.
  • Check HTTP response banner for 'server:.*coda 11.' to fingerprint vulnerable HP Operations Agent instances during reconnaissance; minor version < target threshold indicates vulnerable host.
  • Monitor for the stack-adjustment prepend encoder byte sequence \x81\xc4\x54\xf2\xff\xff (ADD ESP, -3500) in TCP payloads, which is prepended to shellcode in exploit attempts.
  • The exploit uses chunked HTTP encoding to deliver the overflow buffer; monitor for chunked HTTP POST bodies to coda.exe's port containing SEH record overwrites and large random-text padding (~4000 bytes).
  • coda.exe runs on a random TCP port; use the Metasploit check/ping function pattern (HTTP/1.1 200 OK + coda server banner) to identify exposed instances that have been granted network access beyond localhost.
  • coda.exe is only remotely exploitable if network access has been explicitly granted in its configuration; by default it only listens on localhost, significantly limiting remote attack surface.
  • coda.exe binds to a random TCP port on each start, making static port-based firewall rules or detection signatures insufficient without dynamic port discovery.

CVSS provenance

nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_msrc | 7.8 | HIGH