CVE-2012-2516
published 2012-07-05


Priority: P268
Severity: critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 39.71% (98.4th percentile)

An ActiveX control in KeyHelp.ocx in KeyWorks KeyHelp Module (aka the HTML Help component), as used in GE Intelligent Platforms Proficy Historian 3.1, 3.5, 4.0, and 4.5; Proficy HMI/SCADA iFIX 5.0 and 5.1; Proficy Pulse 1.0; Proficy Batch Execution 5.6; SI7 I/O Driver 7.20 through 7.42; and other products, allows remote attackers to execute arbitrary commands via crafted input, related to a "command injection vulnerability."

Affected

10 ranges

Vendor | Product | Version range | Fixed in
ge | intelligent_platforms_proficy_batch_execution | |
ge | intelligent_platforms_proficy_historian | |
ge | intelligent_platforms_proficy_historian | |
ge | intelligent_platforms_proficy_historian | |
ge | intelligent_platforms_proficy_historian | |
ge | intelligent_platforms_proficy_hmi_scada_ifix | |
ge | intelligent_platforms_proficy_hmi_scada_ifix | |
ge | intelligent_platforms_proficy_pulse | |
ge | intelligent_platforms_si7_i_o_driver | |
ge | intelligent_platforms_si7_i_o_driver | |

Detection & IOCs (extracted from sources)

other: {45E66957-2932-432A-A156-31503DF0A681}
filename: KeyHelp.ocx
path: data/exploits/CVE-2012-2516/template_payload.chm
path: data/exploits/CVE-2012-2516/template_mof.chm
process: hh.exe
  • Detect instantiation of the KeyHelp ActiveX control by its CLSID {45E66957-2932-432A-A156-31503DF0A681} in browser or registry contexts.
  • Alert on hh.exe being spawned with '-decompile' as a command-line argument, especially pointing to UNC (\\) paths, which indicates exploitation of LaunchTriPane.
  • Detect WebDAV (OPTIONS/PROPFIND) requests originating from Internet Explorer or the WebDAV Mini-Redirector (MiniRedir) user-agent on port 80, followed by .chm file downloads — a pattern consistent with this exploit's delivery mechanism.
  • Look for JavaScript instantiating 'KeyHelp.KeyScript' ActiveX object (new ActiveXObject("KeyHelp.KeyScript")) in web content, which is the exploit's trigger mechanism.
  • Flag User-Agent strings matching 'MiniRedir/5.1' or 'MiniRedir/5.2' combined with requests for .chm files over WebDAV, as the exploit specifically targets these redirector versions.
  • The Metasploit exploit module requires SRVPORT=80 and URIPATH=/; it will not function on non-standard ports or URI paths, limiting its use to port 80.
  • The exploit's WMI MOF-based code execution technique only works on Windows versions prior to Vista; it will not succeed on Vista or later.
  • The target host must have the WebClient service (WebDAV Mini-Redirector) running; without it the UNC-based payload delivery will fail.
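
The detection ideas listed above, sketched in Python as an added example (not code from the advisory, the vendor or any detection product). It checks process command lines, web content and a WebDAV request sequence. The function names, the "high"/"medium" labels and the sample telemetry are assumptions constructed for illustration.

```python
import re

# Indicators from the detection notes above.
CLSID = "45E66957-2932-432A-A156-31503DF0A681"
PROGID = "KeyHelp.KeyScript"
HH_DECOMPILE = re.compile(r'\bhh\.exe"?\s.*-decompile\b', re.I)
UNC_PATH = re.compile(r'(?:^|[\s"])\\\\[\w.-]+\\')
MINIREDIR = re.compile(r"MiniRedir/5\.[12]\b")

def check_process(cmdline):
    """'high' for hh.exe -decompile with a UNC argument, 'medium' without one, else None."""
    if not HH_DECOMPILE.search(cmdline):
        return None
    return "high" if UNC_PATH.search(cmdline) else "medium"

def check_content(html):
    """True if web content references the control by CLSID or ProgID."""
    low = html.lower()
    return CLSID.lower() in low or PROGID.lower() in low

def check_webdav(events):
    """events: (client, method, path, user_agent) in time order.
    Returns (client, path, miniredir_5x) for .chm fetches that follow WebDAV discovery."""
    probed, hits = set(), []
    for client, method, path, ua in events:
        if method in ("OPTIONS", "PROPFIND"):
            probed.add(client)
        elif method == "GET" and path.lower().endswith(".chm") and client in probed:
            hits.append((client, path, bool(MINIREDIR.search(ua))))
    return hits

# Constructed sample telemetry (not captured from a real host).
SAMPLE_CMDLINES = [
    r'C:\WINDOWS\hh.exe C:\docs\help.chm',
    r'hh.exe -decompile C:\Temp\out C:\docs\help.chm',
    r'hh.exe -decompile C:\Temp\out \\192.0.2.10\docs\help.chm',
]
UA = "Microsoft-WebDAV-MiniRedir/5.1.2600"
SAMPLE_EVENTS = [
    ("10.0.0.5", "OPTIONS", "/", UA),
    ("10.0.0.5", "PROPFIND", "/docs", UA),
    ("10.0.0.5", "GET", "/docs/help.chm", UA),
    ("10.0.0.9", "GET", "/manual.chm", "Mozilla/4.0 (compatible; MSIE 8.0)"),
]

if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        print(check_process(c), "|", c)
    print(check_webdav(SAMPLE_EVENTS))
```

The WebDAV check keys on the OPTIONS/PROPFIND-then-.chm sequence per client, so a plain browser download of a help file with no prior discovery requests is not flagged.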