CVE-2012-2516
Published 2012-07-05
Priority P268 · critical · 9.3 (CVSS 2.0)
AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 39.71% (98.4th percentile)
An ActiveX control in KeyHelp.ocx in KeyWorks KeyHelp Module (aka the HTML Help component), as used in GE Intelligent Platforms Proficy Historian 3.1, 3.5, 4.0, and 4.5; Proficy HMI/SCADA iFIX 5.0 and 5.1; Proficy Pulse 1.0; Proficy Batch Execution 5.6; SI7 I/O Driver 7.20 through 7.42; and other products, allows remote attackers to execute arbitrary commands via crafted input, related to a "command injection vulnerability."
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ge | intelligent_platforms_proficy_batch_execution | — | — |
| ge | intelligent_platforms_proficy_historian | — | — |
| ge | intelligent_platforms_proficy_historian | — | — |
| ge | intelligent_platforms_proficy_historian | — | — |
| ge | intelligent_platforms_proficy_historian | — | — |
| ge | intelligent_platforms_proficy_hmi_scada_ifix | — | — |
| ge | intelligent_platforms_proficy_hmi_scada_ifix | — | — |
| ge | intelligent_platforms_proficy_pulse | — | — |
| ge | intelligent_platforms_si7_i_o_driver | — | — |
| ge | intelligent_platforms_si7_i_o_driver | — | — |
Detection & IOCs (extracted from sources)
- Detect instantiation of the KeyHelp ActiveX control by its CLSID {45E66957-2932-432A-A156-31503DF0A681} in browser or registry contexts.
- Alert on hh.exe being spawned with '-decompile' as a command-line argument, especially pointing to UNC (\\) paths, which indicates exploitation of LaunchTriPane.
- Detect WebDAV (OPTIONS/PROPFIND) requests originating from Internet Explorer or the WebDAV Mini-Redirector (MiniRedir) user-agent on port 80, followed by .chm file downloads, a pattern consistent with this exploit's delivery mechanism.
- Look for JavaScript instantiating the 'KeyHelp.KeyScript' ActiveX object (new ActiveXObject("KeyHelp.KeyScript")) in web content, which is the exploit's trigger mechanism.
- Flag User-Agent strings matching 'MiniRedir/5.1' or 'MiniRedir/5.2' combined with requests for .chm files over WebDAV, as the exploit specifically targets these redirector versions.
- The Metasploit exploit module requires SRVPORT=80 and URIPATH=/; it will not function on non-standard ports or URI paths, limiting its use to port 80.
- The exploit's WMI MOF-based code execution technique only works on Windows versions prior to Vista; it will not succeed on Vista or later.
- The target host must have the WebClient service (WebDAV Mini-Redirector) running; without it the UNC-based payload delivery will fail.
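The checks listed above, sketched as detection logic over process, web-content and HTTP telemetry. This is an added example, not code from any of the indexed sources; the function names, event tuple layout and sample events are constructed for illustration, and real log field names will differ.

```python
import re

# Identifiers quoted in the detection notes above
KEYHELP_CLSID = "45E66957-2932-432A-A156-31503DF0A681"
KEYHELP_PROGID = "KeyHelp.KeyScript"
HH_DECOMPILE = re.compile(r'(?i)\bhh(?:\.exe)?"?\s+.*-decompile\b')
UNC_PATH = re.compile(r'\\\\[^\\\s"]+\\')          # \\host\ prefix
MINIREDIR_UA = re.compile(r"MiniRedir/5\.[12]\b")  # redirector versions named above
WEBDAV_METHODS = {"OPTIONS", "PROPFIND"}

def check_process(cmdline):
    """Severity for a process-creation command line: None, 'medium' or 'high'."""
    if not HH_DECOMPILE.search(cmdline):
        return None
    return "high" if UNC_PATH.search(cmdline) else "medium"

def check_content(body):
    """True if web content references the KeyHelp control by CLSID or ProgID."""
    lowered = body.lower()
    return KEYHELP_CLSID.lower() in lowered or KEYHELP_PROGID.lower() in lowered

def check_http(events):
    """events: (client, method, path, user_agent) in time order.
    Returns clients that did WebDAV discovery, then fetched a .chm via MiniRedir."""
    probed, hits = set(), []
    for client, method, path, ua in events:
        if method in WEBDAV_METHODS:
            probed.add(client)
        elif (method == "GET" and path.lower().endswith(".chm")
              and client in probed and MINIREDIR_UA.search(ua)):
            hits.append(client)
    return hits

# Constructed sample telemetry (not taken from a real incident)
SAMPLE_CMDLINES = [
    r'"C:\Windows\hh.exe" -decompile C:\out \\192.0.2.10\share\doc.chm',
    r'hh.exe -decompile C:\docs\out C:\docs\manual.chm',
    r'hh.exe C:\docs\manual.chm',
]
SAMPLE_HTTP = [
    ("10.0.0.5", "OPTIONS", "/", "Microsoft-WebDAV-MiniRedir/5.1.2600"),
    ("10.0.0.5", "PROPFIND", "/share", "Microsoft-WebDAV-MiniRedir/5.1.2600"),
    ("10.0.0.5", "GET", "/share/doc.chm", "Microsoft-WebDAV-MiniRedir/5.1.2600"),
    ("10.0.0.9", "GET", "/help/manual.chm", "Mozilla/4.0 (compatible; MSIE 8.0)"),
]

if __name__ == "__main__":
    print([check_process(c) for c in SAMPLE_CMDLINES])
    print(check_http(SAMPLE_HTTP))
```

A local `-decompile` run is rated medium rather than ignored because help authors rarely decompile .chm files on HMI or historian hosts; tune that to the environment.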
CISA ICS
GE Intelligent Platforms Proficy HTML Help Vulnerabilities (Update A)
cisa_ics · 2012-06-27 · CVSS 9.3 · CRITICAL
Last Revised: August 21, 2018
Alert Code: ICSA-12-131-02
## 1. EXECUTIVE SUMMARY
- CVSS v3 8.8
- ATTENTION: Exploitable remotely/low skill level to exploit
- Vendor: GE
- Equipment: Intelligent Platforms
- Vulnerabilities: Stack-based Buffer Overflow, Command Injection
## 2. UPDATE INFORMATION
This updated advisory is a follow-up to the original advisory titled ICSA-12-131-02 GE Intelligent Platforms Proficy HTML Help Vulnerabilities that was published June 27, 2012, on the NCCIC/ICS-CERT website.
## 3. RIS
GHSA
GHSA-x4j8-mmc7-549m: An ActiveX control in KeyHelp
ghsa_unreviewed · 2022-05-17 · CVE-2012-2516 · HIGH · CWE-78
No detection rules found.
Exploit-DB
KeyHelp - ActiveX LaunchTriPane Remote Code Execution (Metasploit)
exploitdb · 2012-10-11 · CVE-2012-2516
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 OperatingSystems::WINDOWS,
:ua_name => HttpClients::IE,
:javascript => true,
:rank => NormalRanking,
:classid => "{45E66957-2932-432A-A156-31503DF0A681}",
:method => "LaunchTriPane",
})
def initialize(info = {})
super(update_info(info,
'Name' => 'KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability',
'Description' => %q{
This module exploits a code execution vulnerability in the KeyScript ActiveX
control from keyhelp.ocx. It is packag
Metasploit
KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability
metasploit
This module exploits a code execution vulnerability in the KeyScript ActiveX control from keyhelp.ocx. It is packaged in several products of GE, such as Proficy Historian 4.5, 4.0, 3.5, and 3.1, Proficy HMI/SCADA 5.1 and 5.0, Proficy Pulse 1.0, Proficy Batch Execution 5.6, and SI7 I/O Driver between 7.20 and 7.42. When the control is installed with these products, the function "LaunchTriPane" will use ShellExecute to launch "hh.exe", with user-controlled data as parameters. Because of this, the "-decompile" option can be abused to write arbitrary files on the remote system. Code execution can be achieved by first uploading the payload to the remote machine, and then uploading another mof file, which enables Windows Management
No writeups or analysis indexed.
- http://support.ge-ip.com/support/resources/sites/GE_FANUC_SUPPORT/content/live/KB/14000/KB14863/en_US/GEIP12-04%20Security%20Advisory%20-%20Proficy%20HTML%20Help.pdf
- http://www.us-cert.gov/control_systems/pdf/ICSA-12-131-02.pdf