CVE-2012-2915
Published: 2012-05-21
Priority: P352 · critical · 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 29.47% (97.9th percentile)
Stack-based buffer overflow in Lattice Semiconductor PAC-Designer 6.2.1344 allows remote attackers to execute arbitrary code via a long string in a Value tag in a SymbolicSchematicData definition tag in PAC Design (.pac) file.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lattice_semiconductor | pac-designer | — | — |
Detection & IOCs (extracted from sources)
- bytes: \xEB\x05\x79\x28\x51\x77
- bytes: \x89\xe3\xd9\xd0\xd9\x73\xf4\x5e\x56\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37
- Malicious .PAC files exploit a stack-based buffer overflow via a long string in the <Value> tag inside a <SymbolicSchematicData> definition tag. Hunt for PAC XML files with abnormally long <Value> fields (e.g., >98 bytes of repeated characters).
- The Metasploit module uses a P/P/R gadget at 0x00805020 in PACD621.exe (no ASLR, no SafeSEH, no Rebase). Presence of this return address in a .PAC file's binary content is a strong indicator of exploitation.
- Bad characters for payload construction are \x00, \x3c (<) and \x3e (>), consistent with XML tag delimiters. Payloads embedded in .PAC files will avoid these bytes.
- The exploit targets the PAC-Designer process (PACD621.exe) opening a crafted .pac file. Monitor PACD621.exe for spawning unexpected child processes (e.g., cmd.exe) or outbound network connections.
- The SEH gadget address 0x77512879 (SHELL32.dll POP ESI / POP ECX / RET) is specific to Windows XP SP1 and will differ on other OS builds or patch levels.
- The Metasploit module uses ExitFunction 'seh', meaning the exploit relies on SEH-based control-flow hijacking rather than a direct EIP overwrite.
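The hunting guidance above (long <Value> fields inside <SymbolicSchematicData>, and the two return addresses appearing as raw bytes in a file) can be turned into a small file scanner. The following is an added example written for this page, not code from the vulnerability sources or from Lattice; the nesting of <Value> elements inside a <SymbolicSchematicData> block is assumed from the description, and the two sample .pac bodies are constructed, not real PAC-Designer output.

```python
import re

# Threshold from the page's hunting note: ">98 bytes of repeated characters".
VALUE_LEN_THRESHOLD = 98

# Return addresses named on the page, packed little-endian as they would sit in
# a file: 0x77512879 (SHELL32.dll POP ESI / POP ECX / RET, Windows XP SP1) and
# 0x00805020 (POP/POP/RET in PACD621.exe). The page's first byte IoC,
# \xEB\x05\x79\x28\x51\x77, is a short jump followed by the first address.
GADGET_SIGNATURES = {
    "0x77512879": (0x77512879).to_bytes(4, "little"),
    "0x00805020": (0x00805020).to_bytes(4, "little"),
}

# Assumed layout: <Value> elements nested inside a <SymbolicSchematicData> block.
# Byte regexes instead of an XML parser so a malformed or truncated file (which
# a crafted .pac may well be) still gets inspected; an unterminated block or
# Value runs to end of file.
SSD_RE = re.compile(
    rb"<SymbolicSchematicData\b.*?(?:</SymbolicSchematicData>|\Z)",
    re.DOTALL | re.IGNORECASE,
)
VALUE_RE = re.compile(rb"<Value\b[^>]*>(.*?)(?:</Value>|\Z)", re.DOTALL | re.IGNORECASE)


def longest_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte (0 for empty input)."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best


def scan_pac(data: bytes) -> dict:
    """Inspect one .pac file body; returns {'suspicious': bool, 'findings': [str, ...]}."""
    findings = []

    # Rule 1: oversized Value fields inside SymbolicSchematicData definitions.
    for block in SSD_RE.finditer(data):
        for i, m in enumerate(VALUE_RE.finditer(block.group(0))):
            value = m.group(1)
            if len(value) > VALUE_LEN_THRESHOLD:
                findings.append(
                    f"Value #{i} in SymbolicSchematicData is {len(value)} bytes "
                    f"(threshold {VALUE_LEN_THRESHOLD}), longest repeated run {longest_run(value)}"
                )

    # Rule 2: known return addresses anywhere in the file body.
    for name, sig in GADGET_SIGNATURES.items():
        off = data.find(sig)
        if off != -1:
            findings.append(f"return address {name} (little-endian) found at offset {off}")

    return {"suspicious": bool(findings), "findings": findings}


# Constructed sample files (element names from the page; structure assumed).
BENIGN_PAC = (
    b'<?xml version="1.0"?>\n<PACDesign>\n  <SymbolicSchematicData>\n'
    + b'    <Symbol Name="R1"><Value>10k</Value></Symbol>\n'
    + b'  </SymbolicSchematicData>\n</PACDesign>\n'
)

SUSPICIOUS_PAC = (
    b'<?xml version="1.0"?>\n<PACDesign>\n  <SymbolicSchematicData>\n'
    + b'    <Symbol Name="R1"><Value>'
    + b"A" * 150
    + GADGET_SIGNATURES["0x77512879"]
    + b'</Value></Symbol>\n'
    + b'  </SymbolicSchematicData>\n</PACDesign>\n'
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PAC), ("suspicious", SUSPICIOUS_PAC)):
        result = scan_pac(sample)
        print(label, result["suspicious"], *result["findings"], sep="\n  ")
```

Run it over a directory of .pac files by calling scan_pac(open(path, "rb").read()) per file. The length rule alone will also catch unusually verbose but legitimate designs, so the repeated-run length and the address match are what raise a hit from "odd" to "worth pulling the file"; the address rule is tied to the XP SP1 gadget named on the page and will miss builds that use a different return address.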
No detection rules found.
Exploit-DB
Lattice Semiconductor PAC-Designer 6.21 - Symbol Value Buffer Overflow (Metasploit)
exploitdb · 2012-06-17
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => "Lattice Semiconductor PAC-Designer 6.21 Symbol Value Buffer Overflow",
      'Description' => %q{
          This module exploits a vulnerability found in Lattice Semiconductor PAC-Designer
          6.21. As a .pac file, when supplying a long string of data to the 'value' field
          under the 'SymbolicSchematicData' tag, it is possible to cause a memory corruption
          on the stack, which results in arbitrary code execution under the context of t
```
Exploit-DB
Lattice Semiconductor PAC-Designer 6.21 - '.PAC' Local Overflow
exploitdb · 2012-06-07 · CVSS 9.3 [CRITICAL]
```python
#!/usr/bin/python -w
#------------------------------------------------------------------------------------#
# Exploit: Lattice Semiconductor PAC-Designer 6.21 (possibly all versions)
# CVE: CVE-2012-2915
# Author: b33f (Ruben Boonen) - http://www.fuzzysecurity.com/
# OS: WinXP SP1
# Software: http://www.latticesemi.com/products/designsoftware/pacdesigner/index.cfm
#------------------------------------------------------------------------------------#
# I didn't dig too deep but it seems portability to other OS builds is not promising
# due to SafeSEH and badchars in the application modules.
#------------------------------------------------------------------------------------#
# root@bt:~# nc -nv 192.168.111.
```
Metasploit
Lattice Semiconductor PAC-Designer 6.21 Symbol Value Buffer Overflow
metasploit
This module exploits a vulnerability found in Lattice Semiconductor PAC-Designer 6.21. As a .pac file, when supplying a long string of data to the 'value' field under the 'SymbolicSchematicData' tag, it is possible to cause a memory corruption on the stack, which results in arbitrary code execution under the context of the user.
No writeups or analysis indexed.
References
- http://osvdb.org/82001
- http://secunia.com/advisories/48741
- http://www.securityfocus.com/bid/53566
- https://exchange.xforce.ibmcloud.com/vulnerabilities/75698
Published: 2012-05-21