CVE-2012-2915
published 2012-05-21


Priority: P3 · 52
CVSS 2.0: 9.3 (critical), vector AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 29.47% (97.9th percentile)
Stack-based buffer overflow in Lattice Semiconductor PAC-Designer 6.2.1344 allows remote attackers to execute arbitrary code via a long string in a Value tag in a SymbolicSchematicData definition tag in PAC Design (.pac) file.

Affected (1 range)

Vendor                | Product      | Version range | Fixed in
lattice_semiconductor | pac-designer |               |

Detection & IOCs (extracted from sources)

filename: msf.pac
address: 0x00805020 (labelled "registry" in the extraction; it is the POP/POP/RET return address in PACD621.exe, see the notes below)
bytes: \xEB\x05\x79\x28\x51\x77 (a two-byte short jump, \xEB\x05, followed by the SHELL32.dll gadget address 0x77512879 in little-endian byte order)
bytes: \x89\xe3\xd9\xd0\xd9\x73\xf4\x5e\x56\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37 (the GetPC/decoder prologue of a Metasploit alphanumeric encoder such as x86/alpha_mixed; it is generic to any alphanumeric-encoded payload, not specific to this CVE, so treat it as a supporting rather than a primary indicator)
  • Malicious .pac files exploit a stack-based buffer overflow via a long string in the <Value> tag inside a <SymbolicSchematicData> definition tag. Hunt for PAC XML files with abnormally long <Value> fields (e.g., more than 98 bytes of repeated characters). Inspect the file as raw bytes: once shellcode sits inside <Value> the file is no longer well-formed XML, and an XML parser will reject or mangle exactly the bytes you need to see.
  • The Metasploit module uses a POP/POP/RET gadget at 0x00805020 in PACD621.exe (no ASLR, no SafeSEH, no Rebase). In the file the address is stored little-endian, so hunt for the byte sequence \x20\x50\x80\x00 (or \x20\x50\x80 if the terminating null is not preserved), not for the text "0x00805020". Its presence in a .pac file's binary content is a strong indicator of exploitation.
  • Bad characters for payload construction are \x00, \x3c (<) and \x3e (>), consistent with XML tag delimiters and a C-string copy. Payloads embedded in .pac files will avoid these bytes; conversely, any other control or high byte inside a <Value> field is itself suspicious, since legitimate values are printable text.
  • The exploit targets the PAC-Designer process (PACD621.exe) opening a crafted .pac file; "remote attackers" in the description means the victim must be induced to open an attacker-supplied file. Monitor PACD621.exe for spawning unexpected child processes (e.g., cmd.exe) or making outbound network connections.
  • The SEH gadget address 0x77512879 (SHELL32.dll POP ESI / POP ECX / RET) is specific to Windows XP SP1 and will differ on other OS builds or patch levels; an OS-independent hunt should key on the PACD621.exe gadget above instead.
  • The Metasploit module sets EXITFUNC 'seh'. This is the payload's exit method (it clears the unhandled-exception filter and lets the process fall over rather than calling ExitProcess), not the hijack mechanism itself; the control-flow hijack is an SEH overwrite, as the POP/POP/RET gadgets show.
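As an added example (not code from the page's sources or from the Metasploit module), the following Python scanner implements the hunts listed above over constructed sample files: it matches the byte-level IOCs, flags over-long or binary-bearing <Value> fields inside <SymbolicSchematicData> blocks, and checks a payload against the bad-character set. The tag names come from the CVE text; the exact .pac schema, the sample file contents and the field layout of the constructed exploit string are assumptions.

```python
import re
from typing import List, Set

# Indicators from the IOC list above. Addresses are stored little-endian; the
# leading null of 0x00805020 also terminates the overflowing string, so only
# its low three bytes are matched. The decoder stub is copied verbatim.
IOC_BYTES = {
    "ppr_PACD621_0x00805020": b"\x20\x50\x80",
    "seh_xp_sp1_0x77512879": b"\xEB\x05\x79\x28\x51\x77",   # short jmp, then handler
    "alpha_mixed_decoder_stub": (b"\x89\xe3\xd9\xd0\xd9\x73\xf4\x5e\x56\x59"
                                 b"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
                                 b"\x43\x43\x43\x43\x43\x43\x37"),
}
BAD_CHARS = {0x00, 0x3C, 0x3E}       # \x00, '<', '>' per the IOC list
MAX_VALUE_LEN = 98                   # length threshold from the IOC list

# Tag names as given in the CVE text; the exact .pac schema is an assumption.
SSD_RE = re.compile(rb"<SymbolicSchematicData\b.*?</SymbolicSchematicData>", re.DOTALL)
VALUE_RE = re.compile(rb"<Value>(.*?)</Value>", re.DOTALL)


def bad_chars_in(payload: bytes) -> Set[int]:
    """Bytes in payload that the exploit cannot use (they would cut the XML string)."""
    return {b for b in payload if b in BAD_CHARS}


def scan_pac(data: bytes) -> List[str]:
    """Return finding tags for one .pac file's raw bytes (empty list = clean).

    Byte regexes are used on purpose: a weaponised .pac is not well-formed XML
    once shellcode sits inside <Value>, so an XML parser is the wrong tool.
    """
    findings = []
    for name, pattern in IOC_BYTES.items():
        if pattern in data:
            findings.append("ioc_bytes:" + name)

    # Inspect <Value> fields inside SymbolicSchematicData blocks; if the file
    # has no such block, fall back to every <Value> in the file.
    blocks = SSD_RE.findall(data) or [data]
    for block in blocks:
        for value in VALUE_RE.findall(block):
            if len(value) > MAX_VALUE_LEN:
                findings.append("long_value:%d" % len(value))
            # A legitimate Value is printable text (tabs/newlines allowed);
            # any other control or high byte means binary data was embedded.
            binary = sum(1 for b in value
                         if (b < 0x20 or b > 0x7E) and b not in (0x09, 0x0A, 0x0D))
            if binary:
                findings.append("binary_value:%d" % binary)
    return findings


# Constructed samples (not real files): a benign design and a weaponised one
# laid out like the XP SP1 chain in the IOCs: padding, short jump + handler
# address, NOP sled, encoded payload prologue.
BENIGN_PAC = (b'<PACDesign><SymbolicSchematicData Name="U1">'
              b'<Value>3.3V</Value></SymbolicSchematicData></PACDesign>')
EXPLOIT_PAYLOAD = (b"A" * 200
                   + IOC_BYTES["seh_xp_sp1_0x77512879"]
                   + b"\x90" * 8
                   + IOC_BYTES["alpha_mixed_decoder_stub"])
MALICIOUS_PAC = (b'<PACDesign><SymbolicSchematicData Name="U1"><Value>'
                 + EXPLOIT_PAYLOAD
                 + b"</Value></SymbolicSchematicData></PACDesign>")

if __name__ == "__main__":
    print("benign   :", scan_pac(BENIGN_PAC))
    print("malicious:", scan_pac(MALICIOUS_PAC))
    print("bad chars in payload:", bad_chars_in(EXPLOIT_PAYLOAD))
```

On the constructed malicious sample the scanner reports the SHELL32 handler bytes, the decoder stub, a 241-byte <Value> and 16 non-printable bytes inside it, while the benign file yields no findings; bad_chars_in confirms the constructed payload avoids \x00, '<' and '>' as the IOC notes say it must. Note that an alphanumeric-encoded payload is mostly printable by design, so the binary-byte count is small; the length check and the gadget bytes carry the detection.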