CVE-2012-3274
Published 2012-12-06
Priority: P2 · 72 · critical · CVSS 2.0 base score: 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 61.76% (99.1th percentile)
Stack-based buffer overflow in uam.exe in the User Access Manager (UAM) component in HP Intelligent Management Center (IMC) before 5.1 E0101P01 allows remote attackers to execute arbitrary code via vectors related to log data.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | intelligent_management_center | <= 5.1 | — |
| hp | intelligent_management_center | — | — |
Detection & IOCs (extracted from sources)
- Bytes: 0xF7103D21 (big-endian), the command id used in the malformed UDP packet
- Alert on UDP traffic to port 1811 containing the 4-byte big-endian command ID 0xF7103D21 at the start of the payload, which is the trigger packet for this exploit.
- The exploit sends two sequential malformed UDP packets to port 1811: a priming 'echo reply' with 20 bytes of junk, followed immediately by the buffer overflow payload. Detecting two rapid UDP packets to 1811 from the same source is a behavioral indicator.
- The overflow offset is 4035 bytes; UDP payloads to port 1811 exceeding ~4035 bytes targeting uam.exe should be treated as suspicious.
- The exploit payload avoids null bytes, carriage returns, and line feeds (\x00\x0d\x0a). Payloads to port 1811/UDP that are large and lack these bytes may indicate exploitation attempts.
- Monitor for uam.exe spawning unexpected child processes or making outbound network connections, which would indicate successful code execution following exploitation.
- The ROP chain in the exploit is built entirely from msvcrt.dll addresses specific to Windows Server 2003 SP2. The exploit (and these ROP gadget addresses) will not work as-is on other Windows versions or patch levels.
- The vulnerability is fixed in HP IMC version 5.1 E0101P01 and later; systems running versions prior to this patch are vulnerable.
- The exploit payload space is 3925 bytes with an offset of 4035, and the total packet is padded to 4066 bytes to bypass a 4096-byte packet length restriction in the UAM service.
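The indicators above can be turned into a simple per-packet and per-source heuristic. The following is an added example written for this page (not code from the CVE record, HP, or the Metasploit module); the `UdpDatagram` shape, the indicator names and the sample datagrams are assumptions constructed here, and the one-second pairing window is a tunable guess rather than a value from the sources.

```python
# Added example (not from the CVE record, HP or the Metasploit module): heuristic detector
# for the 1811/UDP indicators listed on this page. Sample datagrams below are constructed.
import struct
from dataclasses import dataclass

UAM_PORT = 1811
TRIGGER_CMD_BE = struct.pack(">I", 0xF7103D21)  # big-endian command id at payload start
OVERFLOW_OFFSET = 4035                          # payloads longer than this are suspicious
BAD_CHARS = {0x00, 0x0D, 0x0A}                  # bytes the exploit payload avoids

@dataclass
class UdpDatagram:
    src: str          # source address
    dst_port: int     # UDP destination port
    payload: bytes
    ts: float         # arrival time in seconds

def classify(d):
    """Names of the per-packet indicators that match this datagram (empty if none)."""
    if d.dst_port != UAM_PORT:
        return []
    hits, p = [], d.payload
    if p[:4] == TRIGGER_CMD_BE:
        hits.append("trigger_command_id")
    if len(p) > OVERFLOW_OFFSET:
        hits.append("oversized_payload")
        if not set(p) & BAD_CHARS:    # large and free of \x00 \x0d \x0a
            hits.append("no_badchars")
    return hits

def scan(dgrams, window=1.0):
    """Per source: union of indicators; 'rapid_pair' = two 1811/UDP datagrams within `window` s."""
    findings, last_seen = {}, {}
    for d in sorted(dgrams, key=lambda x: x.ts):
        if d.dst_port != UAM_PORT:
            continue
        hits = set(classify(d))
        prev = last_seen.get(d.src)
        if prev is not None and d.ts - prev <= window:
            hits.add("rapid_pair")          # priming packet followed by the overflow packet
        last_seen[d.src] = d.ts
        if hits:
            findings.setdefault(d.src, set()).update(hits)
    return {src: sorted(h) for src, h in findings.items()}

# Constructed samples: a benign short datagram, then a 20-byte priming packet followed 50 ms
# later by a 4066-byte datagram (the padded size from the IOC list) starting with the trigger id.
SAMPLES = [
    UdpDatagram("10.0.0.5", 1811, b"\x00\x00\x00\x01ping", 100.00),
    UdpDatagram("10.0.0.9", 1811, b"\x41" * 20, 200.00),
    UdpDatagram("10.0.0.9", 1811, TRIGGER_CMD_BE + b"A" * 4062, 200.05),
]
```

Running `scan(SAMPLES)` reports only 10.0.0.9, with all four indicator names; the benign datagram and the priming packet alone produce no finding.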
No detection rules found.
Exploit-DB
HP Intelligent Management Center < 5.0 E0102 - UAM Buffer Overflow (Metasploit) · exploitdb · 2012-08-29

Module header as indexed (the listing is cut off after the last reference):

```ruby
'Name' => 'HP Intelligent Management Center UAM Buffer Overflow',
'Description' => %q{
  This module exploits a remote buffer overflow in HP Intelligent Management Center
  UAM. The vulnerability exists in the uam.exe component, when using sprint in a
  insecure way for logging purposes. The vulnerability can be triggered by sending a
  malformed packet to the 1811/UDP port. The module has been successfully tested on
  HP iMC 5.0 E0101 and UAM 5.0 E0102 over Windows Server 2003 SP2 (DEP bypass).
},
'License' => MSF_LICENSE,
'Author' =>
  [
    'e6af8de8b1d4b2b6d5ba2610cbf9cd38', # Vulnerability discovery
    'sinn3r',                           # Metasploit module
    'juan vazquez'                      # Metasploit module
  ],
'References' =>
  [
    ['CVE', '2012-3274'],
    ['OSVDB', '85060'],
    ['BID', '55271'],
    ['ZDI', '12-171'],
    ['URL', 'https:/
```
Metasploit
HP Intelligent Management Center UAM Buffer Overflow
This module exploits a remote buffer overflow in HP Intelligent Management Center UAM. The vulnerability exists in the uam.exe component, when using sprint in an insecure way for logging purposes. The vulnerability can be triggered by sending a malformed packet to the 1811/UDP port. The module has been successfully tested on HP iMC 5.0 E0101 and UAM 5.0 E0102 over Windows Server 2003 SP2 (DEP bypass).
No writeups or analysis indexed.