CVE-2012-3274
published 2012-12-06


Priority: P2, 72
Severity: critical, CVSS 2.0 score 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 61.76% (99.1th percentile)
Stack-based buffer overflow in uam.exe in the User Access Manager (UAM) component in HP Intelligent Management Center (IMC) before 5.1 E0101P01 allows remote attackers to execute arbitrary code via vectors related to log data.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
hp | intelligent_management_center | <= 5.1 |
hp | intelligent_management_center | |

Detection & IOCs (extracted from sources)

port: 1811/UDP
process: uam.exe
command: PrependEncoder: \x81\xc4\x54\xf2\xff\xff (add esp, -3500 stack adjustment)
bytes: 0xF7103D21 (big-endian), command id used in malformed UDP packet
  • Alert on UDP traffic to port 1811 containing the 4-byte big-endian command ID 0xF7103D21 at the start of the payload, which is the trigger packet for this exploit.
  • The exploit sends two sequential malformed UDP packets to port 1811: a priming 'echo reply' with 20 bytes of junk, followed immediately by the buffer overflow payload. Detecting two rapid UDP packets to 1811 from the same source is a behavioral indicator.
  • The overflow offset is 4035 bytes; UDP payloads to port 1811 exceeding ~4035 bytes targeting uam.exe should be treated as suspicious.
  • The exploit payload avoids null bytes, carriage returns, and line feeds (\x00\x0d\x0a). Payloads to port 1811/UDP that are large and lack these bytes may indicate exploitation attempts.
  • Monitor for uam.exe spawning unexpected child processes or making outbound network connections, which would indicate successful code execution following exploitation.
  • The ROP chain in the exploit is built entirely from msvcrt.dll addresses specific to Windows Server 2003 SP2. The exploit (and these ROP gadget addresses) will not work as-is on other Windows versions or patch levels.
  • The vulnerability is fixed in HP IMC version 5.1 E0101P01 and later; systems running versions prior to this patch are vulnerable.
  • The exploit payload space is 3925 bytes with an offset of 4035, and the total packet is padded to 4066 bytes to bypass a 4096-byte packet length restriction in the UAM service.
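
The network indicators listed above, combined into one triage function. This is an added example, not code from the page or from any vendor rule; the 1-second pairing window, the function names and the sample packets are assumptions made for the illustration, and the process-level indicator (uam.exe child processes) is out of its scope.

```python
import struct

UAM_PORT = 1811                             # UAM service port (from the page)
COMMAND_ID = struct.pack(">I", 0xF7103D21)  # 4-byte big-endian command ID (from the page)
OVERFLOW_OFFSET = 4035                      # overflow offset (from the page)
AVOIDED = b"\x00\x0d\x0a"                   # bytes the exploit payload avoids (from the page)
PAIR_WINDOW = 1.0                           # assumption: seconds that count as "rapid"

def packet_indicators(dport, payload):
    """Per-packet indicators from the list above that one UDP payload matches."""
    hits = set()
    if dport != UAM_PORT:
        return hits
    if payload.startswith(COMMAND_ID):
        hits.add("command_id")
    if len(payload) > OVERFLOW_OFFSET:
        hits.add("oversized")
        if not any(b in payload for b in AVOIDED):
            hits.add("no_avoided_bytes")
    return hits

def scan(packets):
    """packets: (timestamp, src_ip, dst_port, payload) tuples. Returns alerts."""
    alerts, last_seen = [], {}
    for ts, src, dport, payload in sorted(packets, key=lambda p: p[0]):
        hits = packet_indicators(dport, payload)
        if dport == UAM_PORT:
            prev = last_seen.get(src)
            # An earlier packet from this source within the window, then an oversized one.
            if prev is not None and ts - prev <= PAIR_WINDOW and "oversized" in hits:
                hits.add("rapid_pair")
            last_seen[src] = ts
        if hits:
            alerts.append((ts, src, sorted(hits)))
    return alerts

# Constructed sample traffic (filler bytes only, documentation addresses).
SAMPLE = [
    (0.00, "192.0.2.10", 1811, b"J" * 20),
    (0.05, "192.0.2.10", 1811, COMMAND_ID + b"A" * 4062),
    (5.00, "192.0.2.20", 1811, b"\x00\x01" + b"\x00" * 30),
    (6.00, "192.0.2.10", 53, COMMAND_ID + b"A" * 5000),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Each alert carries the list of matched indicators, so a lone "oversized" hit can be triaged differently from a packet that matches the command ID and the pairing pattern together.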