CVE-2012-4598
published 2012-08-22CVE-2012-4598: An unspecified ActiveX control in McAfee Virtual Technician (MVT) before 6.4, and ePO-MVT, allows remote attackers to execute arbitrary code or cause a denial…
PriorityP357critical9.3CVSS 2.0
AVNACMAuNCCICAC
EXPLOIT
EPSS
29.38%
97.9th percentile
An unspecified ActiveX control in McAfee Virtual Technician (MVT) before 6.4, and ePO-MVT, allows remote attackers to execute arbitrary code or cause a denial of service (Internet Explorer crash) via a crafted web site.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mcafee | epo_mcafee_virtual_technician | <= 1.0.7 | — |
| mcafee | epo_mcafee_virtual_technician | — | — |
| mcafee | epo_mcafee_virtual_technician | — | — |
| mcafee | mcafee_virtual_technician | <= 6.3.0.1911 | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect instantiation of the vulnerable ActiveX control by its CLSID {2EBE1406-BE0E-44E6-AE10-247A0C5AEDCF} or ProgID MVT.MVTControl.6300 in browser/HTML content. ↗
- →Alert on calls to the GetObject() method on the MVTControl ActiveX object, especially with arguments of 'WScript.Shell' or arbitrary numeric memory addresses (e.g. 0x0c0c0c0c), as these indicate exploitation attempts. ↗
- →Monitor for child processes of Internet Explorer (iexplore.exe) spawning cmd.exe or WScript.Shell-based execution, which is the post-exploitation pattern for this vulnerability. ↗
- →The Metasploit module delivers a payload EXE via HTTP with Content-Type 'application/octet-stream'; detect User-Agent filtering for MSIE and .exe URI patterns in web server logs as indicators of exploit delivery. ↗
- →The Metasploit module uses 'migrate -f' as InitialAutoRunScript; detect process migration activity (e.g. CreateRemoteThread into a new process) shortly after iexplore.exe payload execution. ↗
- →Check for presence of MVT.dll loaded in iexplore.exe process space as evidence of the vulnerable control being active. ↗
- ·The ActiveX control reports Safe for Scripting = true via IObjectSafety, meaning Internet Explorer will allow remote scripting without additional prompts, broadening the attack surface. ↗
- ·Exploitation is confirmed against Internet Explorer 7, 8, and 9 on Windows Vista SP2 and Windows 2003 R2 SP2; detections should be scoped to these browser/OS combinations. ↗
- ·The vulnerability affects MVT versions before 6.4; version 6.3.0.1911 is the confirmed vulnerable build. Ensure version checks target this specific file version of MVT.dll. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
McAfee Virtual Technician MVTControl 6.3.0.1911 - GetObject (Metasploit)
exploitdb·2012-05-01
CVE-2012-4598 McAfee Virtual Technician MVTControl 6.3.0.1911 - GetObject (Metasploit)
McAfee Virtual Technician MVTControl 6.3.0.1911 - GetObject (Metasploit)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 "McAfee Virtual Technician MVTControl 6.3.0.1911 GetObject Vulnerability",
'Description' => %q{
This modules exploits a vulnerability found in McAfee Virtual Technician's
MVTControl. This ActiveX control can be abused by using the GetObject() function
to load additional unsafe classes such as WScript.Shell, therefore allowing remote
code execution under the context of the user.
},
'License' => MSF_LICENSE,
'Author' =>
[
'r
Exploit-DB
McAfee Virtual Technician 6.3.0.1911 MVT.MVTControl.6300 - ActiveX 'GetObject()' Code Execution
exploitdb·2012-04-30
CVE-2012-4598 McAfee Virtual Technician 6.3.0.1911 MVT.MVTControl.6300 - ActiveX 'GetObject()' Code Execution
McAfee Virtual Technician 6.3.0.1911 MVT.MVTControl.6300 - ActiveX 'GetObject()' Code Execution
---
McAfee Virtual Technician 6.3.0.1911 MVT.MVTControl.6300 ActiveX Control
GetObject() Security Bypass Remote Code Execution Vulnerability
tested against: Microsoft Windows Vista sp2
Microsoft Windows 2003 r2 sp2
Internet Explorer 7/8/9
product homepage: http://www.mcafee.com/it/downloads/free-tools/virtual-technician.aspx
file tested: MVTInstaller.exe
background:
the mentioned product installs an ActiveX control with
the following settings:
Binary path: C:\Program Files\McAfee\Supportability\MVT\MVT.dll
ProgID: MVT.MVTControl.6300
CLSID: {2EBE1406-BE0E-44E6-AE10-247A0C5AEDCF}
Implements IObjectSafety: Yes
Safe for Scripting (IObjectSafety): true
Safe for Initialization (IObjectSafety
Metasploit
McAfee Virtual Technician MVTControl 6.3.0.1911 GetObject Vulnerability
metasploit
McAfee Virtual Technician MVTControl 6.3.0.1911 GetObject Vulnerability
McAfee Virtual Technician MVTControl 6.3.0.1911 GetObject Vulnerability
This module exploits a vulnerability found in McAfee Virtual Technician's MVTControl. This ActiveX control can be abused by using the GetObject() function to load additional unsafe classes such as WScript.Shell, therefore allowing remote code execution under the context of the user.
No writeups or analysis indexed.
2012-08-22
Published