CVE-2012-4924
Published: 2012-09-15
Priority: P2 (59) · Severity: critical · CVSS 2.0 base score 9.3, vector AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public · EPSS: 36.34% (98.3rd percentile)
Buffer overflow in the CxDbgPrint function in the ipswcom.dll ActiveX component 1.0.0.1 for ASUS Net4Switch 1.0.0020 allows remote attackers to execute arbitrary code via a long parameter to the Alert method.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| asus | ipswcom_activex_component | — | — |
| asus | net4switch | — | — |
Detection & IOCs (extracted from sources)
- Code pattern (bytes): `push 0FFh; call CxDbgPrint` at .text:100305AE / 100305B3 in ipswcom.dll.
- The vulnerable ActiveX control is identified by CLSID 1B9E86D8-7CAF-46C8-9938-569B21E17A8E; monitor for instantiation of this CLSID in browser processes (e.g., via registry or COM object-creation logs). Where the control is not needed, setting its kill bit (DWORD `Compatibility Flags` = 0x400 under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1B9E86D8-7CAF-46C8-9938-569B21E17A8E}`) stops Internet Explorer from instantiating it at all.
- Exploitation targets IE 6 and IE 7 on Windows XP SP3; the Metasploit module fingerprints victims on User-Agent strings containing 'NT 5.1' together with 'MSIE 6' or 'MSIE 7'.
- The exploit is SEH-based and runs a 'migrate -f' auto-run script after landing; look for iexplore.exe spawning unexpected child processes shortly after the ActiveX control loads.
- The overflow is triggered through the control's 'Alert' method with an over-long parameter; monitoring for unusually large string arguments to this method requires API-level instrumentation of the browser, not network visibility alone.
- The Metasploit module delivers its payload with a JavaScript heap spray padded with NOP sleds; look for large repetitive memory allocations in browser processes consistent with heap spraying.
- The format string '[IPSW_alert] = %s' is pushed as a literal in the vulnerable code path; its presence in memory dumps or crash reports points at the CxDbgPrint path. The literal lives in the DLL's image, so it appears in any process that has loaded ipswcom.dll; treat it as corroboration of a crash in this module, not as proof of exploitation on its own.
- The module's 'Automatic' target returns nil (no exploit attempt) for any browser/OS combination other than IE 6 or IE 7 on Windows XP SP3, which limits the exploit's scope.
- Null bytes (0x00) are bad characters for the payload; shellcode containing them is truncated and the exploit fails.
- The module offers optional JavaScript obfuscation, so delivery traffic may or may not be obfuscated depending on attacker configuration.
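The host- and proxy-side indicators above can be turned into a small triage script. The block below is an added example written for this page, not code from the original entry, from Metasploit or from ASUS. It assumes a hypothetical event layout (timestamp, event kind, pid, image, detail) standing in for Sysmon/EDR telemetry, and the sample events, User-Agent strings and memory-dump fragment are constructed; the 60-second "shortly after" window is an assumed default.

```python
from datetime import datetime, timedelta

# Indicators quoted in the IOC list above
CLSID = "1B9E86D8-7CAF-46C8-9938-569B21E17A8E"
ALERT_FMT = b"[IPSW_alert] = %s"
BROWSERS = {"iexplore.exe"}

# Constructed sample telemetry. The tuple layout (timestamp, event kind, pid, image,
# detail) and the event names are hypothetical; map your own EDR/Sysmon fields onto it.
SAMPLE_EVENTS = [
    ("2012-03-01 10:00:00", "com_create", 1234, "iexplore.exe", "{1b9e86d8-7caf-46c8-9938-569b21e17a8e}"),
    ("2012-03-01 10:00:03", "proc_create", 1234, "iexplore.exe", "cmd.exe"),
    ("2012-03-01 10:05:00", "com_create", 2000, "explorer.exe", "{00000000-1111-2222-3333-444444444444}"),  # unrelated, constructed CLSID
    ("2012-03-01 11:00:00", "proc_create", 1234, "iexplore.exe", "ieuser.exe"),   # an hour later: outside the window
    ("2012-03-01 11:00:05", "proc_create", 4321, "iexplore.exe", "notepad.exe"),  # browser that never loaded the control
]

# Constructed User-Agent strings: only the first matches the module's fingerprint
SAMPLE_USER_AGENTS = [
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)",
]

# Constructed memory-dump fragment containing the literal the vulnerable path pushes
SAMPLE_DUMP = b"\x00" * 16 + b"[IPSW_alert] = %s\x00" + b"\x90" * 16


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def is_targeted_ua(ua):
    """Replicates the fingerprint described above: XP ('NT 5.1') with IE 6 or IE 7.
    Order-independent substring test, following the wording of the IOC rather than
    a full User-Agent grammar."""
    return "NT 5.1" in ua and ("MSIE 6" in ua or "MSIE 7" in ua)


def find_clsid_loads(events):
    """(timestamp, pid) for every instantiation of the vulnerable CLSID in a browser process."""
    hits = []
    for ts, kind, pid, image, detail in events:
        if kind == "com_create" and image.lower() in BROWSERS and CLSID.lower() in detail.lower():
            hits.append((parse_ts(ts), pid))
    return hits


def find_suspicious_children(events, window=timedelta(seconds=60)):
    """Children spawned by a browser PID within `window` after that PID loaded the control.
    The IOC says 'shortly after'; 60 s is an assumed default, tune it to your environment."""
    loads = find_clsid_loads(events)
    hits = []
    for ts, kind, pid, image, detail in events:
        if kind != "proc_create" or image.lower() not in BROWSERS:
            continue
        t = parse_ts(ts)
        if any(lpid == pid and timedelta(0) <= t - lt <= window for lt, lpid in loads):
            hits.append((pid, detail))
    return hits


def dump_has_alert_format(blob):
    """Look for the '[IPSW_alert] = %s' literal in a memory dump or crash report.
    Checked as ANSI (what the page describes) and, as an added heuristic, as UTF-16LE."""
    return ALERT_FMT in blob or ALERT_FMT.decode("ascii").encode("utf-16-le") in blob


def triage(events=SAMPLE_EVENTS, user_agents=SAMPLE_USER_AGENTS, dump=SAMPLE_DUMP):
    """Run every check and return a dict of findings; an empty list or False means nothing seen."""
    return {
        "clsid_loads": find_clsid_loads(events),
        "suspicious_children": find_suspicious_children(events),
        "targeted_user_agents": [ua for ua in user_agents if is_targeted_ua(ua)],
        "alert_format_in_dump": dump_has_alert_format(dump),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Run as a script it prints one line per check against the constructed samples; in practice feed `find_clsid_loads` and `find_suspicious_children` your process/COM telemetry and `is_targeted_ua` your proxy log, and expect the kill bit described above to suppress the CLSID loads entirely once it is set.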
No detection rules found.
Exploit-DB
ASUS Net4Switch - 'ipswcom.dll' ActiveX Stack Buffer Overflow (Metasploit)
exploitdb · 2012-02-29
---
The module header as indexed. The page's copy lost the `< Msf::Exploit::Remote` superclass on the class line and the `initialize`/`update_info` scaffold that sits between it and `'Name'` (most likely stripped as HTML); both are restored below, and the remainder of the module is truncated on the source page.

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => "ASUS Net4Switch ipswcom.dll ActiveX Stack Buffer Overflow",
      'Description' => %q{
          This module exploits a vulnerability found in ASUS Net4Switch's ipswcom.dll
        ActiveX control. A buffer overflow condition is possible in multiple places all
        because of the poor use of the CxDbgPrint() function, which allows remote attackers
        to gain arbitrary code execution under the context of the user.
      },
      'License'     => MSF_LICENSE,
      'Author'      =>
      # ... (the remainder of the module is truncated on the source page)
```
Metasploit
ASUS Net4Switch ipswcom.dll ActiveX Stack Buffer Overflow
This module exploits a vulnerability found in ASUS Net4Switch's ipswcom.dll ActiveX control. A buffer overflow condition is possible in multiple places due to the use of the CxDbgPrint() function, which allows remote attackers to gain arbitrary code execution under the context of the user.
No writeups or analysis indexed.
References
- http://dsecrg.com/pages/vul/show.php?id=417
- http://osvdb.org/79438
- http://secunia.com/advisories/48125
- http://www.exploit-db.com/exploits/18538
- http://www.securityfocus.com/bid/52110
- https://exchange.xforce.ibmcloud.com/vulnerabilities/73384