CVE-2012-4924
published 2012-09-15


Priority: P259
Severity: critical, CVSS 2.0 score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Tag: EXPLOIT
EPSS: 36.34% (98.3th percentile)

Buffer overflow in the CxDbgPrint function in the ipswcom.dll ActiveX component 1.0.0.1 for ASUS Net4Switch 1.0.0020 allows remote attackers to execute arbitrary code via a long parameter to the Alert method.

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
asus | ipswcom_activex_component | |
asus | net4switch | |

Detection & IOCs (extracted from sources)

filename: ipswcom.dll
path: C:\Program Files\ASUS\Net4Switch\ipswcom.dll
other: CLSID:1B9E86D8-7CAF-46C8-9938-569B21E17A8E
version: ipswcom.dll 1.0.0.1 / ASUS Net4Switch 1.0.0020
bytes: push 0FFh; call CxDbgPrint (at .text:100305AE / 100305B3)

  • The vulnerable ActiveX control is identified by CLSID 1B9E86D8-7CAF-46C8-9938-569B21E17A8E; monitor for instantiation of this CLSID in browser processes (e.g., via registry or COM object creation logs).
  • Exploitation targets IE 6 and IE 7 on Windows XP SP3; User-Agent strings matching 'NT 5.1' combined with 'MSIE 6' or 'MSIE 7' are used by the Metasploit module to fingerprint victims.
  • The exploit uses SEH-based exploitation with a post-exploitation 'migrate -f' auto-run script; look for iexplore.exe spawning unexpected child processes shortly after loading the ActiveX control.
  • The overflow is triggered via the 'Alert' method of the ipswcom.dll ActiveX control with a long parameter; monitor for unusually large string arguments passed to this method.
  • The Metasploit module delivers a heap-spray payload via JavaScript with NOP sleds; look for large repetitive memory allocations in browser processes consistent with heap spraying.
  • The format string '[IPSW_alert] = %s' is pushed as a literal in the vulnerable code path; presence of this string in memory dumps or crash reports indicates exploitation of CxDbgPrint.
  • The Metasploit module's 'Automatic' target returns nil (no exploit attempt) for any browser/OS combination other than IE 6 or IE 7 on Windows XP SP3, limiting the exploit's scope.
  • Null bytes (0x00) are bad characters for the payload; shellcode containing null bytes will be truncated and the exploit will fail.
  • An optional JavaScript obfuscation feature is available in the module, meaning delivery traffic may or may not be obfuscated depending on attacker configuration.
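
A static triage check for two of the indicators above (instantiation of the CLSID and calls to the control's Alert method), as an added example that is not part of the original page or of any tool it cites. The function name, the verdict labels and the 256-character threshold are assumptions; because delivery may be obfuscated or script-built, an argument computed at run time is reported separately rather than measured.

```python
import re

CLSID = "1B9E86D8-7CAF-46C8-9938-569B21E17A8E"  # CLSID given on this page
LONG_ARG = 256  # assumption: the page states no length, tune for your data

OBJECT_RE = re.compile(r"<object\b[^>]*>", re.I)
CLSID_RE = re.compile(r"classid\s*=\s*[\"']?\s*clsid:\{?" + re.escape(CLSID), re.I)
ID_RE = re.compile(r"\bid\s*=\s*[\"']?([\w$]+)", re.I)
LITERAL_RE = re.compile(r"\"[^\"]*\"|'[^']*'")


def scan_page(html):
    """Triage one HTML document for use of the ipswcom.dll control."""
    loaded, ids, calls = False, [], []
    for tag in OBJECT_RE.findall(html):
        if CLSID_RE.search(tag):
            loaded = True
            m = ID_RE.search(tag)
            if m:
                ids.append(m.group(1))
    for obj_id in ids:
        # Only calls on the control's own id count, so window.alert() is ignored.
        call_re = re.compile(
            r"\b" + re.escape(obj_id) + r"\s*\.\s*Alert\s*\(([^)]*)\)", re.I)
        for m in call_re.finditer(html):
            arg = m.group(1).strip()
            # None means the argument is built at run time: length unknown.
            length = len(arg) - 2 if LITERAL_RE.fullmatch(arg) else None
            calls.append((obj_id, length))
    if not loaded:
        verdict = "clean"
    elif any(n is not None and n >= LONG_ARG for _, n in calls):
        verdict = "long-alert-argument"
    elif any(n is None for _, n in calls):
        verdict = "computed-alert-argument"
    else:
        verdict = "control-instantiated"
    return {"verdict": verdict, "calls": calls}


# Constructed sample pages, not captured traffic.
OBJ = '<object classid="clsid:%s" id="sw"></object>' % CLSID
SAMPLES = {
    "no_control": "<html><body><p>hello</p></body></html>",
    "short": OBJ + '<script>sw.Alert("link up");</script>',
    "long": OBJ + '<script>sw.Alert("' + "A" * 300 + '");</script>',
    "computed": OBJ + "<script>var s = build(); sw.Alert(s);</script>",
}

if __name__ == "__main__":
    for name, page in SAMPLES.items():
        print(name, scan_page(page)["verdict"])
```
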