CVE-2012-5896
Published 2012-11-17
Priority: P2 70 · critical · CVSS 2.0 base score 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit code available (see the Exploit-DB and Metasploit entries below)
EPSS: 69.39% (99.3rd percentile)
The Annotation Objects Extension ActiveX control in AnnotateX.dll in Quest InTrust 10.4.0.853 and earlier does not properly implement the Add method, which allows remote attackers to execute arbitrary code via a memory address in the first argument, related to an "uninitialized pointer."
Affected
The source lists 5 affected ranges, of which only one carries version data:
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| quest | intrust | <= 10.4.0.853 | — |
Detection & IOCs (extracted from sources)
Byte pattern: `ff1485504a0244` (disassembles to `call dword ptr ANNOTA_1!DllUnregisterServer+0x19235 (44024a50)[eax*4]`)
- The vulnerable ActiveX control is identified by CLSID {EF600D71-358F-11D1-8FD4-00AA00BD091C} (ProgID: AnnotationX.AnnList.1). Monitor or block instantiation of this CLSID in Internet Explorer.
- Exploitation is triggered via the Add() method of the AnnotateX ActiveX control with an attacker-controlled memory address as the first argument (e.g. 0x76767676). Detect JavaScript calling .Add() on this CLSID.
- The exploit relies on a large heap spray to position ROP chain gadgets; look for unusually large JavaScript heap allocations (repeated %u0c0c%u0c0c NOP sleds) in browser memory preceding ActiveX method calls.
- The DLL (ANNOTA~1.DLL / AnnotateX.dll) does not opt into ASLR, making it a reliable ROP gadget source. Detect its load in browser processes (iexplore.exe) as a suspicious indicator on Vista/Win7.
- The Metasploit module uses 'migrate -f' as InitialAutoRunScript, meaning post-exploitation will spawn a new process and migrate into it. Monitor for unexpected process spawning from iexplore.exe.
- User-Agent strings matching Windows XP (NT 5.1) or Vista/7 (NT 6.0/6.1) combined with MSIE 6.0, 7.0, or 8.0 are used by the exploit module for automatic target selection; correlate these UA patterns with requests to exploit-serving URIs.
- The exploit targets Quest InTrust 10.4.0.853 and earlier. The ActiveX control must be installed and marked safe for scripting (IObjectSafety) for the attack to succeed from a remote web page.
- The DEP bypass ROP chain uses gadgets at fixed offsets within the non-ASLR AnnotateX.dll (e.g. 0x44024a50, 0x44015cc9, 0x44017664, 0x44017bd8, 0x4400bf25, 0x44005C57). These offsets are version-specific to the tested build.
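The first and fourth detection points above (block instantiation of the CLSID; detect the DLL loaded in iexplore.exe) can be checked from an administrator's PowerShell session. This is an added example, not code from the advisory or the Metasploit module; it assumes the documented Internet Explorer "kill bit" mechanism (a `Compatibility Flags` DWORD of 0x400 under the ActiveX Compatibility key) and takes the CLSID from the advisory.

```powershell
# Added example: audit the vulnerable AnnotateX control on a host, optionally set
# its IE kill bit, and report any iexplore.exe that currently has the DLL mapped.
# Run elevated when using -SetKillBit.
param([switch]$SetKillBit)

$Clsid       = '{EF600D71-358F-11D1-8FD4-00AA00BD091C}'   # CLSID from the advisory
$KillBitFlag = 0x400                                       # COMPAT_EVIL_DONT_LOAD

# 64-bit Windows keeps a separate compatibility tree for 32-bit Internet Explorer.
$CompatKeys = @(
  "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
  "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)

# 1. Is the control registered at all? InprocServer32's default value is the DLL path.
$inproc = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32" `
                           -ErrorAction SilentlyContinue
if ($inproc) { "Control registered, server: $($inproc.'(default)')" }
else         { "Control not registered on this host." }

# 2. Kill-bit status per compatibility key; write it only when asked.
foreach ($key in $CompatKeys) {
  $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                             -ErrorAction SilentlyContinue).'Compatibility Flags'
  if ($null -eq $flags) { $flags = 0 }
  $isSet = ($flags -band $KillBitFlag) -eq $KillBitFlag
  '{0}: kill bit {1}' -f $key, $(if ($isSet) { 'SET' } else { 'NOT set' })
  if ($SetKillBit -and -not $isSet) {
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' `
                     -Value ($flags -bor $KillBitFlag) -Type DWord
    '  -> kill bit written; IE will refuse to instantiate the control'
  }
}

# 3. Detection: is AnnotateX.dll (8.3 name ANNOTA~1.DLL) mapped in any running IE?
Get-Process -Name iexplore -ErrorAction SilentlyContinue | ForEach-Object {
  $p = $_
  try {
    $p.Modules |
      Where-Object { $_.ModuleName -match '^ANNOTA' } |
      ForEach-Object { "iexplore.exe PID $($p.Id) has $($_.FileName) loaded" }
  } catch {
    "iexplore.exe PID $($p.Id): module list not readable ($($_.Exception.Message))"
  }
}
```

Setting the kill bit only disables the control inside Internet Explorer; the DLL stays on disk, so the vendor fix or removal of the product is still the durable remediation.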
No detection rules found.
Exploit-DB
Quest InTrust - Annotation Objects Uninitialized Pointer (Metasploit)
exploitdb · 2012-04-13
---
Module header as listed on Exploit-DB (the listing is cut off in the source; the class line lost its `< Msf::Exploit::Remote` superclass and everything up to `'Name' =>` to HTML extraction):
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # ... (Rank, mixin includes and the initialize/update_info header are not preserved in the source listing)
      'Name'        => 'Quest InTrust Annotation Objects Uninitialized Pointer',
      'Description' => %q{
          This module exploits an uninitialized variable vulnerability in the
        Annotation Objects ActiveX component. The ActiveX component loads into memory without
        opting into ASLR so this module exploits the vulnerability against Windows Vista and
        Windows 7 targets. A large heap spray is required to fulfill the requirement that EAX
        points to part of the RO
  # (listing truncated here in the source)
```
Exploit-DB
Quest InTrust 10.4.x - Annotation Objects ActiveX Control 'AnnotateX.dll' Uninitialized Pointer Remote Code Execution
exploitdb · 2012-03-28
---
Quest InTrust 10.4.x Annotation Objects ActiveX Control
AnnotateX.dll Uninitialized Pointer Remote Code Execution
homepage: http://www.quest.com/intrust/
description: "InTrust securely collects, stores, reports and
alerts on event log data from Windows, Unix and Linux systems,
helping you comply with external regulations, internal policies
and security best practices."
download URL of a test version:
http://www.quest.com/downloads/
file tested: Quest_InTrust---Full-Package_104.zip
Background:
The mentioned product installs an ActiveX control
with the following settings:
binary path: C:\PROGRA~1\COMMON~1\SOFTWA~1\ANNOTA~1.DLL
CLSID: {EF600D71-358F-11D1-8FD4-0
Metasploit
Quest InTrust Annotation Objects Uninitialized Pointer
metasploit
This module exploits an uninitialized variable vulnerability in the Annotation Objects ActiveX component. The ActiveX component loads into memory without opting into ASLR so this module exploits the vulnerability against Windows Vista and Windows 7 targets. A large heap spray is required to fulfill the requirement that EAX points to part of the ROP chain in a heap chunk and the calculated call will hit the pivot in a separate heap chunk. This will take some time in the user's browser.
No writeups or analysis indexed.
References
- http://archives.neohapsis.com/archives/bugtraq/2012-03/0153.html
- http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/intrust_annotatex_add.rb
- http://osvdb.org/80662
- http://packetstormsecurity.org/files/111312/Quest-InTrust-10.4.x-Annotation-Objects-Code-Execution.html
- http://packetstormsecurity.org/files/111853/Quest-InTrust-Annotation-Objects-Uninitialized-Pointer.html
- http://secunia.com/advisories/48566
- http://www.exploit-db.com/exploits/18674
- http://www.securityfocus.com/bid/52765
- https://exchange.xforce.ibmcloud.com/vulnerabilities/74448