CVE-2012-5896
published 2012-11-17


Priority: P2 (70) · Severity: critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 69.39% (99.3rd percentile)
The Annotation Objects Extension ActiveX control in AnnotateX.dll in Quest InTrust 10.4.0.853 and earlier does not properly implement the Add method, which allows remote attackers to execute arbitrary code via a memory address in the first argument, related to an "uninitialized pointer."

Affected (5 ranges)

Vendor   Product   Version range    Fixed in
quest    intrust   <= 10.4.0.853    (not listed)

The remaining four quest/intrust ranges are listed on the page without version bounds or fix versions.

Detection & IOCs (extracted from sources)

filename: AnnotateX.dll
path: C:\PROGRA~1\COMMON~1\SOFTWA~1\ANNOTA~1.DLL
other: CLSID: {EF600D71-358F-11D1-8FD4-00AA00BD091C}
command: obj.Add(0x76767676,1);
bytes: ff1485504a0244 call dword ptr ANNOTA_1!DllUnregisterServer+0x19235 (44024a50)[eax*4]
  • The vulnerable ActiveX control is identified by CLSID {EF600D71-358F-11D1-8FD4-00AA00BD091C} (ProgID: AnnotationX.AnnList.1). Monitor or block instantiation of this CLSID in Internet Explorer.
  • Exploitation is triggered via the Add() method of the AnnotateX ActiveX control with an attacker-controlled memory address as the first argument (e.g. 0x76767676). Detect JavaScript calling .Add() on this CLSID.
  • The exploit relies on a large heap spray to position ROP chain gadgets; look for unusually large JavaScript heap allocations (repeated %u0c0c%u0c0c NOP sleds) in browser memory preceding ActiveX method calls.
  • The DLL (ANNOTA~1.DLL / AnnotateX.dll) does not opt into ASLR, making it a reliable ROP gadget source. Detect its load in browser processes (iexplore.exe) as a suspicious indicator on Vista/Win7.
  • The Metasploit module uses 'migrate -f' as InitialAutoRunScript, meaning post-exploitation will spawn a new process and migrate into it. Monitor for unexpected process spawning from iexplore.exe.
  • User-Agent strings matching Windows XP (NT 5.1) or Vista/7 (NT 6.0/6.1) combined with MSIE 6.0, 7.0, or 8.0 are used by the exploit module for automatic target selection; correlate these UA patterns with requests to exploit-serving URIs.
  • The exploit targets Quest InTrust 10.4.0.853 and earlier. The ActiveX control must be installed and marked safe for scripting (IObjectSafety) for the attack to succeed from a remote web page.
  • The DEP bypass ROP chain uses gadgets at fixed offsets within the non-ASLR AnnotateX.dll (e.g. 0x44024a50, 0x44015cc9, 0x44017664, 0x44017bd8, 0x4400bf25, 0x44005C57). These offsets are version-specific to the tested build.