CVE-2012-5932
Published 2012-12-24
Priority P2 · 76 · critical · 10 CVSS 2.0
AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS 62.75% (99.1th percentile)
Eval injection vulnerability in the ldapagnt_eval function in ldapagnt.dll in unifid.exe in NetIQ Privileged User Manager 2.3.x before 2.3.1 HF2 allows remote attackers to execute arbitrary Perl code via a crafted application/x-amf request.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microfocus | privileged_user_manager | — | — |
| microfocus | privileged_user_manager | — | — |
Detection & IOCs
bytes: \x00\x00\x00\x00\x00\x01\x00\x15\x53\x50\x46\x2e\x55\x74
- Detect exploitation attempts by inspecting HTTP POST requests to the target service with Content-Type 'application/x-amf' combined with the 'x-flash-version' header, which is the attack delivery mechanism for CVE-2012-5932.
- Successful exploitation can be confirmed if the HTTP response body contains both 'onResult' and 'Invalid user name or password' along with version string '2.3.1', indicating a vulnerable and exploitable target.
- Post-exploitation staging drops a .vbs file into %WINDIR%\system32\ and uses Microsoft.XMLHTTP to fetch a follow-on EXE payload; monitor for unexpected .vbs file creation in system32 and outbound HTTP from unifid.exe.
- The exploit targets the ldapagnt_eval() function via a crafted AMF request; monitor unifid.exe for unexpected child process creation or outbound network connections, as successful exploitation grants SYSTEM privileges.
- The Metasploit module defaults to SSL on port 443; detection rules must account for TLS-wrapped AMF traffic and may require SSL inspection to inspect the Content-Type and x-flash-version headers.
- The exploit temporarily disables SSL to serve the EXE payload over HTTP on a secondary listener port (SRVPORT), so detection should also cover plain HTTP traffic from the victim host during the staging phase.
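The checks in the list above, written as a triage sketch over already-decrypted HTTP request records and endpoint events. This is an added example, not code from the page's sources or from the vendor; the record field names, sample paths, and sample records are constructed assumptions, and a hit is a signal to review, not proof of compromise.

```python
import ntpath  # Windows path handling that also works on non-Windows analysis hosts

def amf_delivery_hit(req):
    """Flag a POST with Content-Type application/x-amf plus an x-flash-version header."""
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if (req.get("method", "").upper() == "POST" and ctype == "application/x-amf"
            and "x-flash-version" in headers):
        return "AMF POST with x-flash-version"
    return None

def endpoint_hit(ev):
    """Flag .vbs creation in system32, or unifid.exe spawning children / connecting out."""
    actor = ntpath.basename(ev.get("process", "")).lower()  # process performing the action
    kind = ev.get("event")
    if kind == "file_create":
        path = ev.get("path", "").lower()
        if path.endswith(".vbs") and ntpath.basename(ntpath.dirname(path)) == "system32":
            return "vbs dropped in system32"
    elif actor == "unifid.exe" and kind == "process_create":
        return "child process of unifid.exe"
    elif actor == "unifid.exe" and kind == "net_connect" and ev.get("direction") == "outbound":
        return "outbound connection from unifid.exe"
    return None

def triage(requests, events):
    """Return (record id, reason) for every record that matches a heuristic."""
    hits = [(r["id"], amf_delivery_hit(r)) for r in requests]
    hits += [(e["id"], endpoint_hit(e)) for e in events]
    return [(rid, why) for rid, why in hits if why]

# Constructed sample telemetry (field names and values are assumptions).
REQUESTS = [
    {"id": "r1", "method": "POST", "headers": {"Content-Type": "application/x-amf", "x-flash-version": "11,0,0,0"}},
    {"id": "r2", "method": "POST", "headers": {"Content-Type": "application/x-amf; charset=utf-8"}},
    {"id": "r3", "method": "GET", "headers": {"Content-Type": "text/html"}},
]
UNIFID = r"C:\Program Files\Example\unifid.exe"  # placeholder install path
EVENTS = [
    {"id": "e1", "process": UNIFID, "event": "file_create", "path": r"C:\WINDOWS\system32\sample.vbs"},
    {"id": "e2", "process": UNIFID, "event": "process_create", "child": "cscript.exe"},
    {"id": "e3", "process": UNIFID, "event": "net_connect", "direction": "outbound"},
    {"id": "e4", "process": r"C:\WINDOWS\system32\svchost.exe", "event": "net_connect", "direction": "outbound"},
    {"id": "e5", "process": UNIFID, "event": "file_create", "path": r"C:\Temp\notes.txt"},
]

if __name__ == "__main__":
    for hit in triage(REQUESTS, EVENTS):
        print(hit)
```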
No detection rules found.
Exploit-DB
NetIQ Privileged User Manager 2.3.1 - 'ldapagnt_eval()' Perl Remote Code Execution (Metasploit)
exploitdb·2012-11-22
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'msf/core/exploit/file_dropper'
class Metasploit3 'NetIQ Privileged User Manager 2.3.1 ldapagnt_eval() Remote Perl Code Execution',
'Description' => %q{
This module abuses a lack of authorization in the NetIQ Privileged User Manager
service (unifid.exe) to execute arbitrary perl code. The problem exists in the
ldapagnt module. The module has been tested successfully on NetIQ PUM 2.3.1 over
Windows 2003 SP2, which allows to execut
Metasploit
NetIQ Privileged User Manager 2.3.1 ldapagnt_eval() Remote Perl Code Execution
metasploit
This module abuses a lack of authorization in the NetIQ Privileged User Manager service (unifid.exe) to execute arbitrary Perl code. The problem exists in the ldapagnt module. The module has been tested successfully on NetIQ PUM 2.3.1 over Windows 2003 SP2, where it allows execution of arbitrary code with SYSTEM privileges.
No writeups or analysis indexed.
- http://download.novell.com/Download?buildid=K6-PmbPjduA~
- http://retrogod.altervista.org/9sg_novell_netiq_ii.htm
- http://retrogod.altervista.org/9sg_novell_netiq_ldapagnt_adv.htm
- https://www.netiq.com/support/kb/doc.php?id=7011385