CVE-2012-5946
published 2013-04-30

Priority: P356 (critical)
CVSS 2.0 base score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 33.78% (98.2nd percentile)

Buffer overflow in the c1sizer ActiveX control in C1sizer.ocx in IBM SPSS SamplePower 3.0 before FP1 allows remote attackers to execute arbitrary code via a long TabCaption string.

Affected (1 range)

Vendor: ibm
Product: spss_samplepower
Version range / Fixed in: not listed

Detection & IOCs (extracted from sources)

Other (CLSID): {24E04EBF-014D-471F-930E-7654B1193BA9}
Filename: c1sizer.ocx
Version: c1sizer.ocx 8.0.20071.39
Command/property: TabCaption

  • Detect instantiation of the vulnerable C1Tab ActiveX control by its CLSID {24E04EBF-014D-471F-930E-7654B1193BA9} in HTML or script content delivered to IE 6–8.
  • Alert on heap-spray patterns targeting the 0x0c0c0c0c / 0x0c0c0c08 return addresses in browser memory; the exploit's NOP sled is built from '\x0c' bytes, which is characteristic of this technique.
  • Monitor for the TabCaption property of the C1Tab ActiveX object being set to an abnormally long string (more than 0x10000 bytes); this is what triggers the lstrcatA heap overflow.
  • Check endpoints for c1sizer.ocx version 8.0.20071.39; this specific version is confirmed vulnerable.
  • The exploit uses 'migrate -f' as its InitialAutoRunScript, so post-exploitation process migration should be correlated with preceding IE browser exploitation.
  • ROP gadgets are sourced exclusively from c1sizer.ocx (addresses 0x10026984, 0x100076f1, 0x10029134, 0x1001b41e); these addresses appearing in call stacks or memory indicate exploitation of this module.
  • The exploit module targets only Internet Explorer 6, 7, and 8 on Windows XP SP3 and IE 8 on Windows 7 SP1; other browsers and OS versions are not affected by this module.
  • The heap overflow offset is 0x5F4 bytes for all tested targets; payloads must fit within 991 bytes and must not contain null bytes (\x00).
  • The pivot gadget at 0x7c342643 is used only for the IE 8 targets (XP SP3 and Windows 7); the IE 6 and IE 7 targets use a simpler fake_memory approach without ROP.