CVE-2012-5946
Published: 2013-04-30
Priority: P356 · Severity: critical · CVSS 2.0 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: available · EPSS: 33.78% (98.2th percentile)
Buffer overflow in the c1sizer ActiveX control in C1sizer.ocx in IBM SPSS SamplePower 3.0 before FP1 allows remote attackers to execute arbitrary code via a long TabCaption string.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ibm | spss_samplepower | — | — |
Detection & IOCs (extracted from sources)
- Detect instantiation of the vulnerable C1Tab ActiveX control by its CLSID {24E04EBF-014D-471F-930E-7654B1193BA9} in HTML/script content delivered via IE 6–8.
- Alert on heap-spray patterns targeting 0x0c0c0c0c / 0x0c0c0c08 return addresses in browser memory, characteristic of this exploit's NOP sled technique using '\x0c' bytes.
- Monitor for the TabCaption property being set to an abnormally long string (>0x10000 bytes) on the C1Tab ActiveX object, which triggers the lstrcatA heap overflow.
- Look for the presence of c1sizer.ocx version 8.0.20071.39 on endpoints; this specific version is confirmed vulnerable.
- The exploit uses 'migrate -f' as InitialAutoRunScript; post-exploitation process migration activity should be correlated with prior IE browser exploitation.
- ROP gadgets are sourced exclusively from c1sizer.ocx (addresses 0x10026984, 0x100076f1, 0x10029134, 0x1001b41e); presence of these addresses in call stacks or memory indicates exploitation of this module.
- The exploit targets only Internet Explorer 6, 7, and 8 on Windows XP SP3 and IE 8 on Windows 7 SP1; other browsers or OS versions are not affected by this module.
- The heap overflow offset is 0x5F4 bytes for all tested targets; payloads must fit within 991 bytes and must not contain null bytes (\x00).
- The pivot gadget at 0x7c342643 is used only for IE 8 targets (XP SP3 and Windows 7); IE 6 and IE 7 targets use a simpler fake_memory approach without ROP.
No detection rules found.
Exploit-DB
IBM SPSS SamplePower C1Tab - ActiveX Heap Overflow (Metasploit) · exploitdb · 2013-05-29
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  # The class declaration, include lines and the :ua_name key below are
  # assumed from the standard Metasploit BrowserAutopwn module layout; the
  # listing as indexed was cut between "Metasploit3" and "HttpClients::IE".
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Remote::BrowserAutopwn

  autopwn_info({
    :ua_name    => HttpClients::IE,
    :ua_minver  => "6.0",
    :ua_maxver  => "8.0",
    :javascript => true,
    :os_name    => OperatingSystems::WINDOWS,
    :rank       => NormalRanking,
    :classid    => "{24E04EBF-014D-471F-930E-7654B1193BA9}",
    :method     => "TabCaption"
  })

  def initialize(info={})
    super(update_info(info,
      'Name'        => "IBM SPSS SamplePower C1Tab ActiveX Heap Overflow",
      'Description' => %q{
        This module exploits a heap based buffer overflow in the C1Tab ActiveX control
```
Metasploit
IBM SPSS SamplePower C1Tab ActiveX Heap Overflow
This module exploits a heap based buffer overflow in the C1Tab ActiveX control, while handling the TabCaption property. The affected control can be found in the c1sizer.ocx component as included with IBM SPSS SamplePower 3.0. This module has been tested successfully on IE 6, 7 and 8 on Windows XP SP3 and IE 8 on Windows 7 SP1.
No writeups or analysis indexed.