CVE-2012-6274
Published: 2013-02-24
Priority: P3 (55)
CVSS 2.0: 5 (medium), vector AV:N/AC:L/Au:N/C:N/I:P/A:N
Exploit: available
EPSS: 46.87% (98.7th percentile)
BigAntSoft BigAnt IM Message Server does not require authentication for file uploading, which allows remote attackers to create arbitrary files under AntServer\DocData\Public via unspecified vectors.
Detection & IOCs (extracted from sources)
- Detect unauthenticated DUPF command sent to BigAnt Server on TCP port 6661; the command header includes 'DUPF 16' followed by 'cmdid:', 'content-length:', 'content-type: Appliction/Download', and a 'filename:' field containing directory traversal sequences.
- Directory traversal in the DUPF 'filename' field uses repeated '\..' sequences (default depth 6) to escape the upload directory and write files to arbitrary paths such as WINDOWS\system32 or WINDOWS\system32\wbem\mof\.
- Exploit drops a payload .exe into WINDOWS\system32 and a .mof file into WINDOWS\system32\wbem\mof\ to achieve execution via Windows Management Instrumentation (WMI/wbemexec technique); monitor for unexpected .mof files appearing in the wbem\mof directory.
- A successful upload response contains 'DUPF' and 'fileid: <digits>'; a failed upload due to incorrect traversal depth returns 'ERR 9' with 'lasterror: 183'. Monitor BigAnt server logs for ERR 9 / lasterror 183 responses indicating active exploitation attempts.
- The exploit targets BigAnt Server 2.97 SP7 specifically; fingerprint the service version on TCP/6661 to identify vulnerable hosts.
- The traversal depth defaults to 6 levels ('\..\' repeated 6 times) but is configurable; defenders should account for varying depth values when writing pattern-match signatures.
- The exploit was tested only on Windows XP SP3 and Windows Server 2003 SP2; the WMI MOF execution technique used for payload execution is specific to these older platforms.
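The indicators above expressed as depth-independent matching logic; this is an added example, not code from the original page or the Metasploit module. The line-per-field header framing, the function names and the sample payloads are assumptions constructed for illustration.

```python
import re

# Assumption: header fields arrive one per line as "name: value" and a blank
# line ends the header; the page names the fields but not the wire framing.
FIELD = re.compile(rb"^[ \t]*([A-Za-z-]+)[ \t]*:[ \t]*(.*?)[ \t\r]*$", re.M)
# One ".." path segment, with either separator, at any position.
TRAVERSAL = re.compile(rb"(?:^|[\\/])\.\.(?=[\\/]|$)")

def inspect_request(payload: bytes) -> dict:
    """Classify one client-to-server payload captured on TCP/6661."""
    if not payload.lstrip().upper().startswith(b"DUPF"):
        return {"dupf": False, "alert": False, "reasons": []}
    head = re.split(rb"\r?\n\r?\n", payload, maxsplit=1)[0]
    reasons = []
    for key, value in FIELD.findall(head):
        if key.lower() != b"filename":
            continue
        depth = len(TRAVERSAL.findall(value))  # count, so any depth matches
        name = value.lower().replace(b"/", b"\\")
        if depth:
            reasons.append(f"traversal depth {depth}")
        if b"\\wbem\\mof\\" in name and name.endswith(b".mof"):
            reasons.append("MOF drop path")
        if b"\\system32\\" in name and name.endswith(b".exe"):
            reasons.append("system32 executable")
    return {"dupf": True, "alert": bool(reasons), "reasons": reasons}

def classify_response(payload: bytes) -> str:
    """Map a server reply to the outcomes listed above."""
    text = payload.lower()
    if b"err 9" in text and re.search(rb"lasterror:\s*183\b", text):
        return "failed-traversal"
    if b"dupf" in text and re.search(rb"fileid:\s*\d+", text):
        return "upload-accepted"
    return "other"

def sample_request(filename: bytes) -> bytes:
    """Constructed header for testing the detector; values are placeholders."""
    return (b"DUPF 16\r\ncmdid: 1\r\ncontent-length: 0\r\n"
            b"content-type: Appliction/Download\r\nfilename: " + filename + b"\r\n\r\n")

if __name__ == "__main__":
    for fn in (b"notes.txt", b"\\.." * 6 + b"\\WINDOWS\\system32\\wbem\\mof\\x.mof"):
        print(fn, inspect_request(sample_request(fn)))
    print(classify_response(b"ERR 9\r\nlasterror: 183\r\n"))
```

Because the upload itself needs no authentication, a DUPF request that raises no alert here is still worth logging when it comes from an unexpected source address.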
No detection rules found.
Exploit-DB
BigAnt Server 2.97 - DUPF Command Arbitrary File Upload (Metasploit)
exploitdb·2013-02-20
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'BigAnt Server DUPF Command Arbitrary File Upload',
'Description' => %q{
This exploits an arbitrary file upload vulnerability in BigAnt Server 2.97 SP7.
A lack of authentication allows to make unauthenticated file uploads through a DUPF
command. Additionally the filename option in the same command can be used to launch
a directory traversal attack and achieve arbitrary file upload.
The module uses uses the Windows Management Instrumentation serv
Metasploit
BigAnt Server DUPF Command Arbitrary File Upload
metasploit
This exploits an arbitrary file upload vulnerability in BigAnt Server 2.97 SP7. A lack of authentication allows to make unauthenticated file uploads through a DUPF command. Additionally the filename option in the same command can be used to launch a directory traversal attack and achieve arbitrary file upload. The module uses the Windows Management Instrumentation service to execute an arbitrary payload on vulnerable installations of BigAnt on Windows XP and 2003. It has been successfully tested on BigAnt Server 2.97 SP7 over Windows XP SP3 and 2003 SP2.
No writeups or analysis indexed.