CVE-2012-6274
published 2013-02-24

Priority: P3 · 55 · medium · 5 (CVSS 2.0)
CVSS vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Exploit: yes
EPSS: 46.87% (98.7th percentile)

BigAntSoft BigAnt IM Message Server does not require authentication for file uploading, which allows remote attackers to create arbitrary files under AntServer\DocData\Public via unspecified vectors.

Detection & IOCs (extracted from sources)

port: 6661
command: DUPF 16
path: AntServer\DocData\Public
path: WINDOWS\system32\wbem\mof\
path: WINDOWS\system32\
  • Detect unauthenticated DUPF command sent to BigAnt Server on TCP port 6661; the command header includes 'DUPF 16' followed by 'cmdid:', 'content-length:', 'content-type: Appliction/Download', and a 'filename:' field containing directory traversal sequences.
  • Directory traversal in the DUPF 'filename' field uses repeated '\..' sequences (default depth 6) to escape the upload directory and write files to arbitrary paths such as WINDOWS\system32 or WINDOWS\system32\wbem\mof\.
  • Exploit drops a payload .exe into WINDOWS\system32 and a .mof file into WINDOWS\system32\wbem\mof\ to achieve execution via Windows Management Instrumentation (WMI/wbemexec technique); monitor for unexpected .mof files appearing in the wbem\mof directory.
  • A successful upload response contains 'DUPF' and 'fileid: <digits>'; a failed upload due to incorrect traversal depth returns 'ERR 9' with 'lasterror: 183'. Monitor BigAnt server logs for ERR 9 / lasterror 183 responses indicating active exploitation attempts.
  • The exploit targets BigAnt Server 2.97 SP7 specifically; fingerprint the service version on TCP/6661 to identify vulnerable hosts.
  • The traversal depth defaults to 6 levels ('\..\' repeated 6 times) but is configurable; defenders should account for varying depth values when writing pattern-match signatures.
  • The exploit was tested only on Windows XP SP3 and Windows Server 2003 SP2; the WMI MOF execution technique used for payload execution is specific to these older platforms.
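
One way to turn the indicators above into a depth-independent signature, as an added example (not code from the sources this page quotes): it counts '\..' steps in the DUPF 'filename' field instead of matching a fixed depth of 6, and classifies the server responses named above. The function names and the line-oriented layout of the constructed sample are assumptions.

```python
import re

DUPF_CMD = re.compile(rb"\bDUPF\s+16\b")                  # command header from the notes above
FILENAME = re.compile(rb"(?im)^\s*filename:\s*([^\r\n]*)")  # one header per line (assumed)
DOTDOT = re.compile(rb"(?:^|[\\/])\.\.(?=[\\/]|$)")        # one parent-directory step
FILEID = re.compile(rb"(?i)fileid:\s*\d+")
LASTERR = re.compile(rb"(?i)lasterror:\s*183")
# Drop locations listed on this page, most specific first.
SENSITIVE = (rb"windows\system32\wbem\mof", rb"windows\system32")

def inspect_request(payload: bytes):
    """Return None for non-DUPF traffic, else a dict describing the upload."""
    if not DUPF_CMD.search(payload):
        return None
    m = FILENAME.search(payload)
    name = m.group(1).strip() if m else b""
    depth = len(DOTDOT.findall(name))            # counted, so any depth matches
    norm = name.lower().replace(b"/", b"\\")     # fold case and slash style
    target = next((s.decode() for s in SENSITIVE if s in norm), None)
    return {"depth": depth, "traversal": depth > 0,
            "target": target, "is_mof": norm.endswith(b".mof")}

def classify_response(resp: bytes) -> str:
    """Map a server reply to the outcomes described in the notes above."""
    if b"ERR 9" in resp and LASTERR.search(resp):
        return "failed-upload"       # wrong traversal depth: likely probing
    if b"DUPF" in resp and FILEID.search(resp):
        return "upload-accepted"
    return "other"

def sample(filename: bytes) -> bytes:
    """Constructed capture for testing the signature; field values are made up."""
    return (b"DUPF 16\ncmdid: 1\ncontent-length: 4\n"
            b"content-type: Appliction/Download\nfilename: " + filename + b"\n\nDATA")

if __name__ == "__main__":
    for fn in (rb"\..\..\..\WINDOWS\system32\wbem\mof\sample.mof", b"notes..v2.txt"):
        print(fn, inspect_request(sample(fn)))
    print(classify_response(b"ERR 9\nlasterror: 183\n"))
```

Because the upload itself requires no authentication, any DUPF request from an unexpected source is worth logging even when `traversal` is false.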