CVE-2016-5228
published 2016-07-03

Priority: P266 · critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 15.12% (96.3rd percentile)
Stack-based buffer overflow in the PlayMacro function in ObjectXMacro.ObjectXMacro in WdMacCtl.ocx in Micro Focus Rumba 9.x before 9.3 HF 11997 and 9.4.x before 9.4 HF 12815 allows remote attackers to execute arbitrary code via a long MacroName argument. NOTE: some references mention CVE-2016-5226 but that is not a correct ID for any Rumba vulnerability.

Affected (1 range)

Vendor: microfocus
Product: rumba
Version range: 9.x before 9.3 HF 11997; 9.4.x before 9.4 HF 12815 (per the description above)
Fixed in: 9.3 HF 11997; 9.4 HF 12815 (per the description above)

Detection & IOCs (extracted from sources)

  • filename: WdMacCtl.ocx
  • command: vulActiveX.PlayMacro(evil_payload)
  • bytes: \x28\x22\x30\x20 (EDX overwrite address 0x20302228)
  • bytes: %u4747%u4747 (heap spray junk pattern)
  • The vulnerable ActiveX control is WdMacCtl.ocx (ObjectXMacro.ObjectXMacro). Monitor for instantiation of this ActiveX control in browser processes, especially when the PlayMacro method is invoked with an abnormally long MacroName argument (>272 bytes triggers the overflow).
  • The PoC uses a heap spray technique with a predictable junk pattern (%u4747%u4747) attached to DOM button.title properties to place controlled data at a predictable memory address (0x20302228). Detect heap spray patterns containing repeated 0x47474747 in browser memory or network-delivered HTML/JS.
  • The exploit overflows the stack with 272+ bytes of junk followed by a crafted EDX value (\x28\x22\x30\x20) to redirect execution. A stack buffer overflow of this size in WdMacCtl.ocx via PlayMacro should be detectable via crash telemetry or exploit-mitigation (DEP/ASLR bypass) alerts on the Rumba process.
  • The exploit hides the heap-spray container using CSS display:none on a div element. Inspect suspicious HTML pages for hidden div containers used in conjunction with ActiveX PlayMacro calls.
  • The PoC targets Micro Focus Rumba 9.3 specifically. The affected version range is 9.x before 9.3 HF 11997 and 9.4.x before 9.4 HF 12815. The hardcoded heap spray target address (0x20302228) is version/environment-specific and may not be reliable across all installations.
  • Some references incorrectly cite CVE-2016-5226 for this Rumba vulnerability; the correct identifier is CVE-2016-5228.

CVSS provenance

NVD · v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD · v2.0 · 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C