CVE-2012-2516

GE Proficy Historian KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability

Severity Score

9.3

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An ActiveX control in KeyHelp.ocx in KeyWorks KeyHelp Module (aka the HTML Help component), as used in GE Intelligent Platforms Proficy Historian 3.1, 3.5, 4.0, and 4.5; Proficy HMI/SCADA iFIX 5.0 and 5.1; Proficy Pulse 1.0; Proficy Batch Execution 5.6; SI7 I/O Driver 7.20 through 7.42; and other products, allows remote attackers to execute arbitrary commands via crafted input, related to a "command injection vulnerability."

Un control ActiveX en KeyHelp.ocx en KeyWorks KeyHelp Module (también conocido como el componente HTML Help), tal como se utiliza en GE Intelligent Platforms Proficy Historian v3.1, v3.5, v4.0 y v4.5; Proficy HMI/SCADA iFIX v5.0 y v5.1; Proficy Pulse v1,0; Proficy Batch Execution v5,6, SI7 ??E/S Driverv 7.20 hasta 7.42, y otros productos, permite a atacantes remotos ejecutar comandos arbitrarios a través de la entrada hecha a mano, relacionada con una "vulnerabilidad de inyección de comandos."

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of GE Proficy Historian. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the KeyHelp.ocx ActiveX control. The control contains a LaunchTriPane function that allows launching of the HTML Help executable (hh.exe) with customized command line parameters. By using the -decompile switch, an attacker can specify the folder to decompile to and a UNC path to a specially crafted .chm file. The attacker can utilize this vulnerability to execute remote code under the context of the process.

*Credits: Andrea Micalizzi aka rgod

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2012-05-07 CVE Reserved
2012-07-05 CVE Published
2012-10-11 First Exploit
2024-09-16 CVE Updated
2024-09-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CAPEC

References (3)

URL	Tag	Source
http://www.us-cert.gov/control_systems/pdf/ICSA-12-131-02.pdf	Us Government Resource

URL	Date	SRC
https://www.exploit-db.com/exploits/21888	2012-10-11

URL	Date	SRC

URL	Date	SRC
http://support.ge-ip.com/support/resources/sites/GE_FANUC_SUPPORT/content/live/KB/14000/KB14863/en_US/GEIP12-04%20Security%20Advisory%20-%20Proficy%20HTML%20Help.pdf	2012-07-17

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Ge Search vendor "Ge"		Intelligent Platforms Proficy Batch Execution Search vendor "Ge" for product "Intelligent Platforms Proficy Batch Execution"				5.6 Search vendor "Ge" for product "Intelligent Platforms Proficy Batch Execution" and version "5.6"		-		Affected
Ge Search vendor "Ge"		Intelligent Platforms Proficy Historian Search vendor "Ge" for product "Intelligent Platforms Proficy Historian"				3.1 Search vendor "Ge" for product "Intelligent Platforms Proficy Historian" and version "3.1"		-		Affected
Ge Search vendor "Ge"		Intelligent Platforms Proficy Historian Search vendor "Ge" for product "Intelligent Platforms Proficy Historian"				3.5 Search vendor "Ge" for product "Intelligent Platforms Proficy Historian" and version "3.5"		-		Affected
Ge Search vendor "Ge"		Intelligent Platforms Proficy Historian Search vendor "Ge" for product "Intelligent Platforms Proficy Historian"				4.0 Search vendor "Ge" for product "Intelligent Platforms Proficy Historian" and version "4.0"		-		Affected
Ge Search vendor "Ge"		Intelligent Platforms Proficy Historian Search vendor "Ge" for product "Intelligent Platforms Proficy Historian"				4.5 Search vendor "Ge" for product "Intelligent Platforms Proficy Historian" and version "4.5"		-		Affected
Ge Search vendor "Ge"		Intelligent Platforms Proficy Hmi\/scada Ifix Search vendor "Ge" for product "Intelligent Platforms Proficy Hmi\/scada Ifix"				5.0 Search vendor "Ge" for product "Intelligent Platforms Proficy Hmi\/scada Ifix" and version "5.0"		-		Affected
Ge Search vendor "Ge"		Intelligent Platforms Proficy Hmi\/scada Ifix Search vendor "Ge" for product "Intelligent Platforms Proficy Hmi\/scada Ifix"				5.1 Search vendor "Ge" for product "Intelligent Platforms Proficy Hmi\/scada Ifix" and version "5.1"		-		Affected
Ge Search vendor "Ge"		Intelligent Platforms Proficy Pulse Search vendor "Ge" for product "Intelligent Platforms Proficy Pulse"				1.0 Search vendor "Ge" for product "Intelligent Platforms Proficy Pulse" and version "1.0"		-		Affected
Ge Search vendor "Ge"		Intelligent Platforms Si7 I\/o Driver Search vendor "Ge" for product "Intelligent Platforms Si7 I\/o Driver"				7.20 Search vendor "Ge" for product "Intelligent Platforms Si7 I\/o Driver" and version "7.20"		-		Affected
Ge Search vendor "Ge"		Intelligent Platforms Si7 I\/o Driver Search vendor "Ge" for product "Intelligent Platforms Si7 I\/o Driver"				7.42 Search vendor "Ge" for product "Intelligent Platforms Si7 I\/o Driver" and version "7.42"		-		Affected