CVE-2012-4177

UBI Uplay PC < 2.0.3 - OS Command Injection

Title source: rule

Description

The web browser plugin for Ubisoft Uplay PC before 2.0.4 allows remote attackers to execute arbitrary programs via the -orbit_exe_path command line argument.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotewindows

https://www.exploit-db.com/exploits/20321

View Code ZIP pw:eip

metasploit WORKING POC NORMAL

rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ubisoft_uplay_cmd_exec.rb

View Code ZIP pw:eip

References (5)

[Various Sources] http://forums.ubi.com/showthread.php/699940-Uplay-PC-Patch-2-0-4-Security-fix

[Mailing List] http://seclists.org/fulldisclosure/2012/Jul/375

[Various Sources] http://www.bbc.com/news/technology-19053453

[Exploit, Third Party Advisory] http://www.exploit-db.com/exploits/20321

[Third Party Advisory, VDB Entry] http://osvdb.org/84402

Scores

EPSS 0.8023

EPSS Percentile 99.1%

Classification

CWE

CWE-78

Status draft

Affected Products (4)

ubi/uplay_pc < 2.0.3

ubi/uplay_pc

Timeline

Published Aug 07, 2012

Tracked Since Feb 18, 2026