GE Proficy Historian KeyHelp ActiveX LaunchTriPane Vulnerability

Added: 10/29/2012
CVE: CVE-2012-2516
BID: 54215
OSVDB: 83311


GE Proficy Historian collects, organizes, archives and distributes tremendous volumes of real-time production information with a goal of enabling better and faster decisions and increased productivity.


GE Proficy Historian 4.5 and earlier are vulnerable to remote code execution as a result of a flaw in the KeyHelp.ocx ActiveX control. The control contains a LaunchTriPane function that allows launching of the HTML Help executable (hh.exe) with customized command line parameters. By using the -decompile switch, an attacker can specify the folder to decompile to and a Universal Naming Convention (UNC) path to a specially crafted Compiled Microsoft Help (.chm) file. The attacker can exploit this vulnerability to execute remote code under the context of the GE Proficy Historian process.


Remove the vulnerable ActieX control as described in GE Intelligent Platforms Security Advisory GEIP12-04.



This exploit was tested against General Electric Proficy Historian on Microsoft Windows XP SP3 English (DEP OptIn).

The user must open the HTML page on the target using Internet Explorer 8.

The executable smbclient must be available on the exploit server.

A valid SMB user with permission to write to the specified SMB share is required. The smb password is not allowed to contain single quotes (').



Back to exploit index