CVE-2012-0003 - MIDI Remote Code Execution Vulnerability in winmm.dll (Microsoft Windows, MS12-004)

CVSS 2.0 base score: 9.3 (HIGH), vector AV:N/AC:M/Au:N/C:C/I:C/A:C (as set in the Nessus plugin below)
Attack vector: Network
Attack complexity: Medium (the user must open, or browse to a page that embeds, a crafted MIDI file)
Authentication: None
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete
Tags: microsoft, nessus, exploit available, metasploit

Summary

Unspecified vulnerability in winmm.dll in Windows Multimedia Library in Windows Media Player (WMP) in Microsoft Windows XP SP2 and SP3, Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows remote attackers to execute arbitrary code via a crafted MIDI file, aka "MIDI Remote Code Execution Vulnerability."

Exploit-Db

description: MS12-004 midiOutPlayNextPolyEvent Heap Overflow. CVE-2012-0003. Remote exploit for the Windows platform
id: EDB-ID:18426
last seen: 2016-02-02
modified: 2012-01-28
published: 2012-01-28
reporter: metasploit
source: https://www.exploit-db.com/download/18426/
title: Windows - midiOutPlayNextPolyEvent Heap Overflow MS12-004

Metasploit

description: This module exploits a heap overflow vulnerability in the Windows Multimedia Library (winmm.dll). The vulnerability occurs when parsing specially crafted MIDI files. Remote code execution can be achieved by using the Windows Media Player ActiveX control. Exploitation is done by supplying a specially crafted MIDI file with specific events, causing the offset calculation to be higher than what is available on the heap (0x400 allocated by WINMM!winmmAlloc), and then allowing us to either "inc al" or "dec al" a byte. This can be used to corrupt an array (CImplAry) we set up, and force the browser to confuse types from tagVARIANT objects, which leverages remote code execution under the context of the user. Note: At this time, for the IE 8 target, msvcrt ROP is used by default. However, if you know your target's patch level, you may also try the 'MSHTML' advanced option for an info-leak based attack. Currently, this module only supports two MSHTML builds: 8.0.6001.18702, which is often seen in a newly installed XP SP3, or 8.0.6001.19120, which is the patch level before the MS12-004 fix. Also, based on our testing, the vulnerability does not seem to trigger when the victim machine is operated via rdesktop.
id: MSF:EXPLOIT/WINDOWS/BROWSER/MS12_004_MIDI
last seen: 2020-05-24
modified: 2017-10-05
published: 2012-02-01
references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0003
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ms12_004_midi.rb
title: MS12-004 midiOutPlayNextPolyEvent Heap Overflow
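
The module description above says the crafted events push an offset past the 0x400-byte block that winmmAlloc hands out and then increment or decrement one byte at that offset. The C program below is an added illustration of that bug class; it is not code from the Metasploit module and not winmm.dll's real data structure. It models a note-state table of 0x400 bytes (an assumed layout of 8 channels x 128 notes, chosen so the arithmetic lands on that allocation size), shows how an out-of-range channel nibble or an 8-bit note value moves the one-byte inc/dec into whatever memory follows the table, and puts a hardened parser beside the vulnerable one. The event bytes are constructed for the demonstration.

```c
/*
 * Constructed analogue of the MS12-004 bug class (added example, not winmm.dll
 * or Metasploit code): a MIDI note-on/note-off handler that derives a table
 * offset from attacker-controlled event bytes and uses it to inc/dec one byte
 * inside a 0x400-byte heap block. The 8-channel x 128-note layout is an
 * assumption that makes the table exactly 0x400 bytes.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NOTES_PER_CHANNEL 128
#define CHANNELS_IN_TABLE 8                                   /* assumed */
#define TABLE_SIZE (CHANNELS_IN_TABLE * NOTES_PER_CHANNEL)    /* 0x400 */

/* Stand-in for a heap region: the note table followed by adjacent memory. */
struct heap_page {
    uint8_t table[TABLE_SIZE];
    uint8_t spill[0x800];   /* neighbour; sized so every offset this parser can compute stays inside the object */
};

/* Offset = channel * 128 + note; both fields come straight from the file. */
size_t midi_note_offset(uint8_t status, uint8_t note)
{
    return (size_t)(status & 0x0F) * NOTES_PER_CHANNEL + note;
}

/* Vulnerable: trusts the computed offset. Note-on increments, note-off decrements one byte. */
void play_events_vulnerable(struct heap_page *page, const uint8_t *ev, size_t len)
{
    uint8_t *base = (uint8_t *)page;
    for (size_t i = 0; i + 3 <= len; i += 3) {
        size_t off = midi_note_offset(ev[i], ev[i + 1]);
        switch (ev[i] & 0xF0) {
        case 0x90: base[off]++; break;   /* the "inc al" primitive */
        case 0x80: base[off]--; break;   /* the "dec al" primitive */
        default:   break;
        }
    }
}

/* Hardened: validate each field against the format and against the allocation. Returns events rejected. */
int play_events_hardened(struct heap_page *page, const uint8_t *ev, size_t len)
{
    int rejected = 0;
    for (size_t i = 0; i + 3 <= len; i += 3) {
        uint8_t status = ev[i], note = ev[i + 1];
        if (note & 0x80) { rejected++; continue; }                           /* MIDI data bytes are 7-bit */
        if ((status & 0x0F) >= CHANNELS_IN_TABLE) { rejected++; continue; }  /* channel not covered by the table */
        size_t off = midi_note_offset(status, note);
        if (off >= sizeof page->table) { rejected++; continue; }            /* defence in depth: bound on the allocation */
        switch (status & 0xF0) {
        case 0x90: page->table[off]++; break;
        case 0x80: page->table[off]--; break;
        default:   break;
        }
    }
    return rejected;
}

/* Constructed event stream: one legitimate note-on followed by three crafted events. */
static const uint8_t crafted_events[] = {
    0x90, 0x3C, 0x40,   /* note-on, channel 0, note 60: lands in table[60] */
    0x98, 0x00, 0x40,   /* note-on, channel 8: offset 0x400, the first byte past the table */
    0x97, 0x80, 0x40,   /* note-on, channel 7, note 0x80: 7*128 + 128 = 0x400 again */
    0x88, 0x00, 0x40,   /* note-off, channel 8: decrements that same out-of-table byte */
};

/* Run the stream through one parser on a zeroed page; returns the byte just past the table. */
int spill_byte_after(int hardened)
{
    struct heap_page page;
    memset(&page, 0, sizeof page);
    if (hardened) play_events_hardened(&page, crafted_events, sizeof crafted_events);
    else          play_events_vulnerable(&page, crafted_events, sizeof crafted_events);
    return page.spill[0];
}

int rejected_by_hardened(void)
{
    struct heap_page page;
    memset(&page, 0, sizeof page);
    return play_events_hardened(&page, crafted_events, sizeof crafted_events);
}

int main(void)
{
    printf("offset for status 0x98 note 0x00: 0x%zx (table is 0x%x bytes)\n",
           midi_note_offset(0x98, 0x00), TABLE_SIZE);
    printf("vulnerable parser: spill[0] = %d\n", spill_byte_after(0));
    printf("hardened parser:   spill[0] = %d, rejected %d events\n",
           spill_byte_after(1), rejected_by_hardened());
    return 0;
}
```

Two crafted note-ons and one crafted note-off leave the byte after the table at 1 under the vulnerable parser (incremented twice, decremented once) and untouched under the hardened one, which rejects all three. That inc/dec of a single byte in an adjacent heap object is the primitive the module description builds on; the module's CImplAry corruption and tagVARIANT type confusion are the browser-side steps layered on top of it and are not modelled here.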

Msbulletin

bulletin_id: MS12-004
bulletin_url:
date: 2012-01-10T00:00:00
impact: Remote Code Execution
knowledgebase_id: 2636391
knowledgebase_url:
severity: Critical
title: Vulnerabilities in Windows Media Could Allow Remote Code Execution

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS12-004.NASL
description: The version of Windows Media installed on the remote host is affected by one or both of the following vulnerabilities : - The Winmm.dll library as used by Windows Media Player does not properly handle specially crafted MIDI files. (CVE-2012-0003) - A DirectShow component of DirectX does not properly handle specially crafted media files. (CVE-2012-0004) An attacker who tricked a user on the affected host into opening a specially crafted MIDI or media file could leverage these issues to execute arbitrary code in the context of the current user.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 57472
published: 2012-01-10
reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/57472
title: MS12-004: Vulnerabilities in Windows Media Could Allow Remote Code Execution (2636391)
code:
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


if (description)
{
  script_id(57472);
  script_version("1.22");
  script_cvs_date("Date: 2018/11/15 20:50:31");

  script_cve_id("CVE-2012-0003", "CVE-2012-0004");
  script_bugtraq_id(51292, 51295);
  script_xref(name:"EDB-ID", value:"18426");
  script_xref(name:"MSFT", value:"MS12-004");
  script_xref(name:"IAVA", value:"2012-A-0005");
  script_xref(name:"MSKB", value:"2598479");
  script_xref(name:"MSKB", value:"2628259");
  script_xref(name:"MSKB", value:"2628642");
  script_xref(name:"MSKB", value:"2631813");

  script_name(english:"MS12-004: Vulnerabilities in Windows Media Could Allow Remote Code Execution (2636391)");
  script_summary(english:"Checks version of Winmm.dll / Quartz.dll / Mstvcapn.dll");

  script_set_attribute(
    attribute:"synopsis",
    value:
"Opening a specially crafted media file could result in arbitrary code
execution."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The version of Windows Media installed on the remote host is affected
by one or both of the following vulnerabilities :

  - The Winmm.dll library as used by Windows Media Player
    does not properly handle specially crafted MIDI files.
    (CVE-2012-0003)

  - A DirectShow component of DirectX does not properly
    handle specially crafted media files. (CVE-2012-0004)

An attacker who tricked a user on the affected host into opening a
specially crafted MIDI or media file could leverage these issues to
execute arbitrary code in the context of the current user."
  );
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-004");
  script_set_attribute(
    attribute:"solution",
    value:
"Microsoft has released a set of patches for Windows XP, 2003, Vista,
2008, 7, and 2008 R2 as well as Windows XP Media Center Edition 2005
and Windows Media Center TV Pack 2008."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'MS12-004 midiOutPlayNextPolyEvent Heap Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/01/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/01/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/01/10");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');

  exit(0);
}


include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");


get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS12-004';
kbs = make_list("2598479", "2628259", "2628642", "2631813");
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);


get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);


# Test each component.
vuln = FALSE;

# - Windows Multimedia Library (Winmm.dll)
kb = "2598479";                                            # nb: except for XP MCE 2005
if (
  # Windows Vista / 2008
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Winmm.dll", version:"6.0.6002.22726", min_version:"6.0.6002.22000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Winmm.dll", version:"6.0.6002.18528", min_version:"6.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 2003 / XP 64-bit
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Winmm.dll",   version:"5.2.3790.4916",                              dir:"\system32", bulletin:bulletin, kb:kb) ||

  # # - Windows XP Media Center Edition 2005
  # hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mstvcapn.dll", version:"5.1.2715.5512", min_version:"5.1.0.0",       dir:"\system32", bulletin:bulletin, kb:"2628259") ||

  # Windows XP 32-bit
  hotfix_is_vulnerable(os:"5.1", sp:3, file:"Winmm.dll",   version:"5.1.2600.6160",                              dir:"\system32", bulletin:bulletin, kb:kb)
) vuln = TRUE;

# - DirectShow (Quartz.dll)
kb = "2631813";
if (
  # Windows 7 / 2008 R2
  (
    hotfix_check_server_core() == 0 &&
    (
      hotfix_is_vulnerable(os:"6.1", sp:1, file:"Quartz.dll", version:"6.6.7601.21847", min_version:"6.6.7601.21000", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.1", sp:1, file:"Quartz.dll", version:"6.6.7601.17713", min_version:"6.6.7601.17000", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.1", sp:0, file:"Quartz.dll", version:"6.6.7600.21077", min_version:"6.6.7600.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.1", sp:0, file:"Quartz.dll", version:"6.6.7600.16905", min_version:"6.6.7600.16000", dir:"\system32", bulletin:bulletin, kb:kb)
    )
  ) ||

  # Windows Vista / 2008
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Quartz.dll", version:"6.6.6002.22732", min_version:"6.6.6002.22000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Quartz.dll", version:"6.6.6002.18533", min_version:"6.6.6002.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 2003 / XP 64-bit
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Quartz.dll",   version:"6.5.3790.4928",                              dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows XP 32-bit
  hotfix_is_vulnerable(os:"5.1", sp:3, file:"Quartz.dll",   version:"6.5.2600.6169",                              dir:"\system32", bulletin:bulletin, kb:kb)
) vuln = TRUE;

# - Windows Vista Media Center TV Pack 2008 (Mstvcapn.dll)
kb = "2628642";
if (
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mstvcapn.dll", version:"6.1.1000.18311", dir:"\system32", bulletin:bulletin, kb:kb)
) vuln = TRUE;


# Issue a report if we're affected.
if (vuln)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();

  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
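
The hotfix_is_vulnerable calls in the plugin above encode the check a practitioner reproduces when Nessus is not at hand: a file is vulnerable when its version is below the fixed version and, where a min_version is given, at or above it. That lower bound is what separates the GDR (x.x.6002.18xxx) and LDR (x.x.6002.22xxx) servicing branches of the same Vista/2008 binary, so an LDR file is never judged against the GDR fix level. The C program below is an added example, not Tenable's code, implementing that comparison over the Winmm.dll fix levels the plugin lists. The plugin gates each call on the OS version it read from the registry; here that gate is approximated by requiring the installed version's first two components to match the fix level's, which is an assumption. The installed version strings are constructed inputs.

```c
/*
 * Added example (not Tenable code): the "min_version <= installed < version"
 * rule behind hotfix_is_vulnerable, applied to the Winmm.dll fix levels the
 * MS12-004 plugin checks. Version strings fed to it below are constructed.
 */
#include <stdio.h>
#include <string.h>

struct fver { unsigned part[4]; };

/* Parse "a.b.c.d"; returns 1 on success. */
int parse_fver(const char *s, struct fver *out)
{
    memset(out, 0, sizeof *out);
    return sscanf(s, "%u.%u.%u.%u",
                  &out->part[0], &out->part[1], &out->part[2], &out->part[3]) == 4;
}

/* Component-wise compare: <0, 0, >0 like strcmp. */
int fver_cmp(const struct fver *a, const struct fver *b)
{
    for (int i = 0; i < 4; i++)
        if (a->part[i] != b->part[i])
            return a->part[i] < b->part[i] ? -1 : 1;
    return 0;
}

/*
 * Vulnerable iff installed < fixed and (no min_version or installed >= min_version).
 * Returns 1 vulnerable, 0 not vulnerable, -1 unparseable input.
 */
int version_is_vulnerable(const char *installed, const char *fixed, const char *min_version)
{
    struct fver inst, fix, min;
    if (!parse_fver(installed, &inst) || !parse_fver(fixed, &fix))
        return -1;
    if (fver_cmp(&inst, &fix) >= 0)
        return 0;                         /* at or above the fix level */
    if (min_version) {
        if (!parse_fver(min_version, &min))
            return -1;
        if (fver_cmp(&inst, &min) < 0)
            return 0;                     /* belongs to a different servicing branch */
    }
    return 1;
}

/* Winmm.dll fix levels copied from the plugin's hotfix_is_vulnerable calls. */
struct winmm_check { const char *os; const char *fixed; const char *min; };
static const struct winmm_check winmm_checks[] = {
    { "Vista/2008 SP2 (LDR branch)", "6.0.6002.22726", "6.0.6002.22000" },
    { "Vista/2008 SP2 (GDR branch)", "6.0.6002.18528", "6.0.6002.18000" },
    { "2003 SP2 / XP x64 SP2",       "5.2.3790.4916",  NULL },
    { "XP SP3 (32-bit)",             "5.1.2600.6160",  NULL },
};

/* Assumed stand-in for the plugin's os: gate: same major.minor as the fix level. */
static int same_os_line(const char *a, const char *b)
{
    struct fver x, y;
    if (!parse_fver(a, &x) || !parse_fver(b, &y))
        return 0;
    return x.part[0] == y.part[0] && x.part[1] == y.part[1];
}

/* Returns 1 if an installed Winmm.dll version falls in any MS12-004 vulnerable range. */
int winmm_is_vulnerable(const char *installed)
{
    size_t n = sizeof winmm_checks / sizeof winmm_checks[0];
    for (size_t i = 0; i < n; i++) {
        if (!same_os_line(installed, winmm_checks[i].fixed))
            continue;
        if (version_is_vulnerable(installed, winmm_checks[i].fixed, winmm_checks[i].min) == 1)
            return 1;
    }
    return 0;
}

int main(void)
{
    const char *samples[] = { "5.1.2600.5512", "5.1.2600.6160", "6.0.6002.18400",
                              "6.0.6002.22100", "6.0.6002.22726" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("Winmm.dll %-15s -> %s\n", samples[i],
               winmm_is_vulnerable(samples[i]) ? "VULNERABLE" : "patched");
    return 0;
}
```

Without the branch bound, a Vista LDR file at 6.0.6002.22100 would compare above the GDR fix level 6.0.6002.18528 and be reported patched, although the LDR fix is 6.0.6002.22726; that false negative is the reason the plugin carries a min_version on every Vista/2008 and Windows 7 check.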

Oval

accepted: 2012-05-21T04:00:08.027-04:00
class: vulnerability
contributors:
  • Dragos Prisaca (Symantec Corporation)
  • Josh Turpin (Symantec Corporation)
  • Stelios Melachrinoudis (The MITRE Corporation)
definition_extensions:
  • Microsoft Windows XP (x86) SP3 is installed: oval:org.mitre.oval:def:5631
  • Microsoft Windows XP x64 Edition SP2 is installed: oval:org.mitre.oval:def:4193
  • Microsoft Windows Server 2003 SP2 (x64) is installed: oval:org.mitre.oval:def:2161
  • Microsoft Windows Server 2003 SP2 (x86) is installed: oval:org.mitre.oval:def:1935
  • Microsoft Windows Server 2003 (ia64) SP2 is installed: oval:org.mitre.oval:def:1442
  • Microsoft Windows Vista (32-bit) Service Pack 2 is installed: oval:org.mitre.oval:def:6124
  • Microsoft Windows Vista x64 Edition Service Pack 2 is installed: oval:org.mitre.oval:def:5594
  • Microsoft Windows Server 2008 (32-bit) Service Pack 2 is installed: oval:org.mitre.oval:def:5653
  • Microsoft Windows Server 2008 x64 Edition Service Pack 2 is installed: oval:org.mitre.oval:def:6216
  • Microsoft Windows Server 2008 Itanium-Based Edition Service Pack 2 is installed: oval:org.mitre.oval:def:6150
description: same text as the CVE summary above
family: windows
id: oval:org.mitre.oval:def:14337
status: accepted
submitted: 2012-01-10T13:00:00
title: MIDI Remote Code Execution Vulnerability
version: 75

Packetstorm

data source: https://packetstormsecurity.com/files/download/109176/ms12_004_midi.rb.txt
id: PACKETSTORM:109176
last seen: 2016-12-05
published: 2012-01-28
reporter: sinn3r
source: https://packetstormsecurity.com/files/109176/MS12-004-midiOutPlayNextPolyEvent-Heap-Overflow.html
title: MS12-004 midiOutPlayNextPolyEvent Heap Overflow

Saint

bid: 51292
description: Windows Media MIDI Invalid Channel
id: win_patch_ms12004multimedialib
osvdb: 78210
title: windows_media_midi_invalid_channel
type: client

Seebug

  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:30051
    last seen: 2017-11-19
    modified: 2012-01-29
    published: 2012-01-29
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-30051
    title: midiOutPlayNextPolyEvent Heap Overflow (MS12-004)
  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:72533
    last seen: 2017-11-19
    modified: 2014-07-01
    published: 2014-07-01
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-72533
    title: MS12-004 midiOutPlayNextPolyEvent Heap Overflow
  • bulletinFamily: exploit
    description (translated from Chinese): CVE-2012-0003. Microsoft Windows is a very widely used operating system published by Microsoft, and Windows Media Player is its multimedia playback component. WMP has a memory corruption vulnerability when handling malformed MIDI data. A remote attacker can exploit it to take control of the user's system by enticing the user to visit a malicious web page. Affected: Microsoft Windows XP Professional, Microsoft Windows XP Home Edition, Microsoft Windows Vista, Microsoft Windows Storage Server 2003, Microsoft Windows Server 2008, Microsoft Windows Server 2003 Web Edition, Microsoft Windows Server 2003 Standard Edition, Microsoft Windows Server 2003 Enterprise Edition, Microsoft Windows Server 2003 Datacenter Edition, Microsoft Windows 7. Temporary workaround: disable MIDI parsing. Vendor patch: Microsoft has released a security bulletin (MS12-004) and the corresponding patches: MS12-004: Vulnerabilities in Windows Media Could Allow Remote Code Execution (2636391). Link: http://www.microsoft.com/technet/security/bulletin/MS12-004.asp
    id: SSV:30052
    last seen: 2017-11-19
    modified: 2012-01-30
    published: 2012-01-30
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-30052
    title: Microsoft Windows Media Player 'winmm.dll' MIDI file parsing remote code execution vulnerability (CVE-2012-0003)