Vulnerabilities > CVE-2012-0008 - Local Privilege Escalation vulnerability in Microsoft Visual Studio 2008/2010
Attack vector
LOCAL Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Untrusted search path vulnerability in Microsoft Visual Studio 2008 SP1, 2010, and 2010 SP1 allows local users to gain privileges via a Trojan horse add-in in an unspecified directory, aka "Visual Studio Add-In Vulnerability." Per: http://technet.microsoft.com/en-us/security/bulletin/ms12-021 'An attacker could then place a specially crafted add-in in the path used by Visual Studio. When Visual Studio is started by an administrator, the specially crafted add-in would be loaded with the same privileges as the administrator.' 'The vulnerability could not be exploited remotely or by anonymous users.' Per: http://cwe.mitre.org/data/definitions/426.html 'CWE-426: Untrusted Search Path'
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 3 |
Msbulletin
| bulletin_id | MS12-021 |
| bulletin_url | |
| date | 2012-03-13T00:00:00 |
| impact | Elevation of Privilege |
| knowledgebase_id | 2651019 |
| knowledgebase_url | |
| severity | Important |
| title | Vulnerability in Visual Studio Could Allow Elevation of Privilege |
Nessus
| NASL family | Windows : Microsoft Bulletins |
| NASL id | SMB_NT_MS12-021.NASL |
| description | The installed version of Microsoft Visual Studio does not properly validate add-ins in the path before loading them into the application. An attacker can elevate his privileges by placing a specially crafted add-in in the path used by Visual Studio and convincing a user with higher privileges to start Visual Studio. |
| last seen | 2020-06-01 |
| modified | 2020-06-02 |
| plugin id | 58333 |
| published | 2012-03-13 |
| reporter | This script is Copyright (C) 2012-2019 Tenable Network Security, Inc. |
| source | https://www.tenable.com/plugins/nessus/58333 |
| title | MS12-021: Vulnerability in Visual Studio Could Allow Elevation of Privilege (2651019) |
Oval
| accepted | 2014-01-06T04:00:07.092-05:00 | ||||||||||||
| class | vulnerability | ||||||||||||
| contributors |
| ||||||||||||
| definition_extensions |
| ||||||||||||
| description | Untrusted search path vulnerability in Microsoft Visual Studio 2008 SP1, 2010, and 2010 SP1 allows local users to gain privileges via a Trojan horse add-in in an unspecified directory, aka "Visual Studio Add-In Vulnerability." | ||||||||||||
| family | windows | ||||||||||||
| id | oval:org.mitre.oval:def:15081 | ||||||||||||
| status | accepted | ||||||||||||
| submitted | 2012-03-13T13:00:00 | ||||||||||||
| title | Visual Studio Add-In Vulnerability | ||||||||||||
| version | 11 |
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 52329 CVE ID: CVE-2012-0008 Microsoft Visual Studio(简称VS)是美国微软公司的开发工具包系列产品。 Microsoft Visual Studio从不安全路径加载插件时存在漏洞,通过在某些目录中放置恶意插件,并诱使用户开启VS,本地攻击者可利用此漏洞获取提升的权限。 0 Microsoft Visual Studio 2010 Microsoft Visual Studio 2008 SP1 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS12-021)以及相应补丁: MS12-021:Vulnerability in Visual Studio Could Allow Elevation of Privilege (2651019) 链接:http://www.microsoft.com/technet/security/bulletin/MS12-021.asp |
| id | SSV:30195 |
| last seen | 2017-11-19 |
| modified | 2012-03-15 |
| published | 2012-03-15 |
| reporter | Root |
| title | Microsoft Visual Studio Add-In本地权限提升漏洞(MS12-021) |
References
- http://secunia.com/advisories/48396
- http://www.securityfocus.com/bid/52329
- http://www.securitytracker.com/id?1026792
- http://www.us-cert.gov/cas/techalerts/TA12-073A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-021
- https://exchange.xforce.ibmcloud.com/vulnerabilities/73537
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15081