CVE-2012-0009 - Remote Code Execution vulnerability in Microsoft Windows Server 2003 and Windows XP

CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE

Summary

Untrusted search path vulnerability in the Windows Object Packager configuration in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allows local users to gain privileges via a Trojan horse executable file in the current working directory, as demonstrated by a directory that contains a file with an embedded packaged object, aka "Object Packager Insecure Executable Launching Vulnerability." Per MS12-002 (http://technet.microsoft.com/en-us/security/bulletin/ms12-002): 'The vulnerability could allow remote code execution if a user opens a legitimate file with an embedded packaged object that is located in the same network directory as a specially crafted executable file.' Per CWE-426 (http://cwe.mitre.org/data/definitions/426.html): 'CWE-426: Untrusted Search Path'.

Vulnerable Configurations

Part Description Count
OS
Microsoft
3

Msbulletin

bulletin_id: MS12-002
bulletin_url:
date: 2012-01-10T00:00:00
impact: Remote Code Execution
knowledgebase_id: 2603381
knowledgebase_url:
severity: Important
title: Vulnerability in Windows Object Packager Could Allow Remote Code Execution

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS12-002.NASL
description: The remote host is affected by a remote code execution vulnerability when handling files with embedded packaged objects. An attacker can exploit this vulnerability by tricking a user into opening a legitimate file with an embedded packaged object file that is located in the same network directory as a specially crafted executable file.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 57470
published: 2012-01-10
reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/57470
title: MS12-002: Vulnerability in Windows Object Packager Could Allow Remote Code Execution (2603381)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");


if (description)
{
  # Plugin registration block: Nessus runs the script with `description`
  # set to collect metadata; the detection logic further down is not
  # reached in that mode.
  script_id(57470);
  script_version("1.18");
  script_cvs_date("Date: 2018/11/15 20:50:31");

  # Cross-references for the same issue: CVE, BugTraq, exploit-db entry,
  # Microsoft bulletin, IAVA notice and the KB article carrying the fix.
  script_cve_id("CVE-2012-0009");
  script_bugtraq_id(51297);
  script_xref(name:"EDB-ID", value:"18642");
  script_xref(name:"MSFT", value:"MS12-002");
  script_xref(name:"IAVA", value:"2012-A-0006");
  script_xref(name:"MSKB", value:"2603381");

  script_name(english:"MS12-002: Vulnerability in Windows Object Packager Could Allow Remote Code Execution (2603381)");
  # Detection is a registry-value check, not a file-version check.
  script_summary(english:"Checks the value of a registry key");

  script_set_attribute(attribute:"synopsis", value:"The remote host is affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote host is affected by a remote code execution vulnerability
when handling files with embedded packaged objects. An attacker can
exploit this vulnerability by tricking a user into opening a
legitimate file with an embedded packaged object file that is located
in the same network directory as a specially crafted executable file.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-002");
  script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows XP and 2003.");
  # CVSSv2 base vector (network, medium complexity, no auth, complete C/I/A).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/01/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/01/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/01/10");

  # "local" plugin type: needs authenticated (SMB) access to the host.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"II");
  # Must come after every script_set_attribute() call above.
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");

  # Runs only after the hotfix enumeration plugins have established that
  # bulletin checks are possible (the required KB key), over SMB ports or
  # through a third-party patch-management source.
  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

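# Detection logic for MS12-002 / CVE-2012-0009.
#
# The plugin does not compare file versions; it reads the default value of
# Object Packager's OLE server registration key and reports the host as
# vulnerable when that value is the bare file name "packager.exe".  An
# unqualified name is resolved through a search path rather than an absolute
# location, which is the CWE-426 untrusted-search-path condition the bulletin
# describes (a crafted executable placed in the same directory as an opened
# document with an embedded packaged object).  Presumably the fix replaces
# the value with a fully qualified path, which this exact-match check then
# no longer flags — confirm against KB2603381.
#
# Exit paths: audit() for not-affected / preconditions not met, exit(1) for
# registry access failures, hotfix_security_hole() when vulnerable.

get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');

bulletin = 'MS12-002';
kb = '2603381';
kbs = make_list(kb);

# Defer to a third-party patch-management source when one is configured.
if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit('SMB/Registry/Enumerated');
get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);

# Scope the check to the service-pack levels the bulletin covers; the helper
# presumably treats other OS/SP combinations as not affected — confirm in
# smb_hotfixes.inc.
if (hotfix_check_sp_range(xp:'3', win2003:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

# Credentials and transport come from the knowledge base.  `port` is not
# used directly below but is kept in case the hotfix_* helpers read it as a
# global.
port    = kb_smb_transport();
login   = kb_smb_login();
pass    = kb_smb_password();
domain  = kb_smb_domain();

if(! smb_session_init()) audit(AUDIT_FN_FAIL, "smb_session_init");

# Consumed by smb_hotfixes_fcheck.inc (reporting helpers used at the end).
hcf_init = TRUE;

# Connect to the remote registry.
rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (rc != 1)
{
  NetUseDel();
  audit(AUDIT_SHARE_FAIL, "IPC$");
}

hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
  NetUseDel();
  audit(AUDIT_REG_FAIL);
}

vuln = FALSE;

# Object Packager's server registration; its default value names the
# executable that handles packaged objects.
key = "SOFTWARE\Classes\Package\protocol\StdFileEditing\server";

# The unpatched value: a bare file name with no directory component.
vuln_value =  "packager.exe";

key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);

if (isnull(key_h))
{
  RegCloseKey(handle:hklm);
  NetUseDel();
  exit(1, 'Failed to open the registry handle '+key+'\n');
}

# RegQueryValue() without a name reads the key's default value.
item = RegQueryValue(handle:key_h);
if (isnull(item))
{
  RegCloseKey(handle:key_h);
  RegCloseKey(handle:hklm);
  NetUseDel();
  exit(1, 'Failed to open the registry key '+key+'\n');
}

# Case-insensitive exact match: only the unqualified name is flagged.
if (vuln_value == tolower(item[1])) vuln = TRUE;

# Close the key exactly once.  The previous version closed key_h twice on
# the vulnerable path (once inside the match branch and once after it).
RegCloseKey(handle:key_h);
RegCloseKey(handle:hklm);
NetUseDel();

if (vuln)
{
  set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_add_report(bulletin:bulletin, kb:kb);

  hotfix_security_hole();
  exit(0);
}
else audit(AUDIT_HOST_NOT, 'affected');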

Oval

accepted: 2012-02-20T04:00:05.379-05:00
class: vulnerability
contributors:
name: Josh Turpin
organization: Symantec Corporation
definition_extensions:
  • comment: Microsoft Windows XP (x86) SP3 is installed
    oval: oval:org.mitre.oval:def:5631
  • comment: Microsoft Windows XP x64 Edition SP2 is installed
    oval: oval:org.mitre.oval:def:4193
  • comment: Microsoft Windows Server 2003 SP2 (x86) is installed
    oval: oval:org.mitre.oval:def:1935
  • comment: Microsoft Windows Server 2003 SP2 (x64) is installed
    oval: oval:org.mitre.oval:def:2161
  • comment: Microsoft Windows Server 2003 (ia64) SP2 is installed
    oval: oval:org.mitre.oval:def:1442
description: Untrusted search path vulnerability in the Windows Object Packager configuration in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allows local users to gain privileges via a Trojan horse executable file in the current working directory, as demonstrated by a directory that contains a file with an embedded packaged object, aka "Object Packager Insecure Executable Launching Vulnerability."
family: windows
id: oval:org.mitre.oval:def:14393
status: accepted
submitted: 2012-01-10T13:00:00
title: Object Packager Insecure Executable Launching Vulnerability
version: 23

Saint

bid: 51297
description: Windows Object Packager Insecure Execution
id: win_patch_ms12002
osvdb: 78212
title: windows_object_packager_insecure_exec
type: client