Vulnerabilities > CVE-2012-0158 - Code Injection vulnerability in Microsoft products

047910
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
microsoft
CWE-94
critical
nessus
exploit available
metasploit

Summary

The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers "system state" corruption, as exploited in the wild in April 2012, aka "MSCOMCTL.OCX RCE Vulnerability."

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

Exploit-Db

descriptionMS12-027 MSCOMCTL ActiveX Buffer Overflow. CVE-2012-0158. Remote exploit for windows platform
idEDB-ID:18780
last seen2016-02-02
modified2012-04-25
published2012-04-25
reportermetasploit
sourcehttps://www.exploit-db.com/download/18780/
titleWIndows - MSCOMCTL ActiveX Buffer Overflow MS12-027

Metasploit

descriptionThis module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious RTF to embed the specially crafted MSComctlLib.ListViewCtrl.2 Control as exploited in the wild on April 2012. This module targets Office 2007 and Office 2010 targets. The DEP/ASLR bypass on Office 2010 is done with the Ikazuchi ROP chain proposed by Abysssec. This chain uses "msgr3en.dll", which will load after office got load, so the malicious file must be loaded through "File / Open" to achieve exploitation.
idMSF:EXPLOIT/WINDOWS/FILEFORMAT/MS12_027_MSCOMCTL_BOF
last seen2020-06-10
modified2017-07-24
published2012-04-23
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/ms12_027_mscomctl_bof.rb
titleMS12-027 MSCOMCTL ActiveX Buffer Overflow

Msbulletin

bulletin_idMS12-027
bulletin_url
date2012-04-12T00:00:00
impactRemote Code Execution
knowledgebase_id2664258
knowledgebase_url
severityCritical
titleVulnerability in Windows Common Controls Could Allow Remote Code Execution

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS12-027.NASL
descriptionA memory corruption issue exists in Windows common controls, specifically within the MSCOMCTL.TreeView, MSCOMCTL.ListView2, MSCOMCTL.TreeView2, and MSCOMCTL.ListView controls component of MSCOMCTL.OCX, due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this issue by convincing a user to view a specially crafted web page, resulting in the execution of arbitrary code.
last seen2020-06-01
modified2020-06-02
plugin id58659
published2012-04-11
reporterThis script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/58659
titleMS12-027: Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2664258)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(58659);
  script_version("1.35");
  script_cvs_date("Date: 2018/11/15 20:50:31");

  script_cve_id("CVE-2012-0158");
  script_bugtraq_id(52911);
  script_xref(name:"EDB-ID", value:"18780");
  script_xref(name:"MSFT", value:"MS12-027");
  script_xref(name:"MSKB", value:"983807");
  script_xref(name:"MSKB", value:"983808");
  script_xref(name:"MSKB", value:"983809");
  script_xref(name:"MSKB", value:"2597112");
  script_xref(name:"MSKB", value:"2598039");
  script_xref(name:"MSKB", value:"2598041");
  script_xref(name:"MSKB", value:"2641426");
  script_xref(name:"MSKB", value:"2645025");
  script_xref(name:"MSKB", value:"2647488");
  script_xref(name:"MSKB", value:"2647490");
  script_xref(name:"MSKB", value:"2655547");
  script_xref(name:"MSKB", value:"2658674");
  script_xref(name:"MSKB", value:"2658676");
  script_xref(name:"MSKB", value:"2658677");

  script_name(english:"MS12-027: Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2664258)");
  script_summary(english:"Checks for kill bit.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by a remote code execution
vulnerability.");
  script_set_attribute(attribute:"description", value:
"A memory corruption issue exists in Windows common controls,
specifically within the MSCOMCTL.TreeView, MSCOMCTL.ListView2,
MSCOMCTL.TreeView2, and MSCOMCTL.ListView controls component of
MSCOMCTL.OCX, due to improper sanitization of user-supplied input. An
unauthenticated, remote attacker can exploit this issue by convincing
a user to view a specially crafted web page, resulting in the
execution of arbitrary code.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-027");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Office 2003, 2007 and
2010; Office 2003 Web Components; SQL Server 2000, 2005, 2005 Express
Edition, 2008, and 2008 R2; BizTalk Server 2002; Commerce Server 2002,
2007, 2009, and 2009 R2; Microsoft Visual FoxPro 8.0 and 9.0; and
Visual Basic 6.0 Runtime.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'MS12-027 MSCOMCTL ActiveX Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/04/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/04/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/04/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office_web_components");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:sql_server");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:visual_basic");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:visual_foxpro");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:biztalk_server");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:commerce_server");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");

  script_dependencies(
    "smb_hotfixes.nasl",
    "ms_bulletin_checks_possible.nasl",
    "mssql_version.nasl",
    "commerce_server_installed.nasl",
    "biztalk_server_installed.nasl",
    "foxpro_installed.nasl",
    "office_installed.nasl"
  );
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include('audit.inc');
include('smb_func.inc');
include('smb_hotfixes.inc');
include('smb_activex_func.inc');
include('smb_hotfixes_fcheck.inc');
include('smb_reg_query.inc');
include('misc_func.inc');
include('install_func.inc');

get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');

bulletin = 'MS12-027';
kbs = make_list(
  '983807',
  '983808',
  '983809',
  '2597112',
  '2598039',
  '2598041',
  '2641426',
  '2645025',
  '2647488',
  '2647490',
  '2655547',
  '2658674',
  '2658676',
  '2658677'
);

if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit('SMB/Registry/Uninstall/Enumerated');
get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);

if (activex_init() != ACX_OK) audit(AUDIT_FN_FAIL, 'activex_init');

clsids = make_list(
  '{bdd1f04b-858b-11d1-b16a-00c0f0283628}',
  '{996BF5E0-8044-4650-ADEB-0B013914E99C}',
  '{C74190B6-8589-11d1-B16A-00C0F0283628}',
  '{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}'
);

activex_report = NULL;
vuln = 0;

foreach clsid (clsids)
{
  # Make sure the control is installed
  file = activex_get_filename(clsid:clsid);
  if (isnull(file) || !file) continue;

  # Get its version
  version = activex_get_fileversion(clsid:clsid);
  if (!version) version = 'unknown';

  if ((version != 'unknown' && ver_compare(ver:version, fix:'6.1.98.33') < 0) && activex_get_killbit(clsid:clsid) == 0)
  {
    vuln++;
    if (!isnull(activex_report)) activex_report += '\n';
    activex_report +=
      '\n  Class identifier  : ' + clsid +
      '\n  Filename          : ' + file +
      '\n  Installed version : ' + version;
  }
}

activex_end();

analysis_svcs_installed = !isnull(get_kb_item('SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/Microsoft SQL Server 2000 Analysis Services/DisplayName'));
sql_ver_list = get_kb_list("mssql/installs/*/SQLVersion");
analysispath = NULL;
vfp8_installed = !isnull(get_kb_item('SMB/VFP8.0/path'));
vfp9_installed = !isnull(get_kb_item('SMB/VFP9.0/path'));
commerce_edition = get_kb_item('SMB/commerce_server/productname');
vb6_installed = FALSE;
office_version = hotfix_check_office_version();
owc2003_installed = FALSE;

biztalk_editions = make_list();
biztalk_installs = get_installs(app_name:"BizTalk Server");
if (!empty_or_null(biztalk_installs[1]))
{
  foreach biztalk_install (biztalk_installs[1])
    biztalk_editions = make_list(biztalk_editions, biztalk_install['Product Name']);
}

uninst_array = get_kb_list('SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/*/DisplayName');

foreach item (keys(uninst_array))
{
  name = uninst_array[item];

  if (name == 'Microsoft Office 2003 Web Components')
  {
    # determine if this is an 11.x or a 12.x
    ver_key = item - "DisplayName";
    ver_key += "DisplayVersion";
    owc_ver = get_kb_item_or_exit(ver_key);

   if (
     # OWC 2003 SP3 (11.0.8173.0)
     owc_ver =~ "^11\." &&
     ver_compare(ver:owc_ver, fix:'11.0.8173.0', strict:FALSE) >= 0
   )
     owc2003_installed = TRUE;
   else if (
     # OWC 2003 for 2007 SP2 (12.0.6425.1000)
     # OWC 2003 for 2007 SP3 (12.0.6607.1000); note this
     # branch is vuln and there's no need for an upper
     # boundary until (and if) an SP4 is released.
     owc_ver =~ "^12\." &&
     ver_compare(ver:owc_ver, fix:'12.0.6425.1000', strict:FALSE) >= 0
   )
     owc2003_for_office2007_installed = TRUE;

    break;
  }
}

if (vuln > 0 || analysis_svcs_installed)
{
  registry_init();
  hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);

  # If the ActiveX stuff looks unpatched, try to determine which KBs are missing
  if (vuln > 0)
  {
    if (!isnull(get_registry_value(handle:hklm, item:"SOFTWARE\Microsoft\VisualStudio\6.0\Setup\Microsoft Visual Basic\ProductDir")))
      vb6_installed = TRUE;
  }

  # determine if 32 or 64-bit office is installed. this value is reportedly whenever office 2010 is installed, even if outlook is not installed
  if (office_version['14.0'])
    office_bitness = get_registry_value(handle:hklm, item:"Software\Microsoft\Office\14.0\Outlook\Bitness");

  # get the SQL Server 200 Analysis Services path if it looks like it's installed
  if (analysis_svcs_installed)
  {
    analysispath = get_registry_value(handle:hklm, item:"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft SQL Server 2000 Analysis Services\InstallLocation");

    if (analysispath)
      analysispath += "\bin";
  }

  RegCloseKey(handle:hklm);
  close_registry();
}

prod_info = NULL;

if (vuln)
{
  activex_report = 'The following vulnerable controls do not have the kill bit set :\n' + activex_report;
  prod_info = NULL;

  if (office_version['11.0'] || owc2003_installed)
  {
    flag = TRUE;
    if (office_version['11.0'])
    {
      sp = get_kb_item("SMB/Office/2003/SP");
      if (!isnull(sp) && sp < 3) flag = FALSE; # < SP3 not reported
    }

    if (flag)
    {
      # KB923618 is Office 2003 SP3. KB2597112 will fail to install unless it's present, though it
      # doesn't make it clear that the failure is due to a lack of SP3
      prod_info +=
        '\n\nProduct        : Office 2003 / Office 2003 Web components' +
        '\nMissing update : KB2597112 (prerequisite: KB923618)';
      hotfix_add_report(bulletin:bulletin, kb:'2597112');
    }
  }
  if (office_version['12.0'] || owc2003_for_office2007_installed)
  {
    # If Office 2003 Web Components is ver. 12.x a different KB applies
    prod_info +=
      '\n\nProduct        : Office 2007 / Office 2003 Web Components' +
      '\nMissing update : KB2598041 (prerequisite: KB937961)';
    hotfix_add_report(bulletin:bulletin, kb:'2598041');
  }
  if (office_version['14.0'] && office_bitness != 'x64')
  {
    prod_info +=
      '\n\nProduct        : Office 2010' +
      '\nMissing update : KB2598039';
    hotfix_add_report(bulletin:bulletin, kb:'2598039');
  }
  if (vfp8_installed)
  {
    prod_info +=
      '\n\nProduct        : Visual FoxPro 8.0' +
      '\nMissing update : KB2647488';
    hotfix_add_report(bulletin:bulletin, kb:'2647488');
  }
  if (vfp9_installed)
  {
    prod_info +=
      '\n\nProduct        : Visual FoxPro 9.0' +
      '\nMissing update : KB2647490';
    hotfix_add_report(bulletin:bulletin, kb:'2647490');
  }
  if (vb6_installed)
  {
    # KB290887 is VB 6.0 Runtime SP6
    prod_info +=
      '\n\nProduct        : Visual Basic 6.0 Runtime' +
      '\nMissing update : KB2641426 (prerequisite: KB290887)';
    hotfix_add_report(bulletin:bulletin, kb:'2641426');
  }
  if ('2009 R2' >< commerce_edition)
  {
    prod_info +=
      '\n\nProduct        : Commerce Server 2009 R2' +
      '\nMissing update : KB2658676';
    hotfix_add_report(bulletin:bulletin, kb:'2658676');
  }
  else if ('2009' >< commerce_edition)
  {
    prod_info +=
      '\n\nProduct        : Commerce Server 2009' +
      '\nMissing update : KB2655547';
    hotfix_add_report(bulletin:bulletin, kb:'2655547');
  }
  if ('2007' >< commerce_edition)
  {
    prod_info +=
      '\n\nProduct        : Commerce Server 2007' +
      '\nMissing update : KB2658677';
    hotfix_add_report(bulletin:bulletin, kb:'2658677');
  }
  if ('2002' >< commerce_edition)
  {
    prod_info +=
      '\n\nProduct        : Commerce Server 2002' +
      '\nMissing update : KB2658674';
    hotfix_add_report(bulletin:bulletin, kb:'2658674');
  }
  if (max_index(biztalk_editions) > 0)
  {
    foreach biztalk_edition (biztalk_editions)
    {
      if ('2002' >< biztalk_edition)
      {
        prod_info +=
          '\n\nProduct        : BizTalk Server 2002' +
          '\nMissing update : KB2645025';
        hotfix_add_report(bulletin:bulletin, kb:'2645025');
      }
    }
  }
}

# the only other things to check are sql server 2000 and sql server 2000 analysis services.
# if neither are installed and the activex stuff is not vulnerable, there's no need to do any further testing
if (vuln == 0 && isnull(analysispath) && isnull(sql_ver_list)) exit(0, 'The host is not affected.');

if (!is_accessible_share()) exit(1, 'is_accessible_share() failed.');

# SQL Server 2000 Analysis Services
if (
  analysispath &&
  hotfix_is_vulnerable(path:analysispath, file:"Msmdadin.dll", version:"8.0.0.2302", min_version:"8.0.0.0", bulletin:bulletin, kb:"983807")
)
{
  vuln++;

  if (!isnull(activex_report))
  {
    prod_info +=
      '\n\nProduct        : SQL Server 2000 Analysis Services' +
      '\nMissing update : KB983807';
  }
}

foreach item (keys(sql_ver_list))
{
  item -= 'mssql/installs/';
  item -= '/SQLVersion';
  sqlpath = item;

  share = hotfix_path2share(path:sqlpath);
  if (!is_accessible_share(share:share)) continue;

  # SQL Server 2000
  # GDR
  if (hotfix_is_vulnerable(path:sqlpath, file:"Sqlservr.exe", version:"2000.80.2065.0", min_version:"2000.80.2000.0", bulletin:bulletin, kb:"983808"))
  {
    vuln++;

    if (!isnull(activex_report))
    {
      prod_info +=
        '\n\nProduct        : SQL Server 2000' +
        '\nMissing update : KB983808';
    }
  }
   # QFE
  else if(hotfix_is_vulnerable(path:sqlpath, file:"Sqlservr.exe", version:"2000.80.2301.0", min_version:"2000.80.2100.0", bulletin:bulletin, kb:"983809"))
  {
    vuln++;

    if (!isnull(activex_report))
    {
      prod_info +=
        '\n\nProduct        : SQL Server 2000' +
        '\nMissing update : KB983809';
    }
  }
}

if (vuln)
{
  if (isnull(prod_info)) exit(0, "None of the Microsoft KBs applies even though at least one of the controls is in use, possibly from a third-party application.");

  if (!isnull(activex_report))
  {
    activex_report +=
      '\n\nNessus determined these controls are being used by the following applications :' +
      prod_info;

    if (hotfix_get_report())
      hotfix_add_report('\n' + activex_report, bulletin:bulletin);
    else
      hotfix_add_report(activex_report, bulletin:bulletin);
  }

  set_kb_item(name:'SMB/Missing/' + bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

accepted2014-06-09T04:00:14.623-04:00
classvulnerability
contributors
  • nameDragos Prisaca
    organizationSymantec Corporation
  • nameChandan S
    organizationSecPod Technologies
  • namePradeep R B
    organizationSecPod Technologies
  • nameMaria Mikhno
    organizationALTX-SOFT
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentMicrosoft Office 2003 SP3 is installed
    ovaloval:org.mitre.oval:def:15626
  • commentMicrosoft Office 2003 Web Components SP3 is installed
    ovaloval:org.mitre.oval:def:15325
  • commentMicrosoft Office 2007 SP2 is installed
    ovaloval:org.mitre.oval:def:15607
  • commentMicrosoft Office 2007 SP3 is installed
    ovaloval:org.mitre.oval:def:15704
  • commentMicrosoft Office 2010 SP1 x86 is installed
    ovaloval:org.mitre.oval:def:20819
  • commentMicrosoft Office 2010 is installed
    ovaloval:org.mitre.oval:def:12061
  • commentMicrosoft Office 2010 SP1 is installed
    ovaloval:org.mitre.oval:def:15198
  • commentMicrosoft Office 2010 SP2 is installed
    ovaloval:org.mitre.oval:def:17121
  • commentMicrosoft SQL Server 2005 SP4 is installed
    ovaloval:org.mitre.oval:def:12442
  • commentMicrosoft SQL Server 2008 SP2 is installed
    ovaloval:org.mitre.oval:def:12310
  • commentMicrosoft SQL Server 2008 SP3 is installed
    ovaloval:org.mitre.oval:def:15497
  • commentMicrosoft SQL Server 2008 R2 SP2 is installed
    ovaloval:org.mitre.oval:def:15803
  • commentMicrosoft SQL Server 2008 R2 is installed
    ovaloval:org.mitre.oval:def:12596
  • commentMicrosoft BizTalk Server 2002 is installed
    ovaloval:org.mitre.oval:def:15292
  • commentMicrosoft Commerce Server 2002 is installed
    ovaloval:org.mitre.oval:def:15304
  • commentMicrosoft Commerce Server 2007 is installed
    ovaloval:org.mitre.oval:def:15514
  • commentMicrosoft Commerce Server 2009 is installed
    ovaloval:org.mitre.oval:def:15443
  • commentMicrosoft Visual FoxPro is installed
    ovaloval:org.mitre.oval:def:14198
  • commentMicrosoft Visual Basic 6.0 is installed
    ovaloval:org.mitre.oval:def:15369
  • commentMicrosoft SQL Server 2000 Analysis Services SP4 is installed
    ovaloval:org.mitre.oval:def:15730
  • commentMicrosoft SQL Server 2000 SP4 is installed
    ovaloval:org.mitre.oval:def:15762
descriptionThe (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers "system state" corruption, as exploited in the wild in April 2012, aka "MSCOMCTL.OCX RCE Vulnerability."
familywindows
idoval:org.mitre.oval:def:15462
statusaccepted
submitted2012-04-10T13:00:00
titleMSCOMCTL.OCX RCE Vulnerability
version94

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/112176/ms12_027_mscomctl_bof.rb.txt
idPACKETSTORM:112176
last seen2016-12-05
published2012-04-25
reporterunknown
sourcehttps://packetstormsecurity.com/files/112176/MS12-027-MSCOMCTL-ActiveX-Buffer-Overflow.html
titleMS12-027 MSCOMCTL ActiveX Buffer Overflow

Saint

bid52911
descriptionMicrosoft Windows Common Controls MSCOMCTL.OCX Vulnerability
idwin_patch_office2007comctl,win_patch_office2010comctl
osvdb81125
titlewindows_common_controls_mscomctlocx
typeclient

Seebug

bulletinFamilyexploit
description来源: http://drops.wooyun.org/papers/9809 ### Microsoft Office 内存损坏漏洞 ### 0x01 漏洞概述 今年4月份微软修补了一个名为CVE-2015-1641的word类型混淆漏洞,攻击者可以构造嵌入了docx的rtf文档进行攻击。word在解析docx文档处理displacedByCustomXML属性时未对customXML对象进行验证,可以传入其他标签对象进行处理,造成类型混淆,导致任意内存写入,最终经过精心构造的标签以及对应的属性值可以造成远程任意代码执行。 根据微软官方MS15-33安全公告里显示,这个漏洞覆盖Office 2007 SP3,Office 2010 SP2(32位和64位),Office 2013 SP1(32位和64位),Office 2013RT SP1,Word for Mac 2011以及Office在SharePoint服务器上的Office 2010/2013和Office Web 2010/2013应用,除此之外,经过验证Office 2010 SP1也受该漏洞的影响,但是微软针对该漏洞在2010上的补丁KB2553428并未推出SP1版本,因此SP1版本的Office 2010到目前即使更新所有补丁仍然存在该漏洞。 CVE-2015-1641这个漏洞的触发非常稳定,几乎影响微软目前所支持的所有office版本(最新推出的Office 2016除外),影响范围十分广泛。目前无论是在VirusTotal还是在野外抓到的样本,利用这个漏洞的攻击样本已经开始逐渐增加。根据以上原因可以推断,在今后很长的一段时间内都会存在该漏洞的攻击,并且有替代CVE-2012-0158的趋势。 ### 0x02 漏洞原因分析 使用阿里谛听引擎扫描RTF文档,解析出其中的一个word文档的document.xml中有如下代码,包含了4个smartTag标签,每个smartTag中又有permStart标签,而在permStart标签中的则是带有displacedByCustomXml属性的moveFromRangeStart和moveFromRangeEnd标签: ![](https://images.seebug.org/contribute/6a0ac989-3658-4f53-a950-1db5c9cc700d-2_1.png) 首先来说明一下几个标签及属性的作用。smartTag标签是用于word和excel中的智能标签,针对人名、日期、时间、地址、电话号码等进行智能识别并允许用户执行特定操作的标签。比如如果Steve Jobs被识别为人名,则smartTag标签可以执行诸如打开通讯录、添加到联系人、预约会议等操作,给office用户提供更多自定义的智能选择。displacedByCustomXml在很多标签中都可以使用,目的是当前标签处需要被一个customXML中的内容代替,它的值是next表示被下一个customXML代替,prev则表示被上一个代替。 这个漏洞是一个类型混淆漏洞,本来带有displacedByCustomXml的标签会被上一个或下一个customXML代替,但是word没有对传入的customXML对象进行严格的校验,导致可以传入诸如smartTag对象,然而smartTag对象的处理流程和customXML并不相同,上述特殊处理的smartTag标签中的element属性值会被当作是一个地址,随后经过简单的计算得到另一个地址。最后处理流程会将moveFromRangeEnd的id值覆盖到之前计算出来的地址中,导致任意内存写入,漏洞代码如下: ![](https://images.seebug.org/contribute/ead610a2-7f02-4fe8-b144-9749e4280541-2_2.png) 通过下面的补丁对比可以很容易看到打上最新补丁的word代码增加了对customXML对象处理函数的校验: ![](https://images.seebug.org/contribute/74ced04c-18f2-453a-ba07-07d3b2c6524f-2_3.png) ### 0x03 漏洞利用分析 利用的分析环境为win7 64位+office2010 sp2 32位。 虽然这上面有4个smartTag标签,但就目前分析来看,前两个标签是漏洞利用的关键。首在解析第一个smartTag标签时会把其moveFromRangeEnd子标签的id进行解析,然后写到0x7c38bd74这个地址中去,这个地址是根据smartTag的element即0x7c38bd50计算出来的: ![](https://images.seebug.org/contribute/e89076e6-dbbe-4524-8be0-4ddbbec27701-2_4.png) 然后解析第二个smartTag标签,esi指向的内存就是smartTag的结构体,esi+4的内容是element属性值: ![](https://images.seebug.org/contribute/cb114d22-591b-4c70-ad6e-42abcd874ca9-2_5.png) 而eax的值为0x7C376FC3,刚好就是moveFromRangeEnd对象id "2084007875"的十六进制值: ![](https://images.seebug.org/contribute/dd520af8-ab6f-417f-8963-2e9f9cfd7528-2_6.png) 然后覆盖MSVCR71.dll中0x7c38a428,这是一个虚函数的指针,而0x7c38a428这个地址是通过当前smartTag的element属性值即0x7c38bd68和第一个smartTag标签中moveFromRangeStart的id共同计算出来的: ![](https://images.seebug.org/contribute/5d6c1af8-6122-497b-9837-4cebd57af20d-2_7.png) 调试可以看到如下内存,ecx的内存如下,ecx+0xc就是上面解析第一个smartTag标签时写入的值,最终计算得到的被覆盖的地址便是0x7c38a428: ![](https://images.seebug.org/contribute/5516fe40-e52c-4f41-b4d8-ccd32fdc388c-2_8.png) 而在覆盖之前0x7c38a428处的指针指向kernel32! FlsGetValue: ![](https://images.seebug.org/contribute/178fe14a-4847-459d-950c-24888d7b6afa-3_1.png) 最后调用memcpy函数进行覆盖: ![](https://images.seebug.org/contribute/4d63192d-836b-411f-bde3-049f0b247dab-3_2.png) 覆盖之后的0x7c38a428指向的便是攻击者想要执行的代码位置: ![](https://images.seebug.org/contribute/0b239945-14cb-4948-a4a8-0e9e25f10ac4-3_3.png) 总结一下利用流程如下:首先smartTag_1(第一个smartTag标签)的element属性值进行简单计算得到一个地址addr1,然后将其moveFromRangeEnd_1子标签的id写入到addr1中备用;然后解析smartTag_2,根据他的element属性值和前面计算出来的addr1共同计算出另一个地址addr2,并将其子标签moveFromRangeEnd_2的id写入到addr2,而addr2是一个虚函数表中的地址,这样原本是这个虚函数的地址就被覆盖成攻击者想要执行的任意代码的地址,漏洞利用成功。 word在office2010的环境下没有打补丁的情况下执行的堆喷射后的地址为0x0900080C,如下: ![](https://images.seebug.org/contribute/836bdf37-6e26-477f-a428-84ffdedfae96-3_4.png) 看到这段内存想必都已经清楚了,这里就是RTF文档释放的activeX.bin文件的内容,而0x7c342404处的代码是ret,因此这里会一直执行ret直到到达最终ROP的位置,ROP链如下: ![](https://images.seebug.org/contribute/e378b3e2-d257-4b11-a0e2-f304c5a3666c-3_5.png) 毫无疑问ROP的作用还是调用VirtualProtect函数对当前这块内存添加可执行权限: ![](https://images.seebug.org/contribute/7c2ab417-72e1-48d6-9063-d510a0295dbb-3_6.png) 获得执行权限之后开始执行shellcode: ![](https://images.seebug.org/contribute/6354c396-2cb7-438a-99e2-91363edb2388-3_7.png) ### 0x04 漏洞利用检测 想要检测这个漏洞的攻击样本必须要先从rtf文档提取出docx然后获取到document.xml,yara规则如下: ``` rule CVE_2015_1641 { meta: description="Word Type Confusion Vulnerability" output="Nday & CVE-2015-1641" strings: $smart_tag=/<w:smartTag[\w\W]+?w:element=\"(&#x[a-zA-Z0-9]{4};){2}\">[\w\W]+?<w:permStart[\w\W]+?w:displacedByCustomXml=\"prev\"\/>[\w\W]+?<w:permEnd[\w\W]+?<\/w:smartTag>/ condition: $smart_tag } ``` 上面的规则匹配其实就是一个正则匹配,从左到右流程如下:1.匹配到smartTag标签,查看其element属性是否为十六进制数值作为地址;2.在smartTag标签中匹配到permStart标签,在它的属性或子标签的属性中存在displacedByCustomXml="prev"。满足上述两个条件则认为就是这个漏洞的攻击样本。依据上面的yara规则检测该攻击样本的document.xml结果如下: ![](https://images.seebug.org/contribute/7ba80566-8581-4ebc-bcd7-074bcc08380e-3_8.png)
idSSV:90202
last seen2017-11-19
modified2015-12-31
published2015-12-31
reporterkalicc
titleMicrosoft Office 内存损坏漏洞(CVE-2015-1641)

The Hacker News