Vulnerabilities > CVE-2012-1851 - Use of Externally-Controlled Format String vulnerability in Microsoft products

CVSS 0.0 - NONE

Attack vector

UNKNOWN

Attack complexity

UNKNOWN

Privileges required

UNKNOWN

Confidentiality impact

UNKNOWN

Integrity impact

UNKNOWN

Availability impact

UNKNOWN

microsoft

CWE-134

nessus

NVD

Published: 2012-08-15

Updated: 2024-11-21

Summary

Format string vulnerability in the Print Spooler service in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via a crafted response, aka "Print Spooler Service Format String Vulnerability."

Vulnerable Configurations

Part	Description	Count
OS	Microsoft Microsoft Windows Server 2008 * Microsoft Windows XP - Microsoft Windows XP * Microsoft Windows 7 * Microsoft Windows Server 2003 * Microsoft Windows Vista *	13

Common Weakness Enumeration (CWE)

CWE-134 - Use of Externally-Controlled Format String

Common Attack Pattern Enumeration and Classification (CAPEC)

Format String Injection
An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An attacker can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack.
String Format Overflow in syslog()
This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.

Msbulletin

bulletin_id	MS12-054
bulletin_url
date	2012-08-14T00:00:00
impact	Remote Code Execution
knowledgebase_id	2733594
knowledgebase_url
severity	Critical
title	Vulnerabilities in Windows Networking Components Could Allow Remote Code Execution

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS12-054.NASL
description	The remote Windows host is potentially affected by the following vulnerabilities : - A denial of service vulnerability exists in Windows networking components. The vulnerability is due to the service not properly handling specially crafted RAP requests. (CVE-2012-1850) - A remote code execution vulnerability exists in the Windows Print Spooler service that can allow a remote, unauthenticated attacker to execute arbitrary code on an affected system. (CVE-2012-1851) - A remote code execution vulnerability exists in the way that Windows networking components handle specially crafted RAP responses. (CVE-2012-1852, CVE-2012-1853)
last seen	2020-06-01
modified	2020-06-02
plugin id	61529
published	2012-08-15
reporter	This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/61529
title	MS12-054: Vulnerabilities in Windows Networking Components Could Allow Remote Code Execution (2733594)
code	# (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(61529); script_version("1.12"); script_cvs_date("Date: 2018/11/15 20:50:31"); script_cve_id( "CVE-2012-1850", "CVE-2012-1851", "CVE-2012-1852", "CVE-2012-1853" ); script_bugtraq_id(54921, 54928, 54931, 54940); script_xref(name:"MSFT", value:"MS12-054"); script_xref(name:"IAVA", value:"2012-A-0137"); script_xref(name:"MSKB", value:"2705219"); script_xref(name:"MSKB", value:"2712808"); script_name(english:"MS12-054: Vulnerabilities in Windows Networking Components Could Allow Remote Code Execution (2733594)"); script_summary(english:"Checks version of netapi32.dll and localspl.dll"); script_set_attribute( attribute:"synopsis", value: "The remote Windows host is potentially affected by multiple code execution vulnerabilities." ); script_set_attribute( attribute:"description", value: "The remote Windows host is potentially affected by the following vulnerabilities : - A denial of service vulnerability exists in Windows networking components. The vulnerability is due to the service not properly handling specially crafted RAP requests. (CVE-2012-1850) - A remote code execution vulnerability exists in the Windows Print Spooler service that can allow a remote, unauthenticated attacker to execute arbitrary code on an affected system. (CVE-2012-1851) - A remote code execution vulnerability exists in the way that Windows networking components handle specially crafted RAP responses. (CVE-2012-1852, CVE-2012-1853)" ); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-054"); script_set_attribute( attribute:"solution", value: "Microsoft has released a set of patches for Windows XP, 2003, Vista, 2008, 7, and 2008 R2." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2012/08/14"); script_set_attribute(attribute:"patch_publication_date", value:"2012/08/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/15"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("audit.inc"); include("smb_hotfixes_fcheck.inc"); include("smb_hotfixes.inc"); include("smb_func.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = "MS12-054"; kbs = make_list("2705219","2712808"); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1); if (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN); rootfile = hotfix_get_systemroot(); if (!rootfile) exit(1, "Failed to get the system root."); share = hotfix_path2share(path:rootfile); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( # Windows 7 / Server 2008 R2 hotfix_is_vulnerable(os:"6.1", sp:0, file:"netapi32.dll", version:"6.1.7600.17056", min_version:"6.1.7600.16000", dir:"\System32", bulletin:bulletin, kb:"2705219") \|\| hotfix_is_vulnerable(os:"6.1", sp:0, file:"netapi32.dll", version:"6.1.7600.21256", min_version:"6.1.7600.20000", dir:"\System32", bulletin:bulletin, kb:"2705219") \|\| hotfix_is_vulnerable(os:"6.1", sp:1, file:"netapi32.dll", version:"6.1.7601.17887", min_version:"6.1.7601.17000", dir:"\System32", bulletin:bulletin, kb:"2705219") \|\| hotfix_is_vulnerable(os:"6.1", sp:1, file:"netapi32.dll", version:"6.1.7601.22044", min_version:"6.1.7601.21000", dir:"\System32", bulletin:bulletin, kb:"2705219") \|\| hotfix_is_vulnerable(os:"6.1", sp:0, file:"localspl.dll", version:"6.1.7600.17023", min_version:"6.1.7600.16000", dir:"\System32", bulletin:bulletin, kb:"2712808") \|\| hotfix_is_vulnerable(os:"6.1", sp:0, file:"localspl.dll", version:"6.1.7600.21214", min_version:"6.1.7600.20000", dir:"\System32", bulletin:bulletin, kb:"2712808") \|\| hotfix_is_vulnerable(os:"6.1", sp:1, file:"localspl.dll", version:"6.1.7601.17841", min_version:"6.1.7601.17000", dir:"\System32", bulletin:bulletin, kb:"2712808") \|\| hotfix_is_vulnerable(os:"6.1", sp:1, file:"localspl.dll", version:"6.1.7601.21994", min_version:"6.1.7601.21000", dir:"\System32", bulletin:bulletin, kb:"2712808") \|\| # Vista / Windows Server 2008 hotfix_is_vulnerable(os:"6.0", sp:2, file:"netapi32.dll", version:"6.0.6002.18659", min_version:"6.0.6002.18000", dir:"\System32", bulletin:bulletin, kb:"2705219") \|\| hotfix_is_vulnerable(os:"6.0", sp:2, file:"netapi32.dll", version:"6.0.6002.22887", min_version:"6.0.6002.22000", dir:"\System32", bulletin:bulletin, kb:"2705219") \|\| hotfix_is_vulnerable(os:"6.0", sp:2, file:"localspl.dll", version:"6.0.6002.18631", min_version:"6.0.6002.18000", dir:"\System32", bulletin:bulletin, kb:"2712808") \|\| hotfix_is_vulnerable(os:"6.0", sp:2, file:"localspl.dll", version:"6.0.6002.22857", min_version:"6.0.6002.22000", dir:"\System32", bulletin:bulletin, kb:"2712808") \|\| # Windows 2003 and XP x64 hotfix_is_vulnerable(os:"5.2", sp:2, file:"netapi32.dll", version:"5.2.3790.5030", dir:"\System32", bulletin:bulletin, kb:"2705219") \|\| hotfix_is_vulnerable(os:"5.2", sp:2, file:"localspl.dll", version:"5.2.3790.5002", dir:"\System32", bulletin:bulletin, kb:"2712808") \|\| # Windows XP 32-bit hotfix_is_vulnerable(os:"5.1", sp:3, file:"netapi32.dll", version:"5.1.2600.6260", dir:"\system32", bulletin:bulletin, kb:"2705219") \|\| hotfix_is_vulnerable(os:"5.1", sp:3, file:"localspl.dll", version:"5.1.2600.6226", dir:"\system32", bulletin:bulletin, kb:"2712808") ) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }

Oval

accepted

2014-03-03T04:00:51.389-05:00

class

vulnerability

contributors

name SecPod Team
organization SecPod Technologies
name Maria Mikhno
organization ALTX-SOFT

definition_extensions

comment Microsoft Windows XP (x86) SP3 is installed
oval oval:org.mitre.oval:def:5631
comment Microsoft Windows XP x64 Edition SP2 is installed
oval oval:org.mitre.oval:def:4193
comment Microsoft Windows Server 2003 SP2 (x86) is installed
oval oval:org.mitre.oval:def:1935
comment Microsoft Windows Server 2003 (ia64) SP2 is installed
oval oval:org.mitre.oval:def:1442
comment Microsoft Windows Server 2003 SP2 (x64) is installed
oval oval:org.mitre.oval:def:2161
comment Microsoft Windows Vista (32-bit) Service Pack 2 is installed
oval oval:org.mitre.oval:def:6124
comment Microsoft Windows Vista x64 Edition Service Pack 2 is installed
oval oval:org.mitre.oval:def:5594
comment Microsoft Windows Server 2008 (32-bit) Service Pack 2 is installed
oval oval:org.mitre.oval:def:5653
comment Microsoft Windows Server 2008 x64 Edition Service Pack 2 is installed
oval oval:org.mitre.oval:def:6216
comment Microsoft Windows Server 2008 Itanium-Based Edition Service Pack 2 is installed
oval oval:org.mitre.oval:def:6150
comment Microsoft Windows 7 is installed
oval oval:org.mitre.oval:def:12541
comment Microsoft Windows Server 2008 R2 x64 Edition is installed
oval oval:org.mitre.oval:def:6438
comment Microsoft Windows Server 2008 R2 Itanium-Based Edition is installed
oval oval:org.mitre.oval:def:5954
comment Microsoft Windows 7 (32-bit) Service Pack 1 is installed
oval oval:org.mitre.oval:def:12292
comment Microsoft Windows 7 x64 Service Pack 1 is installed
oval oval:org.mitre.oval:def:12627
comment Microsoft Windows Server 2008 R2 x64 Service Pack 1 is installed
oval oval:org.mitre.oval:def:12567
comment Microsoft Windows Server 2008 R2 Itanium-Based Edition Service Pack 1 is installed
oval oval:org.mitre.oval:def:12583

description

family

windows

oval:org.mitre.oval:def:15531

status

accepted

submitted

2012-08-20T15:13:07

title

Print Spooler Service Format String Vulnerability - MS12-054

version

Seebug

bulletinFamily	exploit
description	Bugtraq ID:54928 CVE ID:CVE-2012-1851 Microsoft Windows是一款流行的操作系统。 Microsoft Windows的Print Spooler服务存在格式串漏洞，允许攻击者通过构建特制的应答触发典型的格式串漏洞，可以服务进程上下文执行任意代码。 0 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows vista Microsoft Windows Server 2008 Microsoft Windows 7 厂商解决方案用户可参考如下供应商提供的安全公告获得补丁信息： http://technet.microsoft.com/en-us/security/bulletin/ms12-054
id	SSV:60332
last seen	2017-11-19
modified	2012-08-18
published	2012-08-18
reporter	Root
title	Microsoft Windows Print Spooler 远程代码执行漏洞(CVE-2012-1851)

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Msbulletin

Nessus

Oval

Seebug

References