CVE-2012-1851 - Use of Externally-Controlled Format String vulnerability in Microsoft products

CVSS 0.0 - NONE
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN

Summary

Format string vulnerability in the Print Spooler service in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via a crafted response, aka "Print Spooler Service Format String Vulnerability."

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Format String Injection
    An attacker includes formatting characters in a string input field of the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting characters. For example, in certain functions of the C programming language such as printf, the formatting character %s prints the contents of a memory location, expecting that location to hold a string, and the formatting character %n writes the count of characters output so far into memory. An attacker can use this to read or write memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes, and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack.
  • String Format Overflow in syslog()
    This attack targets format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input into the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.
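The CAPEC entries above describe the bug class in the abstract. The following C snippet is an added illustration, not code from this page, from CAPEC or from Microsoft, and it has nothing to do with the Print Spooler internals: it places the vulnerable pattern (untrusted text used as the format argument) beside the corrected pattern (a literal format with the text passed as a %s argument), and adds a small helper that counts conversion directives in a string, which is handy when reviewing code or inspecting a captured field that should never have reached a format argument. The function names and the sample string are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* VULNERABLE pattern (for comparison only; never call it with untrusted data):
 * the caller-supplied string is the format itself, so any %s, %x or %n it
 * contains is interpreted by snprintf. This is exactly the call that
 * gcc/clang flag with -Wformat-security ("format not a string literal"). */
static int log_status_unsafe(char *out, size_t outsz, const char *untrusted)
{
    return snprintf(out, outsz, untrusted);
}

/* HARDENED pattern: the format is a literal and the untrusted string is only
 * ever consumed as a %s argument, so its '%' characters are copied verbatim. */
static int log_status_safe(char *out, size_t outsz, const char *untrusted)
{
    return snprintf(out, outsz, "status: %s", untrusted);
}

/* Count format directives in a string, treating "%%" as an escaped percent
 * and ignoring a lone trailing '%'. A non-zero count on a value that is
 * supposed to be plain text is a useful review or triage signal. */
static int count_conversion_specs(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* "%%" is a literal percent */
        if (s[1] == '\0') break;              /* lone '%' at end of string */
        n++;
    }
    return n;
}

/* Returns 1 when the hardened logger reproduced the untrusted text literally
 * (directives left uninterpreted), 0 otherwise. */
static int safe_preserves_literal(const char *untrusted)
{
    char buf[128];
    int written = log_status_safe(buf, sizeof buf, untrusted);
    const char *prefix = "status: ";
    if (written < 0 || (size_t)written >= sizeof buf) return 0;
    if (strncmp(buf, prefix, strlen(prefix)) != 0) return 0;
    return strcmp(buf + strlen(prefix), untrusted) == 0;
}

int main(void)
{
    /* Constructed sample: text that looks like an ordinary status field but
     * carries three directives. The unsafe logger is deliberately not run. */
    const char *sample = "job %x %x %n";
    char buf[128];

    printf("directives in sample: %d\n", count_conversion_specs(sample));
    log_status_safe(buf, sizeof buf, sample);
    printf("hardened output: %s\n", buf);   /* directives appear literally */
    (void)log_status_unsafe;                /* present for comparison only */
    return 0;
}
```

Compiling with -Wformat -Wformat-security (or -Wformat=2) reports the unsafe function and is silent on the hardened one; treating that warning as an error in CI is the cheapest way to keep this class of bug out of native code that handles network-supplied strings.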

Msbulletin

bulletin_id: MS12-054
bulletin_url:
date: 2012-08-14T00:00:00
impact: Remote Code Execution
knowledgebase_id: 2733594
knowledgebase_url:
severity: Critical
title: Vulnerabilities in Windows Networking Components Could Allow Remote Code Execution

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS12-054.NASL
description: The remote Windows host is potentially affected by the following vulnerabilities:
  • A denial of service vulnerability exists in Windows networking components. The vulnerability is due to the service not properly handling specially crafted RAP requests. (CVE-2012-1850)
  • A remote code execution vulnerability exists in the Windows Print Spooler service that can allow a remote, unauthenticated attacker to execute arbitrary code on an affected system. (CVE-2012-1851)
  • A remote code execution vulnerability exists in the way that Windows networking components handle specially crafted RAP responses. (CVE-2012-1852, CVE-2012-1853)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 61529
published: 2012-08-15
reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/61529
title: MS12-054: Vulnerabilities in Windows Networking Components Could Allow Remote Code Execution (2733594)
code:

# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(61529);
  script_version("1.12");
  script_cvs_date("Date: 2018/11/15 20:50:31");

  script_cve_id(
    "CVE-2012-1850",
    "CVE-2012-1851",
    "CVE-2012-1852",
    "CVE-2012-1853"
  );
  script_bugtraq_id(54921, 54928, 54931, 54940);
  script_xref(name:"MSFT", value:"MS12-054");
  script_xref(name:"IAVA", value:"2012-A-0137");
  script_xref(name:"MSKB", value:"2705219");
  script_xref(name:"MSKB", value:"2712808");

  script_name(english:"MS12-054: Vulnerabilities in Windows Networking Components Could Allow Remote Code Execution (2733594)");
  script_summary(english:"Checks version of netapi32.dll and localspl.dll");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Windows host is potentially affected by multiple code
execution vulnerabilities."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote Windows host is potentially affected by the following
vulnerabilities :

  - A denial of service vulnerability exists in Windows
    networking components.  The vulnerability is due to the
    service not properly handling specially crafted RAP
    requests. (CVE-2012-1850)

  - A remote code execution vulnerability exists in the
    Windows Print Spooler service that can allow a remote,
    unauthenticated attacker to execute arbitrary code on
    an affected system. (CVE-2012-1851)

  - A remote code execution vulnerability exists in the
    way that Windows networking components handle
    specially crafted RAP responses.
    (CVE-2012-1852, CVE-2012-1853)"
  );
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-054");
  script_set_attribute(
    attribute:"solution",
    value:
"Microsoft has released a set of patches for Windows XP, 2003, Vista,
2008, 7, and 2008 R2."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/08/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/08/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/15");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = "MS12-054";
kbs = make_list("2705219","2712808");

if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);

if (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
 # Windows 7 / Server 2008 R2
  hotfix_is_vulnerable(os:"6.1", sp:0, file:"netapi32.dll", version:"6.1.7600.17056", min_version:"6.1.7600.16000",    dir:"\System32", bulletin:bulletin, kb:"2705219") ||
  hotfix_is_vulnerable(os:"6.1", sp:0, file:"netapi32.dll", version:"6.1.7600.21256", min_version:"6.1.7600.20000",    dir:"\System32", bulletin:bulletin, kb:"2705219") ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"netapi32.dll", version:"6.1.7601.17887", min_version:"6.1.7601.17000",    dir:"\System32", bulletin:bulletin, kb:"2705219") ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"netapi32.dll", version:"6.1.7601.22044", min_version:"6.1.7601.21000",    dir:"\System32", bulletin:bulletin, kb:"2705219") ||
  hotfix_is_vulnerable(os:"6.1", sp:0, file:"localspl.dll", version:"6.1.7600.17023", min_version:"6.1.7600.16000",    dir:"\System32", bulletin:bulletin, kb:"2712808") ||
  hotfix_is_vulnerable(os:"6.1", sp:0, file:"localspl.dll", version:"6.1.7600.21214",  min_version:"6.1.7600.20000",   dir:"\System32", bulletin:bulletin, kb:"2712808") ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"localspl.dll", version:"6.1.7601.17841",  min_version:"6.1.7601.17000",   dir:"\System32", bulletin:bulletin, kb:"2712808") ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"localspl.dll", version:"6.1.7601.21994",  min_version:"6.1.7601.21000",   dir:"\System32", bulletin:bulletin, kb:"2712808") ||

  # Vista / Windows Server 2008
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"netapi32.dll", version:"6.0.6002.18659", min_version:"6.0.6002.18000",    dir:"\System32", bulletin:bulletin, kb:"2705219") ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"netapi32.dll", version:"6.0.6002.22887", min_version:"6.0.6002.22000",    dir:"\System32", bulletin:bulletin, kb:"2705219") ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"localspl.dll", version:"6.0.6002.18631", min_version:"6.0.6002.18000",    dir:"\System32", bulletin:bulletin, kb:"2712808") ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"localspl.dll", version:"6.0.6002.22857", min_version:"6.0.6002.22000",    dir:"\System32", bulletin:bulletin, kb:"2712808") ||

  # Windows 2003 and XP x64
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"netapi32.dll", version:"5.2.3790.5030",                                   dir:"\System32", bulletin:bulletin, kb:"2705219") ||
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"localspl.dll", version:"5.2.3790.5002",                                   dir:"\System32", bulletin:bulletin, kb:"2712808") ||

  # Windows XP 32-bit
  hotfix_is_vulnerable(os:"5.1", sp:3, file:"netapi32.dll", version:"5.1.2600.6260",                                   dir:"\system32", bulletin:bulletin, kb:"2705219") ||
  hotfix_is_vulnerable(os:"5.1", sp:3, file:"localspl.dll", version:"5.1.2600.6226",                                   dir:"\system32", bulletin:bulletin, kb:"2712808")
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

accepted: 2014-03-03T04:00:51.389-05:00
class: vulnerability
contributors:
  • name: SecPod Team
    organization: SecPod Technologies
  • name: Maria Mikhno
    organization: ALTX-SOFT
definition_extensions:
  • comment: Microsoft Windows XP (x86) SP3 is installed
    oval: oval:org.mitre.oval:def:5631
  • comment: Microsoft Windows XP x64 Edition SP2 is installed
    oval: oval:org.mitre.oval:def:4193
  • comment: Microsoft Windows Server 2003 SP2 (x86) is installed
    oval: oval:org.mitre.oval:def:1935
  • comment: Microsoft Windows Server 2003 (ia64) SP2 is installed
    oval: oval:org.mitre.oval:def:1442
  • comment: Microsoft Windows Server 2003 SP2 (x64) is installed
    oval: oval:org.mitre.oval:def:2161
  • comment: Microsoft Windows Vista (32-bit) Service Pack 2 is installed
    oval: oval:org.mitre.oval:def:6124
  • comment: Microsoft Windows Vista x64 Edition Service Pack 2 is installed
    oval: oval:org.mitre.oval:def:5594
  • comment: Microsoft Windows Server 2008 (32-bit) Service Pack 2 is installed
    oval: oval:org.mitre.oval:def:5653
  • comment: Microsoft Windows Server 2008 x64 Edition Service Pack 2 is installed
    oval: oval:org.mitre.oval:def:6216
  • comment: Microsoft Windows Server 2008 Itanium-Based Edition Service Pack 2 is installed
    oval: oval:org.mitre.oval:def:6150
  • comment: Microsoft Windows 7 is installed
    oval: oval:org.mitre.oval:def:12541
  • comment: Microsoft Windows Server 2008 R2 x64 Edition is installed
    oval: oval:org.mitre.oval:def:6438
  • comment: Microsoft Windows Server 2008 R2 Itanium-Based Edition is installed
    oval: oval:org.mitre.oval:def:5954
  • comment: Microsoft Windows 7 (32-bit) Service Pack 1 is installed
    oval: oval:org.mitre.oval:def:12292
  • comment: Microsoft Windows 7 x64 Service Pack 1 is installed
    oval: oval:org.mitre.oval:def:12627
  • comment: Microsoft Windows Server 2008 R2 x64 Service Pack 1 is installed
    oval: oval:org.mitre.oval:def:12567
  • comment: Microsoft Windows Server 2008 R2 Itanium-Based Edition Service Pack 1 is installed
    oval: oval:org.mitre.oval:def:12583
description: Format string vulnerability in the Print Spooler service in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via a crafted response, aka "Print Spooler Service Format String Vulnerability."
family: windows
id: oval:org.mitre.oval:def:15531
status: accepted
submitted: 2012-08-20T15:13:07
title: Print Spooler Service Format String Vulnerability - MS12-054
version: 76

Seebug

bulletinFamily: exploit
description: Bugtraq ID: 54928. CVE ID: CVE-2012-1851. Microsoft Windows is a popular operating system. The Print Spooler service in Microsoft Windows has a format string vulnerability; an attacker can trigger a classic format string vulnerability by constructing a specially crafted response and execute arbitrary code in the context of the service process. Affected: Microsoft Windows XP, Microsoft Windows Server 2003, Microsoft Windows Vista, Microsoft Windows Server 2008, Microsoft Windows 7. Vendor solution: users can obtain patch information from the following vendor security bulletin: http://technet.microsoft.com/en-us/security/bulletin/ms12-054
id: SSV:60332
last seen: 2017-11-19
modified: 2012-08-18
published: 2012-08-18
reporter: Root
title: Microsoft Windows Print Spooler Remote Code Execution Vulnerability (CVE-2012-1851)