Vulnerabilities > CVE-2012-1856 - Code Injection vulnerability in Microsoft products

CVSS 9.3 - CRITICAL

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

microsoft

CWE-94

critical

nessus

NVD

Published: 2012-08-15

Updated: 2018-11-07

Summary

The TabStrip ActiveX control in the Common Controls in MSCOMCTL.OCX in Microsoft Office 2003 SP3, Office 2003 Web Components SP3, Office 2007 SP2 and SP3, Office 2010 SP1, SQL Server 2000 SP4, SQL Server 2005 SP4, SQL Server 2008 SP2, SP3, R2, R2 SP1, and R2 SP2, Commerce Server 2002 SP4, Commerce Server 2007 SP2, Commerce Server 2009 Gold and R2, Host Integration Server 2004 SP1, Visual FoxPro 8.0 SP1, Visual FoxPro 9.0 SP2, and Visual Basic 6.0 Runtime allows remote attackers to execute arbitrary code via a crafted (1) document or (2) web page that triggers system-state corruption, aka "MSCOMCTL.OCX RCE Vulnerability."

Vulnerable Configurations

Part	Description	Count
Application	Microsoft Microsoft Commerce Server 2002 Microsoft Commerce Server 2007 Microsoft Commerce Server 2009 Microsoft Host Integration Server 2004 Microsoft Office 2003 Microsoft Office 2007 Microsoft Office 2010 Microsoft Office WEB Components 2003 Microsoft SQL Server 2000 Microsoft SQL Server 2005 Microsoft SQL Server 2008 Microsoft Visual Basic 6.0 Microsoft Visual Foxpro 8.0 Microsoft Visual Foxpro 9.0	34

Common Weakness Enumeration (CWE)

CWE-94 - Improper Control of Generation of Code ('Code Injection')

Common Attack Pattern Enumeration and Classification (CAPEC)

Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

Msbulletin

bulletin_id	MS12-060
bulletin_url
date	2012-08-14T00:00:00
impact	Remote Code Execution
knowledgebase_id	2720573
knowledgebase_url
severity	Critical
title	Vulnerability in Windows Common Controls Could Allow Remote Code Execution

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS12-060.NASL
description	There is an unspecified remote code execution vulnerability in Windows common controls, which is included in several Microsoft products. An attacker could exploit this by tricking a user into viewing a maliciously crafted web page, resulting in arbitrary code execution.
last seen	2020-06-01
modified	2020-06-02
plugin id	61535
published	2012-08-15
reporter	This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/61535
title	MS12-060: Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2720573)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(61535); script_version("1.25"); script_cvs_date("Date: 2018/11/15 20:50:31"); script_cve_id("CVE-2012-1856"); script_bugtraq_id(54948); script_xref(name:"MSFT", value:"MS12-060"); script_xref(name:"MSKB", value:"983811"); script_xref(name:"MSKB", value:"983812"); script_xref(name:"MSKB", value:"983813"); script_xref(name:"MSKB", value:"2597986"); script_xref(name:"MSKB", value:"2687441"); script_xref(name:"MSKB", value:"2726929"); script_xref(name:"MSKB", value:"2708437"); script_xref(name:"MSKB", value:"2708940"); script_xref(name:"MSKB", value:"2708941"); script_xref(name:"MSKB", value:"2711207"); script_xref(name:"MSKB", value:"2716389"); script_xref(name:"MSKB", value:"2716390"); script_xref(name:"MSKB", value:"2716392"); script_xref(name:"MSKB", value:"2716393"); script_name(english:"MS12-060: Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2720573)"); script_summary(english:"Checks for kill bit"); script_set_attribute(attribute:"synopsis", value:"The remote Windows host has a code execution vulnerability."); script_set_attribute(attribute:"description", value: "There is an unspecified remote code execution vulnerability in Windows common controls, which is included in several Microsoft products. An attacker could exploit this by tricking a user into viewing a maliciously crafted web page, resulting in arbitrary code execution."); script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/524144/30/0/threaded"); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-060"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Microsoft Office 2003, 2007, and 2010, Office 2003 Web Components, Microsoft SQL Server 2000, Microsoft SQL Analysis Services 2000, Microsoft Commerce Server 2002, 2007, and 2009, Microsoft Host Integration Server 2004, Microsoft Visual Fox Pro 8.0 and 9.0, and Visual Basic 6.0 Runtime."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2012/08/14"); script_set_attribute(attribute:"patch_publication_date", value:"2012/08/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/15"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:sql_server"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:commerce_server"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:host_integration_server"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:visual_foxpro"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:visual_basic"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office_web_components"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl", "mssql_version.nasl", "commerce_server_installed.nasl", "foxpro_installed.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, "Host/patch_management_checks"); exit(0); } include('audit.inc'); include('smb_func.inc'); include('smb_hotfixes.inc'); include('smb_activex_func.inc'); include('smb_hotfixes_fcheck.inc'); include('smb_reg_query.inc'); include('misc_func.inc'); get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible'); bulletin = 'MS12-060'; kbs = make_list( '983811', '983812', '983813', '2597986', '2687441', '2726929', '2708437', '2708940', '2708941', '2711207', '2716389', '2716390', '2716392', '2716393' ); if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit('SMB/Registry/Uninstall/Enumerated'); get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1); if (activex_init() != ACX_OK) audit(AUDIT_FN_FAIL, 'activex_init'); clsids = make_list( '{1EFB6596-857C-11D1-B16A-00C0F0283628}',# MSComCtl.ocx (TabStrip) '{24B224E0-9545-4A2F-ABD5-86AA8A849385}',# MSComCtl.ocx (TabStrip2) '{9ED94440-E5E8-101B-B9B5-444553540000}' # Comctl32.ocx (TabStrip) ); activex_report = NULL; comctl132_vuln = FALSE; mscomctl_vuln = FALSE; vuln = FALSE; foreach clsid (clsids) { # Make sure the control is installed file = activex_get_filename(clsid:clsid); if (isnull(file) \|\| !file) continue; # Get its version version = activex_get_fileversion(clsid:clsid); if (!version) version = 'unknown'; if ( activex_get_killbit(clsid:clsid) == 0 && ( (version =~ "^6\.0\." && ver_compare(ver:version, fix:'6.0.98.34') < 0) \|\| (version =~ "^6\.1\." && ver_compare(ver:version, fix:'6.1.98.34') < 0) ) ) { vuln = TRUE; if (clsid == '{9ED94440-E5E8-101B-B9B5-444553540000}') comctl132_vuln = TRUE; else mscomctl_vuln = TRUE; if(!isnull(activex_report)) activex_report += '\n'; activex_report += '\n Class identifier : ' + clsid + '\n Filename : ' + file + '\n Installed version : ' + version; } } activex_end(); analysis_svcs_installed = !isnull(get_kb_item('SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/Microsoft SQL Server 2000 Analysis Services/DisplayName')); sql_ver_list = get_kb_list("mssql/installs//SQLVersion"); analysispath = NULL; vfp8_installed = !isnull(get_kb_item('SMB/VFP8.0/path')); vfp9_installed = !isnull(get_kb_item('SMB/VFP9.0/path')); commerce_edition = get_kb_item('SMB/commerce_server/productname'); vb6_installed = FALSE; office_version = hotfix_check_office_version(); owc2003_installed = FALSE; his2004_installed = FALSE; foreach name (get_kb_list('SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall//DisplayName')) { if (name == 'Microsoft Office 2003 Web Components') owc2003_installed = TRUE; if (name == 'Microsoft Host Integration Server 2004') his2004_installed = TRUE; # break early if possible if(owc2003_installed == TRUE && his2004_installed == TRUE) break; } if (vuln \|\| analysis_svcs_installed) { registry_init(); hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE); # If the ActiveX stuff looks unpatched, try to determine which KBs are missing if (vuln) { if (!isnull(get_registry_value(handle:hklm, item:"SOFTWARE\Microsoft\VisualStudio\6.0\Setup\Microsoft Visual Basic\ProductDir"))) vb6_installed = TRUE; } # determine if 32 or 64-bit office is installed. this value is reportedly whenever office 2010 is installed, even if outlook is not installed if (office_version['14.0']) office_bitness = get_registry_value(handle:hklm, item:"Software\Microsoft\Office\14.0\Outlook\Bitness"); # get the SQL Server 200 Analysis Services path if it looks like it's installed if (analysis_svcs_installed) { analysispath = get_registry_value(handle:hklm, item:"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft SQL Server 2000 Analysis Services\InstallLocation"); if (analysispath) analysispath += "\bin"; } RegCloseKey(handle:hklm); close_registry(); } prod_info = NULL; if (vuln) { activex_report = 'The following vulnerable controls do not have the kill bit set :\n' + activex_report; prod_info = NULL; if ((office_version['11.0'] \|\| owc2003_installed) && mscomctl_vuln) { # KB923618 is Office 2003 SP3. KB2726929 will fail to install unless it's present, though it # doesn't make it clear that the failure is due to a lack of SP3 prod_info += '\n' + '\n Product : Office 2003 / Office 2003 Web components' + '\n Missing Update : KB2726929 (prerequisite: KB923618)'; hotfix_add_report(bulletin:bulletin, kb:'2726929'); } if (office_version['12.0'] && mscomctl_vuln) { prod_info += '\n' + '\n Product : Office 2007' + '\n Missing Update : KB2687441'; hotfix_add_report(bulletin:bulletin, kb:'2687441'); } if (office_version['14.0'] && office_bitness != 'x64' && mscomctl_vuln) { prod_info += '\n' + '\n Product : Office 2010' + '\n Missing Update : KB2597986'; hotfix_add_report(bulletin:bulletin, kb:'2597986'); } if (vfp8_installed) { prod_info += '\n' + '\n Product : Visual FoxPro 8.0' + '\n Missing Update : KB2708940'; hotfix_add_report(bulletin:bulletin, kb:'2708940'); } if (vfp9_installed) { prod_info += '\n' + '\n Product : Visual FoxPro 9.0' + '\n Missing Update : KB2708941'; hotfix_add_report(bulletin:bulletin, kb:'2708941'); } if (vb6_installed) { # KB290887 is VB 6.0 Runtime SP6 prod_info += '\n' + '\n Product : Visual Basic 6.0 Runtime' + '\n Missing Update : KB2708437 (prerequisite: KB290887)'; hotfix_add_report(bulletin:bulletin, kb:'2708437'); } if (his2004_installed && comctl132_vuln) { prod_info += '\n' + '\n Product : Host Integration Server 2004' + '\n Missing Update : KB2711207'; hotfix_add_report(bulletin:bulletin, kb:'2711207'); } if ('2009 R2' >< commerce_edition && mscomctl_vuln) { prod_info += '\n' + '\n Product : Commerce Server 2009 R2' + '\n Missing Update : KB2716393'; hotfix_add_report(bulletin:bulletin, kb:'2716393'); } else if ('2009' >< commerce_edition && mscomctl_vuln) { prod_info += '\n' + '\n Product : Commerce Server 2009' + '\n Missing Update : KB2716392'; hotfix_add_report(bulletin:bulletin, kb:'2716392'); } if ('2007' >< commerce_edition && mscomctl_vuln) { prod_info += '\n' + '\n Product : Commerce Server 2007' + '\n Missing Update : KB2716390'; hotfix_add_report(bulletin:bulletin, kb:'2716390'); } if ('2002' >< commerce_edition && mscomctl_vuln) { prod_info += '\n' + '\n Product : Commerce Server 2002' + '\n Missing Update : KB2716389'; hotfix_add_report(bulletin:bulletin, kb:'2716389'); } } # the only other things to check are sql server 2000 and sql server 2000 analysis services. # if neither are installed and the activex stuff is not vulnerable, there's no need to do any further testing if (!vuln && isnull(analysispath) && isnull(sql_ver_list)) exit(0, 'The host is not affected.'); if (!is_accessible_share()) audit(AUDIT_FN_FAIL, 'is_accessible_share()'); # SQL Server 2000 Analysis Services if ( analysispath && hotfix_is_vulnerable(path:analysispath, file:"Msmdadin.dll", version:"8.0.0.2304", min_version:"8.0.0.0", bulletin:bulletin, kb:"983813") ) { vuln = TRUE; if (!isnull(activex_report)) { prod_info += '\n' + '\n Product : SQL Server 2000 Analysis Services' + '\n Missing Update : KB983813'; } } foreach item (keys(sql_ver_list)) { item -= 'mssql/installs/'; item -= '/SQLVersion'; sqlpath = item; share = hotfix_path2share(path:sqlpath); if (!is_accessible_share(share:share)) continue; # GDR if (hotfix_is_vulnerable(path:sqlpath, file:"Sqlservr.exe", version:"2000.80.2066.0", min_version:"2000.80.2000.0", bulletin:bulletin, kb:"983812")) { vuln = TRUE; if (!isnull(activex_report)) { prod_info += '\n' + '\n Product : SQL Server 2000' + '\n Missing Update : KB983812'; } } # QFE else if(hotfix_is_vulnerable(path:sqlpath, file:"Sqlservr.exe", version:"2000.80.2305.0", min_version:"2000.80.2100.0", bulletin:bulletin, kb:"983811")) { vuln = TRUE; if (!isnull(activex_report)) { prod_info += '\n' + '\n Product : SQL Server 2000' + '\n Missing Update : KB983811'; } } } if (vuln) { if (isnull(prod_info)) exit(0, "None of the Microsoft KBs applies even though at least one of the controls is in use, possibly from a third-party application."); if (!isnull(activex_report)) { activex_report += '\n\nNessus determined these controls are being used by the following applications :' + prod_info; if (hotfix_get_report()) hotfix_add_report('\n' + activex_report, bulletin:bulletin); else hotfix_add_report(activex_report, bulletin:bulletin); } set_kb_item(name:'SMB/Missing/' + bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }

Oval

accepted

2014-06-09T04:00:13.929-04:00

class

vulnerability

contributors

name SecPod Team
organization SecPod Technologies
name Chandan S
organization SecPod Technologies
name Pradeep R B
organization SecPod Technologies
name Pradeep R B
organization SecPod Technologies
name Dragos Prisaca
organization G2, Inc.

definition_extensions

comment Microsoft Office 2003 SP3 is installed
oval oval:org.mitre.oval:def:15626
comment Microsoft Office 2003 Web Components SP3 is installed
oval oval:org.mitre.oval:def:15325
comment Microsoft Office 2010 SP1 is installed
oval oval:org.mitre.oval:def:15198
comment Microsoft Office 2007 SP2 is installed
oval oval:org.mitre.oval:def:15607
comment Microsoft Office 2007 SP3 is installed
oval oval:org.mitre.oval:def:15704
comment Microsoft SQL Server 2008 SP3 is installed
oval oval:org.mitre.oval:def:15497
comment Microsoft SQL Server 2008 R2 SP1 is installed
oval oval:org.mitre.oval:def:15808
comment Microsoft SQL Server 2008 R2 is installed
oval oval:org.mitre.oval:def:12596
comment Microsoft SQL Server 2008 SP2 is installed
oval oval:org.mitre.oval:def:12310
comment Microsoft SQL Server 2008 R2 SP2 is installed
oval oval:org.mitre.oval:def:15803
comment Microsoft SQL Server 2005 SP4 is installed
oval oval:org.mitre.oval:def:12442
comment Microsoft Commerce Server 2002 SP4 is installed
oval oval:org.mitre.oval:def:15722
comment Microsoft Commerce Server 2007 SP2 is installed
oval oval:org.mitre.oval:def:15552
comment Microsoft Commerce Server 2009 is installed
oval oval:org.mitre.oval:def:15443
comment Microsoft Commerce Server 2009 R2 is installed
oval oval:org.mitre.oval:def:15274
comment Microsoft Visual FoxPro is installed
oval oval:org.mitre.oval:def:14198
comment Microsoft Visual FoxPro is installed
oval oval:org.mitre.oval:def:14198
comment Microsoft Host Integration Server 2004 SP1 is installed
oval oval:org.mitre.oval:def:5430
comment Microsoft Visual Basic 6.0 is installed
oval oval:org.mitre.oval:def:15369
comment Microsoft SQL Server 2000 Analysis Services SP4 is installed
oval oval:org.mitre.oval:def:15730
comment Microsoft SQL Server 2000 SP4 is installed
oval oval:org.mitre.oval:def:15762

description

family

windows

oval:org.mitre.oval:def:15447

status

accepted

submitted

2012-08-21T11:30:57

title

MSCOMCTL.OCX RCE Vulnerability - MS12-060

version

Seebug

bulletinFamily	exploit
description	Bugtraq ID:54948 CVE ID:CVE-2012-1856 Microsoft Windows是一款流行的操作系统。 Microsoft Windows多个产品使用的MSCOMCTL.OCX中的通用控件TabStrip ActiveX控件存在漏洞，允许攻击者构建特制的文档或WEB页面，诱使用户解析，可破坏内存，可以应用程序上下文执行任意代码。目前此漏洞已经在网络上积极利用。 0 Microsoft Commerce Server 2002 Microsoft Commerce Server 2007 Microsoft Commerce Server 2009 Microsoft Host Integration Server 2004 Microsoft Office 2003 Professional Edition Microsoft Office 2003 Small Business Edition Microsoft Office 2003 Standard Edition Microsoft Office 2003 Student and Teacher Edition Microsoft Office 2003 Web Components Microsoft Office 2007 Microsoft Office 2010 Microsoft SQL Server 2000 Microsoft SQL Server 2000 Analysis Services Microsoft SQL Server 2005 Microsoft SQL Server 2005 Compact Edition 3.x Microsoft SQL Server 2005 Express Edition Microsoft SQL Server 2008 Microsoft Visual Basic 6.x Microsoft Visual FoxPro 8.x Microsoft Visual FoxPro 9.x 厂商解决方案用户可参考如下供应商提供的安全公告获得补丁信息： http://technet.microsoft.com/en-us/security/bulletin/ms12-060
id	SSV:60330
last seen	2017-11-19
modified	2012-08-18
published	2012-08-18
reporter	Root
title	Microsoft Windows通用控件ActiveX控件远程代码执行漏洞

The Hacker News

id	THN:59AA6ADFEEB67D7E156CDF3579330697
last seen	2017-01-08
modified	2013-09-27
published	2013-09-27
reporter	Mohit Kumar
source	http://thehackernews.com/2013/09/chinese-apt-espionage-campaign-dubbed.html
title	Chinese APT Espionage campaign, dubbed 'Icefog' targeted Military contractors and Governments

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Msbulletin

Nessus

Oval

Seebug

The Hacker News

References