Vulnerabilities > CVE-2012-1856 - Unspecified vulnerability in Microsoft products

047910
CVSS 8.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
microsoft
nessus

Summary

The TabStrip ActiveX control in the Common Controls in MSCOMCTL.OCX in Microsoft Office 2003 SP3, Office 2003 Web Components SP3, Office 2007 SP2 and SP3, Office 2010 SP1, SQL Server 2000 SP4, SQL Server 2005 SP4, SQL Server 2008 SP2, SP3, R2, R2 SP1, and R2 SP2, Commerce Server 2002 SP4, Commerce Server 2007 SP2, Commerce Server 2009 Gold and R2, Host Integration Server 2004 SP1, Visual FoxPro 8.0 SP1, Visual FoxPro 9.0 SP2, and Visual Basic 6.0 Runtime allows remote attackers to execute arbitrary code via a crafted (1) document or (2) web page that triggers system-state corruption, aka "MSCOMCTL.OCX RCE Vulnerability."

Msbulletin

bulletin_id: MS12-060
bulletin_url:
date: 2012-08-14T00:00:00
impact: Remote Code Execution
knowledgebase_id: 2720573
knowledgebase_url:
severity: Critical
title: Vulnerability in Windows Common Controls Could Allow Remote Code Execution

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS12-060.NASL
description: There is an unspecified remote code execution vulnerability in Windows common controls, which is included in several Microsoft products. An attacker could exploit this by tricking a user into viewing a maliciously crafted web page, resulting in arbitrary code execution.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 61535
published: 2012-08-15
reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/61535
title: MS12-060: Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2720573)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration. When the script is loaded with `description` set, only
# this metadata block runs; the exit(0) at its end returns before any check.
if (description)
{
  script_id(61535);
  script_version("1.25");
  script_cvs_date("Date: 2018/11/15 20:50:31");

  # Identifiers that tie the finding to the CVE, the Bugtraq entry and the
  # Microsoft bulletin.
  script_cve_id("CVE-2012-1856");
  script_bugtraq_id(54948);
  script_xref(name:"MSFT", value:"MS12-060");
  # One cross-reference per KB article. The same fourteen KB numbers are
  # repeated in the `kbs` list built by the check body below.
  script_xref(name:"MSKB", value:"983811");
  script_xref(name:"MSKB", value:"983812");
  script_xref(name:"MSKB", value:"983813");
  script_xref(name:"MSKB", value:"2597986");
  script_xref(name:"MSKB", value:"2687441");
  script_xref(name:"MSKB", value:"2726929");
  script_xref(name:"MSKB", value:"2708437");
  script_xref(name:"MSKB", value:"2708940");
  script_xref(name:"MSKB", value:"2708941");
  script_xref(name:"MSKB", value:"2711207");
  script_xref(name:"MSKB", value:"2716389");
  script_xref(name:"MSKB", value:"2716390");
  script_xref(name:"MSKB", value:"2716392");
  script_xref(name:"MSKB", value:"2716393");

  script_name(english:"MS12-060: Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2720573)");
  # NOTE(review): the summary names only the kill bit, but the check body also
  # compares the control's file version and SQL Server 2000 binary versions.
  script_summary(english:"Checks for kill bit");

  script_set_attribute(attribute:"synopsis", value:"The remote Windows host has a code execution vulnerability.");
  # NOTE(review): the description below mentions only a crafted web page; the
  # CVE-2012-1856 summary also names a crafted document as a delivery vector,
  # so exposure is not limited to browsing.
  script_set_attribute(attribute:"description", value:
"There is an unspecified remote code execution vulnerability in Windows
common controls, which is included in several Microsoft products. An
attacker could exploit this by tricking a user into viewing a
maliciously crafted web page, resulting in arbitrary code execution.");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/524144/30/0/threaded");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-060");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Microsoft Office 2003,
2007, and 2010, Office 2003 Web Components, Microsoft SQL Server 2000,
Microsoft SQL Analysis Services 2000, Microsoft Commerce Server 2002,
2007, and 2009, Microsoft Host Integration Server 2004, Microsoft
Visual Fox Pro 8.0 and 9.0, and Visual Basic 6.0 Runtime.");
  # CVSS v2 scoring: network vector, medium complexity, no authentication,
  # complete impact on confidentiality, integrity and availability.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  # These attributes record that exploits are available and that the flaw has
  # been used by malware; useful as a patch-prioritisation signal.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/08/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/08/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/15");

  # plugin_type "local": presumably the check relies on authenticated access
  # to the target (registry and file shares) rather than on network probing.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:sql_server");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:commerce_server");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:host_integration_server");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:visual_foxpro");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:visual_basic");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office_web_components");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");

  # Plugins that must run first; they populate the KB entries (hotfix data,
  # SQL Server, Commerce Server and FoxPro installs) that the check body reads.
  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl", "mssql_version.nasl", "commerce_server_installed.nasl", "foxpro_installed.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include('audit.inc');
include('smb_func.inc');
include('smb_hotfixes.inc');
include('smb_activex_func.inc');
include('smb_hotfixes_fcheck.inc');
include('smb_reg_query.inc');
include('misc_func.inc');

# Stop unless an earlier plugin recorded that Microsoft bulletin checks are
# possible on this host.
get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');

bulletin = 'MS12-060';
# Every KB article associated with the bulletin; mirrors the MSKB
# cross-references in the description block.
kbs = make_list(
  '983811',
  '983812',
  '983813',
  '2597986',
  '2687441',
  '2726929',
  '2708437',
  '2708940',
  '2708941',
  '2711207',
  '2716389',
  '2716390',
  '2716392',
  '2716393'
);

# When patch-management data is present in the KB, hand the bulletin and KB
# list to the third-party patch check.
# NOTE(review): whether hotfix_check_3rd_party() returns to this script is not
# visible from here; confirm before relying on the statements below running.
if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

# The checks below need the enumerated Uninstall registry keys and a known
# Windows version.
get_kb_item_or_exit('SMB/Registry/Uninstall/Enumerated');
get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);

# Set up the ActiveX helper library; audit out if that fails.
if (activex_init() != ACX_OK) audit(AUDIT_FN_FAIL, 'activex_init');

# CLSID of the TabStrip control shipped in Comctl32.ocx; the other two CLSIDs
# in the list below belong to MSComCtl.ocx.
comctl32_tabstrip = '{9ED94440-E5E8-101B-B9B5-444553540000}';

clsids = make_list(
  '{1EFB6596-857C-11D1-B16A-00C0F0283628}', # MSComCtl.ocx (TabStrip)
  '{24B224E0-9545-4A2F-ABD5-86AA8A849385}', # MSComCtl.ocx (TabStrip2)
  '{9ED94440-E5E8-101B-B9B5-444553540000}'  # Comctl32.ocx (TabStrip)
);

# State shared with the rest of the script.
vuln = FALSE;
mscomctl_vuln = FALSE;
comctl132_vuln = FALSE;
activex_report = NULL;

# A control is flagged when it is installed, its kill bit is not set, and its
# file version is in the 6.0.x or 6.1.x branch below the fixed build.
foreach clsid (clsids)
{
  # Skip CLSIDs whose control is not installed.
  control_file = activex_get_filename(clsid:clsid);
  if (isnull(control_file) || !control_file) continue;

  file_ver = activex_get_fileversion(clsid:clsid);
  if (!file_ver) file_ver = 'unknown';

  # A kill bit that is set means the control is not flagged.
  if (!(activex_get_killbit(clsid:clsid) == 0)) continue;

  # An 'unknown' version matches neither branch, so it is never flagged.
  below_fix = FALSE;
  if (file_ver =~ "^6\.0\.")
  {
    if (ver_compare(ver:file_ver, fix:'6.0.98.34') < 0) below_fix = TRUE;
  }
  else if (file_ver =~ "^6\.1\.")
  {
    if (ver_compare(ver:file_ver, fix:'6.1.98.34') < 0) below_fix = TRUE;
  }
  if (!below_fix) continue;

  vuln = TRUE;
  if (clsid == comctl32_tabstrip) comctl132_vuln = TRUE;
  else mscomctl_vuln = TRUE;

  # Separate consecutive entries with a blank line.
  entry =
    '\n  Class identifier  : ' + clsid +
    '\n  Filename          : ' + control_file +
    '\n  Installed version : ' + file_ver;
  if (!isnull(activex_report)) activex_report += '\n';
  activex_report += entry;
}

activex_end();

# Defaults for products that are detected later (registry lookup or the
# Uninstall scan below).
analysispath = NULL;
vb6_installed = FALSE;
owc2003_installed = FALSE;
his2004_installed = FALSE;

# Product inventory taken from KB entries written by earlier plugins.
analysis_svcs_installed = !isnull(get_kb_item('SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/Microsoft SQL Server 2000 Analysis Services/DisplayName'));
sql_ver_list = get_kb_list("mssql/installs/*/SQLVersion");
vfp8_installed = !isnull(get_kb_item('SMB/VFP8.0/path'));
vfp9_installed = !isnull(get_kb_item('SMB/VFP9.0/path'));
commerce_edition = get_kb_item('SMB/commerce_server/productname');
office_version = hotfix_check_office_version();

# Look through the Uninstall display names for Office 2003 Web Components and
# Host Integration Server 2004, stopping once both have been seen.
display_names = get_kb_list('SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/*/DisplayName');
foreach name (display_names)
{
  if (name == 'Microsoft Office 2003 Web Components') owc2003_installed = TRUE;
  else if (name == 'Microsoft Host Integration Server 2004') his2004_installed = TRUE;

  if (owc2003_installed && his2004_installed) break;
}

# Registry lookups are needed only when a control was flagged or SQL Server
# 2000 Analysis Services appears to be installed. The hive is opened once and
# closed at the end of this block.
if (vuln || analysis_svcs_installed)
{
  registry_init();
  hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);

  # If the ActiveX controls look unpatched, try to determine which KBs are
  # missing. Visual Basic 6.0 is detected through its ProductDir value.
  if (vuln)
  {
    if (!isnull(get_registry_value(handle:hklm, item:"SOFTWARE\Microsoft\VisualStudio\6.0\Setup\Microsoft Visual Basic\ProductDir")))
      vb6_installed = TRUE;
  }

  # Determine whether 32-bit or 64-bit Office is installed. This value is
  # reportedly set whenever Office 2010 is installed, even if Outlook is not.
  # office_bitness is assigned only when Office 14.0 was detected.
  if (office_version['14.0'])
    office_bitness = get_registry_value(handle:hklm, item:"Software\Microsoft\Office\14.0\Outlook\Bitness");

  # Get the SQL Server 2000 Analysis Services path if it looks like it's
  # installed; the file check later runs against its "bin" subdirectory.
  if (analysis_svcs_installed)
  {
    analysispath = get_registry_value(handle:hklm, item:"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft SQL Server 2000 Analysis Services\InstallLocation");

    if (analysispath)
      analysispath += "\bin";
  }

  RegCloseKey(handle:hklm);
  close_registry();
}

# prod_info collects one "Product / Missing Update" entry per installed
# product that ships a flagged control. It stays NULL when none matches.
prod_info = NULL;

if (vuln)
{
  activex_report = 'The following vulnerable controls do not have the kill bit set :\n' + activex_report;

  # Office products, reported only when an MSComCtl.ocx control was flagged.
  if (mscomctl_vuln)
  {
    if (office_version['11.0'] || owc2003_installed)
    {
      # KB923618 is Office 2003 SP3. KB2726929 will not install without it,
      # and the installer does not make the missing service pack obvious.
      prod_info +=
        '\n\n  Product        : Office 2003 / Office 2003 Web components' +
        '\n  Missing Update : KB2726929 (prerequisite: KB923618)';
      hotfix_add_report(bulletin:bulletin, kb:'2726929');
    }
    if (office_version['12.0'])
    {
      prod_info +=
        '\n\n  Product        : Office 2007' +
        '\n  Missing Update : KB2687441';
      hotfix_add_report(bulletin:bulletin, kb:'2687441');
    }
    # 64-bit Office 2010 is not reported.
    if (office_version['14.0'] && office_bitness != 'x64')
    {
      prod_info +=
        '\n\n  Product        : Office 2010' +
        '\n  Missing Update : KB2597986';
      hotfix_add_report(bulletin:bulletin, kb:'2597986');
    }
  }

  # Visual FoxPro and Visual Basic are reported whenever any control was
  # flagged, regardless of which OCX it came from.
  if (vfp8_installed)
  {
    prod_info +=
      '\n\n  Product        : Visual FoxPro 8.0' +
      '\n  Missing Update : KB2708940';
    hotfix_add_report(bulletin:bulletin, kb:'2708940');
  }
  if (vfp9_installed)
  {
    prod_info +=
      '\n\n  Product        : Visual FoxPro 9.0' +
      '\n  Missing Update : KB2708941';
    hotfix_add_report(bulletin:bulletin, kb:'2708941');
  }
  if (vb6_installed)
  {
    # KB290887 is VB 6.0 Runtime SP6
    prod_info +=
      '\n\n  Product        : Visual Basic 6.0 Runtime' +
      '\n  Missing Update : KB2708437 (prerequisite: KB290887)';
    hotfix_add_report(bulletin:bulletin, kb:'2708437');
  }

  # Host Integration Server 2004 is tied to the Comctl32.ocx control.
  if (his2004_installed && comctl132_vuln)
  {
    prod_info +=
      '\n\n  Product        : Host Integration Server 2004' +
      '\n  Missing Update : KB2711207';
    hotfix_add_report(bulletin:bulletin, kb:'2711207');
  }

  # Commerce Server editions, again only for MSComCtl.ocx findings.
  if (mscomctl_vuln)
  {
    # "2009 R2" is tested first because the plain "2009" substring also
    # matches an R2 product name.
    if ('2009 R2' >< commerce_edition)
    {
      prod_info +=
        '\n\n  Product        : Commerce Server 2009 R2' +
        '\n  Missing Update : KB2716393';
      hotfix_add_report(bulletin:bulletin, kb:'2716393');
    }
    else if ('2009' >< commerce_edition)
    {
      prod_info +=
        '\n\n  Product        : Commerce Server 2009' +
        '\n  Missing Update : KB2716392';
      hotfix_add_report(bulletin:bulletin, kb:'2716392');
    }
    if ('2007' >< commerce_edition)
    {
      prod_info +=
        '\n\n  Product        : Commerce Server 2007' +
        '\n  Missing Update : KB2716390';
      hotfix_add_report(bulletin:bulletin, kb:'2716390');
    }
    if ('2002' >< commerce_edition)
    {
      prod_info +=
        '\n\n  Product        : Commerce Server 2002' +
        '\n  Missing Update : KB2716389';
      hotfix_add_report(bulletin:bulletin, kb:'2716389');
    }
  }
}

# The only other things to check are SQL Server 2000 and SQL Server 2000
# Analysis Services. If neither is installed and no ActiveX control was
# flagged, there is no need to do any further testing.
# NOTE(review): only SQL Server 2000 binaries are version-checked below. The
# CVE summary also lists SQL Server 2005 and 2008; presumably those are covered
# by the control check above. Confirm before treating a clean result as
# coverage for those releases.
if (!vuln && isnull(analysispath) && isnull(sql_ver_list))
  exit(0, 'The host is not affected.');

# The file-version checks that follow need an accessible share on the target.
if (!is_accessible_share())
  audit(AUDIT_FN_FAIL, 'is_accessible_share()');

# SQL Server 2000 Analysis Services: compare Msmdadin.dll in the install's
# bin directory against the fixed build for KB983813.
if (analysispath)
{
  if (hotfix_is_vulnerable(path:analysispath, file:"Msmdadin.dll", version:"8.0.0.2304", min_version:"8.0.0.0", bulletin:bulletin, kb:"983813"))
  {
    vuln = TRUE;

    # The product entry is added only when there is an ActiveX report to
    # attach it to.
    if (!isnull(activex_report))
      prod_info +=
        '\n\n  Product        : SQL Server 2000 Analysis Services' +
        '\n  Missing Update : KB983813';
  }
}

# SQL Server 2000 instances: each KB key has the form
# mssql/installs/<path>/SQLVersion, and the install path is the part between
# the fixed prefix and suffix.
foreach kb_key (keys(sql_ver_list))
{
  kb_key -= 'mssql/installs/';
  kb_key -= '/SQLVersion';
  sqlpath = kb_key;

  # Skip instances whose share cannot be reached.
  share = hotfix_path2share(path:sqlpath);
  if (!is_accessible_share(share:share)) continue;

  # Try the GDR branch first; fall back to the QFE branch only when the GDR
  # check does not flag the binary.
  missing_kb = NULL;
  if (hotfix_is_vulnerable(path:sqlpath, file:"Sqlservr.exe", version:"2000.80.2066.0", min_version:"2000.80.2000.0", bulletin:bulletin, kb:"983812"))
    missing_kb = '983812';
  else if (hotfix_is_vulnerable(path:sqlpath, file:"Sqlservr.exe", version:"2000.80.2305.0", min_version:"2000.80.2100.0", bulletin:bulletin, kb:"983811"))
    missing_kb = '983811';

  if (isnull(missing_kb)) continue;

  vuln = TRUE;

  # The product entry is added only when there is an ActiveX report to
  # attach it to.
  if (!isnull(activex_report))
    prod_info +=
      '\n\n  Product        : SQL Server 2000' +
      '\n  Missing Update : KB' + missing_kb;
}

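# Final verdict. `vuln` may have been set by the ActiveX control scan or by
# the SQL Server 2000 file-version checks.
if (vuln)
{
  # activex_report is non-NULL only when the control scan flagged something,
  # and the SQL checks add to prod_info only in that case. Exit as "no KB
  # applies" only when a control was flagged but no Microsoft product matched.
  # Testing prod_info alone would also discard a host whose only finding is an
  # unpatched SQL Server 2000 binary, which is a false negative.
  if (isnull(prod_info) && !isnull(activex_report))
  {
    # Release the file-check state, as the other two exit paths do.
    hotfix_check_fversion_end();
    exit(0, "None of the Microsoft KBs applies even though at least one of the controls is in use, possibly from a third-party application.");
  }

  if (!isnull(activex_report))
  {
    activex_report +=
      '\n\nNessus determined these controls are being used by the following applications :' +
      prod_info;

    # Put a blank line before the ActiveX section when the hotfix report
    # already has content.
    if (hotfix_get_report())
      hotfix_add_report('\n' + activex_report, bulletin:bulletin);
    else
      hotfix_add_report(activex_report, bulletin:bulletin);
  }

  # For a SQL-only finding, the report text presumably comes from the
  # hotfix_is_vulnerable() calls made earlier; confirm against the library.
  set_kb_item(name:'SMB/Missing/' + bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}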

Oval

accepted: 2014-06-09T04:00:13.929-04:00
class: vulnerability
contributors
  • nameSecPod Team
    organizationSecPod Technologies
  • nameChandan S
    organizationSecPod Technologies
  • namePradeep R B
    organizationSecPod Technologies
  • namePradeep R B
    organizationSecPod Technologies
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentMicrosoft Office 2003 SP3 is installed
    ovaloval:org.mitre.oval:def:15626
  • commentMicrosoft Office 2003 Web Components SP3 is installed
    ovaloval:org.mitre.oval:def:15325
  • commentMicrosoft Office 2010 SP1 is installed
    ovaloval:org.mitre.oval:def:15198
  • commentMicrosoft Office 2007 SP2 is installed
    ovaloval:org.mitre.oval:def:15607
  • commentMicrosoft Office 2007 SP3 is installed
    ovaloval:org.mitre.oval:def:15704
  • commentMicrosoft SQL Server 2008 SP3 is installed
    ovaloval:org.mitre.oval:def:15497
  • commentMicrosoft SQL Server 2008 R2 SP1 is installed
    ovaloval:org.mitre.oval:def:15808
  • commentMicrosoft SQL Server 2008 R2 is installed
    ovaloval:org.mitre.oval:def:12596
  • commentMicrosoft SQL Server 2008 SP2 is installed
    ovaloval:org.mitre.oval:def:12310
  • commentMicrosoft SQL Server 2008 R2 SP2 is installed
    ovaloval:org.mitre.oval:def:15803
  • commentMicrosoft SQL Server 2005 SP4 is installed
    ovaloval:org.mitre.oval:def:12442
  • commentMicrosoft Commerce Server 2002 SP4 is installed
    ovaloval:org.mitre.oval:def:15722
  • commentMicrosoft Commerce Server 2007 SP2 is installed
    ovaloval:org.mitre.oval:def:15552
  • commentMicrosoft Commerce Server 2009 is installed
    ovaloval:org.mitre.oval:def:15443
  • commentMicrosoft Commerce Server 2009 R2 is installed
    ovaloval:org.mitre.oval:def:15274
  • commentMicrosoft Visual FoxPro is installed
    ovaloval:org.mitre.oval:def:14198
  • commentMicrosoft Visual FoxPro is installed
    ovaloval:org.mitre.oval:def:14198
  • commentMicrosoft Host Integration Server 2004 SP1 is installed
    ovaloval:org.mitre.oval:def:5430
  • commentMicrosoft Visual Basic 6.0 is installed
    ovaloval:org.mitre.oval:def:15369
  • commentMicrosoft SQL Server 2000 Analysis Services SP4 is installed
    ovaloval:org.mitre.oval:def:15730
  • commentMicrosoft SQL Server 2000 SP4 is installed
    ovaloval:org.mitre.oval:def:15762
descriptionThe TabStrip ActiveX control in the Common Controls in MSCOMCTL.OCX in Microsoft Office 2003 SP3, Office 2003 Web Components SP3, Office 2007 SP2 and SP3, Office 2010 SP1, SQL Server 2000 SP4, SQL Server 2005 SP4, SQL Server 2008 SP2, SP3, R2, R2 SP1, and R2 SP2, Commerce Server 2002 SP4, Commerce Server 2007 SP2, Commerce Server 2009 Gold and R2, Host Integration Server 2004 SP1, Visual FoxPro 8.0 SP1, Visual FoxPro 9.0 SP2, and Visual Basic 6.0 Runtime allows remote attackers to execute arbitrary code via a crafted (1) document or (2) web page that triggers system-state corruption, aka "MSCOMCTL.OCX RCE Vulnerability."
family: windows
id: oval:org.mitre.oval:def:15447
status: accepted
submitted: 2012-08-21T11:30:57
title: MSCOMCTL.OCX RCE Vulnerability - MS12-060
version: 91

Seebug

bulletinFamilyexploit
descriptionBugtraq ID:54948 CVE ID:CVE-2012-1856 Microsoft Windows是一款流行的操作系统。 Microsoft Windows多个产品使用的MSCOMCTL.OCX中的通用控件TabStrip ActiveX控件存在漏洞,允许攻击者构建特制的文档或WEB页面,诱使用户解析,可破坏内存,可以应用程序上下文执行任意代码。目前此漏洞已经在网络上积极利用。 0 Microsoft Commerce Server 2002 Microsoft Commerce Server 2007 Microsoft Commerce Server 2009 Microsoft Host Integration Server 2004 Microsoft Office 2003 Professional Edition Microsoft Office 2003 Small Business Edition Microsoft Office 2003 Standard Edition Microsoft Office 2003 Student and Teacher Edition Microsoft Office 2003 Web Components Microsoft Office 2007 Microsoft Office 2010 Microsoft SQL Server 2000 Microsoft SQL Server 2000 Analysis Services Microsoft SQL Server 2005 Microsoft SQL Server 2005 Compact Edition 3.x Microsoft SQL Server 2005 Express Edition Microsoft SQL Server 2008 Microsoft Visual Basic 6.x Microsoft Visual FoxPro 8.x Microsoft Visual FoxPro 9.x 厂商解决方案 用户可参考如下供应商提供的安全公告获得补丁信息: http://technet.microsoft.com/en-us/security/bulletin/ms12-060
id: SSV:60330
last seen: 2017-11-19
modified: 2012-08-18
published: 2012-08-18
reporter: Root
title: Microsoft Windows通用控件ActiveX控件远程代码执行漏洞

The Hacker News

id: THN:59AA6ADFEEB67D7E156CDF3579330697
last seen: 2017-01-08
modified: 2013-09-27
published: 2013-09-27
reporter: Mohit Kumar
source: http://thehackernews.com/2013/09/chinese-apt-espionage-campaign-dubbed.html
title: Chinese APT Espionage campaign, dubbed 'Icefog' targeted Military contractors and Governments