Vulnerabilities > CVE-2012-2523 - Numeric Errors vulnerability in Microsoft Internet Explorer, Jscript and Vbscript
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Summary
Integer overflow in Microsoft Internet Explorer 8 and 9, JScript 5.8, and VBScript 5.8 on 64-bit platforms allows remote attackers to execute arbitrary code by leveraging an incorrect size calculation during object copying, aka "JavaScript Integer Overflow Remote Code Execution Vulnerability."
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 4 |
Common Weakness Enumeration (CWE)
Msbulletin
bulletin_id MS12-052
bulletin_url
date 2012-08-14T00:00:00
impact Remote Code Execution
knowledgebase_id 2722913
knowledgebase_url
severity Critical
title Cumulative Security Update for Internet Explorer

bulletin_id MS12-056
bulletin_url
date 2012-08-14T00:00:00
impact Remote Code Execution
knowledgebase_id 2706045
knowledgebase_url
severity Important
title Vulnerability in JScript and VBScript Engines Could Allow Remote Code Execution
Nessus
NASL family Windows : Microsoft Bulletins
NASL id SMB_NT_MS12-052.NASL
description The remote host is missing Internet Explorer (IE) Security Update 2722913. The installed version of IE is affected by vulnerabilities that could allow an attacker to execute arbitrary code on the remote host.
last seen 2020-06-01
modified 2020-06-02
plugin id 61527
published 2012-08-15
reporter This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/61527
title MS12-052: Cumulative Security Update for Internet Explorer (2722913)
code
#
# (C) Tenable Network Security, Inc.
#

# Patch check for bulletin MS12-052 (KB2722913): compares the version of
# Mshtml.dll under the system root with per-OS / per-IE-release thresholds.
# The verdict is per bulletin, not per CVE: four CVE ids are attached below and
# no architecture test is made in this script, so a finding here does not by
# itself show exposure to CVE-2012-2523, which its CVE summary limits to
# 64-bit platforms.

include("compat.inc");

# Metadata block: registers the plugin's attributes and exits without
# running any check.
if (description)
{
  script_id(61527);
  script_version("1.13");
  script_cvs_date("Date: 2018/11/15 20:50:31");

  script_cve_id("CVE-2012-1526", "CVE-2012-2521", "CVE-2012-2522", "CVE-2012-2523");
  script_bugtraq_id(54945, 54950, 54951, 54952);
  script_xref(name:"MSFT", value:"MS12-052");
  script_xref(name:"IAVA", value:"2012-A-0130");
  script_xref(name:"MSKB", value:"2722913");

  script_name(english:"MS12-052: Cumulative Security Update for Internet Explorer (2722913)");
  script_summary(english:"Checks version of Mshtml.dll");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote host is affected by code execution vulnerabilities."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is missing Internet Explorer (IE) Security Update 2722913. The installed version of IE is affected by vulnerabilities that could allow an attacker to execute arbitrary code on the remote host."
  );
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-052");
  script_set_attribute(
    attribute:"solution",
    value:
"Microsoft has released a set of patches for XP, 2003, Vista, 2008, 7, and 2008 R2."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  # NOTE(review): the exploit attributes below describe the plugin as a whole
  # (four CVEs); which of them has a public exploit cannot be told from here.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/08/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/08/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/15");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:ie");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  # Presumably: SMB access (139/445) or patch-management data is needed -- confirm.
  script_require_ports(139, 445, "Host/patch_management_checks");
  exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

# Exit unless this KB item is set for the host.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS12-052';
kb = '2722913';

kbs = make_list(kb);
# With patch-management data present, the bulletin/KB pair is handed to
# hotfix_check_3rd_party; whether that helper returns or exits is decided
# inside it (not visible here).
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# OS / service-pack gate; the arguments presumably name the service-pack
# levels in scope per OS -- confirm against hotfix_check_sp_range.
if (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
# Server Core installs are audited out before any file check.
if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

# The file checks go through the share that holds the system root. An
# inaccessible share ends the script with AUDIT_SHARE_FAIL and no verdict, so
# that outcome means "unknown", not "patched".
share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# Each call names a file version and a floor (min_version). Presumably the
# helper reports the file as vulnerable when the installed version is at or
# above min_version and below version -- confirm in the hotfix include files.
# The paired calls per IE release look like the two servicing branches
# (GDR / LDR) -- confirm.
if (
  # Windows 7 / 2008 R2
  #
  # - Internet Explorer 9
  hotfix_is_vulnerable(os:"6.1", file:"Mshtml.dll", version:"9.0.8112.20554", min_version:"9.0.8112.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", file:"Mshtml.dll", version:"9.0.8112.16448", min_version:"9.0.8112.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # - Internet Explorer 8
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"8.0.7601.22032", min_version:"8.0.7601.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"8.0.7601.17874", min_version:"8.0.7601.17000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:0, file:"Mshtml.dll", version:"8.0.7600.21245", min_version:"8.0.7600.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:0, file:"Mshtml.dll", version:"8.0.7600.17051", min_version:"8.0.7600.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Vista / 2008
  #
  # - Internet Explorer 9
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"9.0.8112.20554", min_version:"9.0.8112.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"9.0.8112.16448", min_version:"9.0.8112.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # - Internet Explorer 8
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"8.0.6001.23385", min_version:"8.0.6001.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"8.0.6001.19298", min_version:"8.0.6001.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # - Internet Explorer 7
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"7.0.6002.22885", min_version:"7.0.6002.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"7.0.6002.18658", min_version:"7.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 2003 / XP 64-bit
  #
  # - Internet Explorer 8
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"8.0.6001.23385", min_version:"8.0.6001.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"8.0.6001.19298", min_version:"8.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # - Internet Explorer 7
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"7.0.6000.21314", min_version:"7.0.6000.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"7.0.6000.17112", min_version:"7.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # - Internet Explorer 6
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"6.0.3790.5029", min_version:"6.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows XP x86
  #
  # - Internet Explorer 8
  hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"8.0.6001.23385", min_version:"8.0.6001.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"8.0.6001.19298", min_version:"8.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # - Internet Explorer 7
  hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"7.0.6000.21314", min_version:"7.0.6000.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"7.0.6000.17112", min_version:"7.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # - Internet Explorer 6
  hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"6.0.2900.6266", min_version:"6.0.2900.0", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  # Record the missing bulletin in the KB before reporting. The MS12-056
  # script on this page reads SMB/Missing/MS12-052 for its IE 9 case.
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
NASL family Windows : Microsoft Bulletins
NASL id SMB_NT_MS12-056.NASL
description The installed versions of the JScript and VBScript scripting engines contain an integer overflow vulnerability that can occur when the scripting engines process a script in a web page and attempt to calculate the size of an object in memory during a copy operation. By tricking a user on the affected system into visiting a malicious web site, an attacker may be able to exploit this issue to execute arbitrary code subject to the user
last seen 2020-06-01
modified 2020-06-02
plugin id 61531
published 2012-08-15
reporter This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/61531
title MS12-056: Vulnerability in JScript and VBScript Scripting Engines Could Allow Remote Code Execution (2706045)
code
#
# (C) Tenable Network Security, Inc.
#

# Patch check for bulletin MS12-056 (KB2706045), CVE-2012-2523 only.
# Runs on x64 hosts and branches on the installed IE version:
#   - IE 8: compares Jscript.dll / Vbscript.dll versions directly;
#   - IE 9: takes the verdict from the KB item left by the MS12-052 script;
#   - any other IE version: no check runs and the host ends as "not affected".

include("compat.inc");

# Metadata block: registers the plugin's attributes and exits without
# running any check.
if (description)
{
  script_id(61531);
  script_version("1.13");
  script_cvs_date("Date: 2018/11/15 20:50:31");

  script_cve_id("CVE-2012-2523");
  script_bugtraq_id(54945);
  script_xref(name:"MSFT", value:"MS12-056");
  script_xref(name:"IAVA", value:"2012-A-0130");
  script_xref(name:"MSKB", value:"2706045");

  script_name(english:"MS12-056: Vulnerability in JScript and VBScript Scripting Engines Could Allow Remote Code Execution (2706045)");
  script_summary(english:"Checks versions of Jscript.dll / Vbscript.dll");

  script_set_attribute(
    attribute:"synopsis",
    value:
"Arbitrary code can be executed on the remote host through the installed JScript and VBScript scripting engines."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The installed versions of the JScript and VBScript scripting engines contain an integer overflow vulnerability that can occur when the scripting engines process a script in a web page and attempt to calculate the size of an object in memory during a copy operation. By tricking a user on the affected system into visiting a malicious web site, an attacker may be able to exploit this issue to execute arbitrary code subject to the user's privileges."
  );
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-056");
  script_set_attribute(
    attribute:"solution",
    value:
"Microsoft has released a set of patches for 64-bit editions of Windows XP, 2003, Vista, 2008, 7, and 2008 R2."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/08/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/08/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/15");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");

  # smb_nt_ms12-052.nasl is listed as a dependency because the IE 9 branch
  # below reads the SMB/Missing/MS12-052 item that script sets.
  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl", "smb_nt_ms12-052.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');
  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

# Exit unless this KB item is set for the host.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS12-056';
kb = "2706045";

kbs = make_list(kb);
# With patch-management data present, the bulletin/KB pair is handed to
# hotfix_check_3rd_party; whether that helper returns or exits is decided
# inside it (not visible here).
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# No xp: argument here although the solution text names 64-bit XP; the 5.2
# checks below are labelled "2003 x64 / XP x64", so XP x64 is presumably
# covered by the win2003 entry -- confirm.
if (hotfix_check_sp_range(win2003:'2', vista:'2', win7:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

# An inaccessible share ends the script with AUDIT_SHARE_FAIL and no verdict;
# that outcome means "unknown", not "patched".
share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# Only x64 is affected
arch = get_kb_item_or_exit('SMB/ARCH', exit_code:1);
if (arch != 'x64') exit(0, "The host is not affected since it is not running a 64-bit version of Windows.");

# A missing SMB/IE/Version item ends the script here without a verdict.
ie_ver = get_kb_item_or_exit("SMB/IE/Version");

# IE 8: direct file-version checks. Presumably each call reports vulnerable
# when the installed version is at or above min_version and below version --
# confirm in the hotfix include files.
# vuln is assigned only on a hit; the final test relies on an unset variable
# evaluating false.
if (
  (ie_ver =~ "^8\.") &&
  (
    # Windows 7 x64 and Windows Server 2008 R2
    hotfix_is_vulnerable(os:"6.1", sp:1, arch:"x64", file:"Jscript.dll", version:"5.8.7601.22024", min_version:"5.8.7601.21000", dir:"\system32", bulletin:bulletin, kb:kb) ||
    hotfix_is_vulnerable(os:"6.1", sp:1, arch:"x64", file:"Vbscript.dll", version:"5.8.7601.22024", min_version:"5.8.7601.21000", dir:"\system32", bulletin:bulletin, kb:kb) ||
    hotfix_is_vulnerable(os:"6.1", sp:1, arch:"x64", file:"Jscript.dll", version:"5.8.7601.17866", min_version:"5.8.7601.17000", dir:"\system32", bulletin:bulletin, kb:kb) ||
    hotfix_is_vulnerable(os:"6.1", sp:1, arch:"x64", file:"Vbscript.dll", version:"5.8.7601.17866", min_version:"5.8.7601.17000", dir:"\system32", bulletin:bulletin, kb:kb) ||

    hotfix_is_vulnerable(os:"6.1", sp:0, arch:"x64", file:"Jscript.dll", version:"5.8.7600.21238", min_version:"5.8.7600.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
    hotfix_is_vulnerable(os:"6.1", sp:0, arch:"x64", file:"Vbscript.dll", version:"5.8.7600.21238", min_version:"5.8.7600.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
    hotfix_is_vulnerable(os:"6.1", sp:0, arch:"x64", file:"Jscript.dll", version:"5.8.7600.17045", min_version:"5.8.7600.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||
    hotfix_is_vulnerable(os:"6.1", sp:0, arch:"x64", file:"Vbscript.dll", version:"5.8.7600.17045", min_version:"5.8.7600.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||

    # Vista x64 / Windows 2008 x64
    hotfix_is_vulnerable(os:"6.0", sp:2, arch:"x64", file:"Jscript.dll", version:"5.8.6001.23380", min_version:"5.8.6001.22000", dir:"\System32", bulletin:bulletin, kb:kb) ||
    hotfix_is_vulnerable(os:"6.0", sp:2, arch:"x64", file:"Vbscript.dll", version:"5.8.6001.23380", min_version:"5.8.6001.22000", dir:"\System32", bulletin:bulletin, kb:kb) ||
    hotfix_is_vulnerable(os:"6.0", sp:2, arch:"x64", file:"Jscript.dll", version:"5.8.6001.19293", min_version:"5.8.6001.18000", dir:"\System32", bulletin:bulletin, kb:kb) ||
    hotfix_is_vulnerable(os:"6.0", sp:2, arch:"x64", file:"Vbscript.dll", version:"5.8.6001.19293", min_version:"5.8.6001.18000", dir:"\System32", bulletin:bulletin, kb:kb) ||

    # Windows 2003 x64 / XP x64
    hotfix_is_vulnerable(os:"5.2", sp:2, arch:"x64", file:"Vbscript.dll", version:"5.8.6001.23380", min_version:"5.8.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
    hotfix_is_vulnerable(os:"5.2", sp:2, arch:"x64", file:"Jscript.dll", version:"5.8.6001.23380", min_version:"5.8.0.0", dir:"\system32", bulletin:bulletin, kb:kb)
  )
) vuln = TRUE;

#######################
# KB2722913           #
#######################
# IE 9: no file is inspected here. The verdict rests on SMB/Missing/MS12-052,
# which the MS12-052 script sets only in its "vulnerable" branch. If that
# script did not run, or ended early without a verdict, the item is unset and
# this branch cannot tell that apart from "patched".
if (ie_ver =~ "^9\.")
{
  if (!isnull(get_kb_item("SMB/Missing/MS12-052")))
  {
    report =
      '\nThis bulletin corrects the vulnerability in Internet' +
      '\nExplorer 8, however Internet Explorer 9 is installed and' +
      '\nits fix, KB2722913, is missing. To obtain protection from' +
      '\nthe vulnerability noted in CVE-2012-2523, you must install' +
      '\nKB2722913 which is described in MS12-052.';
    # The finding is filed under this bulletin but names the MS12-052 KB.
    hotfix_add_report(report, bulletin:bulletin, kb:"2722913");
    vuln = TRUE;
  }
}

if (vuln)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
Oval
accepted | 2014-08-18T04:01:25.057-04:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | Integer overflow in Microsoft Internet Explorer 8 and 9, JScript 5.8, and VBScript 5.8 on 64-bit platforms allows remote attackers to execute arbitrary code by leveraging an incorrect size calculation during object copying, aka "JavaScript Integer Overflow Remote Code Execution Vulnerability." |
family | windows |
id | oval:org.mitre.oval:def:15790 |
status | accepted |
submitted | 2012-08-20T12:14:57 |
title | JavaScript Integer Overflow Remote Code Execution Vulnerability - MS12-052 and MS12-056 |
version | 74 |
Seebug
bulletinFamily | exploit |
description | Bugtraq ID:54945 CVE ID:CVE-2012-2523 Microsoft Internet Explorer是一款流行的WEB浏览器。 在64位平台上的Microsoft Internet Explorer和JScript 5.8在对象拷贝过程中由于不正确的大小计算,可被攻击者利用触发整数溢出,攻击者构建恶意WEB页,诱使用户解析,可以应用程序上下文执行任意代码。 0 Microsoft Internet Explorer 8 Microsoft Internet Explorer 9 厂商解决方案 用户可参考如下供应商提供的安全公告获得补丁信息: http://technet.microsoft.com/en-us/security/bulletin/MS12-052 |
id | SSV:60326 |
last seen | 2017-11-19 |
modified | 2012-08-18 |
published | 2012-08-18 |
reporter | Root |
title | Microsoft Internet Explorer JavaScript整数溢出代码执行漏洞 |
References
- http://www.us-cert.gov/cas/techalerts/TA12-227A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-052
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-056
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15790