Vulnerabilities > CVE-2012-2553 - Resource Management Errors vulnerability in Microsoft products

047910
CVSS 7.2 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
low complexity
microsoft
CWE-399
nessus
NVD
Published: 2012-11-14
Updated: 2018-10-30

Summary

Use-after-free vulnerability in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, and Windows 7 Gold and SP1 allows local users to gain privileges via a crafted application, aka "Win32k Use After Free Vulnerability."

Vulnerable Configurations

Part Description Count
OS
Microsoft
6

Common Weakness Enumeration (CWE)

Msbulletin

bulletin_idMS12-075
bulletin_url
date2012-11-13T00:00:00
impactRemote Code Execution
knowledgebase_id2761226
knowledgebase_url
severityCritical
titleVulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS12-075.NASL
descriptionThe remote Windows host is affected by the following remote code execution vulnerabilities: - Two use-after-free vulnerabilities exist within Windows kernel-mode drivers. (CVE-2012-2530, CVE-2012-2553) - A TrueType Font Parsing vulnerability exists due to the way TrueType font files are handled. (CVE-2012-2897)
last seen2020-06-01
modified2020-06-02
plugin id62907
published2012-11-14
reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/62907
titleMS12-075: Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2761226)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(62907);
  script_version("1.17");
  script_cvs_date("Date: 2019/12/04");

  script_cve_id("CVE-2012-2530", "CVE-2012-2553", "CVE-2012-2897");
  script_bugtraq_id(56447, 56448, 56457);
  script_xref(name:"MSFT", value:"MS12-075");
  script_xref(name:"MSKB", value:"2761226");

  script_name(english:"MS12-075: Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2761226)");
  script_summary(english:"Checks version of win32k.sys");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by remote code execution
vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is affected by the following remote code
execution vulnerabilities:

  - Two use-after-free vulnerabilities exist within Windows
    kernel-mode drivers. (CVE-2012-2530, CVE-2012-2553)

  - A TrueType Font Parsing vulnerability exists due to the
    way TrueType font files are handled. (CVE-2012-2897)");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-075");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows XP, 2003, Vista,
2008, 7, 2008 R2, 8, and 2012.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-2897");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/09/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/11/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/11/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');

bulletin = 'MS12-075';
kb = '2761226';

kbs = make_list(kb);
if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);

if (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'0,1', win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  # Windows 8 / 2012
  hotfix_is_vulnerable(os:"6.2", sp:0, file:"Win32k.sys", version:"6.2.9200.16439", min_version:"6.2.9200.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.2", sp:0, file:"Win32k.sys", version:"6.2.9200.20541", min_version:"6.2.9200.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 7 / 2008 R2
  hotfix_is_vulnerable(os:"6.1", sp:0, file:"Win32k.sys", version:"6.1.7600.17147", min_version:"6.1.7600.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:0, file:"Win32k.sys", version:"6.1.7600.21347", min_version:"6.1.7600.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Win32k.sys", version:"6.1.7601.17977", min_version:"6.1.7601.17000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Win32k.sys", version:"6.1.7601.22137", min_version:"6.1.7601.21000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows Vista / 2008
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Win32k.sys", version:"6.0.6002.18709", min_version:"6.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Win32k.sys", version:"6.0.6002.22949", min_version:"6.0.6002.22000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 2003 / XP 64-bit
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Win32k.sys", version:"5.2.3790.5079", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows XP 32-bit
  hotfix_is_vulnerable(os:"5.1", sp:3, file:"Win32k.sys", version:"5.1.2600.6307", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

accepted2013-05-06T04:01:41.418-04:00
classvulnerability
contributors
  • nameSecPod Team
    organizationSecPod Technologies
  • nameSharath S
    organizationSecPod Technologies
definition_extensions
  • commentMicrosoft Windows XP (x86) SP3 is installed
    ovaloval:org.mitre.oval:def:5631
  • commentMicrosoft Windows Server 2003 SP2 (x86) is installed
    ovaloval:org.mitre.oval:def:1935
  • commentMicrosoft Windows Vista (32-bit) Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:6124
  • commentMicrosoft Windows Server 2008 (32-bit) Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:5653
  • commentMicrosoft Windows 7 (32-bit) is installed
    ovaloval:org.mitre.oval:def:6165
  • commentMicrosoft Windows 7 (32-bit) Service Pack 1 is installed
    ovaloval:org.mitre.oval:def:12292
descriptionUse-after-free vulnerability in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, and Windows 7 Gold and SP1 allows local users to gain privileges via a crafted application, aka "Win32k Use After Free Vulnerability."
familywindows
idoval:org.mitre.oval:def:15817
statusaccepted
submitted2012-11-16T11:27:12
titleWin32k Use After Free Vulnerability - MS12-075
version74

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 56448 CVE ID: CVE-2012-2553 Microsoft Windows是微软发布的非常流行的操作系统。 Microsoft Windows XP SP3、Windows Server 2003 SP2、Windows Vista SP2、Windows Server 2008 SP2、Windows 7 Gold/SP1内核模式驱动程序内的win32k.sys存在释放后重新漏洞,通过特制的应用,可允许本地用户获取权限。 0 Microsoft Windows 8 Microsoft Windows 7 Microsoft Windows XP Professional Microsoft Windows XP Home Edition Microsoft Windows Vista Microsoft Windows Storage Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2003 Web Edition Microsoft Windows Server 2003 Standard Edition Microsoft Windows Server 2003 Enterprise Editi Microsoft Windows Server 2003 Datacenter Editi 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS12-075)以及相应补丁: MS12-075:Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2761226) 链接:http://www.microsoft.com/technet/security/bulletin/MS12-075.asp
idSSV:60464
last seen2017-11-19
modified2012-11-19
published2012-11-19
reporterRoot
titleMicrosoft Windows Kernel 'Win32k.sys' 本地权限提升漏洞(CVE-2012-2553) (MS12-075)

References