CVE-2012-4969 - Unspecified vulnerability in Microsoft Internet Explorer
Attack vector | NETWORK |
Attack complexity | HIGH |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
Use-after-free vulnerability in the CMshtmlEd::Exec function in mshtml.dll in Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code via a crafted web site, as exploited in the wild in September 2012.
Vulnerable Configurations
Exploit-Db
description | MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability. CVE-2012-4969. Remote exploit for windows platform |
id | EDB-ID:21840 |
last seen | 2016-02-02 |
modified | 2012-10-10 |
published | 2012-10-10 |
reporter | metasploit |
source | https://www.exploit-db.com/download/21840/ |
title | Microsoft Internet Explorer - execCommand Use-After-Free Vulnerability MS12-063 |
Metasploit
description | This module exploits a vulnerability found in Microsoft Internet Explorer (MSIE). When rendering an HTML page, the CMshtmlEd object gets deleted in an unexpected manner, but the same memory is reused again later in the CMshtmlEd::Exec() function, leading to a use-after-free condition. Please note that this vulnerability has been exploited in the wild since Sep 14 2012. Also note that presently, this module has some target dependencies for the ROP chain to be valid. For WinXP SP3 with IE8, msvcrt must be present (as it is by default). For Vista or Win7 with IE8, or Win7 with IE9, JRE 1.6.x or below must be installed (which is often the case). |
id | MSF:EXPLOIT/WINDOWS/BROWSER/IE_EXECCOMMAND_UAF |
last seen | 2020-05-11 |
modified | 2017-10-05 |
published | 2012-09-17 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ie_execcommand_uaf.rb |
title | MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability |
Msbulletin
bulletin_id | MS12-063 |
bulletin_url | |
date | 2012-09-21T00:00:00 |
impact | Remote Code Execution |
knowledgebase_id | 2744842 |
knowledgebase_url | |
severity | Critical |
title | Cumulative Security Update for Internet Explorer |
Nessus
NASL family | Windows : Microsoft Bulletins |
NASL id | SMB_NT_MS12-063.NASL |
description | The remote host is missing Internet Explorer (IE) Security Update 2744842. The installed version of IE is affected by vulnerabilities that could allow an attacker to execute arbitrary code on the remote host. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 62223 |
published | 2012-09-21 |
reporter | This script is Copyright (C) 2012-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/62223 |
title | MS12-063: Cumulative Security Update for Internet Explorer (2744842) |
code |
```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(62223);
  script_version("1.16");
  script_cvs_date("Date: 2018/11/15 20:50:31");

  script_cve_id(
    "CVE-2012-1529",
    "CVE-2012-2546",
    "CVE-2012-2548",
    "CVE-2012-2557",
    "CVE-2012-4969"
  );
  script_bugtraq_id(55562, 55641, 55645, 55646, 55647);
  script_xref(name:"CERT", value:"480095");
  script_xref(name:"MSFT", value:"MS12-063");
  script_xref(name:"MSKB", value:"2744842");

  script_name(english:"MS12-063: Cumulative Security Update for Internet Explorer (2744842)");
  script_summary(english:"Checks version of Mshtml.dll");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote host is affected by code execution vulnerabilities."
  );
  script_set_attribute(
    attribute:"description",
    value:
      "The remote host is missing Internet Explorer (IE) Security Update 2744842. The installed version of IE is affected by vulnerabilities that could allow an attacker to execute arbitrary code on the remote host."
  );
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-063");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2012/2757760");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-12-200/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-12-199/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-12-198/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-007/");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/524504/30/0/threaded");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/524505/30/0/threaded");
  script_set_attribute(
    attribute:"solution",
    value:
      "Microsoft has released a set of patches for XP, 2003, Vista, 2008, 7, and 2008 R2."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability ');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/09/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/09/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/21");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:ie");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS12-063';
kb = '2744842';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  # Windows 7 / 2008 R2
  #
  # - Internet Explorer 9
  hotfix_is_vulnerable(os:"6.1", file:"Mshtml.dll", version:"9.0.8112.20557", min_version:"9.0.8112.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", file:"Mshtml.dll", version:"9.0.8112.16450", min_version:"9.0.8112.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 8
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"8.0.7601.22099", min_version:"8.0.7601.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"8.0.7601.17940", min_version:"8.0.7601.17000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:0, file:"Mshtml.dll", version:"8.0.7600.21313", min_version:"8.0.7600.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:0, file:"Mshtml.dll", version:"8.0.7600.17115", min_version:"8.0.7600.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Vista / 2008
  #
  # - Internet Explorer 9
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"9.0.8112.20557", min_version:"9.0.8112.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"9.0.8112.16450", min_version:"9.0.8112.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 8
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"8.0.6001.23415", min_version:"8.0.6001.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"8.0.6001.19328", min_version:"8.0.6001.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 7
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"7.0.6002.22920", min_version:"7.0.6002.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"7.0.6002.18686", min_version:"7.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 2003 / XP 64-bit
  #
  # - Internet Explorer 8
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"8.0.6001.23415", min_version:"8.0.6001.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"8.0.6001.19328", min_version:"8.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 7
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"7.0.6000.21316", min_version:"7.0.6000.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"7.0.6000.17114", min_version:"7.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 6
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"6.0.3790.5060", min_version:"6.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows XP x86
  #
  # - Internet Explorer 8
  hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"8.0.6001.23415", min_version:"8.0.6001.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"8.0.6001.19328", min_version:"8.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 7
  hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"7.0.6000.21316", min_version:"7.0.6000.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"7.0.6000.17114", min_version:"7.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 6
  hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"6.0.2900.6287", min_version:"6.0.2900.0", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
```

NASL family | Windows |
NASL id | SMB_KB2757760.NASL |
description | The remote host is missing the workaround referenced in KB 2757760 (Microsoft 'Fix it' 50939). This workaround mitigates a use-after-free vulnerability in Internet Explorer. Without this workaround enabled, an attacker could exploit this vulnerability by tricking a user into viewing a maliciously crafted web page, resulting in arbitrary code execution. This vulnerability is being actively exploited in the wild. This plugin has been deprecated due to the publication of MS12-063. Microsoft has released patches that make the workarounds unnecessary. To check for the patches, use Nessus plugin ID 62223. |
last seen | 2017-10-29 |
modified | 2017-08-30 |
plugin id | 62201 |
published | 2012-09-19 |
reporter | Tenable |
source | https://www.tenable.com/plugins/index.php?view=single&id=62201 |
title | MS KB2757760: Vulnerability in Internet Explorer Could Allow Remote Code Execution (deprecated) |
Oval
accepted | 2014-08-18T04:01:23.133-04:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | Use-after-free vulnerability in the CMshtmlEd::Exec function in mshtml.dll in Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code via a crafted web site, as exploited in the wild in September 2012. |
family | windows |
id | oval:org.mitre.oval:def:15729 |
status | accepted |
submitted | 2012-09-22T12:54:21 |
title | execCommand Use After Free Vulnerability - MS12-063 |
version | 74 |
Saint
bid | 55562 |
description | Internet Explorer CMshtmlEd execCommand Use After Free |
id | win_patch_ie_v8,win_patch_ie_v9 |
osvdb | 85532 |
title | ie_cmshtmled_exec_uaf |
type | client |
The Hacker News
id | THN:A27DF5E371A39A7B4C6BA19A7BD3D4BA |
last seen | 2017-01-08 |
modified | 2013-01-11 |
published | 2013-01-06 |
reporter | Mohit Kumar |
source | http://thehackernews.com/2013/01/latest-internet-explorer-zero-day.html |
title | Latest Internet Explorer zero-day linked to Elderwood Project |

id | THN:5ACF233F4E37E6A4975B246F2082107C |
last seen | 2017-01-08 |
modified | 2013-01-11 |
published | 2013-01-02 |
reporter | Mohit Kumar |
source | http://thehackernews.com/2013/01/cfr-watering-hole-attack-also-target.html |
title | CFR watering hole attack also target Capstone Turbine Corporation |

id | THN:7ACF921BA3C582C8760C348FD2475BC2 |
last seen | 2017-01-08 |
modified | 2013-10-16 |
published | 2013-10-16 |
reporter | Mohit Kumar |
source | http://thehackernews.com/2013/10/aslr-bypass-techniques-are-popular-with.html |
title | ASLR bypass techniques are popular with APT attacks |
References
- http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day_en/
- http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ie_execcommand_uaf.rb
- http://eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/
- http://technet.microsoft.com/security/advisory/2757760
- http://www.kb.cert.org/vuls/id/480095
- http://www.securitytracker.com/id?1027538
- http://www.securityweek.com/new-internet-explorer-zero-day-being-exploited-wild
- http://www.us-cert.gov/cas/techalerts/TA12-255A.html
- http://www.us-cert.gov/cas/techalerts/TA12-262A.html
- http://www.us-cert.gov/cas/techalerts/TA12-265A.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15729