hrbrmstr's assessment of CVE-2012-0158

Description

The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or © .rtf file that triggers “system state” corruption, as exploited in the wild in April 2012, aka “MSCOMCTL.OCX RCE Vulnerability.”

Add Assessment

hrbrmstr (72)

May 12, 2020 7:46pm UTC (4 years ago)•Edited 4 years ago

Ratings

Attacker Value

Very High

Exploitability

Very High

Common in enterprise Vulnerable in default configuration

Technical Analysis

This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a

Vulnerable Products: Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0
Associated Malware: Dridex
Mitigation: Update affected Microsoft products with the latest security patches
IOCs: https://www.us-cert.gov/ncas/analysis-reports/ar20-133i, https://www.us-cert.gov/ncas/analysis-reports/ar20-133j, https://www.us-cert.gov/ncas/analysis-reports/ar20-133k, https://www.us-cert.gov/ncas/analysis-reports/ar20-133l, https://www.us-cert.gov/ncas/analysis-reports/ar20-133n, https://www.us-cert.gov/ncas/analysis-reports/ar20-133o

dmelcher5151 (19)

April 15, 2020 4:17pm UTC (4 years ago)•Edited 4 years ago

Ratings

Attacker Value

Very High

Exploitability

High

Common in enterprise Easy to weaponize Gives privileged access Requires user interaction

Technical Analysis

Was obvious the week it hit that it would replace 2010-3333, and it did. Bread and butter for many phishing campaigns for years.

See More &2 repliesSee Less

kevthehermit (138) April 15, 2020 6:47pm UTC (4 years ago)

In your analysis you stated that this is common in enterprise. Is this still the case, whilst i can accept that there will be some organisations that are running legacy I feel that this will not longer be common, and therefore its attacker value is decreased?

Or do we think that it is still a very large threat surface for enterprise?

dmelcher5151 (19) April 15, 2020 7:02pm UTC (4 years ago)•Edited 4 years ago

good question. my assumption is this rating system is based on a scenario where the target is vulnerable/not mitigated and contemporaneous to first observation/exploitation for factors like enterprise exposure.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

8.8 High

Impact Score:

5.9

Exploitability Score:

2.8

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

Required

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

microsoft

Products

biztalk server 2002,
commerce server 2002,
commerce server 2007,
commerce server 2009 -,
commerce server 2009 r2,
office 2003,
office 2007,
office 2010,
office web components 2003,
sql server 2000 -,
sql server 2005 -,
sql server 2008 -,
sql server 2008 r2,
visual basic 6.0,
visual foxpro 8.0,
visual foxpro 9.0

Metasploit Modules

MS12-027 MSCOMCTL ActiveX Buffer Overflow (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/ms12_027_mscomctl_bof.rb)

Exploited in the Wild

Reported by:

AttackerKB Worker

Reported: September 25, 2020 8:38pm UTC (3 years ago)

gwillcox-r7 indicated source as Government or Industry Alert (https://us-cert.cisa.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf)

Reported: November 03, 2021 3:20pm UTC (2 years ago)

References

Rapid7

Very High

CVE-2012-0158

Very High

Very High

Required

None

Network

CVE-2012-0158

Description

Add Assessment

Ratings

Technical Analysis

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Metasploit Modules

Exploited in the Wild

References

Canonical

Advisory

Miscellaneous

Additional Info

Technical Analysis

Very High

CVE-2012-0158

Very High

Very High

Required

None

Network

CVE-2012-0158

Description

Add Assessment

Ratings

Technical Analysis

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Metasploit Modules

Exploited in the Wild

References

Canonical

Advisory

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification