CVE-2012-0183 : Detail

CVE-2012-0183

96.27%
V3 Network
Published: 2012-05-08 22h00 +00:00
Last modified: 2018-10-12 17h57 +00:00

CVE Descriptions

Microsoft Word 2003 SP3 and 2007 SP2 and SP3, Office 2008 and 2011 for Mac, and Office Compatibility Pack SP2 and SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted RTF data, aka "RTF Mismatch Vulnerability."

CVE Information

Metrics

Metrics   Score   Severity   CVSS Vector                   Source
V2        9.3                AV:N/AC:M/Au:N/C:C/I:C/A:C    [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 18894

Publication date : 2012-05-17 22h00 +00:00
Author : Cr4sh
EDB Verified : Yes

=========== Description ===========

Windows XP keyboard layouts pool corruption 0day PoC, post-MS12-034.

The vulnerability exists in the function win32k!ReadLayoutFile(), which parses keyboard layout file data. Possible attack vector: local privilege escalation. A similar vuln (CVE-2012-0183) was patched recently, but I wonder that Microsoft missed rewriting the vulnerable code on Windows XP, and this PoC is still able to crash a fully-patched XP SP3. However, the pool corruption is not fully controllable, and developing a reliable code execution exploit is quite a difficult task.

--------------------------------
By Oleksiuk Dmytro (aka Cr4sh)
http://twitter.com/d_olex
http://blog.cr4.sh
mailto:[email protected]
--------------------------------

Typical bugcheck:

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: e10650d3, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: bf881fb6, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 00000001, (reserved)

Debugging Details:
------------------

READ_ADDRESS:  e10650d3 Paged pool

FAULTING_IP: 
win32k!ReadLayoutFile+183
bf881fb6 803800          cmp     byte ptr [eax],0

MM_INTERNAL_CODE:  1

IMAGE_NAME:  win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4f85831a

MODULE_NAME: win32k

FAULTING_MODULE: bf800000 win32k

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  win32k_Keyboard

TRAP_FRAME:  b191c884 -- (.trap 0xffffffffb191c884)
ErrCode = 00000000
eax=e10650d3 ebx=e105b008 ecx=e105b008 edx=00000000 esi=e106ac08 edi=e105c008
eip=bf881fb6 esp=b191c8f8 ebp=b191c90c iopl=0         nv up ei ng nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010282
win32k!ReadLayoutFile+0x183:
bf881fb6 803800          cmp     byte ptr [eax],0           ds:0023:e10650d3=??
Resetting default scope

LAST_CONTROL_TRANSFER:  from 804f7b8b to 80527c24

STACK_TEXT:  
b191c3c0 804f7b8b 00000003 e10650d3 00000000 nt!RtlpBreakWithStatusInstruction
b191c40c 804f8778 00000003 00000000 c0708328 nt!KiBugCheckDebugBreak+0x19
b191c7ec 804f8ca3 00000050 e10650d3 00000000 nt!KeBugCheck2+0x574
b191c80c 8051cc4f 00000050 e10650d3 00000000 nt!KeBugCheckEx+0x1b
b191c86c 805405f4 00000000 e10650d3 00000000 nt!MmAccessFault+0x8e7
b191c86c bf881fb6 00000000 e10650d3 00000000 nt!KiTrap0E+0xcc
b191c90c bf881e25 e208f8e8 e10611c8 e105c008 win32k!ReadLayoutFile+0x183
b191c92c bf8b9574 800003a4 00000000 00000000 win32k!LoadKeyboardLayoutFile+0x6a
b191c9b4 bf92a002 82273e08 800003a4 04090409 win32k!xxxLoadKeyboardLayoutEx+0x1b1
b191c9f0 bf8b91b5 82273e08 0000003c 04090409 win32k!xxxSafeLoadKeyboardLayoutEx+0xa9
b191cd40 8053d6f8 0000003c 00000000 0012fec8 win32k!NtUserLoadKeyboardLayoutEx+0x164
b191cd40 004011c4 0000003c 00000000 0012fec8 nt!KiFastCallEntry+0xf8
0012ff7c 004015de 00000001 00363c48 00362e80 win32k_KeyboardLayout_expl!NtUserLoadKeyboardLayoutEx+0x14 [x:\dev\_exploits\_local\win32k_keyboardlayout_expl\win32k_keyboardlayout_expl\win32k_keyboardlayout_expl.cpp @ 37]
0012ffc0 7c817077 00330036 00360038 7ffdd000 win32k_KeyboardLayout_expl!__tmainCRTStartup+0x10f [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 586]
0012fff0 00000000 00401726 00000000 78746341 kernel32!BaseProcessStart+0x23

STACK_COMMAND:  kb

FOLLOWUP_IP: 
win32k!ReadLayoutFile+183
bf881fb6 803800          cmp     byte ptr [eax],0

SYMBOL_STACK_INDEX:  6

SYMBOL_NAME:  win32k!ReadLayoutFile+183

FOLLOWUP_NAME:  MachineOwner

FAILURE_BUCKET_ID:  0x50_win32k!ReadLayoutFile+183

BUCKET_ID:  0x50_win32k!ReadLayoutFile+183

Followup: MachineOwner
---------

=== POC ===
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18894.zip

Products Mentioned

Configuration 0

Microsoft>>Office >> Version 2008

Microsoft>>Office_compatibility_pack >> Version *

Microsoft>>Word >> Version 2003

Microsoft>>Word >> Version 2007

References

http://www.securityfocus.com/bid/53344
Tags : vdb-entry, x_refsource_BID
http://www.securitytracker.com/id?1027035
Tags : vdb-entry, x_refsource_SECTRACK
http://www.us-cert.gov/cas/techalerts/TA12-129A.html
Tags : third-party-advisory, x_refsource_CERT
http://secunia.com/advisories/49111
Tags : third-party-advisory, x_refsource_SECUNIA