CVE-2012-0003
Published: 2012-01-10
Priority: P1
CVSS 3.1: 8.1 (high), vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (ITW exploit; listed in VulnCheck KEV)
EPSS: 69.50% (99.3rd percentile)
Unspecified vulnerability in winmm.dll in Windows Multimedia Library in Windows Media Player (WMP) in Microsoft Windows XP SP2 and SP3, Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows remote attackers to execute arbitrary code via a crafted MIDI file, aka "MIDI Remote Code Execution Vulnerability."
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_xp | — | — |
Detection & IOCs (extracted from sources)
path: /baby.mid
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Windows Media component specific exploit"; flow:established,to_client; file.data; content:"bang()"; content:"cloned"; distance:0; content:"unescape(|22|%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c|22|)"; fast_pattern; distance:0; reference:cve,2012-0003; classtype:attempted-user; sid:2014156; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_01_28, cve CVE_2012_0003, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2024_04_08;)
snort:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Likely MS12-004 midiOutPlayNextPolyEvent Heap Overflow Midi Filename Requested baby.mid"; flow:established,to_server; http.uri; content:"/baby.mid"; reference:cve,2012-0003; classtype:trojan-activity; sid:2014207; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_02_07, cve CVE_2012_0003, deployment Perimeter, confidence Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_05_08;)
bytes: %u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c
- Exploit pages contain the JavaScript strings 'bang()' and 'cloned' alongside the heap-spray unescape pattern %u0c0c%u0c0c; all three appearing together in an HTTP response body is a strong indicator of CVE-2012-0003 exploitation.
- An outbound HTTP request for the URI path /baby.mid is associated with in-the-wild exploitation of MS12-004 (CVE-2012-0003).
- The exploit delivers a specially crafted MIDI file via the Windows Media Player ActiveX control; the heap allocation is 0x400 bytes (WINMM!winmmAlloc), and the overflow yields a single-byte inc/dec primitive.
- For IE 8 on XP SP3, the exploit uses a stack-pivot ROP gadget at 0x76C9B4C2 (IMAGEHLP) and targets dispatch destination 0x0c0c1be4; for IE 6/7 on XP SP3 the dispatch destination is 0x0c0c0c0c.
- The exploit's ROP chain is built entirely from msvcr71.dll gadgets; ROP chains referencing msvcr71.dll addresses (e.g. 0x7c347f98, 0x7c376402) in memory or shellcode are indicative.
- The vulnerability does not trigger when the victim machine is operated via rdesktop, which matters when designing sandbox/detonation environments.
- The Metasploit module's IE 8 target supports only two specific MSHTML builds; other patch levels may not be exploitable with this module.
- The ET rule for /baby.mid (sid:2014207) carries a 'confidence Low' metadata tag, so it may produce false positives on legitimate MIDI file requests.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 8.1 | HIGH | — |
| vendor_redhat | — | 10.0 | CRITICAL | — |
GHSA
GHSA-6mjj-vx26-x966: Unspecified vulnerability in winmm
ghsa_unreviewed · 2022-05-04 · CVE-2012-0003 [HIGH]
Unspecified vulnerability in winmm.dll in Windows Multimedia Library in Windows Media Player (WMP) in Microsoft Windows XP SP2 and SP3, Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows remote attackers to execute arbitrary code via a crafted MIDI file, aka "MIDI Remote Code Execution Vulnerability."
VulnCheck
Windows Media Player (WMP) MIDI Remote Code Execution Vulnerability
vulncheck · 2012 · CVSS 8.1 · CVE-2012-0003 [HIGH]
Unspecified vulnerability in winmm.dll in Windows Multimedia Library in Windows Media Player (WMP) in Microsoft Windows XP SP2 and SP3, Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows remote attackers to execute arbitrary code via a crafted MIDI file, aka "MIDI Remote Code Execution Vulnerability."
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://web.archive.org/web/20120131035712/http://blog.trendmicro.com/malware-leveraging-midi-remote-code-execution-vulnerability-found/
Red Hat
condor: privilege escalation via jobs submitted to the standard universe (CONDOR-2012-0003)
vendor_redhat · 2012-10-22 · CVSS 10.0 · CVE-2012-5390 [CRITICAL]
(This record concerns CVE-2012-5390; it is associated here through the upstream advisory id CONDOR-2012-0003, not CVE-2012-0003.)
The standard universe shadow (condor_shadow.std) component in Condor 7.7.3 through 7.7.6, 7.8.0 before 7.8.5, and 7.9.0 does not properly check privileges, which allows remote attackers to gain privileges via a crafted standard universe job.
Statement: Not vulnerable. This issue did not affect the versions of condor as shipped with Red Hat Enterprise MRG 1 or 2 as they do not provide a vulnerable version of condor.
Package: condor (Red Hat Enterprise MRG 2) - Not affected
Suricata
ET WEB_CLIENT Likely MS12-004 midiOutPlayNextPolyEvent Heap Overflow Midi Filename Requested baby.mid
suricata · 2012-02-07 · CVE-2012-0003
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Likely MS12-004 midiOutPlayNextPolyEvent Heap Overflow Midi Filename Requested baby.mid"; flow:established,to_server; http.uri; content:"/baby.mid"; reference:cve,2012-0003; classtype:trojan-activity; sid:2014207; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_02_07, cve CVE_2012_0003, deployment Perimeter, confidence Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_05_08;)
Suricata
ET WEB_CLIENT Microsoft Windows Media component specific exploit
suricata · 2012-01-28 · CVE-2012-0003
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Windows Media component specific exploit"; flow:established,to_client; file.data; content:"bang()"; content:"cloned"; distance:0; content:"unescape(|22|%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c|22|)"; fast_pattern; distance:0; reference:cve,2012-0003; classtype:attempted-user; sid:2014156; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_01_28, cve CVE_2012_0003, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2024_04_08;)
Exploit-DB
Microsoft Windows - midiOutPlayNextPolyEvent Heap Overflow (MS12-004) (Metasploit)
exploitdb · 2012-01-28 · CVE-2012-0003
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # [the module's Rank, mixin includes and initialize() header were lost
  #  in the source excerpt; only the module info below survived]
  'Name'        => "MS12-004 midiOutPlayNextPolyEvent Heap Overflow",
  'Description' => %q{
    This module exploits a heap overflow vulnerability in the Windows Multimedia
    Library (winmm.dll). The vulnerability occurs when parsing specially crafted
    MIDI files. Remote code execution can be achieved by using Windows Media Player's
    ActiveX control.
    Exploitation is done by supplying a specially crafted MIDI file with
    specific events, caus
  # [excerpt truncated in source]
```
Metasploit
MS12-004 midiOutPlayNextPolyEvent Heap Overflow
metasploit
This module exploits a heap overflow vulnerability in the Windows Multimedia Library (winmm.dll). The vulnerability occurs when parsing specially crafted MIDI files. Remote code execution can be achieved by using the Windows Media Player ActiveX control. Exploitation is done by supplying a specially crafted MIDI file with specific events, causing the offset calculation to be higher than what is available on the heap (0x400 allocated by WINMM!winmmAlloc), and then allowing us to either "inc al" or "dec al" a byte. This can be used to corrupt an array (CImplAry) we set up, and force the browser to confuse types from tagVARIANT objects, which leverages remote code execution under the context of the user. Note: At this time, for IE 8 target, msvc
Talos
MIDI Karaoke Background or Malware Vector?
blogs_talos · 2012-03-20 · CVSS 8.1 · [HIGH]
MD5s of samples found in the wild up to now:
References:
- http://www.vupen.com/blog/20120117.Advanced_Exploitation_of_Windows_MS12-004_CVE-2012-0003.php
- http://blog.chackraview.net/2012/01/29/understanding-cve-2012-0003-rce-in-microsoft-windows-media-player/
- http://labs.m86security.com/tag/cve-2012-0003/
- http://hummingbir
Zscaler
Zscaler Protects against Microsoft's Patch Cycle | Round 13
blogs_zscaler · CVSS 8.1 · [HIGH]
Bugzilla
CVE-2012-5390 condor: privilege escalation via jobs submitted to the standard universe (CONDOR-2012-0003)
bugzilla · 2013-01-11 · CVSS 10.0 · CVE-2012-5390 [CRITICAL]
As per the upstream advisory:
Condor installations that support Standard Universe jobs and run the daemons on the submit machine as root are vulnerable to local privilege escalation. If a user submits a job into the standard universe, the user job may then execute code on the submit machine as the root user. If your Condor installation does not contain the condor_shadow.std executable, then you are not affected by this vulnerability.
The problem exists in the 7.8.X series only. The 7.6.X series is not affected. Also, Condor must be started as root; otherwise it is not affected.
Current Fedora versions have the fixed version, so they are not affected. Red Hat Enterprise MRG provides 7.6.x a
References:
- http://secunia.com/advisories/47485
- http://www.securityfocus.com/bid/51292
- http://www.securitytracker.com/id?1026492
- http://www.us-cert.gov/cas/techalerts/TA12-010A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-004
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14337