CVE-2012-0013
published 2012-01-10

CVE-2012-0013: Incomplete blacklist vulnerability in the Windows Packager configuration in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2…

Priority: P274 (critical)
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: yes
EPSS: 73.75% (99.4th percentile)
Incomplete blacklist vulnerability in the Windows Packager configuration in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via a crafted ClickOnce application in a Microsoft Office document, related to .application files, aka "Assembly Execution Vulnerability."

Affected

1 range

Vendor: microsoft
Product: windows_server_2008
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

filename: msf.docm
filename: 18372.docm
  • Look for Office macro-enabled documents (.docm) delivered to users that, upon macro execution, spawn a Python or Ruby interpreter process — indicative of the first-stage ClickOnce payload download-and-execute chain.
  • Inspect IsProgIDInList checks in packager.dll: the vulnerability is triggered when a file extension passes the 0x11 (17-entry) extension blacklist check, allowing execution via SHGetFileInfoW — hunt for .application extensions bypassing this list.
  • The exploit prepends 6 null bytes to the first-stage payload; network or memory signatures should account for a leading \x00\x00\x00\x00\x00\x00 sequence before the Python/Ruby download-exec stager.
  • Alert on Office processes (WINWORD.EXE) launching python.exe or ruby interpreter processes as direct children, which is the execution chain produced by this exploit after macro enablement.
  • The Metasploit module's PAYLOAD_TYPE option must be set to either PYTHON or RUBY; the victim machine must have the corresponding interpreter installed for the first-stage stager to execute, so detections relying solely on interpreter child-process spawning may miss cases where the interpreter is absent.
  • The module targets Microsoft Office Word 2007/2010 on Windows 7 specifically; the broader CVE also affects XP SP2/SP3, Server 2003 SP2, Vista SP2, and Server 2008 variants, so detection scope should not be limited to Windows 7 alone.
  • DisablePayloadHandler is set to false by default in the Metasploit module, meaning a Metasploit listener is expected; custom or manual exploit variants may use a different C2 mechanism not covered by Metasploit-specific network signatures.
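Added example (not code from this page, its sources, or the Metasploit project): a minimal Python detector for the Office-to-interpreter process chain and the null-byte stager prefix described in the bullets above, run over constructed Sysmon-style process-creation events. Field names follow Sysmon Event ID 1 (Image, ParentImage, ParentCommandLine); the events, paths and payload bytes are made up.

```python
"""Detect the CVE-2012-0013 execution chain: an Office process directly spawning a
Python/Ruby interpreter, optionally tied to a .docm on the parent command line."""
import ntpath

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"python.exe", "pythonw.exe", "ruby.exe", "rubyw.exe"}
STAGER_PREFIX = b"\x00" * 6  # six leading null bytes noted in the IOC list above


def _base(path: str) -> str:
    """Normalise a Windows image path to its lower-cased file name."""
    return ntpath.basename(path).lower()


def classify_event(event: dict) -> list:
    """Return detection reasons for one process-creation event (empty = benign)."""
    reasons = []
    parent, child = _base(event.get("ParentImage", "")), _base(event.get("Image", ""))
    if parent in OFFICE_PARENTS and child in INTERPRETERS:
        reasons.append(f"office_spawns_interpreter:{parent}->{child}")
        # A .docm on the parent's command line links the chain to a macro-enabled document.
        if ".docm" in event.get("ParentCommandLine", "").lower():
            reasons.append("macro_document_parent")
    return reasons


def stager_prefix_present(blob: bytes) -> bool:
    """True if a captured first-stage payload starts with the six null bytes and has a body."""
    return blob.startswith(STAGER_PREFIX) and len(blob) > len(STAGER_PREFIX)


def scan(events: list) -> list:
    """Classify every event; index i holds the reasons for events[i]."""
    return [classify_event(e) for e in events]


# Constructed sample events: one exploit-like chain, one ordinary Word child process.
SAMPLE_EVENTS = [
    {"Image": r"C:\Python27\python.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "ParentCommandLine": r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" C:\Users\u\Downloads\18372.docm'},
    {"Image": r"C:\Windows\splwow64.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "ParentCommandLine": r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" C:\Users\u\report.docx'},
]

if __name__ == "__main__":
    for ev, reasons in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(_base(ev["Image"]), reasons or "clean")
```

The interpreter-child rule only fires when an interpreter is installed, which is the gap the second bullet above warns about; pair it with file-delivery telemetry on .docm attachments.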

CVSS provenance

nvd: v2.0, 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_redhat: 5.9 MEDIUM