CVE-2012-0013
Published: 2012-01-10
Priority: P274 · Severity: critical · CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 73.75% (99.4th percentile)
Incomplete blacklist vulnerability in the Windows Packager configuration in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via a crafted ClickOnce application in a Microsoft Office document, related to .application files, aka "Assembly Execution Vulnerability."
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
Detection & IOCs (extracted from sources)
- Look for Office macro-enabled documents (.docm) delivered to users that, upon macro execution, spawn a Python or Ruby interpreter process; this is indicative of the first-stage ClickOnce payload download-and-execute chain.
- Inspect IsProgIDInList checks in packager.dll: the vulnerability is triggered when a file extension passes the 0x11 (17-entry) extension blacklist check, allowing execution via SHGetFileInfoW. Hunt for .application extensions bypassing this list.
- The exploit prepends 6 null bytes to the first-stage payload; network or memory signatures should account for a leading \x00\x00\x00\x00\x00\x00 sequence before the Python/Ruby download-exec stager.
- Alert on Office processes (WINWORD.EXE) launching python.exe or Ruby interpreter processes as direct children, which is the execution chain produced by this exploit after macro enablement.
- The Metasploit module's PAYLOAD_TYPE option must be set to either PYTHON or RUBY; the victim machine must have the corresponding interpreter installed for the first-stage stager to execute. Detections relying solely on interpreter child-process spawning may miss cases where the interpreter is absent.
- The module targets Microsoft Office Word 2007/2010 on Windows 7 specifically; the broader CVE also affects XP SP2/SP3, Server 2003 SP2, Vista SP2, and Server 2008 variants, so detection scope should not be limited to Windows 7 alone.
- DisablePayloadHandler is set to false by default in the Metasploit module, meaning a Metasploit listener is expected; custom or manual exploit variants may use a different C2 mechanism not covered by Metasploit-specific network signatures.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vendor_redhat | — | 5.9 | MEDIUM | — |
GHSA
CVE-2012-0013 [HIGH] GHSA-fcv4-86qf-2h62
ghsa_unreviewed · 2022-05-04
Incomplete blacklist vulnerability in the Windows Packager configuration in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via a crafted ClickOnce application in a Microsoft Office document, related to .application files, aka "Assembly Execution Vulnerability."
Red Hat
CVE-2011-4600 [MEDIUM] libvirt: unintended firewall port exposure after restarting libvirtd when defining a bridged forward-mode network
vendor_redhat · 2011-12-09 · CVSS 5.9
The networkReloadIptablesRules function in network/bridge_driver.c in libvirt before 0.9.9 does not properly handle firewall rules on bridge networks when libvirtd is restarted, which might allow remote attackers to bypass intended access restrictions via a (1) DNS or (2) DHCP query.
Statement: This issue affects Red Hat Enterprise Linux 6 and has been addressed via https://rhn.redhat.com/errata/RHBA-2012-0013.html. Red Hat Enterprise Linux 5 is not affected. The Red Hat Security Response Team has rated this issue as having low security impact. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
No detection rules found.
Exploit-DB
CVE-2012-0013 Microsoft Office - ClickOnce Unsafe Object Package Handling (MS12-005) (Metasploit)
exploitdb · 2012-06-11

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'rex/zip'
class Metasploit3 "MS12-005 Microsoft Office ClickOnce Unsafe Object Package Handling Vulnerability",
  'Description' => %q{
    This module exploits a vulnerability found in Microsoft Office's ClickOnce
    feature. When handling a Macro document, the application fails to recognize
    certain file extensions as dangerous executables, which can be used to bypass
    the warning message. This allows you to trick your victim into
```
Exploit-DB
CVE-2012-0013 [CRITICAL] Microsoft Windows - Assembly Execution (MS12-005)
exploitdb · 2012-01-14 · CVSS 9.3

# Exploit Title: MS12-005 : Microsoft Windows Assembly Execution Vulnerability
# Date: 1/14/2012
# Author: Byoungyoung Lee, http://exploitshop.wordpress.com
# Version: Windows 7 32bit, fully patched until Jan 2012
# Tested on: Windows 7 32bit
# CVE : CVE-2012-0013
PoC: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18372.docm
Open the document file, then allow the macro execution. This will execute a Python script (a Python interpreter is required).
DEMO: http://www.youtube.com/watch?v=Odi6HiqzmL8&feature=youtu.be&hd=1
Metasploit
MS12-005 Microsoft Office ClickOnce Unsafe Object Package Handling Vulnerability
metasploit
This module exploits a vulnerability found in Microsoft Office's ClickOnce feature. When handling a Macro document, the application fails to recognize certain file extensions as dangerous executables, which can be used to bypass the warning message. This can allow attackers to trick victims into opening the malicious document, which will load up either a Python or Ruby payload, and finally download and execute an executable.
Zscaler
[HIGH] Zscaler Protects against Microsoft's Patch Cycle | Round 13
blogs_zscaler · CVSS 8.1
Bugzilla
CVE-2012-1155 [HIGH] CVE-2012-1155 CVE-2012-1156 CVE-2012-1157 CVE-2012-1158 CVE-2012-1159 CVE-2012-1160 CVE-2012-1161 CVE-2012-1168 CVE-2012-1169 CVE-2012-1170 moodle: multiple security fixes in 2.2.2, 2.1.5, 2.0.8, 1.9.17
bugzilla · 2012-04-02 · CVSS 7.5
A number of flaws have been fixed in new upstream Moodle 2.2.2 [1], 2.1.5 [2], 2.0.8 [3], and 1.9.17 [4] releases. These do not have CVEs assigned (request pending), and since Fedora/EPEL will rebase to the latest versions of each branch, I'm summarizing them all here rather than creating a number of separate bugs.
[1] http://docs.moodle.org/dev/Moodle_2.2.2_release_notes
[2] http://docs.moodle.org/dev/Moodle_2.1.5_release_notes
[3] http://docs.moodle.org/dev/Moodle_2.0.8_release_notes
[4] http://docs.moodle.org/dev/Moodle_1.9.17_release_notes
MSA-12-0013: Database activity export permis
References
- http://secunia.com/advisories/47480
- http://www.securityfocus.com/bid/51284
- http://www.securitytracker.com/id?1026497
- http://www.us-cert.gov/cas/techalerts/TA12-010A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-005
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14197
Published: 2012-01-10