CVE-2012-0183
Published 2012-05-09
Priority P259, critical, 9.3 (CVSS 2.0)
CVSS vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 24.41% (97.6th percentile)
Microsoft Word 2003 SP3 and 2007 SP2 and SP3, Office 2008 and 2011 for Mac, and Office Compatibility Pack SP2 and SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted RTF data, aka "RTF Mismatch Vulnerability."
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | office | — | — |
| microsoft | word | — | — |
| microsoft | word | — | — |
Detection & IOCs (extracted from sources)
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hostile Microsoft Rich Text File (RTF) with corrupted listoverride"; flow:established,to_client; flowbits:set,ETPRO.RTF; file.data; content:"|7b 5c 2a 5c|listoverridetable"; content:"|5c|listoverride|5c|"; fast_pattern; pcre:"/\x5clistoverride\x5c((?!\x5cls\d{1,4}\s*\}).)+?\x5clistoverride\x5c/s"; reference:cve,2012-0183; classtype:attempted-user; sid:2025085; rev:5;)
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download - SET"; flow:established,to_client; flowbits:set,ET.http.rtf.download; flowbits:noalert; file.data; content:"|7B 5C 72 74 66 31|"; within:6; reference:cve,2012-0183; classtype:attempted-user; sid:2015790; rev:4;)
bytes
|7b 5c 2a 5c|listoverridetable
bytes
|5c|listoverride|5c|
bytes
|7B 5C 72 74 66 31|
- Detect hostile RTF files exploiting CVE-2012-0183 by looking for a corrupted \listoverridetable structure: the group-opening bytes {\*\ followed by 'listoverridetable', then multiple \listoverride\ entries without a valid \ls<digits>} terminator between them.
- Flag any HTTP response delivering an RTF file by matching the RTF magic bytes {\rtf1 (hex 7B 5C 72 74 66 31) within the first 6 bytes of file data; use as a flowbit setter to chain with exploit-specific signatures.
- The vulnerability is triggered via crafted RTF data (RTF Mismatch Vulnerability); network detection should focus on HTTP responses (to_client, established flow) delivering malformed RTF content.
- The Exploit-DB entry (18894) and its associated PoC ZIP describe a related but distinct post-patch pool corruption in win32k!ReadLayoutFile() on Windows XP SP3 (local privilege escalation vector), NOT the RTF remote code execution vector of CVE-2012-0183. The PoC is only loosely associated with this CVE.
- The RTF download flowbit rule (sid:2015790) is set to 'flowbits:noalert', meaning it will not generate alerts on its own; it is intended to be used in conjunction with a follow-on signature that checks for the ETPRO.RTF or ET.http.rtf.download flowbit.
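The matching logic of the two signatures above, re-implemented in Python and run over constructed RTF fragments. This is an added example, not part of the rule set or of the page's sources; `inspect`, `GOOD` and `BAD` are names assumed here, and the fragments are constructed only to exercise the patterns.

```python
import re

RTF_MAGIC = b"{\\rtf1"                    # |7B 5C 72 74 66 31|
TABLE_OPEN = b"{\\*\\listoverridetable"   # |7b 5c 2a 5c|listoverridetable
OVERRIDE = b"\\listoverride\\"            # |5c|listoverride|5c|
# The pcre from sid:2025085; its /s flag maps to re.S (dot matches newline).
CORRUPT_RE = re.compile(
    rb"\x5clistoverride\x5c((?!\x5cls\d{1,4}\s*\}).)+?\x5clistoverride\x5c",
    re.S)


def inspect(file_data: bytes):
    """Return (flowbits_set, alert_sids) the two rules would yield for one
    HTTP response body (the file.data buffer)."""
    flowbits, alerts = set(), []
    # sid:2015790: content + within:6 anchors the magic to the buffer start.
    # It only sets a flowbit (flowbits:noalert), so no sid is reported.
    if file_data[:6] == RTF_MAGIC:
        flowbits.add("ET.http.rtf.download")
    # sid:2025085: both content strings anywhere in the buffer, then the pcre.
    # The rule has no flowbits:isset, so it fires without the magic check.
    if (TABLE_OPEN in file_data and OVERRIDE in file_data
            and CORRUPT_RE.search(file_data)):
        flowbits.add("ETPRO.RTF")
        alerts.append(2025085)
    return flowbits, alerts


# Constructed fragment: every \listoverride entry closes with \ls<digits>}
# (whitespace before the brace is allowed by \s*).
GOOD = (rb"{\rtf1{\*\listoverridetable"
        rb"{\listoverride\listid1\listoverridecount0\ls1 }"
        rb"{\listoverride\listid2\listoverridecount0\ls2}}}")

# Constructed fragment: the first entry has no \ls<digits>} before the next
# \listoverride\ begins, which is the "corrupted listoverride" condition.
BAD = (rb"{\rtf1{\*\listoverridetable"
       rb"{\listoverride\listid1\listoverridecount0}"
       rb"{\listoverride\listid2\listoverridecount0\ls2}}}")

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, inspect(sample))
```

Because the pattern accepts only `\d{1,4}` before the closing brace, an `\ls` index of five or more digits is treated the same as a missing terminator.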
Suricata
ET WEB_CLIENT Microsoft Rich Text File download - SET
suricata·2012-10-10
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download - SET"; flow:established,to_client; flowbits:set,ET.http.rtf.download; flowbits:noalert; file.data; content:"|7B 5C 72 74 66 31|"; within:6; reference:cve,2012-0183; classtype:attempted-user; sid:2015790; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_10_10, cve CVE_2012_0183, deployment Perimeter, confidence Medium, signature_severity Major, tag Web_Client_Attacks, updated_at 2024_03_14;)
Suricata
ET WEB_CLIENT Hostile Microsoft Rich Text File (RTF) with corrupted listoverride
suricata·2012-05-08
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hostile Microsoft Rich Text File (RTF) with corrupted listoverride"; flow:established,to_client; flowbits:set,ETPRO.RTF; file.data; content:"|7b 5c 2a 5c|listoverridetable"; content:"|5c|listoverride|5c|"; fast_pattern; pcre:"/\x5clistoverride\x5c((?!\x5cls\d{1,4}\s*\}).)+?\x5clistoverride\x5c/s"; reference:cve,2012-0183; classtype:attempted-user; sid:2025085; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_05_08, cve CVE_2012_0183, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2024_04_06;)
References
- http://secunia.com/advisories/49111
- http://www.securityfocus.com/bid/53344
- http://www.securitytracker.com/id?1027035
- http://www.us-cert.gov/cas/techalerts/TA12-129A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-029
- https://exchange.xforce.ibmcloud.com/vulnerabilities/75122
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15327