CVE-2012-0183
published 2012-05-09


Priority: P2 (59)
Severity: critical, CVSS 2.0 base score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: yes
EPSS: 24.41% (97.6th percentile)
Microsoft Word 2003 SP3 and 2007 SP2 and SP3, Office 2008 and 2011 for Mac, and Office Compatibility Pack SP2 and SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted RTF data, aka "RTF Mismatch Vulnerability."

Affected (3 ranges)

Vendor    | Product | Version range | Fixed in
microsoft | office  |               |
microsoft | word    |               |
microsoft | word    |               |

Detection & IOCs (extracted from sources)

snort (sid:2025085):
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hostile Microsoft Rich Text File (RTF) with corrupted listoverride"; flow:established,to_client; flowbits:set,ETPRO.RTF; file.data; content:"|7b 5c 2a 5c|listoverridetable"; content:"|5c|listoverride|5c|"; fast_pattern; pcre:"/\x5clistoverride\x5c((?!\x5cls\d{1,4}\s*\}).)+?\x5clistoverride\x5c/s"; reference:cve,2012-0183; classtype:attempted-user; sid:2025085; rev:5;)

snort (sid:2015790):
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download - SET"; flow:established,to_client; flowbits:set,ET.http.rtf.download; flowbits:noalert; file.data; content:"|7B 5C 72 74 66 31|"; within:6; reference:cve,2012-0183; classtype:attempted-user; sid:2015790; rev:4;)

bytes: |7b 5c 2a 5c|listoverridetable
bytes: |5c|listoverride|5c|
bytes: |7B 5C 72 74 66 31|
  • Detect hostile RTF files exploiting CVE-2012-0183 by looking for a corrupted \listoverridetable structure: the bytes {\*\listoverridetable (the opener of the list override table destination), then multiple \listoverride\ entries with no valid \ls<digits>} terminator between them.
  • Flag any HTTP response delivering an RTF file by matching the RTF magic bytes {\rtf1 (hex 7B 5C 72 74 66 31) within the first 6 bytes of file data; this rule is a flowbit setter meant to be chained with exploit-specific signatures.
  • The vulnerability is triggered via crafted RTF data (RTF Mismatch Vulnerability); network detection should focus on HTTP responses (to_client, established flow) delivering malformed RTF content.
  • The Exploit-DB entry (18894) and its associated PoC ZIP describe a related but distinct post-patch pool corruption in win32k!ReadLayoutFile() on Windows XP SP3 (a local privilege escalation vector), NOT the RTF remote code execution vector of CVE-2012-0183. The PoC is only loosely associated with this CVE.
  • The RTF download flowbit rule (sid:2015790) is set to 'flowbits:noalert', meaning it will not generate alerts on its own; it is intended to be used in conjunction with a follow-on signature that checks for the ETPRO.RTF or ET.http.rtf.download flowbit.
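The two Snort rules above, re-implemented as a stand-alone file scanner so the matching logic can be checked offline. This is an added example, not code from the page or from the Emerging Threats ruleset; the three sample blobs are constructed by hand, not real samples.

```python
import re

# Magic bytes from sid:2015790 (|7B 5C 72 74 66 31| == "{\rtf1", within the first 6 bytes)
RTF_MAGIC = b"{\\rtf1"
# Content matches from sid:2025085 (|7b 5c 2a 5c|listoverridetable and |5c|listoverride|5c|)
LISTOVERRIDETABLE = b"{\\*\\listoverridetable"
# Same logic as the rule's pcre: two \listoverride\ tokens with no \ls<1-4 digits>} between them
CORRUPT_LISTOVERRIDE = re.compile(
    rb"\\listoverride\\((?!\\ls\d{1,4}\s*\}).)+?\\listoverride\\", re.S)


def is_rtf(data: bytes) -> bool:
    # Equivalent of the flowbit-setter rule: RTF magic within the first 6 bytes of file data.
    return data[:6] == RTF_MAGIC


def has_corrupt_listoverride(data: bytes) -> bool:
    # Equivalent of sid:2025085: list override table present, and consecutive
    # listoverride entries with no valid lsN terminator between them.
    return LISTOVERRIDETABLE in data and CORRUPT_LISTOVERRIDE.search(data) is not None


def classify(data: bytes) -> str:
    # Chain the checks the way the flowbits chain them: download first, then exploit pattern.
    if not is_rtf(data):
        return "not-rtf"
    if has_corrupt_listoverride(data):
        return "rtf-corrupt-listoverride"
    return "rtf-clean"


# Constructed sample inputs (not real malware): a well-formed list override table,
# one whose first entry lacks its \lsN terminator, and a non-RTF blob.
BENIGN_RTF = (b"{\\rtf1\\ansi{\\*\\listtable{\\list\\listid1}}"
              b"{\\*\\listoverridetable"
              b"{\\listoverride\\listid1\\listoverridecount0\\ls1}"
              b"{\\listoverride\\listid2\\listoverridecount0\\ls2}}"
              b"\\pard text\\par}")
MALFORMED_RTF = (b"{\\rtf1\\ansi{\\*\\listoverridetable"
                 b"{\\listoverride\\listid1\\listoverridecount0}"
                 b"{\\listoverride\\listid2\\listoverridecount0\\ls2}}"
                 b"\\pard text\\par}")
NOT_RTF = b"%PDF-1.4 constructed non-RTF blob"

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_RTF), ("malformed", MALFORMED_RTF), ("pdf", NOT_RTF)]:
        print(f"{name}: {classify(blob)}")
```

Note that \listoverridecount0 also begins with "\listoverride" but is not followed by a backslash, so the pattern correctly counts only real \listoverride\ entries, as the rule's fast_pattern content match does.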