CVE-2012-4792
Published 2012-12-30
Priority: P1 · 88 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2024-08-13
Exploited in the wild
EPSS: 78.82% (99.5th percentile)
Use-after-free vulnerability in Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to an object that (1) was not properly allocated or (2) is deleted, as demonstrated by a CDwnBindInfo object, and exploited in the wild in December 2012.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
Detection & IOCs (extracted from sources)
- bytes `unescape("%u0d0c%u10ab...")`: CVE-2012-4792 exploit triggers a use-after-free via DOM manipulation: applyElement, appendChild, and outerText property set on a 'q' element, followed by CollectGarbage(). Look for this JS pattern in web traffic.
- Exploit heap-spray pattern: 3000 div elements created with className set to repeated 'ab' strings (unescape("ababababababababababababababababababababa")), then freed alternately via CollectGarbage(). Detect this JS pattern in IE page content.
- Exploit uses window.location set to a %u-encoded string beginning with %u0d0c%u10ab to overwrite the freed CButton vtable pointer and trigger the stale pointer dereference. Detect %u0d0c%u10ab in URL or JS strings.
- Exploit creates 500 button elements (document.createElement('button')) as part of heap grooming for the CButton UAF. Combined with CollectGarbage() calls, this pattern is characteristic of CVE-2012-4792 exploitation.
- Group 72 (Axiom) C2 domain naming pattern: domains named after the intended victim organization, e.g. companyname.attackerdomain.com or companyacronym.attackerdomain.com. Use this pattern for threat hunting in DNS logs.
- DeputyDog RAT deployed by Group 72 uses campaign codes 'kumanichi' and 'moon'. Hunt for these strings in memory or network traffic associated with DeputyDog/Fexel samples.
Caveats:
- The exploit's heap-spray targets the 21st LFH allocation as the freed CButton replacement, making it unreliable. Detection based on heap-spray counts (20 refills then the 21st target) may not generalize to all variants.
- The vulnerability trigger (DOM manipulation block) is wrapped in a try/catch, which may be an artifact of fuzzer-generated code rather than intentional design. Exploit variants may omit the try/catch.
- The Snort SIDs listed (e.g. 19484, 27964) detect Group 72 RAT malware families associated with CVE-2012-4792 campaigns, not the exploit itself. They should be used as post-exploitation/lateral movement indicators.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 8.8 | HIGH | — |
GHSA
GHSA-c5c8-vqpp-hm75 · ghsa_unreviewed · 2022-05-13 · CVE-2012-4792 [HIGH] CWE-416
Use-after-free vulnerability in Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to an object that (1) was not properly allocated or (2) is deleted, as demonstrated by a CDwnBindInfo object, and exploited in the wild in December 2012.
VulnCheck
Microsoft Internet Explorer Use-After-Free Vulnerability
vulncheck · 2012 · CVSS 8.8 · CVE-2012-4792 [HIGH] CWE-416
Microsoft Internet Explorer contains a use-after-free vulnerability that allows a remote attacker to execute arbitrary code via a crafted web site that triggers access to an object that (1) was not properly allocated or (2) is deleted, as demonstrated by a CDwnBindInfo object.
Affected: Microsoft Internet Explorer
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Exploitation References: https://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; https://www.cve.org/CVERecord?id=CVE-2012-4792; https://cisa.gov/news-events/alerts/2013/01/15/microsoft-releases-update-internet-explorer-vulnerability-cve-2012; https://kung_foo.keybase.
CISA
Microsoft Internet Explorer Use-After-Free Vulnerability
cisa · 2024-07-23 · CVSS 8.8 · CVE-2012-4792 [HIGH] CWE-416
Affected: Microsoft Internet Explorer
Microsoft Internet Explorer contains a use-after-free vulnerability that allows a remote attacker to execute arbitrary code via a crafted web site that triggers access to an object that (1) was not properly allocated or (2) is deleted, as demonstrated by a CDwnBindInfo object.
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Notes: https://learn.microsoft.com/en-us/lifecycle/products/internet-explorer-11; https://nvd.nist.gov/vuln/detail/CVE-2012-4792
Remediation Due Date: 2024-08-13
Suricata
ET MALWARE CFR DRIVEBY CVE-2012-4792 DNS Query for C2 domain
suricata · 2012-12-30 · CVSS 8.8 · CVE-2012-4792 [HIGH]
Rule: alert dns $HOME_NET any -> any any (msg:"ET MALWARE CFR DRIVEBY CVE-2012-4792 DNS Query for C2 domain"; dns.query; content:"provide.yourtrap.com"; startswith; fast_pattern; nocase; endswith; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:command-and-control; sid:2016135; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_12_30, cve CVE_2012_4792, deployment Perimeter, confidence Medium, signature_severity Major, tag DriveBy, tag CISA_KEV, updated_at 2024_04_13;)
Exploit-DB
Microsoft Internet Explorer - CButton Object Use-After-Free (Metasploit)
exploitdb · 2013-01-02 · CVE-2012-4792
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 HttpClients::IE,
:ua_minver => "8.0",
:ua_maxver => "8.0",
:javascript => true,
:os_name => OperatingSystems::WINDOWS,
:rank => GoodRanking
})
def initialize(info={})
super(update_info(info,
'Name' => "Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability",
'Description' => %q{
This module exploits a vulnerability found in Microsoft Internet Explorer. A
use-after-free condition occurs when a CButton obje
Exploit-DB
Microsoft Internet Explorer - CDwnBindInfo Object Use-After-Free (Metasploit)
exploitdb · 2012-12-31 · CVE-2012-4792
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 "Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability",
'Description' => %q{
This module exploits a vulnerability found in Microsoft Internet Explorer. A
use-after-free condition occurs when a CDwnBindInfo object is freed by
FollowHyperlink2, but a reference is kept in CDoc. As a result, when the reference
is used again during a page reload, an invalid memory that's controllable is used,
and al
Metasploit
MS13-008 Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability
metasploit
This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CButton object is freed, but a reference is kept and used again during a page reload, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild targeting mainly China/Taiwan/and US-based computers.
Qualys
US-CERT: Top 30 Vulnerabilities | Qualys
blogs_qualys · 2015-05-01 · CVSS 2.6 · [LOW]
On April 29, 2015 US-CERT published TA15-119A which describes the Top 30 vulnerabilities that critical infrastructure organizations should focus on because they are under attack all the time. The list contains Windows, Internet Explorer, Adobe Software from Reader, Flash to Cold Fusion, Java from Oracle and others and is quite similar to the more generic set of software packages published by the German BSI last December.
Here is a list of the vulnerabilities in the advisory. I have reordered and optimized where possible for efficient scanning with Qualys, for example listing the most recent patch first to take advantage of superseding patches:
- Windows: MS14-060 for CVE-2014-4114, Qualys ID: 90979
- Internet Explorer: MS14-021 for CVE-2014-1776, Qualys ID: 100191
- MS14-012 for CVE-201
- MS14-012 for CVE-2014-0322
- MS13-038 for CVE-2013-1347
- MS13-008 for CVE-2012-4792
- MS10-01
Talos
Threat Spotlight: Group 72
blogs_talos · 2014-10-14
This post is co-authored by Joel Esler, Martin Lee and Craig Williams.
Everyone has certain characteristics that can be recognised. This may be a way of walking, an accent, a turn of phrase or a style of dressing. If you know what to look for you can easily spot a friend or acquaintance in a crowd by knowing what characteristics to look for. Exactly the same is true for threat actors.
Each threat actor group may have certain characteristics that they display during their attack campaigns. These may be the types of malware that they use, a pattern in the naming conventions of their command and control servers, their choice of victims etc. Collecting attack data allows an observer to spot the characteristics that define each group and identify specific threat actors from the crowd of malici
Trailofbits
Writing Exploits with the Elderwood Kit (Part 2)
blogs_trailofbits · 2013-05-20
In the final part of our three-part series, we investigate how the toolkit user gained control of program flow and what their strategy means for the reliability of their exploit.
- Elderwood and the Department of Labor Hack
- Writing Exploits with the Elderwood Kit (Part 1)
- Writing Exploits with the Elderwood Kit (Part 2)
Last time, we talked about how the Elderwood kit does almost everything for the kit user except give them a vulnerability to use. We think it is up to the user to discover a vulnerability, trigger and exploit it, then integrate it with the kit. Our analysis indicates that their knowledge of how to do this is poor and the reliability of the exploit suffered as a result. In the sections that follow, we walk through each section of the exploit that the user had to write
Zscaler
Zscaler found 0Day Vulnerability in IE | 12-31-2012
blogs_zscaler
Threat Intel
Axiom (Axiom, Group 72)
threat_intel · CVSS 8.8 · [HIGH]
# Threat Actor Profile: Axiom
ATT&CK ID: G0001
Also known as: Axiom, Group 72
Suspected origin: China
## Overview
Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between Axiom and Winnti Group but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.(Citation: Kaspersky Winnti April 2013)(Citation: Kaspersky Winnti June 2015)(Citation: Novetta Winnti April 2015)
## Techniques (TTPs)
### Resource Development
- T1584.005 Botnet
Usage: Axiom has used large groups of compromised machines for use as proxy nodes.(Citation: Novetta-Axiom)
- T1583.002 DNS Server
Usage: Axiom has acquired dynamic DNS ser
arXiv
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
arxiv_fulltext · 2025-02-12
Almuthanna Alageel and Sergio Maffeis, Department of Computing, Imperial College London, London, United Kingdom
## Abstract
The scarcity of data and the high complexity of Advanced Persistent Threats (APTs) attacks have created challenges in comprehending their behavior and hindered the exploration of effective detection techniques.
To create an effective APT detection strategy, it is important to examine the Tactics, Techniques, and Procedures (TTPs) that have been reported by the industry. These TTPs can be difficult to classify as either malicious or legitimate. When developing an approach for the next generation of network intrusion detection systems (NIDS), it is necessary to
arXiv
SOK: On the Analysis of Web Browser Security
arxiv_fulltext · 2021-12-31
Jungwon Lim, Yonghwi Jin, Mansour Alharthi, Xiaokuan Zhang, Jinho Jung, Rajat Gupta, Kuilin Li, Daehee Jang, Taesoo Kim
Georgia Institute of Technology; Theori Inc.; Sungshin Women's University
## Abstract
Web browsers are integral parts of everyone's daily life. They are commonly used for security-critical and privacy-sensitive tasks, like banking transactions and checking medical records. Unfortunately, modern web browsers are too complex to be bug free (e.g., 25 million lines of code in Chrome), and their role as an interface to the cyberspace makes them an attractive target for attacks. Accordingly, web browsers naturally become an arena for demonstrating advanced exploitation techni
arXiv
Rethinking Misalignment to Raise the Bar for Heap Pointer Corruption
arxiv_fulltext · 2018-08-08
Daehee Jang, Hojoon Lee, Brent Byunghoon Kang (KAIST)
Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the
arXiv
Unsupervised Anomaly-based Malware Detection using Hardware Features
arxiv_fulltext · 2014-03-28
Adrian Tang, Simha Sethumadhavan, Salvatore Stolfo
Department of Computer Science, Columbia University, New York, NY, USA
{atang, simha, sal}@cs.columbia.edu
## Abstract
Recent works have shown promise in using microarchitectural execution patterns to detect malware programs. These detectors belong to a class of detectors known as signature-based detectors as they catch malware by comparing a program's execution pattern (signature) to execution patterns of known malware programs. In this work, we propose a new class of detectors --- anomaly-based hardware malware detectors --- that do not require signatures for malware detection, and thus can catch a wider range of malware including potential
References
- http://blog.fireeye.com/research/2012/12/council-foreign-relations-water-hole-attack-details.html
- http://blogs.technet.com/b/srd/archive/2012/12/29/new-vulnerability-affecting-internet-explorer-8-users.aspx
- http://blogs.technet.com/b/srd/archive/2012/12/31/microsoft-quot-fix-it-quot-available-for-internet-explorer-6-7-and-8.aspx
- http://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/
- http://labs.alienvault.com/labs/index.php/2012/just-another-water-hole-campaign-using-an-internet-explorer-0day/
- http://packetstormsecurity.com/files/119168/Microsoft-Internet-Explorer-CDwnBindInfo-Object-Use-After-Free.html
- http://technet.microsoft.com/security/advisory/2794220
- http://www.kb.cert.org/vuls/id/154201
- http://www.us-cert.gov/cas/techalerts/TA13-008A.html
- http://www.us-cert.gov/cas/techalerts/TA13-015A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-008
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cbutton_uaf.rb
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16361
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2012-4792
2012-12-30: Published
2024-07-23: Added to CISA KEV
Exploited in the wild