CVE-2012-4792
published 2012-12-30


Priority: P1 · 8.8 (High) · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (due 2024-08-13)
Exploited in the wild
EPSS: 78.82% (99.5th percentile)
Use-after-free vulnerability in Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to an object that (1) was not properly allocated or (2) is deleted, as demonstrated by a CDwnBindInfo object, and exploited in the wild in December 2012.

Affected (3 ranges)

Vendor     Product            Version range   Fixed in
microsoft  internet_explorer  (not captured)  (not captured)
microsoft  internet_explorer  (not captured)  (not captured)
microsoft  internet_explorer  (not captured)  (not captured)

Detection & IOCs (extracted from sources)

Indicator (other): 0x10ab0d0c
Indicator (bytes): unescape("%u0d0c%u10ab...")
  • CVE-2012-4792 exploit triggers a use-after-free via DOM manipulation: applyElement, appendChild, and outerText property set on a 'q' element, followed by CollectGarbage(). Look for this JS pattern in web traffic.
  • Exploit heap-spray pattern: 3000 div elements created with className set to repeated 'ab' strings (unescape("ababababababababababababababababababababa")), then freed alternately via CollectGarbage(). Detect this JS pattern in IE page content.
  • Exploit uses window.location set to a %u-encoded string beginning with %u0d0c%u10ab to overwrite the freed CButton vtable pointer and trigger the stale pointer dereference. Detect %u0d0c%u10ab in URL or JS strings.
  • Exploit creates 500 button elements (document.createElement('button')) as part of heap grooming for CButton UAF. Combined with CollectGarbage() calls, this pattern is characteristic of CVE-2012-4792 exploitation.
  • Group 72 (Axiom) C2 domain naming pattern: domains named after intended victim organization, e.g. companyname.attackerdomain.com or companyacronym.attackerdomain.com. Use this pattern for threat hunting in DNS logs.
  • DeputyDog RAT deployed by Group 72 uses campaign codes 'kumanichi' and 'moon'. Hunt for these strings in memory or network traffic associated with DeputyDog/Fexel samples.
  • The exploit's heap-spray targets the 21st LFH allocation as the freed CButton replacement, making it unreliable. Detection based on heap-spray counts (20 refills, then the 21st target) may not generalize to all variants.
  • The vulnerability trigger (DOM manipulation block) is wrapped in a try/catch, which may be an artifact of fuzzer-generated code rather than intentional design. Exploit variants may omit the try/catch.
  • Snort SIDs listed (e.g. 19484, 27964, etc.) detect Group 72 RAT malware families associated with CVE-2012-4792 campaigns, not the exploit itself. They should be used as post-exploitation/lateral movement indicators.
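A Python triage check that scores fetched page or proxy-captured content against the JS indicators in the bullets above. This is an added example, not a rule from the page's sources; the group names, the all-regexes-must-match rule and the two-group threshold are my own assumptions.

```python
import re

# Indicator groups transcribed from the Detection & IOCs bullets above;
# the group names and thresholds are assumptions made for this example.
# Every regex in a group must match for the group to count, which keeps a
# lone CollectGarbage() call (common in benign IE pages) from firing.
INDICATOR_GROUPS = {
    "q_element_dom_trigger": [
        r"createElement\(\s*['\"]q['\"]\s*\)",
        r"\bapplyElement\s*\(",
        r"\bappendChild\s*\(",
        r"\.outerText\s*=",
        r"\bCollectGarbage\s*\(",
    ],
    "ab_classname_heap_spray": [
        r"unescape\(\s*['\"](?:ab){8,}",   # long run of 'ab' filler
        r"\.className\s*=",
        r"\bCollectGarbage\s*\(",
    ],
    "vtable_overwrite_0d0c10ab": [
        r"%u0d0c%u10ab",                   # the page's byte indicator
    ],
    "button_heap_groom": [
        r"createElement\(\s*['\"]button['\"]\s*\)",
        r"\bCollectGarbage\s*\(",
    ],
}

def matched_groups(content):
    """Names of indicator groups whose regexes all match the content."""
    return sorted(
        name for name, patterns in INDICATOR_GROUPS.items()
        if all(re.search(p, content, re.IGNORECASE) for p in patterns)
    )

def classify(content):
    """Two or more independent groups -> 'likely-cve-2012-4792',
    one group -> 'suspicious', none -> 'clean'."""
    hits = len(matched_groups(content))
    return ("likely-cve-2012-4792" if hits >= 2
            else "suspicious" if hits == 1 else "clean")

# Constructed sample: only the marker strings from the bullets, not a working page.
SAMPLE_PAGE = """<script>
var q = document.createElement('q');
try { q.applyElement(e); q.appendChild(f); q.outerText = ""; } catch (x) {}
CollectGarbage();
window.location = unescape("%u0d0c%u10ab...");
</script>"""

if __name__ == "__main__":
    print(matched_groups(SAMPLE_PAGE), classify(SAMPLE_PAGE))
```

Feed it the response body from a proxy or sandbox capture; a single-group hit is worth a look but, as the caveats above note, variants may omit the try/catch or change spray counts, so treat the regexes as a starting point rather than a signature.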

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd        v2.0     9.3    CRITICAL  AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck           8.8    HIGH
cisa                8.8    HIGH