CVE-2012-1856 - Improper Control of Generation of Code ('Code Injection')

Severity

93%

Complexity

86%

Confidentiality

165%

The TabStrip ActiveX control in the Common Controls in MSCOMCTL.OCX in Microsoft Office 2003 SP3, Office 2003 Web Components SP3, Office 2007 SP2 and SP3, Office 2010 SP1, SQL Server 2000 SP4, SQL Server 2005 SP4, SQL Server 2008 SP2, SP3, R2, R2 SP1, and R2 SP2, Commerce Server 2002 SP4, Commerce Server 2007 SP2, Commerce Server 2009 Gold and R2, Host Integration Server 2004 SP1, Visual FoxPro 8.0 SP1, Visual FoxPro 9.0 SP2, and Visual Basic 6.0 Runtime allows remote attackers to execute arbitrary code via a crafted (1) document or (2) web page that triggers system-state corruption, aka "MSCOMCTL.OCX RCE Vulnerability."

The TabStrip ActiveX control in the Common Controls in MSCOMCTL.OCX in Microsoft Office 2003 SP3, Office 2003 Web Components SP3, Office 2007 SP2 and SP3, Office 2010 SP1, SQL Server 2000 SP4, SQL Server 2005 SP4, SQL Server 2008 SP2, SP3, R2, R2 SP1, and R2 SP2, Commerce Server 2002 SP4, Commerce Server 2007 SP2, Commerce Server 2009 Gold and R2, Host Integration Server 2004 SP1, Visual FoxPro 8.0 SP1, Visual FoxPro 9.0 SP2, and Visual Basic 6.0 Runtime allows remote attackers to execute arbitrary code via a crafted (1) document or (2) web page that triggers system-state corruption, aka "MSCOMCTL.OCX RCE Vulnerability."

CVSS 2.0 Base Score 9.3. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C).

Demo Examples

Improper Control of Generation of Code ('Code Injection')

CWE-94

This example attempts to write user messages to a message file and allow users to view them.


               
}
echo "Message Saved!<p>\n";
include($MessageFile);

While the programmer intends for the MessageFile to only include data, an attacker can provide a message such as:


               
message=%3C?php%20system(%22/bin/ls%20-l%22);?%3E

which will decode to the following:


               
<?php system("/bin/ls -l");?>

The programmer thought they were just including the contents of a regular data file, but PHP parsed it and executed the code. Now, this code is executed any time people view messages.

Notice that XSS (CWE-79) is also possible in this situation.

Improper Control of Generation of Code ('Code Injection')

CWE-94

edit-config.pl: This CGI script is used to modify settings in a configuration file.


               
}
# code to add a field/key to a file goes here
# code to set key to a particular file goes here
# code to delete key from a particular file goes here
eval($code);# this is super-efficient code, especially if you have to invoke# any one of dozens of different functions!
handleConfigAction($configfile, param('action'));
print "No action specified!\n";

The script intends to take the 'action' parameter and invoke one of a variety of functions based on the value of that parameter - config_file_add_key(), config_file_set_key(), or config_file_delete_key(). It could set up a conditional to invoke each function separately, but eval() is a powerful way of doing the same thing in fewer lines of code, especially when a large number of functions or variables are involved. Unfortunately, in this case, the attacker can provide other values in the action parameter, such as: add_key(",","); system("/bin/ls"); This would produce the following string in handleConfigAction(): config_file_add_key(",","); system("/bin/ls"); Any arbitrary Perl code could be added after the attacker has "closed off" the construction of the original function call, in order to prevent parsing errors from causing the malicious eval() to fail before the attacker's payload is activated. This particular manipulation would fail after the system() call, because the "_key(\$fname, \$key, \$val)" portion of the string would cause an error, but this is irrelevant to the attack because the payload has already been activated.

Overview

Type

Microsoft

First reported 12 years ago

2012-08-15 01:55:00

Last updated 6 years ago

2018-11-07 11:29:00

Affected Software

Microsoft Commerce Server 2002 Service Pack 4

2002

Microsoft Commerce Server 2007 Service Pack 2

2007

Microsoft Commerce Server 2009

2009

Microsoft Commerce Server 2009 R2

2009

Microsoft Host Integration Server (HIS) 2004 Service Pack 1

2004

Microsoft Office 2003 Service Pack 3

2003

Microsoft Office 2007 Service Pack 2

2007

Microsoft Office 2007 Service Pack 3

2007

Microsoft Office 2010 for x86 (32-bit Systems) Service Pack 1

2010

Microsoft Office 2003 Web Components Service Pack 3

2003

Microsoft SQL Server 2000 Service Pack 4

2000

Microsoft SQL Server 2000 Service Pack 4 Analysis Services

2000

Microsoft SQL Server 2005 Express Edition with Advanced Services Service Pack 4

2005

Microsoft SQL Server 2005 Service Pack 4 Itanium

2005

Microsoft SQL Server 2005 Service Pack 4 64-bit (X64)

2005

Microsoft SQL Server 2005 Service Pack 4 x86 (32-bit)

2005

Microsoft SQL Server 2008 R2 Itanium

2008

Microsoft SQL Server 2008 R2 64-bit (X64)

2008

Microsoft SQL Server 2008 R2 x86 (32-bit)

2008

Microsoft SQL Server 2008 R2 Service Pack 1 Itanium

2008

Microsoft SQL Server 2008 R2 Service Pack 1 X64 (64-bit)

2008

Microsoft SQL Server 2008 R2 Service Pack 1 x86 (32-bit)

2008

Microsoft SQL Server 2008 R2 Service Pack 2 Itanium

2008

Microsoft SQL Server 2008 R2 Service Pack 2X64 (64-bit)

2008

Microsoft SQL Server 2008 R2 Service Pack 2 x86 (32-bit)

2008

Microsoft SQL Server 2008 Service Pack 2 Itanium Based System

2008

Microsoft SQL Server 2008 Service Pack 2 64-bit (X64)

2008

Microsoft SQL Server 2008 Service Pack 2 x86 (32-bit)

2008

Microsoft SQL Server 2008 Service Pack 3 Itanium Based System

2008

Microsoft SQL Server 2008 Service Pack 3 64-bit (X64)

2008

Microsoft SQL Server 2008 Service Pack 3 x86 (32-bit)

2008

Microsoft Visual Basic 6.0 Runtime

6.0

Microsoft Visual FoxPro 8.0 Service Pack 1

8.0

Microsoft Visual FoxPro 9.0 Service Pack 2

9.0

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.