ID CVE-2012-0003
Summary Unspecified vulnerability in winmm.dll in Windows Multimedia Library in Windows Media Player (WMP) in Microsoft Windows XP SP2 and SP3, Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows remote attackers to execute arbitrary code via a crafted MIDI file, aka "MIDI Remote Code Execution Vulnerability."
References
Vulnerable Configurations
  • Microsoft Windows 7
    cpe:2.3:o:microsoft:windows_7
  • Microsoft Windows 7 64-bit Service Pack 1 (initial release)
    cpe:2.3:o:microsoft:windows_7:-:sp1:x64
  • Microsoft Windows 7 x86 Service Pack 1
    cpe:2.3:o:microsoft:windows_7:-:sp1:x86
  • Microsoft Windows Server 2003 Service Pack 2
    cpe:2.3:o:microsoft:windows_server_2003:-:sp2
  • Windows Server 2008 Service Pack 2 for 32-bit systems
    cpe:2.3:o:microsoft:windows_server_2008:-:sp2:x32
  • Microsoft Windows Server 2008 Service Pack 2 x64 (64-bit)
    cpe:2.3:o:microsoft:windows_server_2008:-:sp2:x64
  • Microsoft Windows Server 2008 Service Pack 2 for Itanium-Based Systems
    cpe:2.3:o:microsoft:windows_server_2008:-:sp2:itanium
  • Windows Server 2008 R2 for Itanium-based Systems
    cpe:2.3:o:microsoft:windows_server_2008:r2:-:itanium
  • Windows Server 2008 R2 for 32-bit Systems
    cpe:2.3:o:microsoft:windows_server_2008:r2:-:x64
  • Microsoft Windows Server 2008 r2 Service Pack 1 Itanium
    cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:itanium
  • Microsoft Windows Server 2008 R2 Service Pack 1 x64 (64-bit)
    cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:x64
  • Microsoft Windows Vista Service Pack 2
    cpe:2.3:o:microsoft:windows_vista:-:sp2
  • Microsoft Windows Vista Service Pack 2 x64 (64-bit)
    cpe:2.3:o:microsoft:windows_vista:-:sp2:x64
  • cpe:2.3:o:microsoft:windows_xp:-:sp2:professional_x64
    cpe:2.3:o:microsoft:windows_xp:-:sp2:professional_x64
  • Microsoft Windows XP Service Pack 3
    cpe:2.3:o:microsoft:windows_xp:-:sp3
  • cpe:2.3:o:microsoft:windows_xp:2005:sp3:media_center
    cpe:2.3:o:microsoft:windows_xp:2005:sp3:media_center
CVSS
Base: 9.3 (as of 11-01-2012 - 11:09)
Impact:
Exploitability:
Access
Vector NETWORK
Complexity MEDIUM
Authentication NONE
Impact
Confidentiality COMPLETE
Integrity COMPLETE
Availability COMPLETE
exploit-db via4
description MS12-004 midiOutPlayNextPolyEvent Heap Overflow. CVE-2012-0003. Remote exploit for windows platform
id EDB-ID:18426
last seen 2016-02-02
modified 2012-01-28
published 2012-01-28
reporter metasploit
source https://www.exploit-db.com/download/18426/
title Windows - midiOutPlayNextPolyEvent Heap Overflow MS12-004
metasploit via4
description This module exploits a heap overflow vulnerability in the Windows Multimedia Library (winmm.dll). The vulnerability occurs when parsing specially crafted MIDI files. Remote code execution can be achieved by using the Windows Media Player ActiveX control. Exploitation is done by supplying a specially crafted MIDI file with specific events, causing the offset calculation to be higher than what is available on the heap (0x400 allocated by WINMM!winmmAlloc), and then allowing us to either "inc al" or "dec al" a byte. This can be used to corrupt an array (CImplAry) we set up, and force the browser to confuse types from tagVARIANT objects, which leverages remote code execution under the context of the user. Note: At this time, for IE 8 target, msvcrt ROP is used by default. However, if you know your target's patch level, you may also try the 'MSHTML' advanced option for an info leak based attack. Currently, this module only supports two MSHTML builds: 8.0.6001.18702, which is often seen in a newly installed XP SP3. Or 8.0.6001.19120, which is patch level before the MS12-004 fix. Also, based on our testing, the vulnerability does not seem to trigger when the victim machine is operated via rdesktop.
id MSF:EXPLOIT/WINDOWS/BROWSER/MS12_004_MIDI
last seen 2019-01-14
modified 2017-10-05
published 2012-02-01
reliability Normal
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms12_004_midi.rb
title MS12-004 midiOutPlayNextPolyEvent Heap Overflow
msbulletin via4
bulletin_id MS12-004
bulletin_url
date 2012-01-10T00:00:00
impact Remote Code Execution
knowledgebase_id 2636391
knowledgebase_url
severity Critical
title Vulnerabilities in Windows Media Could Allow Remote Code Execution
nessus via4
NASL family Windows : Microsoft Bulletins
NASL id SMB_NT_MS12-004.NASL
description The version of Windows Media installed on the remote host is affected by one or both of the following vulnerabilities:
  • The Winmm.dll library as used by Windows Media Player does not properly handle specially crafted MIDI files. (CVE-2012-0003)
  • A DirectShow component of DirectX does not properly handle specially crafted media files. (CVE-2012-0004)
An attacker who tricked a user on the affected host into opening a specially crafted MIDI or media file could leverage these issues to execute arbitrary code in the context of the current user.
last seen 2019-02-21
modified 2018-11-15
plugin id 57472
published 2012-01-10
reporter Tenable
source https://www.tenable.com/plugins/index.php?view=single&id=57472
title MS12-004: Vulnerabilities in Windows Media Could Allow Remote Code Execution (2636391)
oval via4
accepted 2012-05-21T04:00:08.027-04:00
class vulnerability
contributors
  • name Dragos Prisaca
    organization Symantec Corporation
  • name Josh Turpin
    organization Symantec Corporation
  • name Stelios Melachrinoudis
    organization The MITRE Corporation
definition_extensions
  • comment Microsoft Windows XP (x86) SP3 is installed
    oval oval:org.mitre.oval:def:5631
  • comment Microsoft Windows XP x64 Edition SP2 is installed
    oval oval:org.mitre.oval:def:4193
  • comment Microsoft Windows Server 2003 SP2 (x64) is installed
    oval oval:org.mitre.oval:def:2161
  • comment Microsoft Windows Server 2003 SP2 (x86) is installed
    oval oval:org.mitre.oval:def:1935
  • comment Microsoft Windows Server 2003 (ia64) SP2 is installed
    oval oval:org.mitre.oval:def:1442
  • comment Microsoft Windows Vista (32-bit) Service Pack 2 is installed
    oval oval:org.mitre.oval:def:6124
  • comment Microsoft Windows Vista x64 Edition Service Pack 2 is installed
    oval oval:org.mitre.oval:def:5594
  • comment Microsoft Windows Server 2008 (32-bit) Service Pack 2 is installed
    oval oval:org.mitre.oval:def:5653
  • comment Microsoft Windows Server 2008 x64 Edition Service Pack 2 is installed
    oval oval:org.mitre.oval:def:6216
  • comment Microsoft Windows Server 2008 Itanium-Based Edition Service Pack 2 is installed
    oval oval:org.mitre.oval:def:6150
description Unspecified vulnerability in winmm.dll in Windows Multimedia Library in Windows Media Player (WMP) in Microsoft Windows XP SP2 and SP3, Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows remote attackers to execute arbitrary code via a crafted MIDI file, aka "MIDI Remote Code Execution Vulnerability."
family windows
id oval:org.mitre.oval:def:14337
status accepted
submitted 2012-01-10T13:00:00
title MIDI Remote Code Execution Vulnerability
version 72
packetstorm via4
data source https://packetstormsecurity.com/files/download/109176/ms12_004_midi.rb.txt
id PACKETSTORM:109176
last seen 2016-12-05
published 2012-01-28
reporter sinn3r
source https://packetstormsecurity.com/files/109176/MS12-004-midiOutPlayNextPolyEvent-Heap-Overflow.html
title MS12-004 midiOutPlayNextPolyEvent Heap Overflow
refmap via4
bid 51292
cert TA12-010A
ms MS12-004
sectrack 1026492
secunia 47485
saint via4
bid 51292
description Windows Media MIDI Invalid Channel
id win_patch_ms12004multimedialib
osvdb 78210
title windows_media_midi_invalid_channel
type client
Last major update 06-03-2013 - 23:50
Published 10-01-2012 - 16:55
Last modified 26-02-2019 - 09:04