Windows Object Packager Insecure Execution

Added: 01/24/2012
CVE: CVE-2012-0009
BID: 51297
OSVDB: 78212

Background

Windows Object Packager is a tool that can be used to create a package that can be inserted into a file.

Problem

A vulnerability exists in the way the Windows Object Packager registers and implements packages stored on network shares, WebDAV locations, and UNC paths. An attacker may exploit this by uploading to a file share both a seemingly innocent document that references a malicious object and the malicious object itself, and then tricking a user into opening the document.

Resolution

Apply the patch provided by Microsoft Security Bulletin MS12-002.

References

http://technet.microsoft.com/en-us/security/bulletin/ms12-002

Limitations

This exploit has been tested against Microsoft Office Publisher 2007 SP3 on Windows XP SP3 English (DEP OptIn).

An SMB share which is readable by the target computer, and a user name and password with write access to that share, must be specified. The program smbclient must be available on the SAINT host.

The exploit requires creation of a custom e-mail message specifying an exploit download path '\\smb_server\smb_share\article.pub'.

Platforms

Windows
