{"id": "PACKETSTORM:113644", "type": "packetstorm", "bulletinFamily": "exploit", "title": "ESRI ArcMap Arbitrary Code Execution", "description": "", "published": "2012-06-14T00:00:00", "modified": "2012-06-14T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://packetstormsecurity.com/files/113644/ESRI-ArcMap-Arbitrary-Code-Execution.html", "reporter": "Boston Cyber Defense", "references": [], "cvelist": ["CVE-2012-1661"], "lastseen": "2016-12-05T22:21:47", "viewCount": 6, "enchantments": {"score": {"value": 7.6, "vector": "NONE", "modified": "2016-12-05T22:21:47", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2012-1661"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:28163", "SECURITYVULNS:VULN:12424"]}, {"type": "exploitdb", "idList": ["EDB-ID:19138"]}, {"type": "seebug", "idList": ["SSV:73098"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:B313192E398E729D1D9CDC6109498251"]}], "modified": "2016-12-05T22:21:47", "rev": 2}, "vulnersScore": 7.6}, "sourceHref": "https://packetstormsecurity.com/files/download/113644/arcgis-exec.txt", "sourceData": "`Description: \n \nOpening a specially crafted mxd file will execute arbitrary \ncode without prompting and without a crash of the application. \nThis is due to a flaw in the programs ability to prompt a user \nbefore executing embedded VBA. Mxd files are not filtered by \nemail systems so this allows a remote attacker to trick a user \ninto opening a map file via email and unknowingly gain control \nover their system. \n \nVersions affected (maybe more): \n \nArcMap 9 \n \nArcGIS Desktop 10 \nRelease Version: 10.0 \nProduct Version: 10.0.1.2800 \nArcGIS Service Pack: 1 (build 10.0.1.2800) \n \nArcGIS Desktop 10 \nRelease Version: 10.0 \nProduct Version: 10.0.2.3200 \nArcGIS Service Pack: 2 (build 10.0.2.3200) \n \n \nProof of concept: \n \nIf the following macro is implemented in the project \nthe Shell statements will be executed when the \ndocument is opened without prompt. \n \nPrivate Function MxDocument_OpenDocument() As Boolean \nShell \"calc.exe\", vbNormalFocus \nShell \"cmd /c start \nhttp://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661.htm\", \nvbNormalFocus \nEnd Function \n \nVideo at site: \n \nhttp://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661 \n`\n"}

{"cve": [{"lastseen": "2021-02-02T05:59:47", "description": "ESRI ArcMap 9 and ArcGIS 10.0.2.3200 and earlier does not properly prompt users before executing embedded VBA macros, which allows user-assisted remote attackers to execute arbitrary VBA code via a crafted map (.mxd) file.", "edition": 6, "cvss3": {}, "published": "2012-07-12T21:55:00", "title": "CVE-2012-1661", "type": "cve", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1661"], "modified": "2012-07-16T04:00:00", "cpe": ["cpe:/a:esri:arcgis:10.0.2.3200", "cpe:/a:esri:arcgis:9.0", "cpe:/a:esri:arcmap:9.0"], "id": "CVE-2012-1661", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1661", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:esri:arcgis:10.0.2.3200:*:*:*:*:*:*:*", "cpe:2.3:a:esri:arcmap:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:esri:arcgis:9.0:*:*:*:*:*:*:*"]}], "securityvulns": [{"lastseen": "2018-08-31T11:10:44", "bulletinFamily": "software", "cvelist": ["CVE-2012-1661"], "description": "Description:\r\n\r\nOpening a specially crafted mxd file will execute arbitrary\r\ncode without prompting and without a crash of the application.\r\nThis is due to a flaw in the programs ability to prompt a user\r\nbefore executing embedded VBA. Mxd files are not filtered by\r\nemail systems so this allows a remote attacker to trick a user\r\ninto opening a map file via email and unknowingly gain control\r\nover their system.\r\n\r\nVersions affected (maybe more):\r\n\r\nArcMap 9\r\n\r\nArcGIS Desktop 10\r\nRelease Version: 10.0\r\nProduct Version: 10.0.1.2800\r\nArcGIS Service Pack: 1 (build 10.0.1.2800)\r\n\r\nArcGIS Desktop 10\r\nRelease Version: 10.0\r\nProduct Version: 10.0.2.3200\r\nArcGIS Service Pack: 2 (build 10.0.2.3200)\r\n\r\n\r\nProof of concept:\r\n\r\nIf the following macro is implemented in the project\r\nthe Shell statements will be executed when the\r\ndocument is opened without prompt.\r\n\r\nPrivate Function MxDocument_OpenDocument() As Boolean\r\n Shell "calc.exe", vbNormalFocus\r\n Shell "cmd /c start\r\nhttp://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661.htm",\r\nvbNormalFocus\r\nEnd Function\r\n\r\nVideo at site:\r\n\r\nhttp://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661\r\n", "edition": 1, "modified": "2012-06-17T00:00:00", "published": "2012-06-17T00:00:00", "id": "SECURITYVULNS:DOC:28163", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28163", "title": "CVE-2012-1661 - ESRI ArcMap arbitrary code execution via crafted map file.", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:47", "bulletinFamily": "software", "cvelist": ["CVE-2012-1661"], "description": "MXD files may contain VBS scripts.", "edition": 1, "modified": "2012-06-17T00:00:00", "published": "2012-06-17T00:00:00", "id": "SECURITYVULNS:VULN:12424", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12424", "title": "ESRI ArcMap code execution", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-02T11:09:42", "description": "ESRI ArcGIS 10.0.x / ArcMap 9 - Arbitrary Code Execution. CVE-2012-1661. Local exploit for windows platform", "published": "2012-06-14T00:00:00", "type": "exploitdb", "title": "ESRI ArcGIS 10.0.x / ArcMap 9 - Arbitrary Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1661"], "modified": "2012-06-14T00:00:00", "id": "EDB-ID:19138", "href": "https://www.exploit-db.com/exploits/19138/", "sourceData": "=====\r\nTITLE\r\n=====\r\n\r\nESRI ArcMap Arbitrary Code Execution Via Crafted Map File\r\n\r\n============\r\nDescription:\r\n============\r\n\r\nOpening a specially crafted mxd file will execute arbitrary\r\ncode without prompting and without a crash of the application.\r\nThis is due to a flaw in the programs ability to prompt a user\r\nbefore executing embedded VBA. Mxd files are not filtered by\r\nemail systems so this allows a remote attacker to trick a user\r\ninto opening a map file via email and unknowingly gain control\r\nover their system.\r\n\r\n===============================\r\nVersions affected (maybe more):\r\n===============================\r\nArcMap 9\r\n\r\nArcGIS Desktop 10\r\nRelease Version: 10.0\r\nProduct Version: 10.0.1.2800\r\nArcGIS Service Pack: 1 (build 10.0.1.2800)\r\n\r\nArcGIS Desktop 10\r\nRelease Version: 10.0\r\nProduct Version: 10.0.2.3200\r\nArcGIS Service Pack: 2 (build 10.0.2.3200)\r\n\r\n=================\r\nProof of concept:\r\n=================\r\n\r\nIf the following macro is implemented in the project\r\nthe Shell statements will be executed when the\r\ndocument is opened without prompt.\r\n\r\nPrivate Function MxDocument_OpenDocument() As Boolean\r\nShell \"calc.exe\", vbNormalFocus\r\nShell \"cmd /c start\r\nhttp://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661.htm\",\r\nvbNormalFocus\r\nEnd Function\r\n\r\nVideo at site:\r\n\r\nhttp://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/19138/"}], "seebug": [{"lastseen": "2017-11-19T15:36:56", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "ESRI ArcGIS 10.0.x / ArcMap 9 - Arbitrary Code Execution", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1661"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-73098", "id": "SSV:73098", "sourceData": "\n =====\r\nTITLE\r\n=====\r\n\r\nESRI ArcMap Arbitrary Code Execution Via Crafted Map File\r\n\r\n============\r\nDescription:\r\n============\r\n\r\nOpening a specially crafted mxd file will execute arbitrary\r\ncode without prompting and without a crash of the application.\r\nThis is due to a flaw in the programs ability to prompt a user\r\nbefore executing embedded VBA. Mxd files are not filtered by\r\nemail systems so this allows a remote attacker to trick a user\r\ninto opening a map file via email and unknowingly gain control\r\nover their system.\r\n\r\n===============================\r\nVersions affected (maybe more):\r\n===============================\r\nArcMap 9\r\n\r\nArcGIS Desktop 10\r\nRelease Version: 10.0\r\nProduct Version: 10.0.1.2800\r\nArcGIS Service Pack: 1 (build 10.0.1.2800)\r\n\r\nArcGIS Desktop 10\r\nRelease Version: 10.0\r\nProduct Version: 10.0.2.3200\r\nArcGIS Service Pack: 2 (build 10.0.2.3200)\r\n\r\n=================\r\nProof of concept:\r\n=================\r\n\r\nIf the following macro is implemented in the project\r\nthe Shell statements will be executed when the\r\ndocument is opened without prompt.\r\n\r\nPrivate Function MxDocument_OpenDocument() As Boolean\r\nShell "calc.exe", vbNormalFocus\r\nShell "cmd /c start\r\nhttp://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661.htm",\r\nvbNormalFocus\r\nEnd Function\r\n\r\nVideo at site:\r\n\r\nhttp://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661\r\n\n ", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-73098"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:13", "description": "\nESRI ArcGIS 10.0.x ArcMap 9 - Arbitrary Code Execution", "edition": 1, "published": "2012-06-14T00:00:00", "title": "ESRI ArcGIS 10.0.x ArcMap 9 - Arbitrary Code Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1661"], "modified": "2012-06-14T00:00:00", "id": "EXPLOITPACK:B313192E398E729D1D9CDC6109498251", "href": "", "sourceData": "=====\nTITLE\n=====\n\nESRI ArcMap Arbitrary Code Execution Via Crafted Map File\n\n============\nDescription:\n============\n\nOpening a specially crafted mxd file will execute arbitrary\ncode without prompting and without a crash of the application.\nThis is due to a flaw in the programs ability to prompt a user\nbefore executing embedded VBA. Mxd files are not filtered by\nemail systems so this allows a remote attacker to trick a user\ninto opening a map file via email and unknowingly gain control\nover their system.\n\n===============================\nVersions affected (maybe more):\n===============================\nArcMap 9\n\nArcGIS Desktop 10\nRelease Version: 10.0\nProduct Version: 10.0.1.2800\nArcGIS Service Pack: 1 (build 10.0.1.2800)\n\nArcGIS Desktop 10\nRelease Version: 10.0\nProduct Version: 10.0.2.3200\nArcGIS Service Pack: 2 (build 10.0.2.3200)\n\n=================\nProof of concept:\n=================\n\nIf the following macro is implemented in the project\nthe Shell statements will be executed when the\ndocument is opened without prompt.\n\nPrivate Function MxDocument_OpenDocument() As Boolean\nShell \"calc.exe\", vbNormalFocus\nShell \"cmd /c start\nhttp://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661.htm\",\nvbNormalFocus\nEnd Function\n\nVideo at site:\n\nhttp://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}