Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.SMB_NT_MS17_APR_4014793.NASL
HistoryOct 20, 2017 - 12:00 a.m.

KB4014793: Microsoft Wordpad Remote Code Execution vulnerability (April 2017)

2017-10-2000:00:00
This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
1024
JSON

The remote Windows host is missing security update KB4014793. It is, therefore, affected by a remote code execution vulnerability in Windows WordPad due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted file, to execute arbitrary code.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(104044);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/11/30");

  script_cve_id("CVE-2017-0199");
  script_bugtraq_id(97498);
  script_xref(name:"MSKB", value:"4014793");
  script_xref(name:"MSFT", value:"MS17-4014793");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/03");

  script_name(english:"KB4014793: Microsoft Wordpad Remote Code Execution vulnerability (April 2017)");
  script_summary(english:"Checks the Wordpad.exe file version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by an information disclosure
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is missing security update KB4014793. It is, 
therefore, affected by a remote code execution vulnerability in Windows 
WordPad due to improper validation of user-supplied input. 
An unauthenticated, remote attacker can exploit this, by convincing a 
user to open a specially crafted file, to execute arbitrary code.");
  # https://support.microsoft.com/en-us/help/4014793/title
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b841e949");
  # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7d5b7803");
  script_set_attribute(attribute:"solution", value:
"Apply security update KB4014793.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-0199");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Microsoft Office Word Malicious Hta Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/04/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/10/20");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS17-04';
kbs = make_list("4014793");

if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(vista:'2') <= 0)
  audit(AUDIT_OS_SP_NOT_VULN);

share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

systemroot = hotfix_get_systemroot();
if (!systemroot) audit(AUDIT_PATH_NOT_DETERMINED, 'system root');

port = kb_smb_transport();
login  = kb_smb_login();
pass   = kb_smb_password();
domain = kb_smb_domain();

if (hotfix_check_fversion_init() == HCF_CONNECT) exit(0, "Unable to create SMB session.");

winsxs = ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:"\1\WinSxS", string:systemroot);
winsxs_share = hotfix_path2share(path:systemroot);

rc = NetUseAdd(login:login, password:pass, domain:domain, share:winsxs_share);
if (rc != 1)
{
  NetUseDel();
  audit(AUDIT_SHARE_FAIL, winsxs_share);
}

vuln = 0;

# hotfix_check_winsxs opens another share
# we need to save state so our session can be restored
smb_session = make_array(
  'login',    login,
  'password', pass,
  'domain',   domain,
  'share',    winsxs_share
);

files = list_dir(basedir:winsxs, level:0, dir_pat:"microsoft-windows-wordpad", file_pat:"^wordpad\.exe$", max_recurse:1);
vuln += hotfix_check_winsxs(
  os:'6.0',
  sp:2,
  files:files,
  versions:make_list('6.0.6002.19755', '6.0.6002.24078'),
  max_versions:make_list('6.0.6002.21000', '6.0.6003.99999'),
  bulletin:bulletin,
  kb:"4014793",
  session:smb_session
);

if (vuln > 0)
{
  replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
VendorProductVersionCPE
microsoftwindowscpe:/o:microsoft:windows

Related

saint 3
threatpost 14
malwarebytes 9
fireeye 16
thn 7
metasploit 1
mscve 1
myhack58 14
cisa_kev 1
openvas 8
packetstorm 3
securelist 25
zdt 4
exploitpack 2
mskb 9
talosblog 9
checkpoint_advisories 1
attackerkb 1
ics 6
cve 1
prion 1
hivepro 2
mssecure 2
rapid7community 2
seebug 2
cert 1
exploitdb 3
avleonov 1
kaspersky 4
canvas 1
trellix 2
nessus 5
qualysblog 5
saint
saint
Microsoft Word and WordPad RTF HTA handler command execution
2017-04-20 00:00:00
Microsoft Word and WordPad RTF HTA handler command execution
2017-04-20 00:00:00
Microsoft Word and WordPad RTF HTA handler command execution
2017-04-20 00:00:00
threatpost
threatpost
Spy Campaign Spams Pro-Tibet Group With ExileRAT
2019-02-04 20:45:00
AZORult Campaign Adopts Novel Triple-Encryption Technique
2020-02-03 20:58:25
Stealthy Malware Hidden in Images Takes to GoogleUserContent
2018-07-19 19:29:29
malwarebytes
malwarebytes
Blocks for Flash and others coming to Office 365
2018-06-01 15:00:00
Fake IRS notice delivers customized spying tool
2017-09-21 15:00:24
APT36 jumps on the coronavirus bandwagon, delivers Crimson RAT
2020-03-16 15:00:00
fireeye
fireeye
CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler
2017-04-11 13:30:00
Petya Destructive Malware Variant Spreading via Stolen Credentials and EternalBlue Exploit
2017-06-27 17:30:00
CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler
2017-04-11 13:30:00
thn
thn
Petya Ransomware Spreading Rapidly Worldwide, Just Like WannaCry
2017-06-27 03:32:00
Indian-Made Mobile Spyware Targeted Human Rights Activist in Togo
2021-10-11 09:21:00
Not Just Criminals, But Governments Were Also Using MS Word 0-Day Exploit
2017-04-12 21:41:00
metasploit
metasploit
Microsoft Office Word Malicious Hta Execution
2017-04-15 02:32:48
mscve
mscve
Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows
2017-04-11 07:00:00
myhack58
myhack58
CVE-2017-0199: analysis Microsoft Office RTF vulnerability-vulnerability warning-the black bar safety net
2017-04-13 00:00:00
CVE-2017-0199: in-depth analysis of the Microsoft Office RTF vulnerability-vulnerability warning-the black bar safety net
2017-06-08 00:00:00
A newline character causes the Oscar vulnerability 0day(CVE-2017-8759)reproduction-latest Office the highest level of threat attack warning-vulnerability warning-the black bar safety net
2017-09-13 00:00:00
cisa_kev
cisa_kev
Microsoft Office and WordPad Remote Code Execution Vulnerability
2021-11-03 00:00:00
openvas
openvas
Microsoft Office Suite Remote Code Execution Vulnerability (KB3178710)
2017-04-12 00:00:00
Microsoft Office Suite Remote Code Execution Vulnerability (KB3141529)
2017-04-12 00:00:00
Microsoft Office Suite Remote Code Execution Vulnerability (KB3178703)
2017-04-12 00:00:00
packetstorm
packetstorm
Microsoft Office Word Malicious Hta Execution
2017-04-24 00:00:00
Microsoft RTF Remote Code Execution
2017-04-19 00:00:00
Microsoft Word MTA Handler Remote Code Execution
2017-06-27 00:00:00
securelist
securelist
RevengeHotels: cybercrime targeting hotel front desks worldwide
2019-11-28 10:00:48
The BlueNoroff cryptocurrency hunt is still on
2022-01-13 09:00:23
APT Trends report Q3 2017
2017-11-14 09:41:27
zdt
zdt
Microsoft Word - .RTF Remote Code Execution Exploit
2017-04-19 00:00:00
Microsoft Office / WordPad Remote Code Execution Vulnerability
2017-04-16 00:00:00
Microsoft Excel - OLE Arbitrary Code Execution Exploit
2017-10-18 00:00:00
exploitpack
exploitpack
Microsoft Word - .RTF Remote Code Execution
2017-04-18 00:00:00
Microsoft Office - Composite Moniker Remote Code Execution
2018-01-09 00:00:00
mskb
mskb
Description of the security update for Office 2013: April 11, 2017
2017-04-11 07:00:00
Description of the security update for Office 2016: April 11, 2017
2017-04-11 07:00:00
Description of the security update for Office 2010: April 11, 2017
2017-04-11 07:00:00
talosblog
talosblog
New campaign uses government, union-themed lures to deliver Cobalt Strike beacons
2022-09-28 12:12:00
JhoneRAT: Cloud based python RAT targeting Middle Eastern countries
2020-01-19 02:58:29
Threat Round Up For Sept 8 - Sept 15
2017-09-15 13:10:00
checkpoint_advisories
checkpoint_advisories
Microsoft Outlook Remote Code Execution (CVE-2017-0199)
2017-04-11 00:00:00
attackerkb
attackerkb
CVE-2017-0199
2017-04-12 00:00:00
ics
ics
Dridex Malware
2020-06-30 12:00:00
Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks
2022-02-24 12:00:00
Top 10 Routinely Exploited Vulnerabilities
2020-05-12 12:00:00
cve
cve
CVE-2017-0199
2017-04-12 14:59:00
prion
prion
Remote code execution
2017-04-12 14:59:00
hivepro
hivepro
SnatchCrypto campaign carried out by North Korean APT 38 subsidiary BlueNoroff
2022-01-14 06:23:18
Actors, Threats and Vulnerabilities 08 to 14 May 2023
2023-05-16 06:27:25
mssecure
mssecure
Hawkeye Keylogger – Reborn v8: An in-depth campaign analysis
2018-07-11 18:50:14
Office 365 Advanced Threat Protection defense for corporate networks against recent Office exploit attacks
2017-11-21 13:46:01
rapid7community
rapid7community
Patch Tuesday - April 2017
2017-04-12 03:13:07
Metasploit Weekly Wrapup
2017-05-05 20:37:48
seebug
seebug
Microsoft Office OLE2Link vulnerability (CVE-2017-0199)
2017-04-12 00:00:00
FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY
2017-09-14 00:00:00
cert
cert
Microsoft OLE URL Moniker improperly handles remotely-linked HTA data
2017-04-10 00:00:00
exploitdb
exploitdb
Microsoft Office Word - &#039;.RTF&#039; Malicious HTA Execution (Metasploit)
2017-04-25 00:00:00
Microsoft Word - &#039;.RTF&#039; Remote Code Execution
2017-04-18 00:00:00
Microsoft Office - &#039;Composite Moniker Remote Code Execution
2018-01-09 00:00:00
avleonov
avleonov
Petya the Great and why *they* don’t patch vulnerabilities
2017-06-29 21:29:50
kaspersky
kaspersky
KLA10995 Multiple arbitrary code execution vulnerabilities in Microsoft office
2016-09-09 00:00:00
KLA11024 Defense-in-Depth Update for Microsoft Office
2017-04-11 00:00:00
KLA11059 Multiple vulnerabilities in Microsoft Windows
2017-04-11 00:00:00
canvas
canvas
Immunity Canvas: OFFICE_WSDL
2017-09-13 01:29:00
trellix
trellix
The Tale of Two Exploits - Breaking Down CVE-2023-36884 and the Infection Chain
2023-08-24 00:00:00
The Tale of Two Exploits - Breaking Down CVE-2023-36884 and the Infection Chain
2023-08-24 00:00:00
nessus
nessus
Security Update for Microsoft Office Products (April 2017) (Petya)
2017-04-12 00:00:00
MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)
2017-03-20 00:00:00
MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)
2017-03-15 00:00:00
qualysblog
qualysblog
Microsoft Fixes 45 Vulnerabilities with new Security Update Guide – says goodbye to Security Bulletins
2017-04-11 18:24:03
Top 19+ Vulnerability CVEs in Santa’s Dashboard Tracking
2019-12-27 18:01:22
Part 2: An In-Depth Look at the Latest Vulnerability Threat Landscape (Attackers’ Edition)
2023-07-18 13:38:53
JSON
Related for SMB_NT_MS17_APR_4014793.NASL
saint3threatpost14malwarebytes9fireeye16thn7metasploit1mscve1myhack5814cisa_kev1openvas8packetstorm3securelist25zdt4exploitpack2mskb9talosblog9checkpoint_advisories1attackerkb1ics6cve1prion1hivepro2mssecure2rapid7community2seebug2cert1exploitdb3avleonov1kaspersky4canvas1trellix2nessus5qualysblog5