Windows OLE Package Manager CPackage::DoVerb() INF File Download Vulnerability

2014-10-24T00:00:00
ID SAINT:E2FE3BD2C8BE9674A313F7C730012F43
Type saint
Reporter SAINT Corporation
Modified 2014-10-24T00:00:00

Description

Added: 10/24/2014
CVE: CVE-2014-4114
BID: 70419
OSVDB: 113140

Background

OLE (Object Linking and Embedding) is a technology that allows applications to share data and functionality, such as the ability to create and edit compound data, i.e., data that contains information in multiple formats. For example, a compound Microsoft Word document may contain an embedded Microsoft Excel spreadsheet (or OLE object). This technology also enables in-place editing; instead of launching a new application when an OLE object is activated, the user instead sees a new set of menu items inside their existing application.

Setup information files (.INF file extension) are scripts containing registry commands that support the launching of executables by using an "install" verb. The system registry stores an instruction that assists in running the install verb specified within .INF files.

This exploit is publicly known as Sandworm because the vulnerability has been exploited in the wild by Russian attackers known as the Sandworm team.

Problem

Microsoft Windows OLE package manager (packager.dll) contains a flaw in the CPackage::DoVerb() function that allows downloading and executing INF files. A remote attacker who entices a vulnerable user to open a specially crafted PowerPoint document may be able to execute arbitrary commands in the context of the user.

Resolution

Apply the patch as described in Microsoft Security Bulletin MS14-060.

References

<https://technet.microsoft.com/library/security/ms14-060>
<http://www.isightpartners.com/2014/10/cve-2014-4114/>

Limitations

Exploit works on Microsoft Windows 7 SP1 64-bit with Microsoft Office 2013.

One of the programs **smbclient** or **mount_smbfs** must be available on the SAINT host.

An SMB share which is anonymously readable by the target computer, and a user name and password with write access to that share, must be specified.

Platforms

Windows 7