{"kaspersky": [{"lastseen": "2019-02-19T17:03:06", "bulletinFamily": "info", "description": "### *Detect date*:\n03/10/2015\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft products. Malicious users can exploit these vulnerabilities to cause denial of service, execute arbitrary code or conduct code injection.\n\n### *Affected products*:\nMicrosoft Office 2007 Service Pack 3 \nMicrosoft Office 2010 x86, x64 Service Pack 2 \nMicrosoft Office 2013 x86, x64 \nMicrosoft Office 2013 x86, x64 Service Pack 1 \nMicrosoft SharePoint Server 2010 Service Pack 2 \nMicrosoft SharePoint Server 2013 Service Pack 1 \nMicrosoft SharePoint Server 2013 \nMicrosoft Office Web Apps 2010 Service Pack 2 \nMicrosoft Office Web Apps 2013 \nMicrosoft Office Web Apps 2013 Service Pack 1\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[MS advisory](<https://technet.microsoft.com/library/security/MS15-022>) \n[CVE-2015-1636](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1636>) \n[CVE-2015-0085](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-0085>) \n[CVE-2015-0086](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-0086>) \n[CVE-2015-1633](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1633>) \n[CVE-2015-0097](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-0097>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Office](<https://threats.kaspersky.com/en/product/Microsoft-Office/>)\n\n### *CVE-IDS*:\n[CVE-2015-1636](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1636>) \n[CVE-2015-0085](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0085>) 
\n[CVE-2015-0086](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0086>) \n[CVE-2015-1633](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1633>) \n[CVE-2015-0097](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0097>)\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[2956183](<http://support.microsoft.com/kb/2956183>) \n[2956181](<http://support.microsoft.com/kb/2956181>) \n[2956180](<http://support.microsoft.com/kb/2956180>) \n[2880473](<http://support.microsoft.com/kb/2880473>) \n[2956189](<http://support.microsoft.com/kb/2956189>) \n[2956188](<http://support.microsoft.com/kb/2956188>) \n[2881078](<http://support.microsoft.com/kb/2881078>) \n[2956069](<http://support.microsoft.com/kb/2956069>) \n[2920812](<http://support.microsoft.com/kb/2920812>) \n[2889839](<http://support.microsoft.com/kb/2889839>) \n[2956109](<http://support.microsoft.com/kb/2956109>) \n[2956103](<http://support.microsoft.com/kb/2956103>) \n[2956175](<http://support.microsoft.com/kb/2956175>) \n[2956107](<http://support.microsoft.com/kb/2956107>) \n[2956106](<http://support.microsoft.com/kb/2956106>) \n[2956208](<http://support.microsoft.com/kb/2956208>) \n[2956163](<http://support.microsoft.com/kb/2956163>) \n[3038999](<http://support.microsoft.com/kb/3038999>) \n[2956143](<http://support.microsoft.com/kb/2956143>) \n[2956142](<http://support.microsoft.com/kb/2956142>) \n[2956076](<http://support.microsoft.com/kb/2956076>) \n[2881068](<http://support.microsoft.com/kb/2881068>) \n[2760361](<http://support.microsoft.com/kb/2760361>) \n[2899580](<http://support.microsoft.com/kb/2899580>) \n[2760554](<http://support.microsoft.com/kb/2760554>) \n[2956136](<http://support.microsoft.com/kb/2956136>) \n[2956151](<http://support.microsoft.com/kb/2956151>) \n[2956153](<http://support.microsoft.com/kb/2956153>) \n[2984939](<http://support.microsoft.com/kb/2984939>) \n[2956158](<http://support.microsoft.com/kb/2956158>) 
\n[2956138](<http://support.microsoft.com/kb/2956138>) \n[2956139](<http://support.microsoft.com/kb/2956139>) \n[2760508](<http://support.microsoft.com/kb/2760508>) \n[2920731](<http://support.microsoft.com/kb/2920731>) \n[2737989](<http://support.microsoft.com/kb/2737989>) \n[2883100](<http://support.microsoft.com/kb/2883100>)", "modified": "2019-02-15T00:00:00", "published": "2015-03-10T00:00:00", "id": "KLA10469", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10469", "title": "KLA10469 Multiple vulnerabilities in Microsoft products", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-19T17:02:36", "bulletinFamily": "info", "description": "### *Detect date*:\n04/14/2015\n\n### *Severity*:\nWarning\n\n### *Description*:\nXSS vulnerabilities were found in Microsoft Sharepoint. By exploiting these vulnerabilities, malicious users can inject arbitrary scripts. These vulnerabilities can be exploited remotely via a specially designed request.\n\n### *Affected products*:\nMicrosoft SharePoint Server 2013 Service Pack 1 \nMicrosoft SharePoint Server 2010 Service Pack 2\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[MS15-036](<https://technet.microsoft.com/en-us/library/security/ms15-036>) \n[CVE-2015-1653](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1653>) \n[CVE-2015-1640](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1640>) \n\n\n### *Impacts*:\nCI \n\n### *Related products*:\n[Microsoft Sharepoint Server](<https://threats.kaspersky.com/en/product/Microsoft-Sharepoint-Server/>)\n\n### *CVE-IDS*:\n[CVE-2015-1653](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1653>) 
\n[CVE-2015-1640](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1640>)\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[2965219](<http://support.microsoft.com/kb/2965219>) \n[2965302](<http://support.microsoft.com/kb/2965302>) \n[2965278](<http://support.microsoft.com/kb/2965278>)", "modified": "2019-02-15T00:00:00", "published": "2015-04-14T00:00:00", "id": "KLA10561", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10561", "title": "KLA10561 Code injection vulnerability in Microsoft Sharepoint", "type": "kaspersky", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "nessus": [{"lastseen": "2019-02-21T01:23:39", "bulletinFamily": "scanner", "description": "The remote Windows host has a version of Microsoft Office, Office Compatibility Pack, Microsoft Word Viewer, Microsoft Excel Viewer, SharePoint Server, or Microsoft Office Web Apps that is affected by multiple vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist due to incorrectly handling objects and rich text format files in memory. A remote attacker can exploit these vulnerabilities by convincing a user to open a specially crafted file using the affected software, resulting in execution of arbitrary code in the context of the current user. (CVE-2015-0085, CVE-2015-0086, CVE-2015-0097)\n\n - Multiple cross-site scripting vulnerabilities exist due to improperly sanitized requests to affected SharePoint servers. An authenticated attacker, via a specially crafted request, can exploit these vulnerabilities to execute script code in the security context of the current user. 
(CVE-2015-1633, CVE-2015-1636)", "modified": "2018-11-15T00:00:00", "id": "SMB_NT_MS15-022.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=81757", "published": "2015-03-11T00:00:00", "title": "MS15-022: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3038999)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81757);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2018/11/15 20:50:31\");\n\n script_cve_id(\n \"CVE-2015-0085\",\n \"CVE-2015-0086\",\n \"CVE-2015-0097\",\n \"CVE-2015-1633\",\n \"CVE-2015-1636\"\n );\n script_bugtraq_id(\n 72899,\n 72911,\n 72917,\n 72919,\n 72922\n );\n script_xref(name:\"MSFT\", value:\"MS15-022\");\n script_xref(name:\"MSKB\", value:\"2984939\");\n script_xref(name:\"MSKB\", value:\"2956103\");\n script_xref(name:\"MSKB\", value:\"2899580\");\n script_xref(name:\"MSKB\", value:\"2956109\");\n script_xref(name:\"MSKB\", value:\"2956076\");\n script_xref(name:\"MSKB\", value:\"2956138\");\n script_xref(name:\"MSKB\", value:\"2883100\");\n script_xref(name:\"MSKB\", value:\"2889839\");\n script_xref(name:\"MSKB\", value:\"2956142\");\n script_xref(name:\"MSKB\", value:\"2920812\");\n script_xref(name:\"MSKB\", value:\"2956139\");\n script_xref(name:\"MSKB\", value:\"2956151\");\n script_xref(name:\"MSKB\", value:\"2956163\");\n script_xref(name:\"MSKB\", value:\"2956188\");\n script_xref(name:\"MSKB\", value:\"2956189\");\n script_xref(name:\"MSKB\", value:\"2956107\");\n script_xref(name:\"MSKB\", value:\"2956106\");\n script_xref(name:\"MSKB\", value:\"2956136\");\n script_xref(name:\"MSKB\", value:\"2956143\");\n script_xref(name:\"MSKB\", value:\"2920731\");\n script_xref(name:\"MSKB\", value:\"2956069\");\n script_xref(name:\"MSKB\", value:\"2956158\");\n script_xref(name:\"MSKB\", value:\"2881068\");\n script_xref(name:\"MSKB\", value:\"2956208\");\n script_xref(name:\"MSKB\", 
value:\"2956175\");\n script_xref(name:\"MSKB\", value:\"2956183\");\n script_xref(name:\"MSKB\", value:\"2760508\");\n script_xref(name:\"MSKB\", value:\"2956180\");\n script_xref(name:\"MSKB\", value:\"2956153\");\n script_xref(name:\"MSKB\", value:\"2760554\");\n script_xref(name:\"MSKB\", value:\"2880473\");\n script_xref(name:\"MSKB\", value:\"2737989\");\n script_xref(name:\"MSKB\", value:\"2881078\");\n script_xref(name:\"MSKB\", value:\"2956181\");\n script_xref(name:\"MSKB\", value:\"2760361\");\n script_xref(name:\"IAVA\", value:\"2015-A-0052\");\n\n script_name(english:\"MS15-022: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3038999)\");\n script_summary(english:\"Checks the Office, SharePoint, and OWA version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple remote code execution\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host has a version of Microsoft Office, Office\nCompatibility Pack, Microsoft Word Viewer, Microsoft Excel Viewer,\nSharePoint Server, or Microsoft Office Web Apps that is affected by\nmultiple vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist due\n to incorrectly handling objects and rich text format\n files in memory. A remote attacker can exploit these\n vulnerabilities by convincing a user to open a specially\n crafted file using the affected software, resulting in\n execution of arbitrary code in the context of the\n current user. (CVE-2015-0085, CVE-2015-0086,\n CVE-2015-0097)\n\n - Multiple cross-site scripting vulnerabilities exist due\n to improperly sanitized requests to affected SharePoint\n servers. An authenticated attacker, via a specially\n crafted request, can exploit these vulnerabilities to\n execute script code in the security context of the\n current user. 
(CVE-2015-1633, CVE-2015-1636)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-022\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Office 2007, 2010, 2013,\nOffice Compatibility Pack, Microsoft Word Viewer, Microsoft Excel\nViewer, SharePoint Server, and Office Web Apps.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/03/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:word_viewer\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:excel_viewer\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office_compatibility_pack\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:sharepoint_server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office_web_apps\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"office_installed.nasl\", 
\"microsoft_sharepoint_installed.nbin\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nglobal_var bulletin, vuln;\n\nfunction get_ver()\n{\n local_var fh, path, rc, share, ver;\n\n path = _FCT_ANON_ARGS[0];\n\n share = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:path);\n\n rc = NetUseAdd(share:share);\n if (rc != 1)\n {\n NetUseDel();\n audit(AUDIT_SHARE_FAIL, share);\n }\n\n ver = NULL;\n path = ereg_replace(string:path, pattern:\"^[A-Za-z]:(.*)\", replace:'\\\\1\\\\');\n\n fh = CreateFile(\n file : path,\n desired_access : GENERIC_READ,\n file_attributes : FILE_ATTRIBUTE_NORMAL,\n share_mode : FILE_SHARE_READ,\n create_disposition : OPEN_EXISTING\n );\n if (!isnull(fh))\n {\n ver = GetFileVersion(handle:fh);\n ver = join(ver, sep:\".\");\n CloseFile(handle:fh);\n }\n\n NetUseDel(close:FALSE);\n\n return ver;\n}\n\nfunction check_vuln(fix, kb, name, path, ver)\n{\n local_var info;\n\n if (isnull(ver))\n ver = get_ver(path);\n\n if (isnull(ver) || ver_compare(ver:ver, fix:fix, strict:FALSE) >= 0)\n return 0;\n\n info =\n '\\n Product : ' + name +\n '\\n Path : ' + path +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : ' + fix +\n '\\n';\n hotfix_add_report(info, bulletin:bulletin, kb:kb);\n\n vuln = TRUE;\n}\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\n# Get path information for Windows.\nwindir = hotfix_get_systemroot();\nif (isnull(windir)) exit(1, \"Failed to determine the location of %windir%.\");\n\nbulletin = 'MS15-022';\nkbs = make_list(\n 2984939, # Office 2007\n 2956103, # Excel 2007\n 2899580, # PowerPoint 2007\n 2956109, # Word 2007\n 2956076, # Office 
2010\n 2956138, # Office 2010\n 2883100, # Office 2010\n 2889839, # Office 2010 (oart)\n 2956142, # Excel 2010\n 2920812, # PowerPoint 2010\n 2956139, # Word 2010\n 2956151, # Office 2013\n 2956163, # Word 2013\n 2956188, # Word Viewer\n 2956189, # Excel Viewer\n 2956107, # Office Compat Pack (wordconv)\n 2956106, # Office Compat Pack (xlconv)\n 2956136, # SharePoint 2010 Word Automation Services\n 2956143, # SharePoint 2013 Excel Services\n 2920731, # SharePoint 2013 Word Automation Services\n 2956069, # Office Web Apps 2010\n 2956158, # Office Web Apps 2013\n 2881068, # SharePoint Server 2007\n 2956208, # SharePoint Server 2010\n 2956175, # SharePoint Server 2013\n 2956183, # SharePoint Server 2013\n 2760508, # SharePoint Server 2013\n 2956180,\n 2956153,\n 2760554,\n 2880473,\n 2737989,\n 2881078,\n 2956181,\n 2760361\n);\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\", exit_code:1);\n\n# Connect to the registry.\nregistry_init();\nhklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\n\n# Get the path information for SharePoint Server 2007\nsps_2007_path = get_registry_value(\n handle : hklm,\n item : \"SOFTWARE\\Microsoft\\Office Server\\12.0\\InstallPath\"\n);\n\n# Get the path information for SharePoint Services 3.0\nsps_30_path = get_registry_value(\n handle : hklm,\n item : \"SOFTWARE\\Microsoft\\Shared Tools\\Web Server Extensions\\12.0\\Location\"\n);\n\n# Get path information for SharePoint Server 2010.\nsps_2010_path = get_registry_value(\n handle : hklm,\n item : \"SOFTWARE\\Microsoft\\Office Server\\14.0\\InstallPath\"\n);\n\n# Get the path information for SharePoint Foundation 2010\nspf_2010_path = get_registry_value(\n handle : hklm,\n item : \"SOFTWARE\\Microsoft\\Shared Tools\\Web Server Extensions\\14.0\\Location\"\n);\n\n# Get the path information for SharePoint Server 2013\nsps_2013_path = 
get_registry_value(\n handle : hklm,\n item : \"SOFTWARE\\Microsoft\\Office Server\\15.0\\InstallPath\"\n);\n\n# Get the path information for SharePoint Foundation 2013\n# (registry hive key spelled correctly; a misspelled \"SOFTWARE\" here makes the lookup silently return NULL\n# and the Foundation 2013 checks below never run)\nspf_2013_path = get_registry_value(\n handle : hklm,\n item : \"SOFTWARE\\Microsoft\\Shared Tools\\Web Server Extensions\\15.0\\Location\"\n);\n\nowa_2013_path = get_registry_value(\n handle : hklm,\n item : \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Office15.WacServer\\InstallLocation\"\n);\n\n# Close connection to registry.\nRegCloseKey(handle:hklm);\nclose_registry(close:FALSE);\n# Get path information for Office Web Apps.\nowa_2010_path = sps_2010_path;\n\n######################################################################\n# Office Web Apps 2010 SP1 / SP2\n######################################################################\nif (owa_2010_path)\n{\n check_vuln(\n name : \"Office Web Apps 2010\",\n kb : \"2956070\",\n path : owa_2010_path + \"WebServices\\ConversionService\\Bin\\Converter\\sword.dll\",\n fix : \"14.0.7145.5000\"\n );\n}\n\n######################################################################\n# Office Web Apps 2013 SP1 / SP2\n######################################################################\nif (owa_2013_path)\n{\n check_vuln(\n name : \"Office Web Apps 2013\",\n kb : \"2956158\",\n path : windir + \"\\Microsoft.NET\\assembly\\GAC_MSIL\\Microsoft.Office.Web.Apps.Environment.WacServer\\v4.0_15.0.0.0__71e9bce111e9429c\\Microsoft.Office.Web.Apps.Environment.WacServer.dll\",\n fix : \"15.0.4693.1000\"\n );\n}\n######################################################################\n# SharePoint Server 2007 SP3\n######################################################################\nif (sps_2007_path && sps_30_path)\n{\n check_vuln(\n name : \"Office SharePoint Server 2007\",\n kb : \"2881068\",\n path : sps_30_path + \"\\BIN\\offparser.dll\",\n fix : \"12.0.6717.5000\"\n );\n}\n\n######################################################################\n# 
SharePoint Server 2010 SP2\n######################################################################\nif (sps_2010_path)\n{\n check_vuln(\n name : \"Office SharePoint Server 2010\",\n kb : \"2956136\",\n path : sps_2010_path + \"WebServices\\WordServer\\Core\\sword.dll\",\n fix : \"14.0.7145.5000\"\n );\n}\n\n######################################################################\n# SharePoint Foundation 2010\n######################################################################\nif (spf_2010_path)\n{\n path = spf_2010_path + \"Bin\\Onetutil.dll\";\n ver = get_ver(path);\n\n if (ver && ver =~ \"^14\\.\")\n {\n check_vuln(\n name : \"SharePoint Foundation 2010\",\n kb : \"2956208\",\n path : path,\n ver : ver,\n fix : \"14.0.7145.5000\"\n );\n }\n}\n\n######################################################################\n# SharePoint Server 2013 SP2\n######################################################################\nif (sps_2013_path)\n{\n check_vuln(\n name : \"Office SharePoint Server 2013 Excel Services\",\n kb : \"2956143\",\n path : sps_2013_path + \"Bin\\xlsrv.dll\",\n fix : \"15.0.4701.1000\"\n );\n\n check_vuln(\n name : \"SharePoint Server 2013 Word Automation Services\",\n kb : \"2920731\",\n path : sps_2013_path + \"WebServices\\ConversionServices\\sword.dll\",\n fix : \"15.0.4701.1000\"\n );\n\n check_vuln(\n name : \"SharePoint Server 2013 (arcsrvloc)\",\n kb : \"2956180\",\n path : windir + \"\\Microsoft.NET\\assembly\\GAC_MSIL\\Microsoft.Office.Access.Server\\v4.0.15.0.0.0__71e9bce111e9429c\\Microsoft.Office.Access.Server.dll\",\n fix : \"15.0.4525.1000\"\n );\n\n check_vuln(\n name : \"SharePoint Server 2013 (coreserverloc)\",\n kb : \"2956153\",\n path : sps_2013_path + \"Bin\\MSSCPI.DLL\",\n fix : \"15.0.4681.1000\"\n );\n\n check_vuln(\n name : \"SharePoint Server 2013 (eduloc)\",\n kb : \"2760554\",\n path : windir + 
\"\\Microsoft.NET\\assembly\\GAC_MSIL\\Microsoft.SharePoint.Client.UserProfiles\\v4.0.15.0.0.0__71e9bce111e9429c\\Microsoft.SharePoint.Client.UserProfiles.dll\",\n fix : \"15.0.4567.1000\"\n );\n\n check_vuln(\n name : \"SharePoint Server 2013 (ifsloc)\",\n kb : \"2880473\",\n path : windir + \"\\Microsoft.NET\\assembly\\GAC_MSIL\\Microsoft.Office.InfoPath.Server\\v4.0.15.0.0.0__71e9bce111e9429c\\Microsoft.Office.InfoPath.Server.dll\",\n fix : \"15.0.4701.1000\"\n );\n\n check_vuln(\n name : \"SharePoint Server 2013 (lpsrvloc)\",\n kb : \"2737989\",\n path : sps_2013_path + \"WebServices\\ConversionServices\\oartserver.dll\",\n fix : \"15.0.4701.1000\"\n );\n\n check_vuln(\n name : \"SharePoint Server 2013 (ppsmaloc)\",\n kb : \"2881078\",\n path : windir + \"\\Microsoft.NET\\assembly\\GAC_MSIL\\Microsoft.PerformancePoint.Scorecards.Server\\v4.0.15.0.0.0__71e9bce111e9429c\\Microsoft.PerformancePoint.Scorecards.Server.dll\",\n fix : \"15.0.4701.1000\"\n );\n\n # Assembly directory name must match the DLL name (Visio, not Viso), otherwise the file is never found\n check_vuln(\n name : \"SharePoint Server 2013 (vsrvloc)\",\n kb : \"2956181\",\n path : windir + \"\\Microsoft.NET\\assembly\\GAC_MSIL\\Microsoft.Office.Visio.Server\\v4.0.15.0.0.0__71e9bce111e9429c\\Microsoft.Office.Visio.Server.dll\",\n fix : \"15.0.4659.1000\"\n );\n\n check_vuln(\n name : \"SharePoint Server 2013 (wasrvloc)\",\n kb : \"2760361\",\n path : sps_2013_path + \"WebServices\\ConversionServices\\msores.dll\",\n fix : \"15.0.4697.1000\"\n );\n}\n\n######################################################################\n# SharePoint Foundation 2013\n######################################################################\nif (spf_2013_path)\n{\n check_vuln(\n name : \"SharePoint Foundation 2013\",\n kb : \"2956175\",\n path : spf_2013_path + \"Bin\\CsiSrv.dll\",\n fix : \"15.0.4699.1000\"\n );\n\n check_vuln(\n name : \"SharePoint Foundation 2013 (wssloc)\",\n kb : \"2956183\",\n path : spf_2013_path + \"wsssetup.dll\",\n fix : \"15.0.4701.1000\"\n );\n\n if (sps_2013_path)\n {\n check_vuln(\n name : 
\"SharePoint Foundation 2013 (smsloc)\",\n kb : \"2760508\",\n path : sps_2013_path + \"\\WebServices\\ConversionServices\\IGXServer.DLL\",\n fix : \"15.0.4699.1000\"\n );\n }\n}\n\n\n# Excel\nkb = \"\";\ninstalls = get_kb_list(\"SMB/Office/Excel/*/ProductPath\");\nif (!isnull(installs))\n{\n foreach install (keys(installs))\n {\n version = install - 'SMB/Office/Excel/' - '/ProductPath';\n path = installs[install];\n info = \"\";\n\n # Excel 2010\n if (version =~ \"^14\\.\" && ver_compare(ver:version, fix:'14.0.7145.5001') < 0)\n {\n office_sp = get_kb_item('SMB/Office/2010/SP');\n if (!isnull(office_sp) && office_sp == 2)\n {\n info =\n '\\n Product : Excel 2010' +\n '\\n File : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 14.0.7145.5001\\n';\n kb = '2956142';\n }\n }\n\n # Excel 2007\n if (version =~ \"^12\\.\" && ver_compare(ver:version, fix:'12.0.6718.5000') < 0)\n {\n office_sp = get_kb_item(\"SMB/Office/2007/SP\");\n if (!isnull(office_sp) && (office_sp == 3))\n {\n info =\n '\\n Product : Excel 2007' +\n '\\n File : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 12.0.6718.5000\\n';\n kb = '2956103';\n }\n }\n\n if (info)\n {\n hotfix_add_report(info, bulletin:bulletin, kb:kb);\n vuln = TRUE;\n }\n }\n}\n\n# PowerPoint\nkb = \"\";\ninstalls = get_kb_list(\"SMB/Office/PowerPoint/*/ProductPath\");\nif (!isnull(installs))\n{\n foreach install (keys(installs))\n {\n version = install - 'SMB/Office/PowerPoint/' - '/ProductPath';\n path = installs[install];\n info = \"\";\n\n # PowerPoint 2010 SP2\n if (version =~ \"^14\\.\" && ver_compare(ver:version, fix:'14.0.7145.5001') < 0)\n {\n office_sp = get_kb_item(\"SMB/Office/2010/SP\");\n if (!isnull(office_sp) && (office_sp == 2))\n {\n info =\n '\\n Product : PowerPoint 2010' +\n '\\n File : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 14.0.7145.5001' + '\\n';\n kb = \"2920812\";\n }\n }\n\n if (info)\n {\n hotfix_add_report(info, 
bulletin:bulletin, kb:kb);\n vuln = TRUE;\n }\n }\n}\n\n# Word\nkb = \"\";\ninstalls = get_kb_list(\"SMB/Office/Word/*/ProductPath\");\nif (!isnull(installs))\n{\n foreach install (keys(installs))\n {\n version = install - 'SMB/Office/Word/' - '/ProductPath';\n path = installs[install];\n info = \"\";\n\n # Word 2013\n if (version =~ \"^15\\.\" && ver_compare(ver:version, fix:'15.0.4701.1001') < 0)\n {\n office_sp = get_kb_item(\"SMB/Office/2013/SP\");\n if (!isnull(office_sp) && (office_sp <= 1))\n {\n info =\n '\\n Product : Word 2013' +\n '\\n File : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 15.0.4701.1001' + '\\n';\n kb = \"2956163\";\n }\n }\n\n # Word 2010 SP2\n if (version =~ \"^14\\.\" && ver_compare(ver:version, fix:'14.0.7145.5001') < 0)\n {\n office_sp = get_kb_item(\"SMB/Office/2010/SP\");\n if (!isnull(office_sp) && (office_sp == 2))\n {\n info =\n '\\n Product : Word 2010' +\n '\\n File : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 14.0.7145.5001' + '\\n';\n kb = \"2956139\";\n }\n }\n\n # Word 2007 SP3\n if (version =~ \"^12\\.\" && ver_compare(ver:version, fix:'12.0.6718.5000') < 0)\n {\n office_sp = get_kb_item(\"SMB/Office/2007/SP\");\n if (!isnull(office_sp) && office_sp == 3)\n {\n info =\n '\\n Product : Word 2007 SP3' +\n '\\n File : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 12.0.6718.5000' + '\\n';\n kb = \"2956109\";\n }\n }\n\n if (info)\n {\n hotfix_add_report(info, bulletin:bulletin, kb:kb);\n vuln = TRUE;\n }\n }\n}\n\n# Word Viewer\ninstalls = get_kb_list(\"SMB/Office/WordViewer/*/ProductPath\");\nif (!isnull(installs))\n{\n foreach install (keys(installs))\n {\n info = \"\";\n version = install - 'SMB/Office/WordViewer/' - '/ProductPath';\n path = installs[install];\n if (isnull(path)) path = \"n/a\";\n\n if (ver_compare(ver:version, fix:'11.0.8416.0') < 0)\n {\n info =\n '\\n Product : Word Viewer' +\n '\\n File : ' + path +\n '\\n 
Installed version : ' + version +\n '\\n Fixed version : 11.0.8416.0' + '\\n';\n kb = \"2956188\";\n }\n\n if (info)\n {\n hotfix_add_report(info, bulletin:bulletin, kb:kb);\n vuln = TRUE;\n break;\n }\n }\n}\n\n# Excel Viewer\ninstalls = get_kb_list(\"SMB/Office/ExcelViewer/*/ProductPath\");\nif (!isnull(installs))\n{\n foreach install (keys(installs))\n {\n info = \"\";\n version = install - 'SMB/Office/ExcelViewer/' - '/ProductPath';\n path = installs[install];\n if (isnull(path)) path = \"n/a\";\n\n if (ver_compare(ver:version, fix:'12.0.6717.5000') < 0)\n {\n info =\n '\\n Product : Excel Viewer' +\n '\\n File : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 12.0.6717.5000' + '\\n';\n kb = \"2956189\";\n }\n\n if (info)\n {\n hotfix_add_report(info, bulletin:bulletin, kb:kb);\n vuln = TRUE;\n break;\n }\n }\n}\n\n# Ensure Office is installed\noffice_vers = hotfix_check_office_version();\nif (!isnull(office_vers))\n{\n # Ensure we can get common files directory\n commonfiles = hotfix_get_officecommonfilesdir(officever:\"14.0\");\n if (commonfiles)\n {\n # Ensure share is accessible\n share = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:commonfiles);\n if (is_accessible_share(share:share))\n {\n # Office 2013\n if (office_vers[\"15.0\"])\n {\n office_sp = get_kb_item(\"SMB/Office/2013/SP\");\n if (!isnull(office_sp) && office_sp <= 1)\n {\n path = commonfiles + \"\\Microsoft Shared\\Office15\";\n old_report = hotfix_get_report();\n check_file = \"Mso.dll\";\n\n if (hotfix_check_fversion(path:path, file:check_file, version:\"15.0.4701.1000\", min_version:\"15.0.0.0\") == HCF_OLDER)\n {\n file = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", string:path, replace:\"\\1\\\" + check_file);\n kb_name = \"SMB/FileVersions/\"+tolower(share-'$')+tolower(str_replace(string:file, find:\"\\\", replace:\"/\"));\n kb_name = str_replace(find:\"//\", replace:\"/\", string:kb_name);\n version = get_kb_item(kb_name);\n\n info =\n '\\n 
Product : Microsoft Office 2013' +\n '\\n File : ' + path + '\\\\' + check_file +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 15.0.4701.1000' + '\\n';\n\n hcf_report = '';\n hotfix_add_report(old_report + info, bulletin:bulletin, kb:\"2956151\");\n vuln = TRUE;\n }\n }\n }\n # Office 2010\n if (office_vers[\"14.0\"])\n {\n office_sp = get_kb_item(\"SMB/Office/2010/SP\");\n if (!isnull(office_sp) && office_sp == 2)\n {\n\n path = commonfiles + \"\\Microsoft Shared\\Office14\";\n old_report = hotfix_get_report();\n check_file = \"Mso.dll\";\n\n if (hotfix_check_fversion(path:path, file:check_file, version:\"14.0.7145.5000\", min_version:\"14.0.0.0\") == HCF_OLDER)\n {\n file = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", string:path, replace:\"\\1\\\" + check_file);\n kb_name = \"SMB/FileVersions/\"+tolower(share-'$')+tolower(str_replace(string:file, find:\"\\\", replace:\"/\"));\n kb_name = str_replace(find:\"//\", replace:\"/\", string:kb_name);\n version = get_kb_item(kb_name);\n\n info =\n '\\n Product : Microsoft Office 2010' +\n '\\n File : ' + path + '\\\\' + check_file +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 14.0.7145.5000' + '\\n';\n\n hcf_report = '';\n hotfix_add_report(old_report + info, bulletin:bulletin, kb:\"2956076\");\n vuln = TRUE;\n }\n\n old_report = hotfix_get_report();\n check_file = \"Oart.dll\";\n if (hotfix_check_fversion(path:path, file:check_file, version:\"14.0.7134.5000\", min_version:\"14.0.0.0\") == HCF_OLDER)\n {\n file = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", string:path, replace:\"\\1\\\" + check_file);\n kb_name = \"SMB/FileVersions/\"+tolower(share-'$')+tolower(str_replace(string:file, find:\"\\\", replace:\"/\"));\n kb_name = str_replace(find:\"//\", replace:\"/\", string:kb_name);\n version = get_kb_item(kb_name);\n\n info =\n '\\n Product : Microsoft Office 2010' +\n '\\n File : ' + path + '\\\\' + check_file +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 
14.0.7134.5000' + '\\n';\n\n hcf_report = '';\n hotfix_add_report(old_report + info, bulletin:bulletin, kb:\"2883100\");\n vuln = TRUE;\n }\n\n old_report = hotfix_get_report();\n check_file = \"Oartconv.dll\";\n if (hotfix_check_fversion(path:path, file:check_file, version:\"14.0.7134.5000\", min_version:\"14.0.0.0\") == HCF_OLDER)\n {\n file = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", string:path, replace:\"\\1\\\" + check_file);\n kb_name = \"SMB/FileVersions/\"+tolower(share-'$')+tolower(str_replace(string:file, find:\"\\\", replace:\"/\"));\n kb_name = str_replace(find:\"//\", replace:\"/\", string:kb_name);\n version = get_kb_item(kb_name);\n\n info =\n '\\n Product : Microsoft Office 2010' +\n '\\n File : ' + path + '\\\\' + check_file +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 14.0.7134.5000' + '\\n';\n\n hcf_report = '';\n hotfix_add_report(old_report + info, bulletin:bulletin, kb:\"2889839\");\n vuln = TRUE;\n }\n\n path = get_kb_item(\"SMB/Office/Word/14.0/Path\");\n if (!path) path = get_kb_item(\"SMB/Office/Excel/14.0/Path\");\n if (!path) path = get_kb_item(\"SMB/Office/PowerPoint/14.0/Path\");\n if (path)\n {\n old_report = hotfix_get_report();\n check_file = \"Wwlib.dll\";\n\n if (hotfix_check_fversion(path:path, file:check_file, version:\"14.0.7145.5000\", min_version:\"14.0.0.0\") == HCF_OLDER)\n {\n file = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", string:path, replace:\"\\1\\\" + check_file);\n kb_name = \"SMB/FileVersions/\"+tolower(share-'$')+tolower(str_replace(string:file, find:\"\\\", replace:\"/\"));\n kb_name = str_replace(find:\"//\", replace:\"/\", string:kb_name);\n version = get_kb_item(kb_name);\n\n info =\n '\\n Product : Microsoft Office 2010' +\n '\\n File : ' + path + '\\\\' + check_file +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 14.0.7145.5000' + '\\n';\n\n hcf_report = '';\n hotfix_add_report(old_report + info, bulletin:bulletin, kb:\"2956138\");\n vuln = TRUE;\n }\n }\n }\n }\n\n # 
Office 2007 SP3\n if (office_vers[\"12.0\"])\n {\n office_sp = get_kb_item(\"SMB/Office/2007/SP\");\n if (!isnull(office_sp) && office_sp == 3)\n {\n path = commonfiles + \"\\Microsoft Shared\\Office12\";\n old_report = hotfix_get_report();\n check_file = \"Mso.dll\";\n\n if (hotfix_check_fversion(path:path, file:check_file, version:\"12.0.6718.5000\", min_version:\"12.0.0.0\") == HCF_OLDER)\n {\n file = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", string:path, replace:\"\\1\\\" + check_file);\n kb_name = \"SMB/FileVersions/\" + tolower(share-'$')+tolower(str_replace(string:file, find:\"\\\", replace:\"/\"));\n version = get_kb_item(kb_name);\n\n info =\n '\\n Product : Microsoft Office 2007 SP3' +\n '\\n File : ' + path + '\\\\' + check_file +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 12.0.6718.5000\\n';\n\n hcf_report = '';\n hotfix_add_report(old_report + info, bulletin:bulletin, kb:\"2984939\");\n vuln = TRUE;\n }\n\n path = get_kb_item(\"SMB/Office/PowerPoint/14.0/Path\");\n if (!empty_or_null(path))\n {\n old_report = hotfix_get_report();\n check_file = \"ppcore.dll\";\n\n if (hotfix_check_fversion(path:path, file:check_file, version:\"12.0.6718.5000\", min_version:\"12.0.0.0\") == HCF_OLDER)\n {\n file = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", string:path, replace:\"\\1\\\" + check_file);\n kb_name = \"SMB/FileVersions/\" + tolower(share-'$')+tolower(str_replace(string:file, find:\"\\\", replace:\"/\"));\n version = get_kb_item(kb_name);\n\n info =\n '\\n Product : Microsoft PowerPoint 2007 SP3' +\n '\\n File : ' + path + '\\\\' + check_file +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 12.0.6718.5000\\n';\n hcf_report = '';\n hotfix_add_report(old_report + info, bulletin:bulletin, kb:\"2899580\");\n vuln = TRUE;\n }\n }\n }\n }\n }\n }\n}\n\nversion = '';\ninstalls = get_kb_list(\"SMB/Office/WordCnv/*/ProductPath\");\nif (!isnull(installs))\n{\n foreach install (keys(installs))\n {\n version = install - 
'SMB/Office/WordCnv/' - '/ProductPath';\n path = installs[install];\n\n if (!isnull(path))\n {\n share = hotfix_path2share(path:path);\n if (!is_accessible_share(share:share))\n audit(AUDIT_SHARE_FAIL, share);\n\n path = path - '\\\\Wordconv.exe';\n\n old_report = hotfix_get_report();\n check_file = \"wordcnv.dll\";\n\n if (hotfix_check_fversion(path:path, file:check_file, version:\"12.0.6717.5000\", min_version:\"12.0.0.0\") == HCF_OLDER)\n {\n file = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", string:path, replace:\"\\1\\\" + check_file);\n kb_name = \"SMB/FileVersions/\"+tolower(share-'$')+tolower(str_replace(string:file, find:\"\\\", replace:\"/\"));\n kb_name = ereg_replace(pattern:\"//\"+check_file, replace:\"/\"+check_file, string:kb_name);\n version = get_kb_item(kb_name);\n\n info =\n '\\n Product : Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats' +\n '\\n File : ' + path + '\\\\' + check_file +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 12.0.6717.5000' + '\\n';\n\n hcf_report = '';\n hotfix_add_report(old_report + info, bulletin:bulletin, kb:\"2956107\");\n vuln = TRUE;\n }\n }\n }\n}\n\nversion = '';\ninstalls = get_kb_list(\"SMB/Office/ExcelCnv/*/ProductPath\");\nif (!isnull(installs))\n{\n foreach install (keys(installs))\n {\n version = install - 'SMB/Office/ExcelCnv/' - '/ProductPath';\n path = installs[install];\n if (isnull(path)) path = \"n/a\";\n\n if (ver_compare(ver:version, fix:'12.0.6717.5000') < 0)\n {\n info =\n '\\n Product : 2007 Office system and the Office Compatibility Pack' +\n '\\n File : '+ path +\n '\\n Installed version : '+ version +\n '\\n Fixed version : 12.0.6717.5000' +\n '\\n';\n hotfix_add_report(info, bulletin:bulletin, kb:\"2956106\");\n vuln = TRUE;\n }\n }\n}\n\nif (vuln)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 
'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:23:59", "bulletinFamily": "scanner", "description": "The remote Windows host has a version of Microsoft Office, Office Compatibility Pack, Microsoft Word, Microsoft Word Viewer, SharePoint Server, or Microsoft Office Web Apps installed that is affected by multiple remote code execution vulnerabilities :\n\n - A remote code execution vulnerability exists due to improper handling rich text format files in memory. A remote attacker can exploit this vulnerability by convincing a user to open a specially crafted file using the affected software, resulting in execution of arbitrary code in the context of the current user.\n (CVE-2015-1641)\n\n - Multiple use-after-free errors exist due to improper parsing specially crafted Office files. A remote attacker can exploit these errors by convincing a user to open a specially crafted file using the affected software, resulting in execution of arbitrary code in the context of the current user. 
(CVE-2015-1649, CVE-2015-1650, CVE-2015-1651)", "modified": "2018-07-30T00:00:00", "id": "SMB_NT_MS15-033.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=82769", "published": "2015-04-14T00:00:00", "title": "MS15-033: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3048019)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(82769);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2018/07/30 15:31:33\");\n\n script_cve_id(\n \"CVE-2015-1641\",\n \"CVE-2015-1649\",\n \"CVE-2015-1650\",\n \"CVE-2015-1651\"\n );\n script_bugtraq_id(73991, 74007, 74011, 74012);\n script_xref(name:\"MSFT\", value:\"MS15-033\");\n script_xref(name:\"MSKB\", value:\"2965284\");\n script_xref(name:\"MSKB\", value:\"2965236\");\n script_xref(name:\"MSKB\", value:\"2553428\");\n script_xref(name:\"MSKB\", value:\"2965289\");\n script_xref(name:\"MSKB\", value:\"2965210\");\n script_xref(name:\"MSKB\", value:\"2553164\");\n script_xref(name:\"MSKB\", value:\"2965238\");\n script_xref(name:\"MSKB\", value:\"2965224\");\n script_xref(name:\"MSKB\", value:\"2965215\");\n script_xref(name:\"MSKB\", value:\"2965306\");\n script_xref(name:\"IAVA\", value:\"2015-A-0090\");\n\n script_name(english:\"MS15-033: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3048019)\");\n script_summary(english:\"Checks the Office, SharePoint, and OWA version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple remote code execution\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host has a version of Microsoft Office, Office\nCompatibility Pack, Microsoft Word, Microsoft Word Viewer, SharePoint\nServer, or Microsoft Office Web Apps installed that is affected by\nmultiple remote code execution vulnerabilities :\n\n - A remote code execution vulnerability 
exists due to\n improper handling rich text format files in memory. A\n remote attacker can exploit this vulnerability by\n convincing a user to open a specially crafted file using\n the affected software, resulting in execution of\n arbitrary code in the context of the current user.\n (CVE-2015-1641)\n\n - Multiple use-after-free errors exist due to improper\n parsing specially crafted Office files. A remote\n attacker can exploit these errors by convincing a user\n to open a specially crafted file using the affected\n software, resulting in execution of arbitrary code in\n the context of the current user. (CVE-2015-1649,\n CVE-2015-1650, CVE-2015-1651)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://technet.microsoft.com/library/security/ms15-033\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Office 2010, Word 2007,\n2010, 2013, Office Compatibility Pack, Microsoft Word Viewer,\nSharePoint Server, and Office Web Apps.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/04/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:word_viewer\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office_compatibility_pack\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:sharepoint_server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office_web_apps\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"office_installed.nasl\", \"microsoft_sharepoint_installed.nbin\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nglobal_var bulletin, vuln;\n\nfunction get_ver()\n{\n local_var fh, path, rc, share, ver;\n\n path = _FCT_ANON_ARGS[0];\n\n share = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:path);\n\n rc = NetUseAdd(share:share);\n if (rc != 1)\n {\n NetUseDel();\n audit(AUDIT_SHARE_FAIL, share);\n }\n\n ver = NULL;\n path = ereg_replace(string:path, pattern:\"^[A-Za-z]:(.*)\", replace:'\\\\1\\\\');\n\n fh = CreateFile(\n file : path,\n desired_access : GENERIC_READ,\n file_attributes : FILE_ATTRIBUTE_NORMAL,\n share_mode : FILE_SHARE_READ,\n create_disposition : OPEN_EXISTING\n );\n if (!isnull(fh))\n {\n ver = GetFileVersion(handle:fh);\n ver = join(ver, sep:\".\");\n CloseFile(handle:fh);\n }\n\n NetUseDel(close:FALSE);\n\n return ver;\n}\n\nfunction check_vuln(fix, kb, name, path, ver)\n{\n local_var info;\n\n if (isnull(ver))\n ver = get_ver(path);\n\n if (isnull(ver) || ver_compare(ver:ver, fix:fix, strict:FALSE) >= 0)\n return 0;\n\n info =\n '\\n Product : ' + name +\n '\\n Path : ' + path +\n '\\n Installed 
version : ' + ver +\n '\\n Fixed version : ' + fix +\n '\\n';\n hotfix_add_report(info, bulletin:bulletin, kb:kb);\n\n vuln = TRUE;\n}\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\n# Get path information for Windows.\nwindir = hotfix_get_systemroot();\nif (isnull(windir)) exit(1, \"Failed to determine the location of %windir%.\");\n\nbulletin = 'MS15-033';\nkbs = make_list(\n 2965284, # Word 2007\n 2965236, # Office 2010\n 2553428, # Word 2010\n 2965289, # Word Viewer\n 2965210, # Office Compat Pack\n 2553164, # SharePoint 2010 Word Automation Services\n 2965238, # Office Web Apps 2010\n 2965224, # Word 2013\n 2965215, # SharePoint 2013 Word Automation Services\n 2965306 # Office Web Apps 2013\n);\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\", exit_code:1);\n\n# Connect to the registry.\nregistry_init();\nhklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\n\n# Get path information for SharePoint Server 2010.\nsps_2010_path = get_registry_value(\n handle : hklm,\n item : \"SOFTWARE\\Microsoft\\Office Server\\14.0\\InstallPath\"\n);\n\n# Get the path information for SharePoint Server 2013\nsps_2013_path = get_registry_value(\n handle : hklm,\n item : \"SOFTWARE\\Microsoft\\Office Server\\15.0\\InstallPath\"\n);\n\nowa_2013_path = get_registry_value(\n handle : hklm,\n item : \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Office15.WacServer\\InstallLocation\"\n);\n\n# Close connection to registry.\nRegCloseKey(handle:hklm);\nclose_registry(close:FALSE);\n# Get path information for Office Web Apps.\nowa_2010_path = sps_2010_path;\n\n######################################################################\n# Office Web Apps 2010 SP1 / SP2\n######################################################################\nif (owa_2010_path)\n{\n check_vuln(\n name : \"Office Web Apps 2010\",\n kb : 
\"2965238\",\n path : owa_2010_path + \"WebServices\\ConversionService\\Bin\\Converter\\sword.dll\",\n fix : \"14.0.7147.5000\"\n );\n}\n\n######################################################################\n# Office Web Apps 2013 SP1 / SP2\n######################################################################\nif (owa_2013_path)\n{\n check_vuln(\n name : \"Office Web Apps 2013\",\n kb : \"2965306\",\n path : owa_2013_path + \"\\WordConversionService\\Bin\\Converter\\sword.dll\",\n fix : \"15.0.4711.1001\"\n );\n}\n\n######################################################################\n# SharePoint Server 2010 SP2\n######################################################################\nif (sps_2010_path)\n{\n check_vuln(\n name : \"Office SharePoint Server 2010\",\n kb : \"2553164\",\n path : sps_2010_path + \"WebServices\\WordServer\\Core\\sword.dll\",\n fix : \"14.0.7147.5000\"\n );\n}\n\n######################################################################\n# SharePoint Server 2013 SP2\n######################################################################\nif (sps_2013_path)\n{\n check_vuln(\n name : \"SharePoint Server 2013 Word Automation Services\",\n kb : \"2965215\",\n path : sps_2013_path + \"WebServices\\ConversionServices\\sword.dll\",\n fix : \"15.0.4711.1000\"\n );\n}\n\n# Word\nkb = \"\";\ninstalls = get_kb_list(\"SMB/Office/Word/*/ProductPath\");\nif (!isnull(installs))\n{\n foreach install (keys(installs))\n {\n version = install - 'SMB/Office/Word/' - '/ProductPath';\n path = installs[install];\n info = \"\";\n\n # Word 2013\n if (version =~ \"^15\\.\" && ver_compare(ver:version, fix:'15.0.4711.1001') < 0)\n {\n office_sp = get_kb_item(\"SMB/Office/2013/SP\");\n if (!isnull(office_sp) && (office_sp <= 1))\n {\n info =\n '\\n Product : Word 2013' +\n '\\n File : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 15.0.4711.1001' + '\\n';\n kb = \"2965224\";\n }\n }\n\n # Word 2010 SP2\n if (version =~ \"^14\\.\" && 
ver_compare(ver:version, fix:'14.0.7147.5000') < 0)\n {\n office_sp = get_kb_item(\"SMB/Office/2010/SP\");\n if (!isnull(office_sp) && (office_sp == 2))\n {\n info =\n '\\n Product : Word 2010' +\n '\\n File : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 14.0.7147.5000' + '\\n';\n kb = \"2553428\";\n }\n }\n\n # Word 2007 SP3\n if (version =~ \"^12\\.\" && ver_compare(ver:version, fix:'12.0.6720.5000') < 0)\n {\n office_sp = get_kb_item(\"SMB/Office/2007/SP\");\n if (!isnull(office_sp) && office_sp == 3)\n {\n info =\n '\\n Product : Word 2007 SP3' +\n '\\n File : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 12.0.6720.5000' + '\\n';\n kb = \"2965284\";\n }\n }\n\n if (info)\n {\n hotfix_add_report(info, bulletin:bulletin, kb:kb);\n vuln = TRUE;\n }\n }\n}\n\n# Word Viewer\ninstalls = get_kb_list(\"SMB/Office/WordViewer/*/ProductPath\");\nif (!isnull(installs))\n{\n foreach install (keys(installs))\n {\n info = \"\";\n version = install - 'SMB/Office/WordViewer/' - '/ProductPath';\n path = installs[install];\n if (isnull(path)) path = \"n/a\";\n\n if (ver_compare(ver:version, fix:'11.0.8417.0') < 0)\n {\n info =\n '\\n Product : Word Viewer' +\n '\\n File : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 11.0.8417.0' + '\\n';\n kb = \"2965289\";\n }\n\n if (info)\n {\n hotfix_add_report(info, bulletin:bulletin, kb:kb);\n vuln = TRUE;\n break;\n }\n }\n}\n\n# Ensure Office is installed\noffice_vers = hotfix_check_office_version();\nif (!isnull(office_vers))\n{\n # Ensure we can get common files directory\n commonfiles = hotfix_get_officecommonfilesdir(officever:\"14.0\");\n if (commonfiles)\n {\n # Ensure share is accessible\n share = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:commonfiles);\n if (is_accessible_share(share:share))\n {\n # Office 2010\n if (office_vers[\"14.0\"])\n {\n office_sp = get_kb_item(\"SMB/Office/2010/SP\");\n if (!isnull(office_sp) && 
office_sp == 2)\n {\n path = get_kb_item(\"SMB/Office/Word/14.0/Path\");\n if (!path) path = get_kb_item(\"SMB/Office/Excel/14.0/Path\");\n if (!path) path = get_kb_item(\"SMB/Office/PowerPoint/14.0/Path\");\n if (path)\n {\n old_report = hotfix_get_report();\n check_file = \"Wwlib.dll\";\n\n if (hotfix_check_fversion(path:path, file:check_file, version:\"14.0.7147.5000\", min_version:\"14.0.0.0\") == HCF_OLDER)\n {\n file = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", string:path, replace:\"\\1\\\" + check_file);\n kb_name = \"SMB/FileVersions/\"+tolower(share-'$')+tolower(str_replace(string:file, find:\"\\\", replace:\"/\"));\n kb_name = str_replace(find:\"//\", replace:\"/\", string:kb_name);\n version = get_kb_item(kb_name);\n\n info =\n '\\n Product : Microsoft Office 2010' +\n '\\n File : ' + path + '\\\\' + check_file +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 14.0.7147.5000' + '\\n';\n\n hcf_report = '';\n hotfix_add_report(old_report + info, bulletin:bulletin, kb:\"2965236\");\n vuln = TRUE;\n }\n }\n }\n }\n\n # Office 2007 SP3\n if (office_vers[\"12.0\"])\n {\n office_sp = get_kb_item(\"SMB/Office/2007/SP\");\n if (!isnull(office_sp) && office_sp == 3)\n {\n path = commonfiles + \"\\Microsoft Shared\\Office12\";\n old_report = hotfix_get_report();\n check_file = \"Winword.exe\";\n\n if (hotfix_check_fversion(path:path, file:check_file, version:\"12.0.6720.5000\", min_version:\"12.0.0.0\") == HCF_OLDER)\n {\n file = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", string:path, replace:\"\\1\\\" + check_file);\n kb_name = \"SMB/FileVersions/\" + tolower(share-'$')+tolower(str_replace(string:file, find:\"\\\", replace:\"/\"));\n version = get_kb_item(kb_name);\n\n info =\n '\\n Product : Microsoft Office 2007 SP3' +\n '\\n File : ' + path + '\\\\' + check_file +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 12.0.6720.5000\\n';\n\n hcf_report = '';\n hotfix_add_report(old_report + info, bulletin:bulletin, kb:\"2965284\");\n vuln 
= TRUE;\n }\n }\n }\n }\n }\n}\n\nversion = '';\ninstalls = get_kb_list(\"SMB/Office/WordCnv/*/ProductPath\");\nif (!isnull(installs))\n{\n foreach install (keys(installs))\n {\n version = install - 'SMB/Office/WordCnv/' - '/ProductPath';\n path = installs[install];\n\n if (!isnull(path))\n {\n share = hotfix_path2share(path:path);\n if (!is_accessible_share(share:share))\n audit(AUDIT_SHARE_FAIL, share);\n\n path = path - '\\\\Wordconv.exe';\n\n old_report = hotfix_get_report();\n check_file = \"wordcnv.dll\";\n\n if (hotfix_check_fversion(path:path, file:check_file, version:\"12.0.6720.5000\", min_version:\"12.0.0.0\") == HCF_OLDER)\n {\n file = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", string:path, replace:\"\\1\\\" + check_file);\n kb_name = \"SMB/FileVersions/\"+tolower(share-'$')+tolower(str_replace(string:file, find:\"\\\", replace:\"/\"));\n kb_name = ereg_replace(pattern:\"//\"+check_file, replace:\"/\"+check_file, string:kb_name);\n version = get_kb_item(kb_name);\n\n info =\n '\\n Product : Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats' +\n '\\n File : ' + path + '\\\\' + check_file +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 12.0.6720.5000' + '\\n';\n\n hcf_report = '';\n hotfix_add_report(old_report + info, bulletin:bulletin, kb:\"2965210\");\n vuln = TRUE;\n }\n }\n }\n}\n\nif (vuln)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:23:59", "bulletinFamily": "scanner", "description": "The remote Mac OS X host has a version of Microsoft Word installed that is affected by multiple vulnerabilities :\n\n - A cross-site scripting vulnerability exists due to improper sanitization of HTML strings. 
A remote attacker can exploit this issue by convincing a user to open a file or visit a website containing specially crafted content, resulting in execution of arbitrary code in the context of the current user. (CVE-2015-1639)\n\n - A remote code execution vulnerability exists due to improper handling rich text format files in memory. A remote attacker can exploit this vulnerability by convincing a user to open a specially crafted file using the affected software, resulting in execution of arbitrary code in the context of the current user.\n (CVE-2015-1641)", "modified": "2018-08-10T00:00:00", "id": "MACOSX_MS15-033_OFFICE_2011.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=82767", "published": "2015-04-14T00:00:00", "title": "MS15-033: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3048019)", "type": "nessus", "sourceData": "#TRUSTED 853a0482a08aad000653ee4f0d45f902afb03208780d78435eae77c95351a768dbbfcb22b68f8ffb0a25f06318b85bae3c0f47122e78d70934a2d599dd2fcaf712bee9e7685f82cd52af236ed6a7f94d3cb054a543158420fbe47e9f850229cc5ff7d7b5e934427349f5920f1ff956c8822f66c85f6a703a57437e303020723d2ab87942bcbd0475fc587dc2820931409b32c2a289dfb1aa4a7a9288359fb0618c5d51e42bd9657dc64cd4462bf8a2fd7441c893ce6ae342aaf7a0d7f60c447294c8bb4bb3dda591d1552977b73a749a39b83fb52984c9111f64b5ea2615df59e723ac2f727d879ad9e1c83db494b0572ad8d30caba4cb0c12013ed3473dcc76dc6c2266ab6859226977e9cf50d5ff34b87d11dbd78c6196e2cf5f021c22ecdcd20412fcf52f8a566df94b5784d364200febb7d8849f6dceeca83534f80862866415adba93930c2f90ae7b3e6262dd7e057ebd87ca2f6b239c977007a7fef9b71aa11b654a312745c36ec1533a803f2ab51c6c9417c57b8e6c8e11fb33d432cc11ed957d2c22f7249d6c74ff2d4323e753db30328f537d4d4cbf732214eb30926096cd0b98a7c46fd82dcb82281430d6aadb9fdeed753981c9dc709f3fe4489e71c66ad4e2c94484ea25a56a4426abed219c1f729e7ac719b838293d109f9df448559592c05e7004dbf05c6eede709fe0724c3d5bb664c2abb877c25b83a5dd1\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif 
(description)\n{\n script_id(82767);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2018/08/10\");\n\n script_cve_id(\"CVE-2015-1639\", \"CVE-2015-1641\");\n script_bugtraq_id(73991, 73995);\n script_xref(name:\"MSFT\", value:\"MS15-033\");\n script_xref(name:\"IAVA\", value:\"2015-A-0090\");\n script_xref(name:\"MSKB\", value:\"3051737\");\n\n script_name(english:\"MS15-033: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3048019)\");\n script_summary(english:\"Checks the version of Microsoft Office.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application installed on the remote Mac OS X host is affected by\nmultiple remote code execution vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Mac OS X host has a version of Microsoft Word installed\nthat is affected by multiple vulnerabilities :\n\n - A cross-site scripting vulnerability exists due to\n improper sanitization of HTML strings. A remote attacker\n can exploit this issue by convincing a user to open a\n file or visit a website containing specially crafted\n content, resulting in execution of arbitrary code in the\n context of the current user. (CVE-2015-1639)\n\n - A remote code execution vulnerability exists due to\n improper handling rich text format files in memory. 
A\n remote attacker can exploit this vulnerability by\n convincing a user to open a specially crafted file using\n the affected software, resulting in execution of\n arbitrary code in the context of the current user.\n (CVE-2015-1641)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://technet.microsoft.com/library/security/ms15-033\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a patch for Office for Mac 2011.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/04/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office:2011::mac\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:word_for_mac:2011\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/a:microsoft:outlook_for_mac_for_office_365\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"ssh_func.inc\");\ninclude(\"macosx_func.inc\");\n\n\nif(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)\n enable_ssh_wrappers();\nelse disable_ssh_wrappers();\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nos = 
get_kb_item(\"Host/MacOSX/Version\");\nif (!os) audit(AUDIT_OS_NOT, \"Mac OS X\");\n\n# Gather version info.\ninfo = '';\ninstalls = make_array();\n\nprod = 'Office for Mac 2011';\nplist = \"/Applications/Microsoft Office 2011/Office/MicrosoftComponentPlugin.framework/Versions/14/Resources/Info.plist\";\ncmd = 'cat \\'' + plist + '\\' | ' +\n 'grep -A 1 CFBundleShortVersionString | ' +\n 'tail -n 1 | ' +\n 'sed \\'s/.*string>\\\\(.*\\\\)<\\\\/string>.*/\\\\1/g\\'';\nversion = exec_cmd(cmd:cmd);\nif (version && version =~ \"^[0-9]+\\.\")\n{\n version = chomp(version);\n if (version !~ \"^14\\.\") exit(1, \"Failed to get the version for \"+prod+\" - '\"+version+\"'.\");\n\n installs[prod] = version;\n\n ver = split(version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n fixed_version = '14.4.9';\n fix = split(fixed_version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(fix); i++)\n fix[i] = int(fix[i]);\n\n for (i=0; i<max_index(fix); i++)\n if ((ver[i] < fix[i]))\n {\n info +=\n '\\n Product : ' + prod +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version + '\\n';\n break;\n }\n else if (ver[i] > fix[i])\n break;\n}\n\n# Report findings.\nif (info)\n{\n set_kb_item(name:\"www/0/XSS\", value:TRUE);\n if (report_verbosity > 0) security_hole(port:0, extra:info);\n else security_hole(0);\n\n exit(0);\n}\nelse\n{\n if (max_index(keys(installs)) == 0) exit(0, \"Office for Mac 2011 is not installed.\");\n else\n {\n msg = 'The host has ';\n foreach prod (sort(keys(installs)))\n msg += prod + ' ' + installs[prod] + ' and ';\n msg = substr(msg, 0, strlen(msg)-1-strlen(' and '));\n\n msg += ' installed and thus is not affected.';\n\n exit(0, msg);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:23:59", "bulletinFamily": "scanner", "description": "The remote Windows host has a version of Microsoft SharePoint Server 
installed that is affected by multiple cross-site scripting vulnerabilities due to improper sanitization of specially crafted requests. An authenticated attacker can exploit these vulnerabilities to access unauthorized content and execute arbitrary script code in the context of the current user.", "modified": "2019-01-10T00:00:00", "id": "SMB_NT_MS15-036.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=82773", "published": "2015-04-14T00:00:00", "title": "MS15-036: Vulnerabilities in Microsoft SharePoint Server Could Allow Elevation of Privilege (3052044)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(82773);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/01/10 15:44:14\");\n\n script_cve_id(\"CVE-2015-1640\", \"CVE-2015-1653\");\n script_bugtraq_id(73992, 73999);\n script_xref(name:\"MSFT\", value:\"MS15-036\");\n script_xref(name:\"MSKB\", value:\"2965219\");\n script_xref(name:\"MSKB\", value:\"2965278\");\n script_xref(name:\"MSKB\", value:\"2965302\");\n\n script_name(english:\"MS15-036: Vulnerabilities in Microsoft SharePoint Server Could Allow Elevation of Privilege (3052044)\");\n script_summary(english:\"Checks the SharePoint version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple cross-site scripting\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host has a version of Microsoft SharePoint Server\ninstalled that is affected by multiple cross-site scripting\nvulnerabilities due to improper sanitization of specially crafted\nrequests. 
An authenticated attacker can exploit these vulnerabilities\nto access unauthorized content and execute arbitrary script code in\nthe context of the current user.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-036\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for SharePoint Server 2010 and\n2013.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\",value:\"2015/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\",value:\"2015/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/04/14\");\n\n script_set_attribute(attribute:\"plugin_type\",value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:sharepoint_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2019 Tenable Network Security, Inc.\");\n\n script_dependencies(\"microsoft_sharepoint_installed.nbin\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nglobal_var bulletin, vuln;\n\nfunction get_ver()\n{\n local_var fh, path, rc, share, ver;\n\n path = _FCT_ANON_ARGS[0];\n\n share = 
ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:path);\n\n rc = NetUseAdd(share:share);\n if (rc != 1)\n {\n NetUseDel();\n audit(AUDIT_SHARE_FAIL, share);\n }\n\n ver = NULL;\n path = ereg_replace(string:path, pattern:\"^[A-Za-z]:(.*)\", replace:'\\\\1\\\\');\n\n fh = CreateFile(\n file : path,\n desired_access : GENERIC_READ,\n file_attributes : FILE_ATTRIBUTE_NORMAL,\n share_mode : FILE_SHARE_READ,\n create_disposition : OPEN_EXISTING\n );\n if (!isnull(fh))\n {\n ver = GetFileVersion(handle:fh);\n ver = join(ver, sep:\".\");\n CloseFile(handle:fh);\n }\n\n NetUseDel(close:FALSE);\n\n return ver;\n}\n\nfunction check_vuln(fix, kb, name, path, ver)\n{\n local_var info;\n\n if (isnull(ver))\n ver = get_ver(path);\n\n if (isnull(ver) || ver_compare(ver:ver, fix:fix, strict:FALSE) >= 0)\n return 0;\n\n info =\n '\\n Product : ' + name +\n '\\n Path : ' + path +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : ' + fix +\n '\\n';\n hotfix_add_report(info, bulletin:bulletin, kb:kb);\n\n vuln = TRUE;\n}\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\n# Get path information for Windows.\nwindir = hotfix_get_systemroot();\nif (isnull(windir)) exit(1, \"Failed to determine the location of %windir%.\");\n\nbulletin = 'MS15-036';\nkbs = make_list(\n \"2965219\",\n \"2965278\",\n \"2965302\"\n);\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\", exit_code:1);\n\n# Connect to the registry.\nregistry_init();\nhklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\n\n# Get path information for SharePoint Server 2010.\nsps_2010_path = get_registry_value(\n handle : hklm,\n item : \"SOFTWARE\\Microsoft\\Office Server\\14.0\\InstallPath\"\n);\n\n# Get the path information for SharePoint Server 2013\nsps_2013_path = get_registry_value(\n handle : hklm,\n item : 
\"SOFTWARE\\Microsoft\\Office Server\\15.0\\InstallPath\"\n);\n\n# Close connection to registry.\nRegCloseKey(handle:hklm);\nclose_registry(close:FALSE);\n\nif (sps_2010_path)\n{\n check_vuln(\n name : \"Microsoft Project Server 2010\",\n kb : \"2965302\",\n path : sps_2010_path + \"\\bin\\Microsoft.Office.Project.Server.Library.dll\",\n fix : \"14.0.7141.5000\"\n );\n}\n\nif (sps_2013_path)\n{\n check_vuln(\n name : \"Microsoft Project Server 2013\",\n kb : \"2965278\",\n path : sps_2013_path + \"\\bin\\Microsoft.Office.Project.Server.Library.dll\",\n fix : \"15.0.4697.1000\"\n );\n\n check_vuln(\n name : \"SharePoint Server 2013 (coreserverloc)\",\n kb : \"2965219\",\n path : windir + \"\\Microsoft.NET\\assembly\\GAC_MSIL\\Microsoft.SharePoint.Publishing\\v4.0_15.0.0.0__71e9bce111e9429c\\Microsoft.SharePoint.Publishing.dll\",\n fix : \"15.0.4711.1000\"\n );\n}\n\nif (vuln)\n{\n set_kb_item(name:'www/0/XSS', value:TRUE);\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_warning();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2019-02-21T01:23:59", "bulletinFamily": "scanner", "description": "The remote Mac OS X host has a version of Microsoft Outlook for Mac for Office 365 installed that is affected by a cross-site scripting vulnerability due to improper sanitization of HTML strings.\nA remote attacker can exploit this issue by convincing a user to open a file or visit a website containing specially crafted content, resulting in execution of arbitrary code in the context of the current user.", "modified": "2018-08-10T00:00:00", "id": "MACOSX_MS15-033_OUTLOOK_FOR_OFFICE365.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=82768", "published": "2015-04-14T00:00:00", "title": "MS15-033: Vulnerabilities in Microsoft Office Could Allow 
Remote Code Execution (3048019)", "type": "nessus", "sourceData": "#TRUSTED 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\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(82768);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2018/08/10\");\n\n script_cve_id(\"CVE-2015-1639\");\n script_bugtraq_id(73991);\n script_xref(name:\"MSFT\", value:\"MS15-033\");\n script_xref(name:\"IAVA\", value:\"2015-A-0090\");\n script_xref(name:\"MSKB\", value:\"3055707\");\n\n script_name(english:\"MS15-033: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3048019)\");\n script_summary(english:\"Checks the version of Microsoft Office.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application installed on the remote Mac OS X host is affected by a\ncross-site scripting vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Mac OS X host has a version of Microsoft Outlook\nfor Mac for Office 365 installed that is affected by a cross-site\nscripting vulnerability due to improper sanitization of HTML strings.\nA remote attacker can exploit this issue by convincing a user to open\na file or visit a website containing specially crafted content,\nresulting in execution of arbitrary code in the context of the current\nuser.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://technet.microsoft.com/library/security/ms15-033\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a patch for Outlook for Mac for Office 365.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/04/14\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/a:microsoft:outlook_for_mac_for_office_365\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office:2011:mac\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"ssh_func.inc\");\ninclude(\"macosx_func.inc\");\n\n\nif(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)\n enable_ssh_wrappers();\nelse disable_ssh_wrappers();\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os) audit(AUDIT_OS_NOT, \"Mac OS X\");\n\n# Gather version info.\ninfo = '';\ninstalls = make_array();\n\nprod = 'Outlook for Mac for Office 365';\nplist = '/Applications/Microsoft Outlook.app/Contents/Info.plist';\ncmd = 'plutil -convert xml1 -o - \\'' + plist + '\\' | ' +\n 'grep -A 1 CFBundleShortVersionString | ' +\n 'tail -n 1 | ' +\n 'sed \\'s/.*string>\\\\(.*\\\\)<\\\\/string>.*/\\\\1/g\\'';\nversion = exec_cmd(cmd:cmd);\nif (version && version =~ \"^[0-9]+\\.\")\n{\n version = chomp(version);\n if (version !~ \"^15\\.\") exit(1, \"Failed to get the version for \"+prod+\" - '\"+version+\"'.\");\n\n installs[prod] = version;\n\n ver = split(version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n fixed_version = '15.9';\n fix = split(fixed_version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(fix); i++)\n fix[i] = 
int(fix[i]);\n\n for (i=0; i<max_index(fix); i++)\n if ((ver[i] < fix[i]))\n {\n info +=\n '\\n Product : ' + prod +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version + '\\n';\n break;\n }\n else if (ver[i] > fix[i])\n break;\n}\n\n# Report findings.\nif (info)\n{\n set_kb_item(name:\"www/0/XSS\", value:TRUE);\n if (report_verbosity > 0) security_warning(port:0, extra:info);\n else security_warning(0);\n\n exit(0);\n}\nelse\n{\n if (max_index(keys(installs)) == 0) audit(AUDIT_NOT_INST, prod);\n else\n {\n msg = 'The host has ';\n foreach prod (sort(keys(installs)))\n msg += prod + ' ' + installs[prod] + ' and ';\n msg = substr(msg, 0, strlen(msg)-1-strlen(' and '));\n\n msg += ' installed and thus is not affected.';\n\n exit(0, msg);\n }\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "openvas": [{"lastseen": "2018-10-22T16:39:44", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS15-033.", "modified": "2018-10-12T00:00:00", "published": "2015-04-15T00:00:00", "id": "OPENVAS:1361412562310805063", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805063", "title": "Microsoft Office Compatibility Pack Remote Code Execution Vulnerabilities (3048019)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_office_and_compat_pack_ms15-033.nasl 11872 2018-10-12 11:22:41Z cfischer $\n#\n# Microsoft Office Compatibility Pack Remote Code Execution Vulnerabilities (3048019)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free 
Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805063\");\n script_version(\"$Revision: 11872 $\");\n script_cve_id(\"CVE-2015-1641\", \"CVE-2015-1650\", \"CVE-2015-1649\", \"CVE-2015-1651\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 13:22:41 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-04-15 11:22:19 +0530 (Wed, 15 Apr 2015)\");\n script_name(\"Microsoft Office Compatibility Pack Remote Code Execution Vulnerabilities (3048019)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Bulletin MS15-033.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are exists when,\n\n - The Office software improperly handles objects in memory while parsing\n specially crafted Office files.\n\n - The Office software fails to properly handle rich text format files in\n memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to run arbitrary code in the context of the current user and\n to perform actions in the security context of the current user.\");\n\n script_tag(name:\"affected\", value:\"Microsoft 
Office Compatibility Pack Service Pack 3\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the listed\n hotfixes or download and install the hotfixes from the referenced advisory.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/2965210\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/ms15-033\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"SMB/Office/WordCnv/Version\");\n script_require_ports(139, 445);\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/security/bulletin/ms15-033\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nwordcnvVer = get_kb_item(\"SMB/Office/WordCnv/Version\");\nif(wordcnvVer && wordcnvVer =~ \"^12.*\")\n{\n # Office Word Converter\n path = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\",\n item:\"ProgramFilesDir\");\n if(path)\n {\n sysVer = fetch_file_version(sysPath:path + \"\\Microsoft Office\\Office12\", file_name:\"Wordcnv.dll\");\n if(sysVer)\n {\n if(version_in_range(version:sysVer, test_version:\"12.0\", test_version2:\"12.0.6720.4999\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-22T16:38:09", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS15-033.", "modified": "2018-10-12T00:00:00", "published": 
"2015-04-15T00:00:00", "id": "OPENVAS:1361412562310805062", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805062", "title": "Microsoft Office Word Remote Code Execution Vulnerabilities (3048019)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_winword_ms15-033.nasl 11872 2018-10-12 11:22:41Z cfischer $\n#\n# Microsoft Office Word Remote Code Execution Vulnerabilities (3048019)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805062\");\n script_version(\"$Revision: 11872 $\");\n script_cve_id(\"CVE-2015-1641\", \"CVE-2015-1650\", \"CVE-2015-1649\", \"CVE-2015-1651\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 13:22:41 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-04-15 11:11:20 +0530 (Wed, 15 Apr 2015)\");\n script_name(\"Microsoft Office Word Remote Code Execution Vulnerabilities (3048019)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Bulletin MS15-033.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are exists when,\n\n - The Office software improperly handles objects in memory while parsing\n specially crafted Office files.\n\n - The Office software fails to properly handle rich text format files in\n memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to run arbitrary code in the context of the current user and\n to perform actions in the security context of the current user.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Word 2010,\n Microsoft Word 2013 and\n Microsoft Word 2007 Service Pack 3 and prior.\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the listed\n hotfixes or download and install the hotfixes from the 
referenced advisory.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/2965284\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/2965224\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/2553428\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/ms15-033\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"SMB/Office/Word/Version\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/security/bulletin/ms15-033\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nwinwordVer = get_kb_item(\"SMB/Office/Word/Version\");\n\n## Microsoft Office Word 2007/2010/2013\nif(winwordVer && winwordVer =~ \"^(12|14|15).*\")\n{\n ## 15 < 15.0.4711.1001\n if(version_in_range(version:winwordVer, test_version:\"12.0\", test_version2:\"12.0.6720.4999\") ||\n version_in_range(version:winwordVer, test_version:\"14.0\", test_version2:\"14.0.7147.4999\") ||\n version_in_range(version:winwordVer, test_version:\"15.0\", test_version2:\"15.0.4711.1000\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-22T16:38:16", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS15-033.", "modified": "2018-10-12T00:00:00", "published": "2015-04-15T00:00:00", "id": "OPENVAS:1361412562310805061", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805061", "title": 
"Microsoft Office Word Viewer Remote Code Execution Vulnerabilities (3048019)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_word_viewer_ms15-033.nasl 11872 2018-10-12 11:22:41Z cfischer $\n#\n# Microsoft Office Word Viewer Remote Code Execution Vulnerabilities (3048019)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805061\");\n script_version(\"$Revision: 11872 $\");\n script_cve_id(\"CVE-2015-1650\", \"CVE-2015-1649\", \"CVE-2015-1651\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 13:22:41 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-04-15 11:05:27 +0530 (Wed, 15 Apr 2015)\");\n script_name(\"Microsoft Office Word Viewer Remote Code Execution Vulnerabilities (3048019)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to 
Microsoft Bulletin MS15-033.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists as,\n\n - The Office software improperly handles objects in memory while parsing\n specially crafted Office files.\n\n - The Office software fails to properly handle rich text format files in\n memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to run arbitrary code in the context of the current user and\n to perform actions in the security context of the current user.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Word Viewer 2007 Service Pack 3 and prior.\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the listed\n hotfixes or download and install the hotfixes from the referenced advisory.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/2965289\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/ms15-033\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"SMB/Office/WordView/Version\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/security/bulletin/ms15-033\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nwordviewVer = get_kb_item(\"SMB/Office/WordView/Version\");\nif(wordviewVer)\n{\n if(version_in_range(version:wordviewVer, test_version:\"11.0\", test_version2:\"11.0.8416\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-26T14:18:21", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS15-033.", "modified": "2018-09-26T00:00:00", "published": "2015-04-15T00:00:00", "id": "OPENVAS:1361412562310805166", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805166", "title": "Microsoft SharePoint Server WAS Multiple Vulnerabilities (3048019)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_sharepoint_server_was_ms15-033.nasl 11612 2018-09-26 05:47:26Z cfischer $\n#\n# Microsoft SharePoint Server WAS Multiple Vulnerabilities (3048019)\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:microsoft:sharepoint_server\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805166\");\n script_version(\"$Revision: 11612 $\");\n script_cve_id(\"CVE-2015-1641\", \"CVE-2015-1649\", \"CVE-2015-1650\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-26 07:47:26 +0200 (Wed, 26 Sep 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-04-15 14:39:30 +0530 (Wed, 15 Apr 2015)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft SharePoint Server WAS Multiple Vulnerabilities (3048019)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Bulletin MS15-033.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Flaws are due to improper handling of\n memory objects while parsing specially crafted Office files.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attacker to corrupt system memory in such a way as to allow an attacker to\n execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"Microsoft SharePoint Server 2010\n\n Service Pack 2 Word Automation Services and\n\n Microsoft SharePoint Server 2013 Service Pack 1 Word Automation Services\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the\n listed hotfixes or download and update mentioned hotfixes in the 
advisory\n from the given link, https://technet.microsoft.com/library/security/MS15-033\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/2965238\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/2965306\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS15-033\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_ms_sharepoint_sever_n_foundation_detect.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"MS/SharePoint/Server/Ver\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif( ! infos = get_app_version_and_location( cpe:CPE, exit_no_version:TRUE ) ) exit( 0 );\nshareVer = infos['version'];\npath = infos['location'];\nif(!path || \"Could not find the install location\" >< path){\n exit(0);\n}\n\n## SharePoint Server 2010\nif(shareVer =~ \"^14\\..*\")\n{\n dllVer2 = fetch_file_version(sysPath:path,\n file_name:\"\\14.0\\WebServices\\WordServer\\Core\\sword.dll\");\n if(dllVer2)\n {\n if(version_in_range(version:dllVer2, test_version:\"14.0\", test_version2:\"14.0.7147.4999\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n}\n\n## SharePoint Server 2013\nif(shareVer =~ \"^15\\..*\")\n{\n dllVer2 = fetch_file_version(sysPath:path,\n file_name:\"\\15.0\\WebServices\\ConversionServices\\sword.dll\");\n if(dllVer2)\n {\n if(version_in_range(version:dllVer2, test_version:\"15.0\", test_version2:\"15.0.4711.999\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n}\n\nexit(99);", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-26T14:20:00", "bulletinFamily": "scanner", "description": "This host is missing an critical security\n update according to Microsoft Bulletin MS15-033.", "modified": "2018-09-26T00:00:00", "published": "2015-04-15T00:00:00", "id": "OPENVAS:1361412562310805165", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805165", "title": "Microsoft Office Web Apps Multiple Vulnerabilities (3048019)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_office_web_apps_ms15-033.nasl 11612 2018-09-26 05:47:26Z cfischer $\n#\n# Microsoft Office Web Apps Multiple Vulnerabilities (3048019)\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:microsoft:office_web_apps\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805165\");\n script_version(\"$Revision: 11612 $\");\n script_cve_id(\"CVE-2015-1641\", \"CVE-2015-1649\", \"CVE-2015-1650\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-26 07:47:26 +0200 (Wed, 26 Sep 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-04-15 14:18:05 +0530 (Wed, 15 Apr 2015)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Office Web Apps Multiple Vulnerabilities (3048019)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an critical security\n update according to Microsoft Bulletin MS15-033.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Flaw is due to improper handling of memory\n objects while parsing specially crafted Office files.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attacker to corrupt system memory in such a way as to allow an attacker to\n execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Office Web Apps Server 2013\n Service Pack 1 and Microsoft Office Web Apps Server 2010 Service Pack 2.\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the\n listed hotfixes or download and update mentioned hotfixes in the advisory\n from the given link, 
https://technet.microsoft.com/library/security/MS15-033\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/2965238\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/2965306\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS15-033\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_ms_office_web_apps_detect.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"MS/Office/Web/Apps/Ver\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif( ! infos = get_app_version_and_location( cpe:CPE, exit_no_version:TRUE ) ) exit( 0 );\nwebappVer = infos['version'];\npath = infos['location'];\nif(!path || \"Could not find the install location\" >< path){\n exit(0);\n}\n\nif(webappVer =~ \"^14\\..*\")\n{\n ## Microsoft Office Web Apps 2010\n dllVer = fetch_file_version(sysPath:path,\n file_name:\"\\14.0\\WebServices\\ConversionService\\Bin\\Converter\\sword.dll\");\n if(dllVer)\n {\n if(version_in_range(version:dllVer, test_version:\"14.0\", test_version2:\"14.0.7147.4999\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n}\n\n## Microsoft Office Web Apps 2013\nif(webappVer =~ \"^15\\..*\")\n{\n path = path + \"\\PPTConversionService\\bin\\Converter\\\";\n\n dllVer = fetch_file_version(sysPath:path, file_name:\"msoserver.dll\");\n if(dllVer)\n {\n if(version_in_range(version:dllVer, test_version:\"15.0\", test_version2:\"15.0.4711.999\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n}\n\nexit(99);", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-22T16:39:46", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS15-022.", "modified": "2018-10-12T00:00:00", "published": "2015-03-11T00:00:00", "id": "OPENVAS:1361412562310805058", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805058", "title": "Microsoft Office Excel Remote Code Execution Vulnerabilities (3038999)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_excel_ms15-022.nasl 11872 2018-10-12 11:22:41Z cfischer $\n#\n# Microsoft Office Excel Remote Code Execution Vulnerabilities (3038999)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805058\");\n script_version(\"$Revision: 11872 $\");\n script_cve_id(\"CVE-2015-0085\", \"CVE-2015-0086\", \"CVE-2015-0097\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 13:22:41 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-03-11 13:51:56 +0530 (Wed, 11 Mar 2015)\");\n script_name(\"Microsoft Office Excel Remote Code Execution Vulnerabilities (3038999)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Bulletin MS15-022.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist when:\n\n - The Office software improperly handles objects in memory while parsing\n specially crafted Office files.\n\n - The Office software fails to properly handle rich text format files in\n memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to run arbitrary code in the context of the current user and\n to perform actions in the security context of the current user.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Excel 2007 Service Pack 3 and prior,\n Microsoft Excel 2010 Service Pack 2 and prior.\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the listed\n hotfixes or download and install the hotfixes from the referenced 
advisory.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2956142\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2956103\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/ms15-022\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"SMB/Office/Excel/Version\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/security/bulletin/ms15-022\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"version_func.inc\");\n\nexcelVer = get_kb_item(\"SMB/Office/Excel/Version\");\nif(excelVer =~ \"^(12|14)\\..*\")\n{\n if(version_in_range(version:excelVer, test_version:\"12.0\", test_version2:\"12.0.6718.4999\") ||\n version_in_range(version:excelVer, test_version:\"14.0\", test_version2:\"14.0.7145.5000\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-22T16:38:07", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS15-022.", "modified": "2018-10-12T00:00:00", "published": "2015-03-11T00:00:00", "id": "OPENVAS:1361412562310805055", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805055", "title": "Microsoft Office Excel Viewer Remote Code Execution Vulnerabilities (3038999)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_excel_viewer_ms15-022.nasl 11872 
2018-10-12 11:22:41Z cfischer $\n#\n# Microsoft Office Excel Viewer Remote Code Execution Vulnerabilities (3038999)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805055\");\n script_version(\"$Revision: 11872 $\");\n script_cve_id(\"CVE-2015-0085\", \"CVE-2015-0086\", \"CVE-2015-0097\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 13:22:41 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-03-11 13:15:55 +0530 (Wed, 11 Mar 2015)\");\n script_name(\"Microsoft Office Excel Viewer Remote Code Execution Vulnerabilities (3038999)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Bulletin MS15-022.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist when:\n\n - The Office software improperly handles objects in 
memory while parsing\n specially crafted Office files.\n\n - The Office software fails to properly handle rich text format files in\n memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to run arbitrary code in the context of the current user and\n to perform actions in the security context of the current user.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Excel Viewer 2007 Service Pack 3 and prior.\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the listed\n hotfixes or download and install the hotfixes from the referenced advisory.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2956189\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/ms15-022\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"SMB/Office/XLView/Version\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/security/bulletin/ms15-022\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"version_func.inc\");\n\n## Microsoft Office Excel Viewer 2007\nexcelviewVer = get_kb_item(\"SMB/Office/XLView/Version\");\nif(excelviewVer =~ \"^12\\..*\")\n{\n if(version_in_range(version:excelviewVer, test_version:\"12.0\", test_version2:\"12.0.6717.4999\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-22T16:38:55", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to 
Microsoft Bulletin MS15-022.", "modified": "2018-10-12T00:00:00", "published": "2015-03-11T00:00:00", "id": "OPENVAS:1361412562310805056", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805056", "title": "Microsoft Office Word Viewer Remote Code Execution Vulnerabilities (3038999)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_word_viewer_ms15-022.nasl 11872 2018-10-12 11:22:41Z cfischer $\n#\n# Microsoft Office Word Viewer Remote Code Execution Vulnerabilities (3038999)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805056\");\n script_version(\"$Revision: 11872 $\");\n script_cve_id(\"CVE-2015-0085\", \"CVE-2015-0086\", \"CVE-2015-0097\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 13:22:41 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-03-11 13:23:44 +0530 (Wed, 11 Mar 2015)\");\n script_name(\"Microsoft Office Word Viewer Remote Code Execution Vulnerabilities (3038999)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Bulletin MS15-022.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist when:\n\n - The Office software improperly handles objects in memory while parsing\n specially crafted Office files.\n\n - The Office software fails to properly handle rich text format files in\n memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to run arbitrary code in the context of the current user and\n to perform actions in the security context of the current user.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Word Viewer 2007 Service Pack 3 and prior.\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the listed\n hotfixes or download and install the hotfixes from the referenced advisory.\");\n\n 
script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2956188\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/ms15-022\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"SMB/Office/WordView/Version\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/security/bulletin/ms15-022\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nwordviewVer = get_kb_item(\"SMB/Office/WordView/Version\");\nif(wordviewVer)\n{\n if(version_in_range(version:wordviewVer, test_version:\"11.0\", test_version2:\"11.0.8415\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-11-23T15:11:29", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS15-022.", "modified": "2018-11-22T00:00:00", "published": "2015-03-11T00:00:00", "id": "OPENVAS:1361412562310805054", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805054", "title": "Microsoft Office Suite Remote Code Execution Vulnerabilities (3038999)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms15-022.nasl 12485 2018-11-22 11:39:45Z cfischer $\n#\n# Microsoft Office Suite Remote Code Execution Vulnerabilities (3038999)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This 
program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805054\");\n script_version(\"$Revision: 12485 $\");\n script_cve_id(\"CVE-2015-0085\", \"CVE-2015-0086\", \"CVE-2015-0097\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-22 12:39:45 +0100 (Thu, 22 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-03-11 12:12:11 +0530 (Wed, 11 Mar 2015)\");\n script_name(\"Microsoft Office Suite Remote Code Execution Vulnerabilities (3038999)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Bulletin MS15-022.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist when:\n\n - The Office software improperly handles objects in memory while parsing\n specially crafted Office files.\n\n - The Office software fails to properly handle rich text format files in\n memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to run arbitrary code in the 
context of the current user and\n to perform actions in the security context of the current user.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Office 2007 Service Pack 3 and prior\n\n Microsoft Office 2010 Service Pack 2 and prior\n\n Microsoft Office 2013 Service Pack 1 and prior.\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the listed\n hotfixes or download and install the hotfixes from the referenced advisory.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2984939\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2956151\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2956076\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2889839\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2883100\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2956138\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/ms15-022\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_ms_office_detection_900025.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"MS/Office/Ver\");\n\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/security/bulletin/ms15-022\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nofficeVer = get_kb_item(\"MS/Office/Ver\");\n\n## MS Office 2007 (12.x), 2010 (14.x) and 2013 (15.x)\nif(officeVer && officeVer =~ \"^1[245]\\.\")\n{\n InsPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\", item:\"CommonFilesDir\");\n if(InsPath)\n {\n foreach offsubver 
(make_list(\"Office12\", \"Office15\", \"Office14\"))\n {\n offPath = InsPath + \"\\Microsoft Shared\\\" + offsubver;\n exeVer = fetch_file_version(sysPath:offPath, file_name:\"Mso.dll\");\n\n ## For office 2010 Wwlibcxm.dll is mentioned and it is not available so ignoring\n ## version check for office 2010 http://support.microsoft.com/kb/2956138\n if(exeVer)\n {\n if(version_in_range(version:exeVer, test_version:\"12.0\", test_version2:\"12.0.6718.4999\") ||\n version_in_range(version:exeVer, test_version:\"14.0\", test_version2:\"14.0.7145.4999\") ||\n version_in_range(version:exeVer, test_version:\"15.0\", test_version2:\"15.0.4701.999\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n }\n}\n\n## Microsoft Office 2010 Service Pack 1 and prior\n## http://support.microsoft.com/kb/2889839\n## http://support.microsoft.com/kb/2883100\nif(!officeVer || officeVer !~ \"^14\\.\"){\n exit(0);\n}\n\ncomPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Office\\14.0\\Access\\InstallRoot\", item:\"Path\");\nif(comPath)\n{\n ortVer = fetch_file_version(sysPath:comPath, file_name:\"Oart.dll\");\n ortconVer = fetch_file_version(sysPath:comPath, file_name:\"Oartconv.dll\");\n if(!isnull(ortVer) || !isnull(ortconVer))\n {\n if(version_in_range(version:ortVer, test_version:\"14.0\", test_version2:\"14.0.7134.4999\") ||\n version_in_range(version:ortconVer, test_version:\"14.0\", test_version2:\"14.0.7134.4999\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-26T14:19:18", "bulletinFamily": "scanner", "description": "This host is missing an important security\n update according to Microsoft Bulletin MS15-022.", "modified": "2018-09-26T00:00:00", "published": "2015-03-11T00:00:00", "id": "OPENVAS:1361412562310805151", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310805151", "title": "Microsoft SharePoint Server and Foundation Multiple Vulnerabilities (3038999)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_sharepoint_sever_n_foundation_ms15-022.nasl 11612 2018-09-26 05:47:26Z cfischer $\n#\n# Microsoft SharePoint Server and Foundation Multiple Vulnerabilities (3038999)\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:microsoft:sharepoint_server\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805151\");\n script_version(\"$Revision: 11612 $\");\n script_cve_id(\"CVE-2015-0085\", \"CVE-2015-1633\", \"CVE-2015-1636\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-26 07:47:26 +0200 (Wed, 26 Sep 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-03-11 16:48:56 +0530 (Wed, 11 Mar 2015)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft SharePoint Server and Foundation Multiple Vulnerabilities (3038999)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft Bulletin MS15-022.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to:\n\n - A use-after-free error that is triggered when handling a specially crafted\n office file.\n\n - User-supplied input is not properly validated before being returned to the user.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to dereference already freed memory and potentially execute\n arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"Microsoft SharePoint Server 2010 Service Pack 2,\n Microsoft SharePoint Foundation 2010 Service Pack 2,\n Microsoft SharePoint Foundation 2013 Service Pack 1 and prior,\n Microsoft SharePoint Server 2013 Service 
Pack 1 and prior.\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the\n listed hotfixes or download and update mentioned hotfixes in the advisory\n from the given link, https://technet.microsoft.com/library/security/MS15-022\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/kb/2956208\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/kb/2956175\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS15-022\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_ms_sharepoint_sever_n_foundation_detect.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"MS/SharePoint/Server_or_Foundation_or_Services/Installed\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nshareVer = get_app_version(cpe:CPE);\nif(!shareVer)\n{\n CPE = \"cpe:/a:microsoft:sharepoint_foundation\";\n shareVer = get_app_version(cpe:CPE);\n if(!shareVer){\n exit(0);\n }\n}\n\nkey = \"SOFTWARE\\Microsoft\\Shared Tools\\Web Server Extensions\\\";\nif(!registry_key_exists(key:key)){\n exit(0);\n}\n\n## SharePoint Server and Foundation 2010 (wssloc)\nif(shareVer =~ \"^14\\..*\")\n{\n path = registry_get_sz(key: key + \"14.0\", item:\"Location\");\n\n dllVer = fetch_file_version(sysPath:path, file_name:\"BIN\\Onetutil.dll\");\n if(dllVer)\n {\n if(version_in_range(version:dllVer, test_version:\"14.0\", test_version2:\"14.0.7145.4999\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n}\n\n## SharePoint Server and Foundation 2013 only for (sts)\nif(shareVer =~ \"^15\\..*\")\n{\n path = 
registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\",\n item:\"CommonFilesDir\");\n if(path)\n {\n path = path + \"\\microsoft shared\\SERVER15\\Server Setup Controller\";\n\n dllVer = fetch_file_version(sysPath:path, file_name:\"Wsssetup.dll\");\n if(dllVer)\n {\n if(version_in_range(version:dllVer, test_version:\"15.0\", test_version2:\"15.0.4701.999\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cve": [{"lastseen": "2018-10-13T11:06:57", "bulletinFamily": "NVD", "description": "Cross-site scripting (XSS) vulnerability in Microsoft Office for Mac 2011 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka \"Microsoft Outlook App for Mac XSS Vulnerability.\"", "modified": "2018-10-12T18:08:33", "published": "2015-04-14T16:59:03", "id": "CVE-2015-1639", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1639", "title": "CVE-2015-1639", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-10-13T11:06:57", "bulletinFamily": "NVD", "description": "Use-after-free vulnerability in Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word Viewer, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1 allows remote attackers to execute arbitrary code via a crafted Office document, aka \"Microsoft Office Component Use After Free Vulnerability.\"", "modified": "2018-10-12T18:08:36", "published": "2015-04-14T16:59:12", "id": "CVE-2015-1650", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1650", "title": "CVE-2015-1650", "type": "cve", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-13T11:06:57", "bulletinFamily": "NVD", "description": "Cross-site scripting (XSS) vulnerability in Microsoft Project Server 2010 SP2 and 2013 SP1 allows remote attackers to inject arbitrary web script or HTML via a crafted request, aka \"Microsoft SharePoint XSS Vulnerability.\"", "modified": "2018-10-12T18:08:33", "published": "2015-04-14T16:59:04", "id": "CVE-2015-1640", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1640", "title": "CVE-2015-1640", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-10-13T11:06:57", "bulletinFamily": "NVD", "description": "Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Foundation 2013 SP1 and SharePoint Server 2013 SP1 allows remote attackers to inject arbitrary web script or HTML via a crafted request, aka \"Microsoft SharePoint XSS Vulnerability.\"", "modified": "2018-10-12T18:08:36", "published": "2015-04-14T16:59:15", "id": "CVE-2015-1653", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1653", "title": "CVE-2015-1653", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-10-13T11:06:57", "bulletinFamily": "NVD", "description": "Use-after-free vulnerability in Microsoft Word 2007 SP3, Word Viewer, and Office Compatibility Pack SP3 allows remote attackers to execute arbitrary code via a crafted Office document, aka \"Microsoft Office Component Use After Free Vulnerability.\"", "modified": "2018-10-12T18:08:36", "published": "2015-04-14T16:59:13", "id": "CVE-2015-1651", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1651", "title": "CVE-2015-1651", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-13T11:06:56", "bulletinFamily": 
"NVD", "description": "Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 Gold and SP1, Word 2013 RT Gold and SP1, Word Viewer, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2, Word Automation Services on SharePoint Server 2013 Gold and SP1, Web Applications 2010 SP2, and Web Apps Server 2013 Gold and SP1 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted RTF document, aka \"Microsoft Office Memory Corruption Vulnerability.\"", "modified": "2018-10-12T18:08:22", "published": "2015-03-11T06:59:13", "id": "CVE-2015-0086", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0086", "title": "CVE-2015-0086", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-13T11:06:57", "bulletinFamily": "NVD", "description": "Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Foundation 2013 Gold and SP1 and SharePoint Server 2013 Gold and SP1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted request, aka \"Microsoft SharePoint XSS Vulnerability.\"", "modified": "2018-10-12T18:08:31", "published": "2015-03-11T06:59:37", "id": "CVE-2015-1636", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1636", "title": "CVE-2015-1636", "type": "cve", "cvss": {"score": 3.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-10-13T11:06:57", "bulletinFamily": "NVD", "description": "Use-after-free vulnerability in Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word Viewer, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2, and Office Web Apps Server 2010 SP2 allows remote attackers to execute arbitrary code via a crafted Office document, aka \"Microsoft Office Component Use After Free Vulnerability.\"", "modified": 
"2018-10-12T18:08:35", "published": "2015-04-14T16:59:11", "id": "CVE-2015-1649", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1649", "title": "CVE-2015-1649", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-13T11:06:57", "bulletinFamily": "NVD", "description": "Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1 allow remote attackers to execute arbitrary code via a crafted RTF document, aka \"Microsoft Office Memory Corruption Vulnerability.\"", "modified": "2018-10-12T18:08:33", "published": "2015-04-14T16:59:05", "id": "CVE-2015-1641", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1641", "title": "CVE-2015-1641", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-13T11:06:56", "bulletinFamily": "NVD", "description": "Microsoft Excel 2007 SP3, PowerPoint 2007 SP3, Word 2007 SP3, Excel 2010 SP2, PowerPoint 2010 SP2, and Word 2010 SP2 allow remote attackers to execute arbitrary code via a crafted Office document, aka \"Microsoft Word Local Zone Remote Code Execution Vulnerability.\"", "modified": "2018-10-12T18:08:26", "published": "2015-03-11T06:59:23", "id": "CVE-2015-0097", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0097", "title": "CVE-2015-0097", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "symantec": [{"lastseen": "2018-03-13T06:17:05", "bulletinFamily": "software", "description": "### Description\n\nMicrosoft SharePoint is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. 
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to perform unauthorized actions such as reading, modifying, or deleting content on behalf of the victim on the SharePoint site.\n\n### Technologies Affected\n\n * Microsoft Project Server 2010 Service Pack 2 \n * Microsoft Project Server 2013 Service Pack 1 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nAttackers may successfully exploit client flaws in the browser through cross-site scripting vulnerabilities. When possible, run client software as regular user accounts with limited access to system resources. This may limit the immediate consequences of client-side vulnerabilities. \n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to detect and block attacks and anomalous activity such as requests containing suspicious URI sequences. Since the webserver may log such requests, review its logs regularly.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to websites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users. \n\n**Set web browser security to disable the execution of script code or active content.** \nSince exploiting cross-site scripting issues often requires malicious script code to run in browsers, consider disabling script code and active content support within a client browser as a way to prevent a successful exploit. Note that this mitigation tactic might adversely affect legitimate sites that rely on the execution of browser-based script code. \n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "modified": "2015-04-14T00:00:00", "published": "2015-04-14T00:00:00", "id": "SMNTC-73992", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/73992", "type": "symantec", "title": "Microsoft SharePoint CVE-2015-1640 Cross Site Scripting Vulnerability", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-03-12T02:29:10", "bulletinFamily": "software", "description": "### Description\n\nMicrosoft SharePoint is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to perform unauthorized actions such as reading, modifying, or deleting content on behalf of the victim on the SharePoint site.\n\n### Technologies Affected\n\n * Microsoft SharePoint Foundation 2013 SP1 \n * Microsoft SharePoint Server 2013 SP1 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nAttackers may successfully exploit client flaws in the browser through cross-site scripting vulnerabilities. When possible, run client software as regular user accounts with limited access to system resources. This may limit the immediate consequences of client-side vulnerabilities. \n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to detect and block attacks and anomalous activity such as requests containing suspicious URI sequences. Since the webserver may log such requests, review its logs regularly.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to websites that are provided by unfamiliar or suspicious sources. 
Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users. \n\n**Set web browser security to disable the execution of script code or active content.** \nSince exploiting cross-site scripting issues often requires malicious script code to run in browsers, consider disabling script code and active content support within a client browser as a way to prevent a successful exploit. Note that this mitigation tactic might adversely affect legitimate sites that rely on the execution of browser-based script code. \n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2015-04-14T00:00:00", "published": "2015-04-14T00:00:00", "id": "SMNTC-73999", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/73999", "type": "symantec", "title": "Microsoft SharePoint CVE-2015-1653 Cross Site Scripting Vulnerability", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-03-12T04:24:44", "bulletinFamily": "software", "description": "### Description\n\nMicrosoft Office is prone to a memory-corruption vulnerability because it fails to properly handle rich text format files in memory. An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. 
Failed exploit attempts will likely result in denial-of-service conditions.\n\n### Technologies Affected\n\n * Microsoft Office 2010 (32-bit edition) SP2 \n * Microsoft Office 2010 (64-bit edition) SP2 \n * Microsoft Office Compatibility Pack Service Pack 3 \n * Microsoft Office Web Apps Server 2013 \n * Microsoft Web Applications 2010 Service Pack 2 \n * Microsoft Web Apps Server 2013 Service Pack 1 \n * Microsoft Word 2007 SP3 \n * Microsoft Word 2010 Service Pack 2 (32-bit editions) \n * Microsoft Word 2010 Service Pack 2 (64-bit editions) \n * Microsoft Word 2013 (32-bit editions) \n * Microsoft Word 2013 (64-bit editions) \n * Microsoft Word 2013 RT \n * Microsoft Word 2013 RT Service Pack 1 \n * Microsoft Word 2013 Service Pack 1 (32-bit editions) \n * Microsoft Word 2013 Service Pack 1 (64-bit editions) \n * Microsoft Word Automation Services on Microsoft SharePoint Server 2010 SP2 \n * Microsoft Word Automation Services on Microsoft SharePoint Server 2013 \n * Microsoft Word Automation Services on Microsoft SharePoint Server 2013 Service Pack 1 \n * Microsoft Word Viewer \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. 
Review all applicable logs regularly.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2015-03-10T00:00:00", "published": "2015-03-10T00:00:00", "id": "SMNTC-72911", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/72911", "type": "symantec", "title": "Microsoft Office CVE-2015-0086 Memory Corruption Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-13T06:16:53", "bulletinFamily": "software", "description": "### Description\n\nMicrosoft SharePoint is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. 
This may allow the attacker to perform unauthorized actions such as reading, modifying, or deleting content on behalf of the victim on the SharePoint site.\n\n### Technologies Affected\n\n * Microsoft SharePoint Foundation 2013 \n * Microsoft SharePoint Foundation 2013 SP1 \n * Microsoft SharePoint Server 2013 \n * Microsoft SharePoint Server 2013 SP1 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nAttackers may successfully exploit client flaws in the browser through cross-site scripting vulnerabilities. When possible, run client software as regular user accounts with limited access to system resources. This may limit the immediate consequences of client-side vulnerabilities. \n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to detect and block attacks and anomalous activity such as requests containing suspicious URI sequences. Since the webserver may log such requests, review its logs regularly.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to websites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users. \n\n**Set web browser security to disable the execution of script code or active content.** \nSince exploiting cross-site scripting issues often requires malicious script code to run in browsers, consider disabling script code and active content support within a client browser as a way to prevent a successful exploit. Note that this mitigation tactic might adversely affect legitimate sites that rely on the execution of browser-based script code. \n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "modified": "2015-03-10T00:00:00", "published": "2015-03-10T00:00:00", "id": "SMNTC-72922", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/72922", "type": "symantec", "title": "Microsoft SharePoint CVE-2015-1636 Cross Site Scripting Vulnerability", "cvss": {"score": 3.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-03-14T22:41:12", "bulletinFamily": "software", "description": "### Description\n\nMicrosoft Office is prone to a remote memory-corruption vulnerability. An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely result in denial-of-service conditions.\n\n### Technologies Affected\n\n * Microsoft Office 2010 (32-bit edition) SP2 \n * Microsoft Office 2010 (64-bit edition) SP2 \n * Microsoft Office Compatibility Pack SP3 \n * Microsoft Office Web Apps Server 2010 Service Pack 2 \n * Microsoft Office Web Apps Server 2013 SP1 \n * Microsoft Word 2007 SP3 \n * Microsoft Word 2010 Service Pack 2 (32-bit editions) \n * Microsoft Word 2010 Service Pack 2 (64-bit editions) \n * Microsoft Word 2013 RT Service Pack 1 \n * Microsoft Word 2013 Service Pack 1 (32-bit editions) \n * Microsoft Word 2013 Service Pack 1 (64-bit editions) \n * Microsoft Word Automation Services on Microsoft SharePoint Server 2010 SP2 \n * Microsoft Word Automation Services on Microsoft SharePoint Server 2013 Service Pack 1 \n * Microsoft Word for Mac 2011 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network 
traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2015-04-14T00:00:00", "published": "2015-04-14T00:00:00", "id": "SMNTC-73995", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/73995", "type": "symantec", "title": "Microsoft Office CVE-2015-1641 Memory Corruption Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-12T10:28:40", "bulletinFamily": "software", "description": "### Description\n\nMicrosoft Office is prone to a remote code-execution vulnerability because it fails to properly handle objects in memory. An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. 
Failed exploit attempts will likely result in denial-of-service conditions.\n\n### Technologies Affected\n\n * Microsoft Office Compatibility Pack Service Pack 3 \n * Microsoft Word 2007 SP3 \n * Microsoft Word Viewer \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "modified": "2015-04-14T00:00:00", "published": "2015-04-14T00:00:00", "id": "SMNTC-74012", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/74012", "type": "symantec", "title": "Microsoft Office CVE-2015-1651 Use After Free Remote Code Execution Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-12T00:30:46", "bulletinFamily": "software", "description": "### Description\n\nMicrosoft Word is prone to a memory-corruption vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial-of-service conditions.\n\n### Technologies Affected\n\n * Microsoft Excel 2007 SP3 \n * Microsoft Excel 2010 SP2 (32-bit editions) \n * Microsoft Excel 2010 SP2 (64-bit editions) \n * Microsoft PowerPoint 2007 SP3 \n * Microsoft PowerPoint 2010 Service Pack 2 (32-bit editions) \n * Microsoft PowerPoint 2010 Service Pack 2 (64-bit editions) \n * Microsoft Word 2007 SP3 \n * Microsoft Word 2010 Service Pack 2 (32-bit editions) \n * Microsoft Word 2010 Service Pack 2 (64-bit editions) \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. 
Review all applicable logs regularly.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2015-03-10T00:00:00", "published": "2015-03-10T00:00:00", "id": "SMNTC-72917", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/72917", "type": "symantec", "title": "Microsoft Word CVE-2015-0097 Memory Corruption Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-14T22:41:21", "bulletinFamily": "software", "description": "### Description\n\nMicrosoft Office is prone to a remote code-execution vulnerability because it fails to properly handle objects in memory. An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. 
Failed exploit attempts will likely result in denial-of-service conditions.\n\n### Technologies Affected\n\n * Microsoft Office 2010 (32-bit edition) SP2 \n * Microsoft Office 2010 (64-bit edition) SP2 \n * Microsoft Office Compatibility Pack Service Pack 3 \n * Microsoft Word 2007 SP3 \n * Microsoft Word 2010 Service Pack 2 (32-bit editions) \n * Microsoft Word 2010 Service Pack 2 (64-bit editions) \n * Microsoft Word 2013 RT Service Pack 1 \n * Microsoft Word 2013 Service Pack 1 (32-bit editions) \n * Microsoft Word 2013 Service Pack 1 (64-bit editions) \n * Microsoft Word Viewer \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. 
This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2015-04-14T00:00:00", "published": "2015-04-14T00:00:00", "id": "SMNTC-74011", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/74011", "type": "symantec", "title": "Microsoft Office CVE-2015-1650 Use After Free Remote Code Execution Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-12T06:25:07", "bulletinFamily": "software", "description": "### Description\n\nMicrosoft Outlook App for Mac is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.\n\n### Technologies Affected\n\n * Apple Mac OS X 10.5.8 \n * Microsoft Office for Mac 2011 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nAttackers may successfully exploit client flaws in the browser through cross-site scripting vulnerabilities. When possible, run client software as regular user accounts with limited access to system resources. This may limit the immediate consequences of client-side vulnerabilities. \n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to detect and block attacks and anomalous activity such as requests containing suspicious URI sequences. 
Since the webserver may log such requests, review its logs regularly.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to websites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users. \n\n**Set web browser security to disable the execution of script code or active content.** \nSince exploiting cross-site scripting issues often requires malicious script code to run in browsers, consider disabling script code and active content support within a client browser as a way to prevent a successful exploit. Note that this mitigation tactic might adversely affect legitimate sites that rely on the execution of browser-based script code. \n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2015-04-14T00:00:00", "published": "2015-04-14T00:00:00", "id": "SMNTC-73991", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/73991", "type": "symantec", "title": "Microsoft Outlook App for Mac CVE-2015-1639 Cross Site Scripting Vulnerability", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-03-13T20:24:08", "bulletinFamily": "software", "description": "### Description\n\nMicrosoft SharePoint is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. 
This may allow the attacker to perform unauthorized actions such as reading, modifying, or deleting content on behalf of the victim on the SharePoint site.\n\n### Technologies Affected\n\n * Microsoft SharePoint Foundation 2010 SP2 \n * Microsoft SharePoint Foundation 2013 \n * Microsoft SharePoint Foundation 2013 SP1 \n * Microsoft SharePoint Server 2010 SP2 \n * Microsoft SharePoint Server 2013 \n * Microsoft SharePoint Server 2013 SP1 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nAttackers may successfully exploit client flaws in the browser through cross-site scripting vulnerabilities. When possible, run client software as regular user accounts with limited access to system resources. This may limit the immediate consequences of client-side vulnerabilities. \n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to detect and block attacks and anomalous activity such as requests containing suspicious URI sequences. Since the webserver may log such requests, review its logs regularly.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to websites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users. \n\n**Set web browser security to disable the execution of script code or active content.** \nSince exploiting cross-site scripting issues often requires malicious script code to run in browsers, consider disabling script code and active content support within a client browser as a way to prevent a successful exploit. Note that this mitigation tactic might adversely affect legitimate sites that rely on the execution of browser-based script code. \n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "modified": "2015-03-10T00:00:00", "published": "2015-03-10T00:00:00", "id": "SMNTC-72919", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/72919", "type": "symantec", "title": "Microsoft SharePoint CVE-2015-1633 Cross Site Scripting Vulnerability", "cvss": {"score": 3.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}], "seebug": [{"lastseen": "2017-11-19T12:21:09", "bulletinFamily": "exploit", "description": "Source: http://drops.wooyun.org/papers/9809\r\n\r\n### Microsoft Office Memory Corruption Vulnerability\r\n\r\n### 0x01 Vulnerability overview\r\n\r\nIn April this year Microsoft patched a Word type-confusion vulnerability, CVE-2015-1641. An attacker can exploit it with an RTF document that has a DOCX embedded in it. When Word parses the DOCX and handles the displacedByCustomXML attribute, it does not validate the customXML object it is handed, so an object of another tag type can be passed in and processed instead. The resulting type confusion gives an arbitrary memory write, and with carefully constructed tags and attribute values it leads to remote arbitrary code execution.\r\n\r\nAccording to Microsoft's MS15-033 security bulletin, the vulnerability covers Office 2007 SP3, Office 2010 SP2 (32-bit and 64-bit), Office 2013 SP1 (32-bit and 64-bit), Office 2013 RT SP1, Word for Mac 2011, and the Office 2010/2013 components on SharePoint Server as well as Office Web Apps 2010/2013. Beyond that list, we verified that Office 2010 SP1 is also affected, but Microsoft's patch for this vulnerability on Office 2010, KB2553428, was never released for SP1, so an Office 2010 SP1 installation remains vulnerable even with every available update applied.\r\n\r\nCVE-2015-1641 triggers very reliably and affects almost every Office version Microsoft currently supports (the newly released Office 2016 excepted), so its reach is very broad. Samples exploiting it, both on VirusTotal and caught in the wild, have begun to increase. From this it is reasonable to infer that attacks on this vulnerability will continue for a long time, and that it is on track to replace CVE-2012-0158.\r\n\r\n### 0x02 Root cause analysis\r\n\r\nScanning the RTF document with Alibaba's 谛听 (DiTing) engine and extracting the embedded Word document, its document.xml contains the following code: four smartTag tags, each containing a permStart tag, and inside the permStart are moveFromRangeStart and moveFromRangeEnd tags carrying the displacedByCustomXml attribute:\r\n\r\nFirst, a word on what these tags and attributes do. smartTag is the smart tag used by Word and Excel: it recognises people's names, dates, times, addresses, telephone numbers and the like, and lets the user perform specific actions on them. For example, if Steve Jobs is recognised as a person's name, the smartTag can offer actions such as opening the address book, adding a contact or scheduling a meeting, giving Office users more customisable smart options. displacedByCustomXml can be used on many tags; it means the content at the current tag is to be replaced by the content of a customXML element, the value next meaning replaced by the next customXML and prev meaning replaced by the previous one.\r\n\r\nThis is a type-confusion vulnerability. A tag carrying displacedByCustomXml should be replaced by the previous or next customXML, but Word does not strictly check the customXML object passed in, so an object such as a smartTag can be passed instead. A smartTag object is processed differently from a customXML object: the element attribute value of the specially handled smartTag is treated as an address, a simple calculation derives a second address from it, and finally the processing writes the id value of moveFromRangeEnd over that computed address, giving an arbitrary memory write. The vulnerable code is as follows:\r\n\r\nThe patch comparison below shows clearly that the patched Word code adds a check to the function that handles customXML objects:\r\n\r\n### 0x03 Exploitation analysis\r\n\r\nThe analysis environment is Windows 7 64-bit with Office 2010 SP2 32-bit.\r\n\r\nAlthough there are four smartTag tags above, as far as the current analysis shows the first two are the key to exploitation. First, when parsing the first smartTag, Word parses the id of its moveFromRangeEnd child and writes it to address 0x7c38bd74, which is computed from the smartTag's element value 0x7c38bd50:\r\n\r\nThen the second smartTag is parsed; esi points to the smartTag structure and esi+4 holds the element attribute value:\r\n\r\neax is 0x7C376FC3, which is exactly the hexadecimal value of the moveFromRangeEnd object id \"2084007875\":\r\n\r\nThat value then overwrites 0x7c38a428 in MSVCR71.dll, a virtual function pointer; 0x7c38a428 is computed from the current smartTag's element value 0x7c38bd68 together with the id of the moveFromRangeStart in the first smartTag:\r\n\r\nIn the debugger the memory at ecx looks as follows; ecx+0xc is the value written while parsing the first smartTag above, and the address finally computed and overwritten is 0x7c38a428:\r\n\r\nBefore the overwrite, the pointer at 0x7c38a428 points to kernel32!FlsGetValue:\r\n\r\nFinally memcpy is called to perform the overwrite:\r\n\r\nAfter the overwrite, 0x7c38a428 points to the location of the code the attacker wants to run:\r\n\r\nTo summarise the exploitation flow: first the element attribute value of smartTag_1 (the first smartTag) goes through a simple calculation to produce an address addr1, and the id of its moveFromRangeEnd_1 child is written to addr1 for later use; then smartTag_2 is parsed, another address addr2 is computed from its element attribute value together with addr1, and the id of its child moveFromRangeEnd_2 is written to addr2. addr2 is an entry in a virtual function table, so the virtual function's address is replaced with the address of whatever code the attacker wants to run, and exploitation succeeds.\r\n\r\nOn an unpatched Office 2010, the heap-sprayed address Word ends up executing from is 0x0900080C, as follows:\r\n\r\nThis memory should look familiar by now: it is the content of the activeX.bin file dropped from the RTF document, and the code at 0x7c342404 is a ret, so execution keeps returning until it reaches the final ROP chain, which looks like this:\r\n\r\nWithout doubt the ROP chain's purpose is still to call VirtualProtect
1fd\u6570\u5bf9\u5f53\u524d\u8fd9\u5757\u5185\u5b58\u6dfb\u52a0\u53ef\u6267\u884c\u6743\u9650\uff1a\r\n\r\n\r\n\r\n\u83b7\u5f97\u6267\u884c\u6743\u9650\u4e4b\u540e\u5f00\u59cb\u6267\u884cshellcode\uff1a\r\n\r\n\r\n\r\n### 0x04 \u6f0f\u6d1e\u5229\u7528\u68c0\u6d4b\r\n\r\n\u60f3\u8981\u68c0\u6d4b\u8fd9\u4e2a\u6f0f\u6d1e\u7684\u653b\u51fb\u6837\u672c\u5fc5\u987b\u8981\u5148\u4ecertf\u6587\u6863\u63d0\u53d6\u51fadocx\u7136\u540e\u83b7\u53d6\u5230document.xml\uff0cyara\u89c4\u5219\u5982\u4e0b\uff1a\r\n\r\n```\r\nrule CVE_2015_1641\r\n{\r\n meta:\r\n description=\"Word Type Confusion Vulnerability\"\r\n output=\"Nday & CVE-2015-1641\"\r\n strings:\r\n $smart_tag=/<w:smartTag[\\w\\W]+?w:element=\\\"(&#x[a-zA-Z0-9]{4};){2}\\\">[\\w\\W]+?<w:permStart[\\w\\W]+?w:displacedByCustomXml=\\\"prev\\\"\\/>[\\w\\W]+?<w:permEnd[\\w\\W]+?<\\/w:smartTag>/\r\n condition:\r\n $smart_tag\r\n}\r\n```\r\n\r\n\u4e0a\u9762\u7684\u89c4\u5219\u5339\u914d\u5176\u5b9e\u5c31\u662f\u4e00\u4e2a\u6b63\u5219\u5339\u914d\uff0c\u4ece\u5de6\u5230\u53f3\u6d41\u7a0b\u5982\u4e0b\uff1a1.\u5339\u914d\u5230smartTag\u6807\u7b7e\uff0c\u67e5\u770b\u5176element\u5c5e\u6027\u662f\u5426\u4e3a\u5341\u516d\u8fdb\u5236\u6570\u503c\u4f5c\u4e3a\u5730\u5740\uff1b2.\u5728smartTag\u6807\u7b7e\u4e2d\u5339\u914d\u5230permStart\u6807\u7b7e\uff0c\u5728\u5b83\u7684\u5c5e\u6027\u6216\u5b50\u6807\u7b7e\u7684\u5c5e\u6027\u4e2d\u5b58\u5728displacedByCustomXml=\"prev\"\u3002\u6ee1\u8db3\u4e0a\u8ff0\u4e24\u4e2a\u6761\u4ef6\u5219\u8ba4\u4e3a\u5c31\u662f\u8fd9\u4e2a\u6f0f\u6d1e\u7684\u653b\u51fb\u6837\u672c\u3002\u4f9d\u636e\u4e0a\u9762\u7684yara\u89c4\u5219\u68c0\u6d4b\u8be5\u653b\u51fb\u6837\u672c\u7684document.xml\u7ed3\u679c\u5982\u4e0b\uff1a\r\n\r\n", "modified": "2015-12-31T00:00:00", "published": "2015-12-31T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-90202", "id": "SSV:90202", "type": "seebug", "title": "Microsoft Office \u5185\u5b58\u635f\u574f\u6f0f\u6d1e(CVE-2015-1641)", "sourceData": "", "cvss": {"score": 9.3, 
"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}], "zdi": [{"lastseen": "2016-11-09T00:18:10", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Word. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within processing of abstract number elements in numbering.xml. By adding unexpected nodes within an abstractNum node, the attacker can cause memory to be used after it is freed, leading to arbitrary code execution in the context of the Word process.", "modified": "2015-11-09T00:00:00", "published": "2015-04-15T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-15-132", "id": "ZDI-15-132", "title": "Microsoft Word Use-After-Free Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:18:11", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Word. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of the item1.xml file inside of the .docx package. By transposing elements, an attacker is able to cause a pointer to be re-used after it was freed. 
An attacker could leverage this to execute arbitrary code in the context of the user.", "modified": "2015-11-09T00:00:00", "published": "2015-03-12T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-15-088", "id": "ZDI-15-088", "title": "Microsoft Word Format Tag Transposition Use-After-Free Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "threatpost": [{"lastseen": "2018-10-06T22:53:32", "bulletinFamily": "info", "description": "Nigerian cybercriminals targeting industrial firms have stolen a slew of sensitive technical drawings, network diagrams, cost estimates, and project plans already this year. The data, exfiltrated by a cocktail of different spyware programs, wasn\u2019t stolen from just executives, but also operators, engineers, designers and architects.\n\nThe thefts stem from a series of Business Email Compromise (BEC) attacks. In total, researchers with Kaspersky Lab said this week they\u2019ve seen over 500 companies \u2013 mostly in the industrial and transportation sector \u2013 from 50 countries hit by strategic phishing messages over the past several months.\n\nA report by the company\u2019s Industrial Control Systems Cyber Emergency Response Team broke down the phishing attacks [on Thursday](<https://securelist.com/nigerian-phishing-industrial-companies-under-attack/78565/>).\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2017/06/06224212/Infographics_Nigerian_Phishing_1_map_v02.jpg>)\n\nA map, published alongside the report, suggests corporations in the Middle East (the United Arab Emirates in particular), Russia, Germany, and India have been the hardest hit.\n\nLike most BEC attacks, the attacks begin with phony but authentic looking emails, complete with attachments named \u201cEnergy & Industrial Solutions W.L.L_pdf,\u201d and so on.\n\nAll the emails came with .RTF files armed with either an old 
Microsoft Word exploit \u2013 CVE-2015-1641, or macros and OLE objects that trigger the download of additional malicious files. Data sniffing malware, packed both with VB and .NET packers, from eight different families \u2013 including ZeuS, Pony, LokiBot, and a variety of RATs \u2013 was also used in the attacks, Kaspersky Lab said Thursday.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2017/06/06224209/incorrectbankingdetails.png>)\n\nWhile it\u2019s clear what\u2019s been taken, it\u2019s unclear exactly who\u2019s behind the campaign. Researchers hint it\u2019s either one group using different malware families or different groups working in tandem, using the same command and control setup to distribute their wares.\n\nIn some instances the attackers were able to gain access to websites belonging to the companies they targeted in order to host malware on their servers and use them as their C+C. In other cases attackers managed to secure access to email accounts of company employees and send malicious emails and attachments to executives at other companies.\n\nWhen they couldn\u2019t infiltrate their victims\u2019 sites or emails to spread malware, the attackers set up C+C domains to mimic the actual name of the company targeted, or a blend of the site\u2019s legitimate name and its top-level domain.\n\nThe attackers didn\u2019t do much to cover their tracks. The bulk of the domains, according to researchers, were registered to Nigerian residents.\n\nOnce a corporate machine has been compromised, the sky\u2019s the limit for the attackers. The report claims they can carry out man-in-the-middle attacks, take screenshots of correspondence, redirect messages from the victim\u2019s mailbox and track internal transactions by the company.\n\nResearchers with the firm reported seeing screenshots of diagrams, mockups of electrical and information networks, and Autodesk AutoCAD projects on some command and control servers. 
The data is technical in nature and could likely be used to carry out future attacks, Kaspersky Lab suggests.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2017/06/06224200/ics_report.png>)\n\n\u201cThere is no need for the attackers to collect this kind of data in order to perpetrate their phishing scams. So what do they do with this information? Is the collection accidental, or intentional \u2013 perhaps commissioned by a third party?\u201d Maria Garnaeva, senior security researcher, Critical Infrastructure Threat Analysis, Kaspersky Lab said.\n\n\u201cSo far, we have not seen any of the information stolen by Nigerian cybercriminals on the black market. However, it is clear that, for the companies being attacked, in addition to the direct financial loss, a Nigerian phishing attack poses other, possibly more serious, threats.\u201d\n\nWhile these types of attacks aren\u2019t necessarily new, Kaspersky Lab researchers said they observed a significant uptick in attacks focusing on industrial corporations in October 2016. The attacks have been ongoing and are \u201cunlikely to end any time soon,\u201d the report asserts.\n\nThe attacks supplement statistics recently released by the U.S. government. The FBI [said in May](<https://threatpost.com/business-email-compromise-losses-up-2370-percent-since-2015/125469/>) that BEC schemes had grown a whopping 2,370 percent in the last two years.\n\nThe report, released via the FBI\u2019s Internet Crime Complaint Center (IC3), said that since late 2013 businesses have lost more than $5.3 billion. Of that, $3 billion came at the hands of Nigerian phishers, the FBI said. 
Most of those funds were ultimately funneled to banks in China and Hong Kong via wire transfers and phony tax form scams.\n\nResearchers with Dell SecureWorks, who in the past have displayed an aptitude for analyzing these kind of scams, [described at the RSA Conference earlier this year](<https://threatpost.com/turning-tables-on-nigerian-business-email-scammers/123706/>) how they managed to derail one. The researchers, Joe Stewart and James Bettke, posed as an executive, gained the trust of one fraudster, and successfully had several mule accounts tied to the attacker frozen, mitigating potential extensive future loss.\n\nStewart said at the time it\u2019d be helpful if there was some sort of centralized repository for reporting these kinds of attacks.\n\n\u201cThere\u2019s no shortage of people who recognize these things and string them along. The problem is that there\u2019s no central place to report these accounts and get them shut down,\u201d Stewart said. \u201cSome of these guys have accounts in every country. Try to find the right contact at a particular bank in a particular country and tell them that they have accounts used by fraudsters. There\u2019s no easy way to do it. 
There needs to be someone leading the effort and the charge.\u201d\n", "modified": "2017-06-20T20:45:46", "published": "2017-06-15T14:28:19", "id": "THREATPOST:2579CD250892361A8CC34804F8B6E540", "href": "https://threatpost.com/nigerian-bec-scams-hit-500-companies-in-50-countries/126298/", "type": "threatpost", "title": "Nigerian BEC Scams Hit 500 Companies in 50 Countries", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:02", "bulletinFamily": "info", "description": "Microsoft has patched a critical vulnerability in the Windows HTTP protocol stack, known as HTTP.sys, which could have devastating consequences once it\u2019s inevitably publicly exploited.\n\nThe bulletin, [MS15-034](<https://technet.microsoft.com/library/security/MS15-034>), is one of four critical bulletins issued today by Microsoft. Experts warn that exploiting the vulnerability is trivial and could lead to remote code execution and privilege escalation on a compromised machine.\n\n\u201cWhat this means is that once an attacker knows how to create the \u2018specially crafted HTTP request\u2019 they can simply start targeting every web server they can find until they hit one that is vulnerable. The first concern is that the work around provided by Microsoft is very limited and doesn\u2019t provide IT admins much to protect themselves while they test and deploy the patch,\u201d said Andrew Storms, vice president security services for New Context. \u201cThe second concern is the sheer number of Windows web servers. There are more Linux servers in terms of total numbers but Windows servers are more popular in the corporate environment and many of them store very valuable assets.\u201d\n\nMicrosoft said a temporary workaround would be to disable IIS kernel caching, but cautioned that this action could cause performance issues. 
The vulnerability is not being exploited in the wild, Microsoft said, adding that it\u2019s found in Windows 7, Windows Server 2008 R2, Windows 8 and 8.1, Windows Server 2012 and 2012 R2, and in the Server Core installation option.\n\n\u201cAn attacker can use the vulnerability to run code on your IIS webserver under the IIS user account. The attacker would then use an exploit for a second local vulnerability to escalate privilege, become administrator and install permanent exploit code,\u201d said Wolfgang Kandek, CTO at Qualys. \u201cThe attack is simple to execute and needs to be addressed quickly, if you cannot patch immediately take a look at the suggested workaround in IIS caching. This is the top vulnerability for your server team if you run Windows based web servers on the Internet.\u201d\n\nCraig Young, security researcher at Tripwire, said the flaw appears to be related to IIS kernel caching support.\n\n\u201cIt\u2019s likely that we\u2019ll see this bug being exploited in the wild in a very short timeframe,\u201d Young said. \u201cInterestingly enough however, MS15-034 does not affect the older Windows Server 2003 IIS platform, indicating that this bug was introduced in the newer IIS releases.\u201d\n\nWindows admins should also rush to deploy a critical bulletin that addresses a publicly disclosed vulnerability in Office.\n\n[MS15-033](<https://technet.microsoft.com/library/security/MS15-033>) patches three vulnerabilities that are rated critical for older versions of Office components such as Word 2007 and Office 2010, but rated important for Office 2013, SharePoint Server 2013 and Office Web Apps Server 2013.\n\nOne of the vulnerabilities, CVE-2015-1641, has been publicly disclosed and Microsoft said there are limited attacks trying to exploit the bug, which is a remote code execution memory corruption issue. 
There are also a pair of use-after-free vulnerabilities in Office that could lead to remote code execution.\n\nThe bulletin also patches a cross-site scripting vulnerability in Microsoft Outlook App for Mac.\n\nMicrosoft today also patched Internet Explorer. The latest cumulative update for the browser includes a number of fixes for vulnerabilities that were privately disclosed during the [Pwn2Own contest](<https://threatpost.com/all-major-browsers-fall-at-pwn2own-day-2/111731>) last month.\n\n[MS15-032](<https://technet.microsoft.com/library/security/MS15-032>) patches 10 vulnerabilities in IE, including nine different memory corruption issues, and an ASLR bypass, none of which are being publicly exploited. The vulnerabilities range from security feature bypass, to elevation of privilege, to information disclosure, to remote code execution.\n\nThe final critical bulletin, [MS15-035](<https://technet.microsoft.com/library/security/MS15-035>), patches a vulnerability in the way Windows processes certain Enhanced Metafile (EMF) graphics and images.\n\n\u201cThe vulnerability could allow remote code execution if an attacker successfully convinces a user to browse to a specially crafted website, open a specially crafted file, or browse to a working directory that contains a specially crafted Enhanced Metafile (EMF) image file,\u201d Microsoft said in its advisory. 
\u201cIn all cases, however, an attacker would have no way to force users to take such actions; an attacker would have to convince users to do so, typically by way of enticements in email or Instant Messenger messages.\u201d\n\nThere were seven other bulletins released today, all rated important:\n\n * [MS15-036](<https://technet.microsoft.com/library/security/MS15-036>) patches elevation of privilege vulnerabilities in SharePoint Server\n * [MS15-037](<https://technet.microsoft.com/library/security/MS15-037>) addresses an elevation of privilege vulnerability in Windows Task Scheduler\n * [MS15-038](<https://technet.microsoft.com/library/security/MS15-038>) fixes elevation of privilege vulnerabilities in Windows NTCreate Transaction Manager and MS-DOS\n * [MS15-039](<https://technet.microsoft.com/library/security/MS15-039>) patches a security feature bypass vulnerability in XML Core Services\n * [MS15-040](<https://technet.microsoft.com/library/security/MS15-040>) patches an information disclosure bug in Active Directory Federation Services\n * [MS15-041](<https://technet.microsoft.com/library/security/MS15-041>) patches an information disclosure vulnerability in .NET Framework\n * [MS15-042](<https://technet.microsoft.com/library/security/MS15-042>) patches a denial of service flaw in Windows Hyper-V\n\n**Adobe Patches Flash, ColdFusion, Flex**\n\nAdobe released updates today for Flash Player, ColdFusion and Flex. 
The Flash update patches a vulnerability that has been exploited in the wild, Adobe said.\n\nThe [Flash update](<https://helpx.adobe.com/security/products/flash-player/apsb15-06.html>) resolves 22 security issues, including CVE-2015-3043, a remote code execution bug under attack.\n\nAffected versions are: Adobe Flash Player 17.0.0.134 and earlier versions; Adobe Flash Player 13.0.0.277 and earlier 13.x versions; Adobe Flash Player 11.2.202.451 and earlier 11.x versions.\n\nThe [ColdFusion update](<https://helpx.adobe.com/security/products/coldfusion/apsb15-07.html>), meanwhile, addresses one vulnerability, CVE-2015-0345, an input validation bug that is not under attack, Adobe said.\n\nFinally, the update for Adobe\u2019s Flex ASdoc Tool also patched one vulnerability, CVE-2015-1773, found in the JavaScript output of the ASDoc tool in Flex 4.6 and earlier, Adobe said.\n\n\u201cThis vulnerability could lead to reflected cross-site scripting,\u201d Adobe said in its [advisory](<https://helpx.adobe.com/security/products/flex/apsb15-08.html>).\n", "modified": "2015-04-16T14:39:33", "published": "2015-04-14T14:49:25", "id": "THREATPOST:0FAFED5DB78FA64CCE60EB40BB4C8915", "href": "https://threatpost.com/microsoft-patches-critical-http-sys-vulnerability/112251/", "type": "threatpost", "title": "April 2015 Microsoft Patch Tuesday Security Bulletins", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:27", "bulletinFamily": "info", "description": "Tibetans, journalists and human rights workers in Hong Kong and Taiwan have been targeted in an APT campaign that makes use of Microsoft Rich Text File (RTF) documents to compromise computers. 
Researchers say it\u2019s a new strategy by attackers in an ongoing advanced persistent threat that dates back to 2009.\n\nAccording to Arbor Networks, the RTF document-based attack uses four known vulnerabilities (CVE-2012-0158, CVE-2012-1856, CVE-2015-1641 and CVE-2015-1770) in one attachment. This is the first time, researchers say, that attackers associated with this APT have packed four vulnerabilities inside a single RTF document.\n\nOnce a system is compromised, the vulnerabilities are used to deliver malware payloads such as Grabber, T9000, Kivars, PlugX, Gh0StRAT and Agent.XST, according to Arbor Networks, which published a report Monday of its [findings (PDF)](<https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/04/ASERT-Threat-Intelligence-Report-2016-03-The-Four-Element-Sword-Engagement.pdf>).\n\nArbor Networks said attackers are borrowing a best-of-breed mix of past technology used in previous and related APT attacks against similar journalist and human rights targets. \u201cWhat we have been able to do is update an ongoing APT and show how malware, techniques and spear phishing techniques have been refreshed for the present day,\u201d said Curt Wilson, senior threat intelligence analyst at Arbor Networks, in an interview with Threatpost.\n\nIn the week preceding the January 2016 Taiwanese general election, human rights lawyers and Tibetan activists received a phishing email purporting to come from a human rights organization. The email included the subject line \u201cUS Congress sanctions $6 million fund for Tibetans in Nepal and India.\u201d Attached was the four-pronged RTF file.\n\nAnyone who opened the email attachment had the Grabber (aka EvilGrab) malware injected into their computer system\u2019s ctfmon.exe process, Arbor Networks said. 
Grabber then triggered the download of a host of malicious software such as remote access Trojans, giving attackers access to the system and the ability to load additional malicious code.\n\nPayloads varied from Grabber, T9000, Kivars, PlugX, Gh0StRAT and Agent.XST just as the phishing email subject lines varied. \u201c[BULK] TIBET, OUR BELOVED NATION AND WILL NEVER FORGET IT,\u201d read another subject line harboring an RTF file that ultimately infected systems with the Kivars Keylogger Payload.\n\nWilson said none of the payloads or exploits were new. He added, \u201cBeing able to draw a line from one APT to another is an extremely important step when it comes to fighting APTs and ideally \u2013 in this case \u2013 keeping those fighting for human rights out of jail.\u201d\n\nWilson said the espionage campaign against journalists, activists and human rights advocates appears to be connected to an even broader set of targets and operations. Also on Monday, The Citizen Lab, part of the Munk School of Global Affairs, [similarly published a report tracking](<https://citizenlab.org/2016/04/between-hong-kong-and-burma/>) advanced persistence threats targeting Hong Kong and Myanmar/Burman democracy activists.\n", "modified": "2016-04-19T01:45:15", "published": "2016-04-19T07:00:14", "id": "THREATPOST:DB438BDD32A19C608E74D09992D53881", "href": "https://threatpost.com/apt-targeting-tibetans-packs-four-vulnerabilities-in-one-compromise/117493/", "type": "threatpost", "title": "APT Threat Targets Tibetans, Journalists and Human Rights Workers", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securelist": [{"lastseen": "2017-06-30T15:02:31", "bulletinFamily": "blog", "description": "\n\nIn late 2016, the Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team ([Kaspersky Lab ICS CERT](<https://ics-cert.kaspersky.com/>)) reported on phishing attacks that were primarily targeting industrial companies from 
the metallurgy, electric power, construction, engineering and other sectors. As further research demonstrated, this was just part of a bigger story that began much earlier and is unlikely to end any time soon.\n\n## Targeted Attack\n\nIn October 2016, Kaspersky Lab products detected a surge in malware infection attempts on the computers of our customers who had industrial control systems installed. The malware used in these attacks was a specific modification of an exploit for a vulnerability dating back to 2015. \n\nFurther analysis of the incident led us to phishing messages disguised as business correspondence that were used to distribute the exploit.\n\nPhishers have long since discovered the advantages of attacking companies (they obviously have much more money in their accounts than ordinary users and they usually conduct much larger transactions than individuals). The emails used in such attacks are made to look as legitimate as possible so that the employees who receive them open the accompanying malicious attachments without giving them much thought.\n\nIn this case, we were dealing with well crafted phishing messages that targeted not only commercial organizations but, in most cases, industrial enterprises. All in all, we discovered over 500 attacked companies in more than 50 countries. Most of these companies are industrial enterprises and large transportation and logistics corporations.\n\n[](<https://securelist.com/files/2017/06/Infographics_Nigerian_Phishing_1_map.png>)\n\n## The Emails\n\nThe emails were sent on behalf of various companies that did business with potential victims: suppliers, customers, commercial organizations and delivery services. 
The emails asked recipients to check information in an invoice as soon as possible, clarify product pricing or receive goods specified in the delivery note attached.\n\n[](<https://securelist.com/files/2017/05/ics_phishing_en_1.png>)\n\n[](<https://securelist.com/files/2017/05/ics_phishing_en_2.png>)\n\n[](<https://securelist.com/files/2017/05/ics_phishing_en_3.png>)\n\n**_Examples of phishing emails_**\n\nThe phishers clearly tried hard to make their fake messages look very convincing to the employees of targeted companies. We have seen attachments with names such as \"Energy & Industrial Solutions W.L.L_pdf\", \"Woodeck Specifications best Prices Quote.uue\" and \"Saudi Aramco Quotation Request for October 2016\".\n\n### Malicious Files\n\nAll the emails had malicious attachments: RTF files with an exploit for the [CVE-2015-1641](<https://technet.microsoft.com/en-us/library/security/ms15-033.aspx>) vulnerability, archives of different formats containing malicious executable files, as well as documents with macros and OLE objects designed to download malicious executable files.\n\nIn late 2016, our mail antivirus solutions detected between several hundred and several thousand emails per day containing the exploit for CVE-2015-1641.\n\n[](<https://securelist.com/files/2017/05/ics_phishing_en_4.gif>)\n\n_Number of daily mail antivirus detections \nof the exploit for CVE-2015-1641 (Exploit.MSWord.Agent.hp)_\n\nA characteristic feature of such phishing campaigns is that the number of emails sent varies depending on the day of the week: fewer emails are sent on weekends than weekdays. \n\nThe malware used in these attacks belonged to families that are popular among cybercriminals, such as ZeuS, Pony/FareIT, LokiBot, Luminosity RAT, NetWire RAT, HawkEye, ISR Stealer, and iSpy keylogger. The phishers selected a toolset that included the functionality they needed, choosing from malware available on cybercriminal forums. 
At the same time, the malware was packed using VB and .NET packers \u2013 a distinct feature of this campaign. To evade detection by security tools, the malicious files were regularly repacked using new modifications of the same packers.\n\nThe attackers used malware belonging to at least eight different Trojan-Spy and Backdoor families. All malicious programs selected for these attacks are designed primarily to steal confidential data and install stealthy remote administration tools on infected systems.\n\n### Domains Used by the Attackers\n\nWhen we extracted C&C addresses from the detected malicious files, it turned out that in some cases the same resources were used as command-and-control servers for malware from different families. From this, it can be concluded that either there is one cybercriminal group behind these attacks, using different malware families, or different groups are cooperating closely with each other and using the same C&C to communicate to \"their\" malware.\n\nThe domain names of some of the malware command-and-control servers used by the attackers mimicked domain names used by industrial companies \u2013 more proof that the attacks were primarily targeting industrial companies.\n\nAn analysis of these domain names sheds light on the tactics used by the phishers. They try to register the same domain name as the targeted company's legitimate resource, but in a different top-level domain. If this is impossible, the attackers register a domain with a name that looks very similar to the legitimate domain's name (a standard technique is to replace one or more characters). 
We have also seen another technique used in these attacks: the domain name is made up of the legitimate site's name and the name of its top-level domain.\n\n**Malware CnC** | **Real industrial company site** \n---|--- \nhi***quil-ar.com | hi***quil.com.ar \nem***uae.com | em***u.ae \nlus***lt.com | lus***lt.pt \n \n_Phishing domain names mimicking legitimate domain names_\n\nIn some cases, the attackers gained unauthorized access to the legitimate websites of industrial companies and used them as a platform for hosting malware and C&C servers. The websites were accessed using credentials stolen earlier from infected computers used by the companies' employees.\n\n[](<https://securelist.com/files/2017/05/ics_phishing_en_5.png>)\n\n_Compromised legitimate site_\n\nIn the course of our investigation we found that, according to the publicly available information provided by Whois services, most domains used for malware C&C servers were registered to residents of Nigeria. All indications are that these were business email compromise (BEC) attacks that have come to be associated with Nigerian cybercriminals.\n\n### Attack Scenario\n\nBusiness email compromise attacks are [well-known](<https://www.ic3.gov/media/2016/160614.aspx>). Several scenarios for these attacks have been described to date. Some of these scenarios were used in the targeted attacks we have been investigating.\n\n[](<https://securelist.com/files/2017/05/ics_phishing_en_6.png>)\n\n_Attack outline_\n\nIn the first stage, phishers send emails with malicious attachments \u2013 Trojan-Spies or Backdoors. All malware used is available on the black market. It is worth noting that a complete set of malware for carrying out this type of attack usually costs no more than US$200.\n\nAmong other things, we have discovered messages sent using compromised email accounts of company employees, in which cybercriminals sent malicious attachments to corporate addresses at other companies. 
\n\nAfter infecting a corporate computer, the attackers are able to make screenshots of the correspondence using malware or set up hidden redirection of messages from the attacked computer's mailbox to their own mailbox. This enables them to track which transactions are being prepared in the company.\n\nAfter selecting the most promising transaction among those in the pipeline, the attackers register domain names that are very similar to the names of the seller companies. Using the newly registered domains, the cybercriminals are able to carry out a man-in-the-middle attack: they intercept the email with the seller's invoice and forward it to the buyer after replacing the seller's account details with the details of an account belonging to the attackers. Alternatively, they can send a request on behalf of the seller for an urgent change of bank details in addition to the seller's legitimate email containing the invoice.\n\n[](<https://securelist.com/files/2017/05/ics_phishing_en_7.png>)\n\n_Hijacking the correspondence between the seller and the buyer using a phishing email address_\n\nAnother option for the cybercriminals is to send the emails on behalf of a seller with a spoofed email header, crafted so that it points to the seller's legitimate mailbox as the sender. It's worth saying that this way of sending emails is less reliable, as some programs and mail servers can reveal the replacement.\n\nIn any event, the chances of the recipient never suspecting anything and the criminals getting the money are very high.\n\n## Nigerian Fishing\n\n'Nigerian letters' (a.k.a. 419 scams) have become classics of online fraud. The creators of fascinating stories about heiresses/widows/secretaries/lawyers of deceased millionaires/disgraced dictators/other fat cats didn't [win the Ig Nobel Prize for literature in 2005](<https://en.wikipedia.org/wiki/List_of_Ig_Nobel_Prize_winners#2005>) for nothing. 
They may not be very highly qualified, but they certainly have a talent for extortion, and may well have been profiting from the greed and gullibility of their victims for years.\n\nSeveral years ago, Nigerian phishers appeared on the radar of researchers. They were the same scammers who specialized in so-called Nigerian letters, but at the same time they were mastering new techniques for stealing money \u2013 this time, from companies. They are usually the ones behind business email compromise attacks. \n\nThere have been a good many publications on phishing attacks by Nigerian fraudsters in the past three years. This is no coincidence: this relatively new type of criminal business is gaining momentum. According to FBI estimates, [the damage from Nigerian phisher activity](<https://www.ic3.gov/media/2016/160614.aspx>) from October 2013 to May 2016 exceeded US$3 billion and the number of affected companies was as high as 22,143. Those companies are scattered across 79 countries of the world.\n\nIn 2013-2015, mostly small and medium-size companies were attacked. The phishers gathered the email addresses of potential victims on the Internet.\n\n[](<https://securelist.com/files/2017/05/ics_phishing_en_8.png>)\n\n_Cybercriminals exchanging addresses for phishing email distribution. Most addresses are on publicly available email services_\n\nSince the fraudsters are interested primarily in companies that buy and sell, they use resources such as Alibaba. \n\n[](<https://securelist.com/files/2017/05/ics_phishing_en_9.png>)\n\n_Message with spoofed header and replaced banking details allegedly sent from Alibaba seller's legitimate email_\n\nPhishers also buy databases of email addresses that are of interest to them. Addresses belonging to different categories of company are available on the black market. 
Relatively small industrial companies are among those targeted by phishers.\n\n[](<https://securelist.com/files/2017/05/ics_phishing_en_10.png>)\n\n_An offer to buy categorized email addresses sent to a Nigerian phisher_\n\nClearly, targeted attacks focusing on specific regions already took place in 2015. The screenshot below shows a message that confirms the purchase of a database of UAE company addresses by a Nigerian phisher. This purchase set the cybercriminal back $99.\n\n[](<https://securelist.com/files/2017/05/ics_phishing_en_11.png>)\n\n_Purchase of an email address database for attacks on UAE companies by a Nigerian phisher_\n\nSome cybercriminals are prepared to pay a small fortune for email addresses:\n\n[](<https://securelist.com/files/2017/05/ics_phishing_en_12.png>)\n\n_Purchase of corporate data by a Nigerian phisher for $995_\n\n### Hunting the Big Phish\n\nCybercriminals want to steal as much money as possible in one go. As a result, the companies attacked in 2016 included some major corporations.\n\nThe average value of a sales transaction can be quite high for a large company. Apparently, Nigerian hackers took note of this in 2016. We believe that a group of Nigerian phishers (or several groups working together) chose industrial and transportation companies as their main targets in 2016.\n\nFor example, Palo Alto Networks published two reports in [June 2015](<http://researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/>) and [February 2016](<http://researchcenter.paloaltonetworks.com/2016/02/keybase-threat-grows-despite-public-takedown-a-picture-is-worth-a-thousand-words/>) based on their analysis of phishing attacks against companies. These reports painted a familiar picture: Nigerian attackers used targeted phishing emails and malware that steals confidential data \u2013 a Trojan-Spy called KeyBase was used in those attacks. 
Remarkably, unlike the 2015 attack, the 2016 attack targeted primarily industrial companies.\n\nIn August 2016, our colleague studied a series of phishing attacks that he dubbed [Operation Ghoul](<https://securelist.com/blog/research/75718/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/>). Operation Ghoul also made use of targeted phishing emails that contained malware designed to steal authentication credentials from different applications, including KeyBase. That operation in fact had much in common with the targeted attacks that we detected in the fall of 2016. In both cases, the attacks targeted mostly industrial companies and the texts of phishing emails and attached files were very similar. We also noticed fake emails sent in both campaigns on behalf of the same sender \u2013 Emirates NDB Bank. Finally, in the Operation Ghoul attacks we found files packed with a specific .NET packer (sold on hacker forums as Data Protector) that was one of the markers of the attacks we uncovered.\n\nIn the attacks analyzed by Kaspersky Lab, **industrial companies account for over 80%** of potential victims.\n\n### Potential Losses\n\nNigerian phishing attacks are particularly dangerous for industrial companies. In the event of a successful attack, the company making a purchase not only loses money but also fails to receive the goods they need on time. This can be critical for industrial companies: if the goods are raw materials used in manufacturing or spare parts needed to repair equipment, their non-delivery can result in downtime or failure to perform scheduled maintenance or commissioning and start-up work. \n\nHowever, there are other possible consequences, as well. The spyware programs used by phishers send a variety of information from infected machines to their command-and-control servers. \n\nWe analyzed data from some command-and-control servers used in 2017 attacks. 
The amount and contents of data obtained by Nigerian phishers is truly disturbing. Cybercriminals have gained access to information on industrial companies' operations and main assets, including information on contracts and projects.\n\nFor example, screenshots found on malware command-and-control servers included various cost estimates and project plans for some of the current projects at victim enterprises.\n\n[](<https://securelist.com/files/2017/05/ics_phishing_en_13.png>) | [](<https://securelist.com/files/2017/05/ics_phishing_en_14.png>) \n---|--- \n \n_Screenshots from infected computers_\n\nWe also found screenshots that were clearly not made on the computers of project managers or procurement managers, but rather on the workstations of operators, engineers, designers and architects. They show, among other things, technical drawings, floor plans, diagrams showing the structure of electrical and information networks.\n\n[](<https://securelist.com/files/2017/05/ics_phishing_en_15.png>) | [](<https://securelist.com/files/2017/05/ics_phishing_en_16.png>) \n---|--- \n[](<https://securelist.com/files/2017/05/ics_phishing_en_17.png>) | [](<https://securelist.com/files/2017/05/ics_phishing_en_18.png>) \n[](<https://securelist.com/files/2017/05/ics_phishing_en_19.png>) \n \n_Screenshots from infected computers_\n\nClearly, this is not needed to carry out the cybercriminals' Nigerian scams. What do they do with this information? Do they destroy it after completing an attack? Could someone order the theft of data from a specific company?\n\nSo far, we have not seen any of the information stolen by Nigerian cybercriminals on the black market. However, it is clear that, for the companies being attacked, in addition to the direct financial loss a Nigerian phishing attack poses other, possibly more serious, threats.\n\nThis malicious phishing campaign is ongoing and is unlikely to cease in the foreseeable future. 
\n\n[](<https://securelist.com/files/2017/05/ics_phishing_en_20.png>)\n\n_Phishing attacks against industrial companies continue_\n\nNigerian phishing is clearly a profitable type of cybercrime that does not require significant financial investment or a high level of technical knowledge. It appears that Nigerian threat actors don't face stiff competition, at least for now: they readily share information as well as command-and-control servers used by malware. However, as in the case of Nigerian letter scams, this type of cybercriminal activity can easily be adopted by other criminals. That is, if they haven't already done so, of course.\n\n## P.S. The Hidden Threat\n\nAnd last \u2013 though by no means least \u2013 it is very dangerous if, as a result of an infection, cybercriminals gain access to computers that are part of an industrial control system (ICS). In such cases, they can gain remote access to the ICS and unauthorized control over industrial processes.\n\nRemote access to SCADA machines enables attackers to simply switch industrial equipment off or change its settings. There are known cases of hackers changing the parameters of an industrial process without any obvious malicious intent \u2013 simply out of curiosity. In 2016, Verizon published a data breach digest that describes several attacks investigated by the company, including one aimed at the systems of an unnamed US water utility. In the course of the attack, the cybercriminals managed to infiltrate the control system and change the amounts of chemicals used to treat tap water and the flow rate. At the same time, according to Verizon experts, the hackers didn't understand what the results of the changes they were making would be and changed the settings randomly. 
In this context, it has to be hoped that the interests of Nigerian phishers will be limited to stealing money and that they won't tamper with ICS controls.\n\nUnfortunately, there is no guarantee that people who want to carry out acts of sabotage will not gain access to computers in industrial enterprises, including SCADA systems.\n\n## Protection Measures\n\nThe following measures are needed to mitigate attacks which involve social engineering techniques: \n\n * Regularly brief employees on security rules when working with email and the Internet. Train employees in the basic rules of cyber-hygiene, such as not opening suspicious links and attachments, carefully checking sender and recipient addresses, company names and the actual domain names from which messages were sent.\n * Inform employees not only about the tools that can be used by cybercriminals, but also about the fraudulent schemes they use.\n * In the course of conducting a transaction, if an unexpected request is received from the seller to change the bank details, payment methods or other parameters of the transaction, it is best to contact the seller by phone or using other methods unrelated to email and ask for confirmation of the changes. 
\n\nThe following protection measures are recommended to minimize the risk of infection and any damage from attacks: \n\n * Install a security solution on all workstations and servers where possible.\n * Keep security software, signature databases, heuristic and decision rule databases up to date.\n * Where possible, install operating system and software updates without delay.\n * In the event of a system being compromised, change the passwords for all accounts used on that system.\n * Promptly send suspicious emails, attachments and domain names for analysis to highly qualified experts, such as Kaspersky Lab ICS CERT experts.\n\nOn industrial information systems, whose composition and configuration cannot be changed quickly, the greatest effect can be achieved by using application startup control and device control technologies in whitelisting mode in combination with application behavior control technologies and protection against network attacks. We also recommend the following measures:\n\n * Install tools that provide passive monitoring of network activity on the industrial network, capable of detecting newly connected devices, suspicious network connections, and malware network communication. These tools will help to detect and monitor attempts by threat actors to penetrate the enterprise's network. Importantly, some of these tools are very easy to install and do not require the composition or configuration of the industrial control systems to be changed in any way.\n * Install tools that provide deep analysis of network traffic on the industrial network and detection of commands that can potentially disrupt the industrial process. Using this class of system is absolutely necessary for the detection and timely prevention of advanced attacks designed to physically damage an enterprise's systems and carried out by highly qualified external or internal threat actors. 
This type of technology can also be implemented passively, without any impact on the operation of industrial control systems.\n * Minimize the range and quantity of software products used in ICS segments.\n * Restrict the use of computers that are part of an ICS for purposes unrelated to the industrial processes. These measures can be implemented using application startup control tools included in endpoint security solutions.\n\nHigh-quality and properly configured security solutions help to protect an enterprise against the vast majority of chance infections and many targeted attacks, especially those carried out using tools that are not particularly sophisticated.", "modified": "2017-06-15T09:00:04", "published": "2017-06-15T09:00:04", "href": "https://securelist.com/nigerian-phishing-industrial-companies-under-attack/78565/", "id": "SECURELIST:FD260953F9A253DA440959CABD79EDE3", "title": "Nigerian phishing: Industrial companies under attack", "type": "securelist", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-10-31T05:33:27", "bulletinFamily": "blog", "description": "\n\nWe're already used to the fact that complex cyberattacks use [0-day](<https://securelist.com/threats/zero-day-exploit-glossary/?utm_source=securelist&utm_medium=blog>) vulnerabilities, bypassing digital signature checks, virtual file systems, non-standard encryption algorithms and other tricks. Sometimes, however, all of this may be done in much simpler ways, as was the case in the malicious campaign that we detected a while ago \u2013 we named it 'Microcin' after _microini,_ one of the malicious components used in it.\n\nWe detected a suspicious RTF file. 
The document contained an [exploit](<https://securelist.com/threats/exploit-glossary/?utm_source=securelist&utm_medium=blog>) to the previously known and patched vulnerability [CVE-2015-1641](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1641>); however, its code had been modified considerably. Remarkably, the malicious document was delivered via websites that targeted a very narrow audience, so we suspected early on that we were dealing with a targeted attack. The threat actors took aim at users visiting forums with discussions on the state-subsidized housing that Russian military personnel and their families are entitled to.\n\n[](<https://securelist.com/files/2017/09/170925-microcin.png>)\n\nA forum post with a link to the malicious document\n\nThis approach appears to be very effective, as it substantially increases the chance that a potential victim will download and open the malicious document: the hosting forum is legitimate, and the malicious document is named accordingly (\"Housing acceptance procedure\" in Russian).\n\nAll links in the forum messages lead to the URL address files[.]maintr**plus[.]com, where the RTF document with the exploit was hosted. The threat actors sometimes used PPT files containing an executable PE file which did not contain the exploit, as the [payload](<https://securelist.com/threats/payload-glossary/?utm_source=securelist&utm_medium=blog>) was launched by a script embedded into the PPT file.\n\nIf a Microsoft Office vulnerability is successfully exploited, the exploit creates an executable PE file on the hard drive and launches it for execution. The malicious program is a platform used to deploy extra (add-on) malicious modules, store them stealthily and thus add new capabilities for the threat actors. The attack unfolds in several stages, as described below:\n\n 1. 
The exploit is activated, and an appropriate (32-bit or 64-bit) version of the malicious program is installed on the victim computer, depending on the type of operating system installed on it. To do this installation, malicious code is injected into the system process 'explorer.exe' rather than into its memory. The malicious program has a modular structure: its main body is stored in the registry, while its add-on modules are downloaded following the instruction arriving from the C&C server. DLL hijacking (use of a modified system library) is used to ensure that the main module is launched each time the system is rebooted.\n 2. The main module of the malicious program receives an instruction to download and launch add-on modules, which opens new capabilities for the threat actors.\n 3. The malicious add-on modules provide opportunities to control the victim system, take screenshots of windows and intercept information entered from the keyboard. We have seen them in other cyber-espionage campaigns as well.\n 4. The threat actors use PowerSploit, a modified set of PowerShell scripts, and various utilities to steal files and passwords found on the victim computer.\n\nThe cybercriminals were primarily interested in .doc, .ppt, .xls, .docx, .pptx, .xlsx, .pdf, .txt and .rtf files on the victim computers. The harvested files were packed into a password-protected archive and sent to the threat actors' server.\n\nOverall, the tactics, techniques and procedures that the cybercriminals used in their attacks can hardly be considered complicated or expensive. However, there were a few things that caught our eye:\n\n * The payload (at least one of the modules) is delivered using [some simple steganography](<https://securelist.com/steganography-in-contemporary-cyberattacks/79276/>). Within traffic, it looks like a download of a regular JPEG image; however, the encrypted payload is loaded immediately after the image data. 
Microcin searches for a special 'ABCD' label in such a file; it is followed by a special structure, after which the payload comes, to be decrypted by Microcin. This way, new, platform-independent code and/or PE files can be delivered.\n * If the Microcin installer detects the processes of some anti-malware programs running in the system, then, during installation, it skips the step of injecting into 'explorer.exe', and the modified system library used for establishing the malicious program within the system is placed into the folder %WINDIR%; to do this, the system app 'wusa.exe' is used with the parameter \"/extract\" (on operating systems with UAC).\n\n## Conclusion\n\nNo fundamentally new technologies are used in this malicious campaign, be it 0-day vulnerabilities or innovations in invasion or camouflaging techniques. The threat actors' toolkit includes the following:\n\n * A watering hole attack with a Microsoft Office exploit;\n * Fileless storage of the main set of malicious functions (i.e., the shellcode) and the add-on modules;\n * Invasion into a system process without injecting code into its memory;\n * DLL hijacking applied to a system process as a means of ensuring automatic launch that does not leave any traces in the registry's autorun keys.\n\nThe attackers also make use of PowerShell scripts that are used extensively in penetration tests. We have seen backdoors being used in different targeted attacks, while PowerSploit is an open-source project. However, cybercriminals can use known technologies as well to achieve their goals.\n\nThe most interesting part of this malicious campaign, in our view, is the attack vectors used in it. 
The organizations that are likely to find themselves on the cybercriminals' target lists often do not pay any attention to these vectors.\n\nFirst, if your corporate infrastructure is well protected and therefore 'expensive' to attack (i.e., an attack may require expensive 0-day exploits and other complicated tools), then the attackers will most likely attempt to attack your rank-and-file employees. This step follows a simple logic: an employee's personal IT resources (such as his/her computer or mobile device) may become the 'door' leading into your corporate perimeter without the need to launch a direct attack. Therefore, it is important for organizations to inform their employees about the existing cyber threats and how they work.\n\nSecond, Microcin is just one out of a multitude of malicious campaigns that use tools and methods that are difficult to detect using standard or even corporate-class security solutions. Therefore, we recommend that large corporations and government agencies use comprehensive security solutions to protect against targeted attacks. These products are capable of detecting an ongoing attack even if it employs only a minimum of manifestly malicious tools, as the attackers instead seek to use legitimate tools for penetration testing, remote control and other tasks.\n\nThe implementation of a comprehensive security system can substantially reduce the risk of the organization falling victim to a targeted attack, even one that is still unknown at the time of the attack. 
There is no way around it; without proper protection, your secrets may be stolen, and information is often more valuable than the cost of its reliable protection.\n\nFor more details of this malicious attack, [please read Attachment](<https://securelist.com/files/2017/09/Microcin_Technical_4PDF_eng_final_s.pdf>) (PDF).", "modified": "2017-09-25T12:23:47", "published": "2017-09-25T12:23:47", "id": "SECURELIST:D5FF48D3F16D23612E466F29C9C5B63B", "href": "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/", "title": "A simple example of a complex cyberattack", "type": "securelist", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-04T06:18:09", "bulletinFamily": "exploit", "description": "Microsoft Word Local Machine Zone Remote Code Execution Vulnerability. CVE-2015-0097. Local exploit for windows platform", "modified": "2015-07-20T00:00:00", "published": "2015-07-20T00:00:00", "id": "EDB-ID:37657", "href": "https://www.exploit-db.com/exploits/37657/", "type": "exploitdb", "title": "Microsoft Word Local Machine Zone Remote Code Execution Vulnerability", "sourceData": "Exploit Title: Microsoft Word Local Machine Zone Remote Code Execution Vulnerability\r\nDate: July 15th, 2015\r\nExploit Author: Eduardo Braun Prado\r\nVendor Homepage : http://www.microsoft.com\r\nVersion: 2007\r\nTested on: Microsoft Windows XP, 2003, Vista, 2008, 7, 8, 8.1\r\nCVE: \tCVE-2015-0097\r\n\r\nOriginal Advisory: https://technet.microsoft.com/library/security/ms15-022\r\n\r\nMicrosoft Word, Excel and Powerpoint 2007 contains a remote code execution vulnerability because it is possible \r\nto reference documents such as Works document (.wps) as HTML. It will process HTML and script code in the context \r\nof the local machine zone of Internet Explorer which leads to arbitrary code execution. \r\nBy persuading users into opening eg. 
specially crafted .WPS, \".doc \", \".RTF \" (with a space at the end) \r\nit is possible to trigger the vulnerability and run arbitrary code in the context of the logged on Windows user.\r\n\r\nExploit code here :\r\n\r\nhttps://onedrive.live.com/embed?cid=412A36B6D0A9436A&resid=412A36B6D0A9436A%21156&authkey=AA_JVoZcoM5kvOc\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37657.zip", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/37657/"}], "zdt": [{"lastseen": "2018-02-20T05:28:04", "bulletinFamily": "exploit", "description": "Microsoft Word, Excel, and Powerpoint 2007 contain a remote code execution vulnerability because it is possible to reference documents such as Works document (.wps) as HTML. It will process HTML and script code in the context of the local machine zone of Internet Explorer which leads to arbitrary code execution. By persuading users into opening eg. 
specially crafted .WPS, \".doc \", \".RTF \" (with a space at the end) it is possible to trigger the vulnerability and run arbitrary code in the context of the logged on Windows user.", "modified": "2015-07-21T00:00:00", "published": "2015-07-21T00:00:00", "id": "1337DAY-ID-23902", "href": "https://0day.today/exploit/description/23902", "type": "zdt", "title": "Microsoft Word Local Machine Zone Remote Code Execution Vulnerability", "sourceData": "Exploit Title: Microsoft Word Local Machine Zone Remote Code Execution Vulnerability\r\nDate: July 15th, 2015\r\nExploit Author: Eduardo Braun Prado\r\nVendor Homepage : http://www.microsoft.com\r\nVersion: 2007\r\nTested on: Microsoft Windows XP, 2003, Vista, 2008, 7, 8, 8.1\r\nCVE: CVE-2015-0097\r\n \r\nOriginal Advisory: https://technet.microsoft.com/library/security/ms15-022\r\n \r\nMicrosoft Word, Excel and Powerpoint 2007 contains a remote code execution vulnerability because it is possible \r\nto reference documents such as Works document (.wps) as HTML. It will process HTML and script code in the context \r\nof the local machine zone of Internet Explorer which leads to arbitrary code execution. \r\nBy persuading users into opening eg. 
specially crafted .WPS, \".doc \", \".RTF \" (with a space at the end) \r\nit is possible to trigger the vulnerability and run arbitrary code in the context of the logged on Windows user.\r\n \r\nExploit code here :\r\n \r\nhttps://onedrive.live.com/embed?cid=412A36B6D0A9436A&resid=412A36B6D0A9436A%21156&authkey=AA_JVoZcoM5kvOc\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37657.zip\n\n# 0day.today [2018-02-20] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/23902"}], "carbonblack": [{"lastseen": "2018-01-27T15:59:21", "bulletinFamily": "blog", "description": "The Pylot (or Travle) malware family appears to be an evolution of the NetTraveler malware family (which has been [linked](<https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests>) to attackers out of China by numerous sources). Over the last year a variant has been observed as a secondary payload, often used in conjunction with malicious carrier files (typically MS Office or Rich Text Format (RTF) documents).\n\nThe Pylot malware has been observed being installed via shellcode from known CVEs in Office products as well as by malware loaders (or first-stage malware variants, specifically the CMStar malware family). In late 2017 samples of the Pylot family were submitted, by customers, to the Carbon Black Threat Analysis Unit (TAU) as part of an ongoing investigation. Analysis details were provided to the submitting organizations and detection capabilities were provided in the [Carbon Black User Exchange](<https://community.carbonblack.com/docs/DOC-11666>).\n\nAfter external request, Carbon Black is making the analysis (and associated signatures and scripts) available in this blog to assist any researchers or practitioners that may be investigating this malware family. 
\n\n## **Technical Analysis**\n\nThe following table lists the metadata for the files that were analyzed for the first scenario.\n\n**RTF Carrier File** | \n---|--- \nSHA256 | 79dc836e7557d8fa39a7a56ff69d98a78ff6494ce49720baee0864bee00f17b3 \nRevision time | 11/20/15 1:45 \nAuthor | HCL \nNumber of pages | 1 \nCreation time | 11/20/15 1:45 \nNumber of words | 2 \nVersion | 1 \nOperator | HCL \n \n**Pylot Sample 1** | \n---|--- \nFile Name | Pylot_sample.dll \nFile Size | 208,154 bytes \nMD5 | f456d82e4815ce381d6d1bf23322aca6 \nSHA1 | 2535558d28b5431e41fd8e1eb88dbc099d74a7c5 \nSHA256 | 8c310b5db866c695627d8903c59082a6f7f6eaf49970bcfc3b786b57dbe543b6 \nFuzzy | 3072:zPNKts9RnF3Xo+T/pJbiFLxfZubTHPKorZShP/UB+zvkpdISZQM4ED:x9RlXo+LPmLQbTHPpZSlUBy+IM4ED \nCompiled Time | Wed Jan 27 13:18:46 2016 UTC \nOriginal DLL | pilot.dll \nDLL Exports (1) | Ordinal 1: MSOHost \nMagic | PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit \n \n**PE Sections (5)** | **Size** | **MD5** \n---|---|--- \n.text | 147,968 | 5b3872364e2efbb4e83966ea9c2f48b9 \n.rdata | 35,840 | c17dec1fc11e3134c03a993f3509699a \n.data | 4,608 | 100820dd666d8eeca7c7ff43ab9552b8 \n.rsrc | 5,120 | 8c96d665232c7e447ac6131b479a0af6 \n.reloc | 20,992 | 439f3ea4d036d3aab2d23e675dcd8e13 \n\\+ 0x34a00 | 0 | d41d8cd98f00b204e9800998ecf8427e (None) \n \n**_Table 1: File Metadata_**\n\n## **Carrier File Scenario 1**\n\nThe RTF document that is listed in the table above attempts to exploit an older CVE ([cve-2014-1761](<https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1761>)) to ultimately execute shellcode. The image below is a screenshot of the RTF document. The area highlighted in red is the list override exploit that is referenced in the CVE link above. The data highlighted in yellow is the shellcode and encoded payload. 
Even though the shellcode is obfuscated, there are still some strings present that are used by the shellcode to create and entrench the file on an infected system (highlighted in green).\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2018/01/Figure_1-1.png>)_**Figure 1: RTF visualization**_\n\n## **Shellcode**\n\nThe shellcode, as it is written in the RTF file, is obfuscated to lessen the likelihood of detection and make analysis more difficult. The shellcode will perform a couple of basic commands to clear registers that will be utilized, and a portion of its data (0x325 bytes) is XORed with the value 0x9E (highlighted in red in the image below). Once this is complete it will continue with the execution flow.\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2018/01/Figure_2-1.png>)_**Figure 2: Decoding Routine**_\n\nThe shellcode is a straightforward loader which will ultimately decode the payload and write the file to disk. The shellcode will also entrench the malicious payload in a typical location used by malware for entrenchment (Software\\Microsoft\\Windows\\CurrentVersion\\Run), before using rundll32.exe to initially execute the binary.\n\nThe shellcode uses a name hashing function (a common technique in shellcode), where the code will first locate the process environment block (PEB) from the thread information block (TIB), which is highlighted in red below. This is used to walk the doubly-linked list of loaded modules. The shellcode will then take each entry and normalize the module name by making all of its characters uppercase (highlighted in green). For each character, the running hash is rotated right by 13 bits and the character is added to it; the result is then compared to a hard-coded value for Kernel32.dll (highlighted in blue). 
Once the target module is located in memory, its functions can be called with the appropriate arguments.\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2018/01/Figure_3-1.png>)_**Figure 3: Name hashing function**_\n\nThe snippet of Python code below can be run over a list of common module names to determine which names produce the hard-coded hash values used by this variant.\n\n```python\ndef ror(val, r_bits, max_bits):\n    # rotate val right by r_bits within a max_bits-wide register\n    out = ((val & (2**max_bits-1)) >> r_bits % max_bits) | (val << (max_bits-(r_bits % max_bits)) & (2**max_bits-1))\n    return out\n\ndef hash_string(proc_name):\n    name_hash = 0\n    for x in proc_name:\n        x = ord(x)\n        if x >= 97: #0x61\n            x = x - 32 #normalize to uppercase\n        back = ror(name_hash, 13, 32) #ROR 0x0D\n        name_hash = back + x & 0xFFFFFFFF # add the current char to the rotated hash\n    return name_hash\n```\n\n**_Table 2: Python implementation of name hashing algorithm_**\n\nIn this sample the malicious payload is written to disk as comctl32.dll, and the shellcode uses rundll32.exe to execute the payload by calling the MSOHost export. The malware then runs and communicates with a hard-coded C2 contained in the configuration block that is characteristic of the Pylot family. A Python script was written to parse a Pylot variant executable and extract the relevant configuration information; the script is attached to this post. An example of its output is shown in the table below. The [previous analysis](<https://securelist.com/travle-aka-pylot-backdoor-hits-russian-speaking-targets/83455/>) by Kaspersky Labs detailed the overall functionality of the Pylot family.\n\n[!] 
Resource Located\n\nName: RAW_DATA\n\n[+]Decoding Configuration\u2026\n\nPrimary C2 : young.aviodyoung.com\n\nSecondary C2 : Not Used\n\nURL Path 1 : /vgs/wksur.py\n\nURL Path 2 : Not Used\n\nC2 Port 1 : Not Used\n\nC2 Port 2 : 80\n\nCampaign ID : xcvwerx\n\nSample ID : qTyx0736R\n\nPrimary RC4 key : MTzXBLRfWOpcjsKZGUbS\n\nSecondary RC4 key : MTzXBLRfWOpcjsKZGUbS\n\nBeacon Timer : 60000 milliseconds\n\n_**Table 3: Pylot configuration output**_\n\n## Carrier File Scenario 2\n\nThe following table lists the metadata for the initial carrier file that was analyzed in the second scenario.\n\n**RTF Carrier File**\n\n| Field | Value |\n|---|---|\n| SHA256 | 6d1f5bc52de8458ba1b5ddf1e6957b3ab5e7e8a796356b46588d1c7be458a786 |\n| Revision time | 2016-11-08 08:47:00 |\n| Author | Shaimenova |\n| Company | parliament |\n| Number of pages | 9 |\n| Creation time | 2016-11-08 08:47:00 |\n| Number of words | 1586 |\n| Version | 2 |\n| Operator | AutoBVT |\n\n**CMStar Sample 1 Loader**\n\n| Field | Value |\n|---|---|\n| File Name | CMStar_sample.exe |\n| File Size | 77,824 bytes |\n| MD5 | 7ce99c26ee05efb81c3a123152ccce5e |\n| SHA1 | 3be63458fe1298b0ebf36e019a895519fd96fb22 |\n| SHA256 | 928efa7e1007633330630bbd7e37ee4843060215c2c825169f12c048099c3f6d |\n| Fuzzy | 1536:nPLpKSgx0fEYLwOAXhENg7Ofp15yUxBix1Y:PLE0fEYL/KVaryNY |\n| Compiled Time | Thu Oct 20 07:00:38 2016 UTC |\n| Magic | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |\n\nPE Sections (4):\n\n| Name | Size | MD5 |\n|---|---|---|\n| .text | 12,288 | b0001edc7a3ebc2cb52944a7aa61293d |\n| .rdata | 4,096 | a1ffda038f8171993651bed5f7547b96 |\n| .data | 4,096 | 3eae055efca4b7f380118d3320dcde5f |\n| .rsrc | 53,248 | 880b916c741d16b6f46f58c1107cca7d |\n\n_**Table 4: RTF and CMStar metadata**_\n\nThe carrier file for this scenario is also an RTF document and attempts to exploit [cve-2015-1641](<https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1641>). 
If successfully exploited, the shellcode decodes a malicious payload (which is encoded using the same method as in the first scenario). This executable is then written to disk and is a CMStar variant loader (listed in the table above). The loader extracts a resource named 12358, decodes it (XOR 0x30), and writes it to disk. The loader then executes rundll32.exe, calling the MSOProtect export of the CMStar variant. The metadata for the CMStar payload is listed in the table below.\n\n**CMStar Sample 1 Payload**\n\n| Field | Value |\n|---|---|\n| File Name | Resource_decoded.dll |\n| File Size | 50,688 bytes |\n| MD5 | cc018500132a811e1f7d4d54763f6ab1 |\n| SHA1 | dd048ab61a8591ce4d14e9bc5a7b34e6996501f0 |\n| SHA256 | fab38d1c785cf81cbef1a424e812ef7a26598f86cd19a389efe327db0e747201 |\n| Fuzzy | 768:5WPPGyX/nibX/44zMLiuTXVR4Gcfd25hH1fzQMo6llRc:nyXPiL9uTXVR2d25XFl |\n| Compiled Time | Wed Oct 12 12:45:10 2016 UTC |\n| Original DLL | UpdateService.tmp |\n| DLL Exports (1) | Ordinal 1: MSOProtect |\n| Magic | PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit |\n\nPE Sections (4):\n\n| Name | Size | MD5 |\n|---|---|---|\n| .text | 29,184 | 5a823113d6e3589d38f093615598217b |\n| .rdata | 4,096 | 028c81fb15600d1cdf89637bc899eaa3 |\n| .data | 12,288 | 8c92626431fbf58dd4357f8e18124c72 |\n| .reloc | 4,096 | a22b36f23cde94d421b40566d6cf36e1 |\n\n_**Table 5: CMStar payload metadata**_\n\nThe CMStar malware decodes some basic configuration information needed to communicate with the C2. The decoding function copies hard-coded strings into memory and then, for each character of the encoded string, subtracts a hard-coded value and a counter value that is incremented for each character.\n\nThe snippet of Python code below can be used to decode the CMStar configuration strings. 
In the example below the \"encoded_string\" variable is a list containing the values of one of the encoded strings (r\u007f\u20ac}H>?BBKBKGEIQSIMTT), which when decoded is the primary C2.\n\n```python\nencoded_string = [0x72,0x7F,0x80,0x7D,0x48,0x3E,0x3F,0x42,0x42,0x4B,0x42,0x4B,0x47,0x45,0x49,0x51,0x53,0x49,0x4D,0x54,0x54]\n# decodes to http://108.61.189[.]176\ni = 0\nout = \"\"\nfor x in encoded_string:\n    out = out + chr(x - i - 10)  # subtract the hard-coded value (10) and the per-character counter\n    i = i + 1\nprint(out)\n```\n\n_**Table 6: CMStar Configuration script**_\n\nOnce the strings are decoded, the CMStar malware beacons to http://108.61.189[.]176 and requests the file a554L8iVaSIDKYO.dat (a hard-coded name). This file is an obfuscated Pylot variant. The image below is an overview of the a554L8iVaSIDKYO.dat file contents as they appear when downloaded.\n\nThe dword highlighted in red is a header marker. The next three dword values are all stored as little endian and are used in decoding the payload data, which is highlighted in purple.\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2018/01/Figure_4.png>)_**Figure 4: Encoded Pylot overview**_\n\nThe obfuscated file is bloated compared to the actual size of the embedded payload, because the encoding uses a whole dword to store 1 byte of actual data. To decode the data, a dword value is read into memory from the data section (highlighted in purple); the first such dword, 0x33, is 51 decimal. The second header dword (highlighted in green) is used as the starting seed value (0x01 is 1 decimal). The third dword (highlighted in blue) is the number of rounds of the modification loop (0x03EB is 1003 decimal). The fourth dword (highlighted in yellow) is used as the modulo value in the modification loop (0x5BD is 1469 decimal). 
The following Python snippet replicates the decoding function for the first byte of data.\n\n```python\nstart = 51    # dword value read from the data area (0x33)\noutput = 1    # dword seed value (0x01)\nfor x in range(1003):    # dword round count (0x03EB)\n    output = (output * start) % 1469    # dword modulo value (0x5BD)\nprint(chr(output))\n# This results in \"M\", the first character of an MZ header\n```\n\n**_Table 7: Python implementation of decoding function_**\n\nThe table below lists the metadata for the fully decoded Pylot payload. The CMStar malware then executes rundll32.exe, calling the MSOProtect export to run the Pylot sample.\n\n**Pylot Sample 2**\n\n| Field | Value |\n|---|---|\n| File Name | Pylot_sample_2.dll |\n| File Size | 180,736 bytes |\n| MD5 | d5c679df69751936d0fa380f2e4bf017 |\n| SHA1 | 2488d05f619124ef56a802407745579a02d0d36e |\n| SHA256 | c20742df2580795ef8578b38730066c4c50c833f4a83dd4f6dcf9fc327c1904a |\n| Fuzzy | 3072:F0KN9+4oQQh/gspsXTrzh+lYHUUd5U5+:f9+4oRHEJk95+ |\n| Compiled Time | Mon Nov 07 03:10:36 2016 UTC |\n| Original DLL | pilot.dll |\n| DLL Exports (1) | Ordinal 1: MSOProtect |\n| Magic | PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit |\n\nPE Sections (5):\n\n| Name | Size | MD5 |\n|---|---|---|\n| .text | 124,416 | ed3027599e9cffb50c4dcbdc01582fc1 |\n| .rdata | 33,792 | a1d51a7f4cddb3189168f0b3b09047fd |\n| .data | 4,608 | 36ed52fc43b3ae5cb504a8976c8e5d02 |\n| .rsrc | 5,120 | ab29ae998157877652d20952075c1bd2 |\n| .reloc | 11,776 | 05e1f820b39bbe58d609e0b2a3f78905 |\n\n_**Table 7: Pylot metadata**_\n\nThe configuration information for the above Pylot sample is listed in the table below.\n\n**Pylot Sample 2 Configuration Data**\n\n[!] 
Resource Located\n\nName: RAW_DATA\n\n[+]Decoding Configuration\u2026\n\nPrimary C2 : pgbkrrq3434.com\n\nSecondary C2 : Not Used\n\nURL Path 1 : /iow/qlmbn.py\n\nURL Path 2 : Not Used\n\nC2 Port 1 : Not Used\n\nC2 Port 2 : 80\n\nCampaign ID : uuqigas\n\nSample ID : fGAka0109\n\nPrimary RC4 key : BBidRotnqQpHfpRTi8cR\n\nSecondary RC4 key : BBidRotnqQpHfpRTi8cR\n\nBeacon Timer : 60000 milliseconds\n\n_**Table 8: Pylot sample 2 configuration**_\n\n# IOCs\n\n## **Yara Signature**\n\n```yara\nrule pylot_payload_2017_Q4 : TAU pylot\n{\n    meta:\n        author = \"CarbonBlack TAU\" //JMyers\n        date = \"2017-Nov-7\"\n        description = \"Designed to catch pylot payload\"\n        rule_version = 1\n        yara_version = \"3.6.0\"\n        TLP = \"Green\"\n        exemplar_hashes = \"c20742df2580795ef8578b38730066c4c50c833f4a83dd4f6dcf9fc327c1904a, 8c310b5db866c695627d8903c59082a6f7f6eaf49970bcfc3b786b57dbe543b6\"\n    strings:\n        $s1 = \"FindResource\"\n        $s2 = \"LoadResource\"\n        $s3 = \"RAW_DATA\" wide\n        $s4 = \"KB178495.DAT\" wide\n        $s5 = \"KB887209\" wide\n        $s6 = \"KB287640\" wide\n        $s7 = \".decompress\" wide\n    condition:\n        all of them\n}\n```\n\nThe post [Threat Analysis: Pylot (Travle) Malware Family](<https://www.carbonblack.com/2018/01/26/threat-analysis-pylot-travle-malware-family/>) appeared first on [Carbon Black](<https://www.carbonblack.com>).", "modified": "2018-01-26T17:46:11", "published": "2018-01-26T17:46:11", "href": "https://www.carbonblack.com/2018/01/26/threat-analysis-pylot-travle-malware-family/", "id": "CARBONBLACK:B16171F3AA4A3A162027FA8750C9D202", "type": "carbonblack", "title": "Threat Analysis: Pylot (Travle) Malware Family", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "myhack58": [{"lastseen": "2016-12-03T17:44:02", "bulletinFamily": "info", "description": "The vulnerability shared in this issue is a summary of my study of CVE-2015-1641. Thanks to its good versatility and stability, this vulnerability is said to have replaced CVE-2012-0158 as the popular choice. It is a type confusion vulnerability that allows data to be written to an arbitrary memory address; combined with the characteristics of the vulnerability and some typical exploitation techniques, this can be turned into arbitrary code execution. 
\nThe vulnerability principle\nCommon samples for this vulnerability are RTF documents. This is related to the exploitation method described below: RTF makes it convenient to assemble the exploit from components, although this is not absolute. The root cause of the vulnerability, however, is independent of the RTF format and lies in the implementation of the Office Open XML document format. The common Word document with the .docx extension is actually a zip package of the document's internal resources organized as Open XML. An RTF sample for this vulnerability generally contains three docx-format components: two are used to trigger the vulnerability and the third serves as the exploit component, although again this is not absolute. \n![](/Article/UploadPic/2016-12/2016123171529970.png?www.myhack58.com!web) \nThe three zip packages above were extracted from the RTF sample. A simple way to extract them: Word has an Insert Object function that can embed another Word document. This sample embedded three docx documents and then saved the main document in RTF format, so each of the three embedded docx objects appears in the main file as a block of hexadecimal data, i.e. the three files hex-encoded. They can therefore be pulled out of the main file with a regular expression in an editor such as Notepad++, for example \u201c\\\\\\objdata [0-9a-f\\r\\n]+\u201d, and then saved as three docx/zip files with a hex editor such as 010 Editor. 
After that we can begin analyzing the principle of the vulnerability. First, remove the zip suffix from the second target file and open it with Office; the Word process crashes immediately. In the debugger, the crash point is an assignment statement in which ecx holds a stable memory address pointing into msvcr71.dll, a module the exploit uses to bypass ASLR: \n![](/Article/UploadPic/2016-12/2016123171529671.png?www.myhack58.com!web) \nFrom the file's point of view, adding the zip suffix and decompressing it gives the following: \n![](/Article/UploadPic/2016-12/2016123171529361.png?www.myhack58.com!web) \nHere, document.xml under the word directory is the primary document that organizes the document's resources; the document's text content is usually also inside it. In this file we can find the main content that triggers the vulnerability: \n![](/Article/UploadPic/2016-12/2016123171530503.png?www.myhack58.com!web) \nAs can be seen, the ecx value at the crash point in the debugger comes directly from the Unicode-encoded attribute value of the smartTag element, and provided the msvcr71 module has already been loaded, a memory copy follows: the destination address is computed from ecx, and the data copied is 0xffffe696, which is the id value 4294960790 of the moveFromRange* sub-element: \n![](/Article/UploadPic/2016-12/2016123171530111.png?www.myhack58.com!web) \nThus, by controlling two values in the file's content, an arbitrary memory address write can be achieved quite simply. Of course, what we are more interested in is the principle behind this construction. 
This content is a set of nested Open XML tags: the outermost is the smartTag element and the innermost is the moveFromRange* element. Consulting the MSDN documentation for each of them gives a detailed understanding of these tags; note in particular the description of the displaceByCustomXml attribute of moveFromRange*: \n![](/Article/UploadPic/2016-12/2016123171530291.png?www.myhack58.com!web) \nAs the figure shows, this attribute specifies that the element is displaced by a custom XML element; in other words, this attribute of moveFromRange* indicates that the parent customXml object is the one to be replaced. However, there is no customXml tag in the sample content. Looking more carefully at the descriptions of the customXml and smartTag tags, the two elements are not only functionally similar but, more interestingly, their internal attribute structures are also consistent: \n![](/Article/UploadPic/2016-12/2016123171530419.png?www.myhack58.com!web) \nYou can think of them as twin tags stamped from the same template and then assigned different jobs by Microsoft, so that sometimes even Microsoft cannot tell which is which. That is exactly the type confusion vulnerability: the crash position seen in the debugger above is where Word, while parsing the moveFromRange* tag, prepares to transfer its internal id into the \u201cspace\u201d of the parent smartTag (/customXml) object. 
Tracing this process backwards and comparing the two cases: in the normal case, where the parent tag is customXml, the transfer first performs a memory allocation and then copies the id into the newly allocated memory; in the confused case, because the two objects are fundamentally different, the id value is copied directly into existing internal space of the smartTag object. The figure below contrasts the traced code sequences of the two cases: \n![](/Article/UploadPic/2016-12/2016123171530657.png?www.myhack58.com!web) \nBecause the attribute members of the two tags are similar, type confusion can occur: the syntax passes the internal checks, but during actual parsing the object's internals are not strictly checked. The confused smartTag object is therefore treated, when moveFromRange* is parsed, as if the memory space needed for the replacement already exists, and the copy is carried out directly at the wrong location, producing this exploitable security vulnerability. \nConstructing a POC that triggers the vulnerability \nBased on the above principle, the vulnerability occurs when Word parses a customXml tag that contains a replacement marker: the moveFromRange* tag originally transfers its id to the parent customXml object, but because customXml and its sibling tag smartTag are similar, replacing the customXml tag with smartTag causes a type confusion that results in a memory copy vulnerability. 
The following describes how to construct POC samples that trigger this vulnerability. First, one thing must be clear: to write to an arbitrary memory address we need to control two variables, the element attribute value of the confused smartTag tag and the id value of the moveFromRange* tag; they control the memory address to be overwritten and the data written to it, respectively. Tracing backwards from the crash function mentioned above: \n", "modified": "2016-12-03T00:00:00", "published": "2016-12-03T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2016/81759.htm", "id": "MYHACK58:62201681759", "type": "myhack58", "title": "Hand to hand teach you how to construct the office exploits EXP\uff08fourth period\uff09-bug warning-the black bar safety net", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "fireeye": [{"lastseen": "2017-03-07T16:24:18", "bulletinFamily": "info", "description": "#### **History**\n\nRich Text Format (RTF) is a document format developed by Microsoft that has been widely used on various platforms for more than 29 years. The RTF format is very flexible and therefore complicated. This makes the development of a safe RTF parser challenging. Some notorious vulnerabilities such as [CVE-2010-3333](<http://www.microsoft.com/technet/security/Bulletin/MS10-087.mspx>) and [CVE-2014-1761](<https://blogs.mcafee.com/mcafee-labs/close-look-rtf-zero-day-attack-cve-2014-1761-shows-sophistication-attackers/>) were caused by errors in implementing RTF parsing logic.\n\nIn fact, RTF malware is not limited to exploiting RTF parsing vulnerabilities. Malicious RTF files can include other vulnerabilities unrelated to the RTF parser because RTF supports the embedding of objects, such as OLE objects and images. 
[CVE-2012-0158](<https://technet.microsoft.com/en-us/library/security/ms12-027.aspx>) and [CVE-2015-1641](<https://blog.fortinet.com/post/the-curious-case-of-the-document-exploiting-an-unknown-vulnerability-part-1>) are two typical examples of such vulnerabilities \u2013 their root cause does not reside in the RTF parser and attackers can exploit these vulnerabilities through other file formats such as DOC and DOCX.\n\nAnother type of RTF malware does not use any vulnerabilities. It simply contains embedded malicious executable files and tricks the user into launching those malicious files. This allows attackers to distribute malware via email, which is generally not a vector for sending executable files directly.\n\nPlenty of malware authors prefer to use RTF as an attack vector because RTF is an obfuscation-friendly format. As such, their malware can easily evade static signature based detection such as YARA or Snort. This is a big reason why, in this scriptable exploit era, we still see such large volumes of RTF-based attacks.\n\nIn this blog, we present some common evasive tricks used by malicious RTFs. \n\n#### **Common obfuscations**\n\nLet\u2019s discuss a couple different RTF obfuscation strategies.\n\n**1\\. CVE-2010-3333**\n\nThis vulnerability, reported by Team509 in 2009, is a typical stack overflow bug. Exploitation of this vulnerability is so easy and reliable that it is still used in the wild, seven years after its discovery! Recently, attackers exploiting this vulnerability [targeted an Ambassador of India](<http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/>).\n\nThe root cause of this vulnerability was that the Microsoft RTF parser has a stack-based buffer overflow in the procedure parsing the pFragments shape property. Crafting a malicious RTF to exploit this vulnerability allows attackers to execute arbitrary code. 
Microsoft has since addressed the vulnerability, but many old versions of Microsoft Office were affected, so its threat rate was very high.\n\nThe Microsoft Office RTF parser lacks proper bounds checking when copying source data to a limited stack-based buffer. The pattern of this exploit can be simplified as follows:\n\n```\n{\\rtf1{\\shp{\\sp{\\sn pFragments}{\\sv A;B;[word1][word2][word3][hex value array]}}}}\n```\n\nBecause pFragments is rarely seen in normal RTF files, many firms would simply detect this keyword and the oversized number right after \\sv in order to catch the exploit using YARA or Snort rules. This method works for samples that are not obfuscated, including samples generated by Metasploit. However, against in-the-wild samples, such signature-based detection is insufficient. For instance, [the malicious RTF targeting the Ambassador of India](<http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/>) is a good sample to illustrate the downside of signature-based detection. Figure 1 shows this RTF document in a hex editor. We simplified Figure 1 because of space limitations \u2013 there were plenty of dummy symbols such as { } in the initial sample.\n\nFigure 1. Obfuscated sample of CVE-2010-3333\n\nAs we can see, the pFragments keyword has been split into many pieces that would bypass most signature-based detection. For instance, most anti-virus products failed to detect this sample on first submission to VirusTotal. In fact, not only will the split pieces of \\sn be combined together, pieces of \\sv will be combined as well. 
The following example demonstrates this obfuscation:\n\n| Form | RTF |\n|---|---|\n| Obfuscated | {\\rtf1{\\shp{\\sp{\\sn2 pF}{\\sn44 ragments}{\\sv 1;28}{\\sv ;fffffffffffff\u2026.}}}} |\n| Clear | {\\rtf1{\\shp{\\sp{\\sn pFragments}{\\sv 1;28 ;fffffffffffff\u2026.}}}} |\n\nWe can come up with a variety of ideas different from the aforementioned sample to defeat static signature-based detection.\n\nNotice the mixed \u2018\\x0D\u2019 and \u2018\\x0A\u2019 \u2013 they are \u2018\\r\u2019 and \u2018\\n\u2019 and the RTF parser would simply ignore them.\n\n**2\\. Embedded objects**\n\nUsers can embed a variety of objects into RTF, such as OLE (Object Linking and Embedding) control objects. This makes it possible for OLE-related vulnerabilities such as CVE-2012-0158 and CVE-2015-1641 to be accommodated in RTF files. In addition to exploits, it is not uncommon to see executable files such as PE, CPL, VBS and JS embedded in RTF files. These files require some form of social engineering to trick users into launching the embedded objects. We have even seen some Data Loss Prevention (DLP) solutions embedding PE files inside RTF documents. It\u2019s a bad practice because it cultivates poor habits in users.\n\nLet\u2019s take a glance at [the embedded object syntax first](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>):\n\n<objtype> specifies the type of object. \\objocx is the most common type used in malicious RTFs for embedding OLE control objects; as such, let\u2019s take it as an example. The data right after \\objdata is OLE1 native data, [defined as](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>):\n\n| Element | Definition |\n|---|---|\n| <data> | (\\binN #BDATA) \\| #SDATA |\n| #BDATA | Binary data |\n| #SDATA | Hexadecimal data |\n\nAttackers would try to insert various elements into the <data> to evade static signature detection. Let\u2019s take a look at some examples to understand these tricks:\n\na. 
For example, \\binN can be swapped with #SDATA. The data right after \\binN is raw binary data. In the following example, the numbers 123 will be treated as binary data and hence translated into the hex values 313233 in memory.\n\n| Form | RTF |\n|---|---|\n| Obfuscated | {\\object\\objocx\\objdata \\bin3 123} |\n| Clear | {\\object\\objocx\\objdata 313233} |\n\nLet\u2019s look at another example:\n\n| Form | RTF |\n|---|---|\n| Obfuscated | {\\object\\objocx\\objdata \\bin41541544011100001100000000000000000000000000000000000000000003 123} |\n| Clear | {\\object\\objocx\\objdata 313233} |\n\nIf we try to call atoi or atol with the numeric parameter string of \\bin in the second obfuscated example above, we will get 0x7fffffff while its true value should be 3.\n\nThis happens because [\\bin takes a 32-bit signed integer numeric parameter](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>). You would think that the RTF parser calls atoi or atol to convert the numeric string to an integer; however, that\u2019s not the case. Microsoft Word\u2019s RTF parser does not use these standard C runtime functions. Instead, the atoi function in Microsoft Word\u2019s RTF parser is implemented as follows:\n\nb. \\ucN and \\uN \nBoth of them are ignored, and the characters right after \\uN would not be skipped.\n\nc. The space characters: 0x0D (\\n), 0x0A (\\r), 0x09 (\\t) are ignored.\n\nd. Escaped characters \nRTF has some special symbols that are reserved. For normal use, users will need to escape these symbols. Here's an incomplete list:\n\n\\\\} \n\\\\{ \n\\% \n\\\\+ \n\\\\- \n\\\\\\ \n\\'hh\n\nAll of those escaped characters are ignored, but there\u2019s an interesting situation with \\'hh. 
Let\u2019s look into an example first:\n\n| Form | RTF |\n|---|---|\n| Obfuscated | {\\object\\objocx\\objdata 341\\'112345 } |\n| Clear | {\\object\\objocx\\objdata 342345} |\n\nWhen parsing \\'11, the parser will treat the 11 as an encoded hex byte. This hex byte is then discarded before it continues parsing the rest of objdata. The 1 preceding \\'11 has also been discarded: once the RTF parser has parsed the 1 right before \\'11, which is the higher 4 bits of an octet, and then immediately encounters \\'11, those higher 4 bits are discarded. That\u2019s because the internal state for decoding the hex string to binary bytes has been reset.\n\nThe table below shows the processing procedure; the two 1s in the yellow rows are from \\'11. It\u2019s clear that the mixed-in \\'11 disorders the state variable, which causes the higher 4 bits of the second byte to be discarded:\n\ne. Oversized control word and numeric parameter \nThe [RTF specification](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>) says that a control word\u2019s name cannot be longer than 32 letters and the numeric parameter associated with the control word must be a signed 16-bit integer or signed 32-bit integer, but the RTF parser of Microsoft Office doesn\u2019t strictly obey the specification. Its implementation only reserves a buffer of size 0xFF for storing the control word string and the numeric parameter string, both of which are null-terminated. All characters after the maximum buffer length (0xFF) will not remain as part of the control word or parameter string. Instead, the control word or parameter will be terminated.\n\nIn the first obfuscated example, the length of the over-sized control word is 0xFE. 
By adding a null-terminator, the control word string will reach the maximum length of 0xFF, then the remaining data belongs to objdata.\n\nFor the second obfuscated example, the total length of the \u201cbin\u201d control word and its parameter is 0xFD. By adding their null-terminator, the length equals 0xFF.\n\nf. Additional techniques\n\nThe program uses the last \\objdata control word in a list, as shown here:\n\n| Form | RTF |\n|---|---|\n| Obfuscated | {\\object\\objocx\\objdata 554564{\\\\*\\objdata 4444}54545} |\n| Obfuscated | {\\object\\objocx\\objdata 554445\\objdata 444454545} |\n| Obfuscated | {\\object\\objocx{{\\objdata 554445}{\\objdata 444454545}}} |\n| Clear | {\\object\\objocx\\objdata 444454545} |\n\nAs we can see here, except for \\binN, other control words are ignored:\n\n| Form | RTF |\n|---|---|\n| Obfuscated | {\\object\\objocx\\objdata 44444444{\\par2211 5555}6666} |\n| Obfuscated | {\\object\\objocx\\objdata 44444444{\\datastore2211 5555}6666} |\n| Obfuscated | {\\object\\objocx\\objdata 44444444\\datastore2211 55556666} |\n| Obfuscated | {\\object\\objocx\\objdata 44444444{\\unknown2211 5555}6666} |\n| Obfuscated | {\\object\\objocx\\objdata 44444444\\unknown2211 55556666} |\n| Clear | {\\object\\objocx\\objdata 4444444455556666} |\n\nThere is another special case that makes the situation a bit more complicated. That is the control symbol \\\\*. From the RTF specification, we can get the description for [this control symbol:](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>)\n\n_Destinations added after the 1987 RTF Specification may be preceded by the control symbol **\\\\*** (backslash asterisk). This control symbol identifies destinations whose related text should be ignored if the RTF reader does not recognize the destination control word._\n\nLet\u2019s take a look at how it can be used in obfuscations:\n\n1\\. 
\n\n| Form | RTF |\n|---|---|\n| Obfuscated | {\\object\\objocx\\objdata 44444444{\\\\*\\par314 5555}6666} |\n| Clear | {\\object\\objocx\\objdata 4444444455556666} |\n\n\\par is a known control word that does not accept any data. The RTF parser will skip the control word and only the data that follows remains.\n\n2\\.\n\n| Form | RTF |\n|---|---|\n| Obfuscated | {\\object\\objocx\\objdata 44444444{\\\\*\\datastore314 5555}6666} |\n| Clear | {\\object\\objocx\\objdata 444444446666} |\n\nThe RTF parser can also recognize \\datastore and understand that it can accept data, therefore the following data will be consumed by \\datastore.\n\n3\\.\n\n| Form | RTF |\n|---|---|\n| Obfuscated | {\\object\\objocx\\objdata 44444444{\\\\*\\unknown314 5555}6666} |\n| Clear | {\\object\\objocx\\objdata 444444446666} |\n\nFor an analyst, it\u2019s difficult to manually extract embedded objects from an obfuscated RTF, and no public tool can handle obfuscated RTF. However, winword.exe uses the OleConvertOLESTREAMToIStorage function to convert OLE1 native data to an OLE2 structured storage object. Here\u2019s the prototype of OleConvertOLESTREAMToIStorage:\n\nThe object pointed to by lpolestream contains a pointer to the OLE1 native binary data. We can set a breakpoint at OleConvertOLESTREAMToIStorage and dump out the object data, which has been de-obfuscated by the RTF parser:\n\nThe last command .writemem writes a section of memory to d:\\evil_objdata.bin. You can specify other paths as you want; 0e170020 is the start address of the memory range, and 831b6 is the size.\n\nMost of the obfuscation techniques of \\objdata can also apply to embedded images, but for images, it seems there is no obvious technique like OleConvertOLESTREAMToIStorage. 
To extract an obfuscated picture, set a data breakpoint to locate the RTF parsing code quickly; that reveals the best point at which to dump the whole data.\n\n#### **Conclusion**\n\nOur adversaries are sophisticated and familiar with the RTF format and the inner workings of Microsoft Word. They have managed to devise these obfuscation tricks to evade traditional signature-based detection. Understanding how adversaries perform obfuscation can in turn help us improve our detection of such malware.\n\n#### **Acknowledgements**\n\nThanks to Yinhong Chang, Jonell Baltazar and Daniel Regalado for their contributions to this blog.\n", "modified": "2016-05-20T14:59:00", "published": "2016-05-20T14:59:00", "id": "FIREEYE:38120E3D3979DCD57297419690545DDD", "href": "https://www.fireeye.com/blog/threat-research/2016/05/how_rtf_malware_evad.html", "title": "How RTF malware evades static signature-based detection", "type": "fireeye", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}