Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft Office / WordPad Remote Code Execution Vulnerability

🗓️ 16 Apr 2017 00:00:00Reported by David RoutinType 
zdt
 zdt🔗 0day.today👁 820 Views

Microsoft Office/WordPad Remote Code Execution Vulnerabilit

Related
Code
ReporterTitlePublishedViews
Family
GithubExploit		Exploit for CVE-2017-0199
24 Apr 201723:44
githubexploit
GithubExploit		Exploit for CVE-2017-0199
15 Aug 202207:15
githubexploit
GithubExploit		Exploit for CVE-2017-0199
18 Apr 201706:33
githubexploit
GithubExploit		Exploit for CVE-2017-8570
8 Apr 201810:07
githubexploit
GithubExploit		Exploit for CVE-2017-0199
23 Apr 201713:58
githubexploit
GithubExploit		Exploit for Code Injection in Microsoft
13 Sep 201715:24
githubexploit
GithubExploit		Exploit for CVE-2022-30190
21 Jan 202611:02
githubexploit
GithubExploit		Exploit for CVE-2017-0199
17 Apr 201708:10
githubexploit
GithubExploit		Exploit for CVE-2017-0199
22 Apr 201704:01
githubexploit
0day.today		Microsoft Word - .RTF Remote Code Execution Exploit
19 Apr 201700:00
zdt
Rows per page
CVE-2017-0199 Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API

===================================================
Vulnerability description
===================================================

A remote code execution vulnerability exists in the way that Microsoft Office and WordPad parse specially crafted files. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Exploitation of this vulnerability requires that a user open or preview a specially crafted file with an affected version of Microsoft Office or WordPad. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted file to the user and then convincing the user to open the file.
(Source: Microsoft https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199)

===================================================
Affected versions
===================================================

Microsoft Office 2007 Service Pack 3
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office 2013 Service Pack 1 (32-bit editions)
Microsoft Office 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2016 (32-bit edition)
Microsoft Office 2016 (64-bit edition)
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2

===================================================
Technical details of exploitation
===================================================

The vulnerability exists in the way that Microsoft Office/Wordpad handle OLEv2 "link to file object".
It is possible to link an HTA file as a OLEv2 Link object by creating a standard "RTF/DOC" file as source, serve it with Content-Type "application/rtf" then modifying this file source with a HTA payload and serve it with content-type "application/hta".

When the exploited document will be opened the hta document will be loaded and the content will be executed by the OLE object (using mshta) handler without any security warning

===================================================
Exploitation of the vulnerability
===================================================

https://rewtin.blogspot.com/2017/04/cve-2017-0199-practical-exploitation-poc.html


===================================================
Author
===================================================

David Routin, Apr 2017

#  0day.today [2018-01-04]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
16 Apr 2017 00:00Current
8.4High risk
Vulners AI Score8.4
EPSS0.94302
microsoft officewordpadremote code executionvulnerabilitycve-2017-0199windows apiexploitationolev2hta filecontent-typeauthordavid routin
820