Microsoft Office / WordPad Remote Code Execution Vulnerability

2017-04-16T00:00:00
ID 1337DAY-ID-27607
Type zdt
Reporter David Routin
Modified 2017-04-16T00:00:00

Description

Exploit for windows platform in category remote exploits

                                        
                                            CVE-2017-0199 Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API

===================================================
Vulnerability description
===================================================

A remote code execution vulnerability exists in the way that Microsoft Office and WordPad parse specially crafted files. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Exploitation of this vulnerability requires that a user open or preview a specially crafted file with an affected version of Microsoft Office or WordPad. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted file to the user and then convincing the user to open the file.
(Source: Microsoft https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199)

===================================================
Affected versions
===================================================

Microsoft Office 2007 Service Pack 3
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office 2013 Service Pack 1 (32-bit editions)
Microsoft Office 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2016 (32-bit edition)
Microsoft Office 2016 (64-bit edition)
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2

===================================================
Technical details of exploitation
===================================================

The vulnerability exists in the way that Microsoft Office/Wordpad handle OLEv2 "link to file object".
It is possible to link an HTA file as a OLEv2 Link object by creating a standard "RTF/DOC" file as source, serve it with Content-Type "application/rtf" then modifying this file source with a HTA payload and serve it with content-type "application/hta".

When the exploited document will be opened the hta document will be loaded and the content will be executed by the OLE object (using mshta) handler without any security warning

===================================================
Exploitation of the vulnerability
===================================================

https://rewtin.blogspot.com/2017/04/cve-2017-0199-practical-exploitation-poc.html


===================================================
Author
===================================================

David Routin, Apr 2017

#  0day.today [2018-01-04]  #