CVE-2014-1761 - Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Microsoft products

CVSS 9.3 - CRITICAL (CVSS v2 base metrics)
Attack vector: NETWORK
Attack complexity: MEDIUM
Authentication: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: network, microsoft, CWE-119, critical, nessus, exploit available, metasploit

Summary

Microsoft Word 2003 SP3, 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT; Word Viewer; Office Compatibility Pack SP3; Office for Mac 2011; Word Automation Services on SharePoint Server 2010 SP1 and SP2 and 2013; Office Web Apps 2010 SP1 and SP2; and Office Web Apps Server 2013 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted RTF data, as exploited in the wild in March 2014.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Exploit-Db

description: MS14-017 Microsoft Word RTF Object Confusion. CVE-2014-1761. Local exploit for windows platform
id: EDB-ID:32793
last seen: 2016-02-03
modified: 2014-04-10
published: 2014-04-10
reporter: metasploit
source: https://www.exploit-db.com/download/32793/
title: Microsoft Word - RTF Object Confusion MS14-017

Metasploit

description: This module creates a malicious RTF file that when opened in vulnerable versions of Microsoft Word will lead to code execution. The flaw exists in how a listoverridecount field can be modified to treat one structure as another. This bug was originally seen being exploited in the wild starting in April 2014. This module was created by reversing a public malware sample.
id: MSF:EXPLOIT/WINDOWS/FILEFORMAT/MS14_017_RTF
last seen: 2020-06-02
modified: 2018-10-28
published: 2014-04-08
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/ms14_017_rtf.rb
title: MS14-017 Microsoft Word RTF Object Confusion
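The module description above names the one RTF field that matters: an out-of-spec \listoverridecount value is what makes Word treat one structure as another. A cheap triage check for a mail gateway or sandbox is therefore to tokenize RTF control words and flag that field whenever its value is outside what the RTF specification permits. The scanner below is an added example written for this page; it is not code from the Metasploit module, Exploit-DB or any source listed here. It assumes the specification's permitted values of 0, 1 and 9 and treats everything else as suspicious. The sample documents are constructed for the test: the suspicious one only swaps in the out-of-range value 25 (the value public analyses reported for the in-the-wild document) and reproduces nothing else of the real exploit.

```python
import sys
from dataclasses import dataclass, field

# The RTF specification documents \listoverridecountN as taking 0, 1 or 9 (number of
# list override levels). Assumption behind this heuristic: any other value is out of
# spec and worth flagging, since this is the field the MS14-017 module abuses.
VALID_LISTOVERRIDECOUNT = {0, 1, 9}


@dataclass
class RtfScanResult:
    has_rtf_header: bool
    listoverride_count: int = 0
    bad_values: list = field(default_factory=list)   # (byte offset, value) pairs

    @property
    def suspicious(self) -> bool:
        return bool(self.bad_values)


def _is_alpha(b: int) -> bool:
    return 65 <= b <= 90 or 97 <= b <= 122


def iter_control_words(data: bytes):
    """Yield (name, parameter, offset) for every RTF control word in data.

    Escape sequences (backslash-backslash, backslash-brace, backslash-apostrophe-hex,
    backslash-star) are stepped over and the raw bytes that follow a binN control word
    are skipped, so the text 'listoverridecount25' appearing as escaped literal text or
    inside a binary blob is not mistaken for a control word.
    """
    i, n = 0, len(data)
    while i < n:
        if data[i] != 0x5C:                      # 0x5C is the backslash
            i += 1
            continue
        j = i + 1
        if j >= n:
            return
        if data[j] == 0x27:                      # \'hh: hex-escaped byte
            i = j + 3
            continue
        if not _is_alpha(data[j]):               # \\ \{ \} \* \~ and similar
            i = j + 1
            continue
        while j < n and _is_alpha(data[j]):
            j += 1
        name = data[i + 1:j].decode("ascii")
        k = j
        if k < n and data[k] == 0x2D:            # optional '-' sign
            k += 1
        while k < n and 0x30 <= data[k] <= 0x39:
            k += 1
        digits = data[j:k]
        param = int(digits) if digits and digits != b"-" else None
        yield name, param, i
        i = k
        if name == "bin" and param and param > 0:
            if i < n and data[i] == 0x20:        # one delimiting space, then N raw bytes
                i += 1
            i += param


def scan_rtf(data: bytes) -> RtfScanResult:
    """Scan one RTF document and report out-of-spec listoverridecount values."""
    result = RtfScanResult(has_rtf_header=data.lstrip().startswith(b"{\\rtf"))
    for name, param, offset in iter_control_words(data):
        if name == "listoverride":
            result.listoverride_count += 1
        elif name == "listoverridecount":
            value = 0 if param is None else param   # a missing parameter reads as 0
            if value not in VALID_LISTOVERRIDECOUNT:
                result.bad_values.append((offset, value))
    return result


# Constructed samples (not real malware). BENIGN_RTF carries the in-spec value 1;
# SUSPICIOUS_RTF swaps in 25 and nothing else; DECOY_RTF carries the same token only
# as escaped text and inside a \bin blob, which a naive substring match would flag.
BENIGN_RTF = (
    b"{\\rtf1\\ansi{\\*\\listtable{\\list\\listid1{\\listlevel\\levelnfc0}}}"
    b"{\\*\\listoverridetable{\\listoverride\\listid1\\listoverridecount1\\ls1}}"
    b"\\pard Hello, world.\\par}"
)
SUSPICIOUS_RTF = BENIGN_RTF.replace(b"\\listoverridecount1", b"\\listoverridecount25")
DECOY_RTF = (
    b"{\\rtf1\\ansi \\\\listoverridecount25 "
    b"{\\*\\objdata\\bin20 \\listoverridecount25ab}\\par}"
)


def main(paths):
    for path in paths:
        with open(path, "rb") as fh:
            r = scan_rtf(fh.read())
        verdict = "SUSPICIOUS" if r.suspicious else "ok"
        print(f"{path}: {verdict} header={r.has_rtf_header} "
              f"listoverrides={r.listoverride_count} bad={r.bad_values}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

This is a heuristic for this one trigger, not a general RTF safety check: it says nothing about other RTF memory-corruption bugs, Word's lenient parser accepts more variants than the escaped-text and \bin cases handled here, and a document that passes is not thereby safe. Patching (MS14-017) remains the fix; the scanner is for triage of mail attachments and for confirming that a detonation sandbox saw the trigger.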

Msbulletin

bulletin_id: MS14-017
date: 2014-04-08
impact: Remote Code Execution
knowledgebase_id: 2949660
severity: Critical
title: Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution

Nessus

  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_NT_MS14-017.NASL
    description: The remote Windows host has a version of Microsoft Office, Microsoft Word, Office Compatibility Pack, Microsoft Word Viewer, SharePoint Server, or Microsoft Office Web Apps that is affected by one or more unspecified memory corruption vulnerabilities. By tricking a user into opening a specially crafted file, it may be possible for a remote attacker to take complete control of the system or execute arbitrary code.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 73413
    published: 2014-04-08
    reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/73413
    title: MS14-017: Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2949660)
  • NASL family: Windows
    NASL id: SMB_KB2953095.NASL
    description: The remote host is missing one of the workarounds referenced in KB 2953095. The remote host has a version of Microsoft Word installed that is potentially affected by a code execution vulnerability due to the way the application handles specially crafted RTF files.
    last seen: 2017-10-29
    modified: 2017-08-30
    plugin id: 73161
    published: 2014-03-24
    reporter: Tenable
    source: https://www.tenable.com/plugins/index.php?view=single&id=73161
    title: MS KB2953095: Vulnerability in Microsoft Word Could Allow Remote Code Execution
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_MS14-017.NASL
    description: The remote Mac OS X host is running a version of Microsoft Word that is affected by one or more unspecified memory corruption vulnerabilities. By tricking a user into opening a specially crafted file, it may be possible for a remote attacker to take complete control of the system or execute arbitrary code.
    last seen: 2019-10-28
    modified: 2014-04-08
    plugin id: 73414
    published: 2014-04-08
    reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/73414
    title: MS14-017: Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2949660) (Mac OS X)

Packetstorm

data source: https://packetstormsecurity.com/files/download/126071/ms14_017_rtf.rb.txt
id: PACKETSTORM:126071
last seen: 2016-12-05
published: 2014-04-09
reporter: Haifei Li
source: https://packetstormsecurity.com/files/126071/MS14-017-Microsoft-Word-RTF-Object-Confusion.html
title: MS14-017 Microsoft Word RTF Object Confusion

Saint

bid: 66385
description: Microsoft Word RTF Object Confusion
id: win_patch_word2010
osvdb: 104895
title: msword_rtf
type: client

Seebug

  • bulletinFamily: exploit
    description: CVE ID: CVE-2014-1761. Microsoft Word is Microsoft's word-processing application. An error in Microsoft Word's parsing of malformed RTF data causes memory corruption that lets an attacker execute arbitrary code. The vulnerability can be exploited when a user opens a malicious RTF file with an affected version of Microsoft Word, or when Microsoft Word is Microsoft Outlook's email viewer and the user previews or opens a malicious RTF email message; in either case the attacker gains the privileges of the current user. Note that Microsoft Word is the default email viewer in Microsoft Outlook 2007/2010/2013.
    Affected: Microsoft Word Viewer, Microsoft Word 2013, Microsoft Word 2010, Microsoft Word 2007, Microsoft Word 2003.
    The vendor has not yet released a patch or upgrade; users of this software are advised to watch the vendor's page for the latest version: http://technet.microsoft.com/security/bulletin/
    Temporary workarounds: if you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:
      * Apply the Microsoft Fix it solution that disables opening RTF content in Microsoft Word.
      * Read email in plain text.
      * Use Microsoft Office File Block policy to prevent RTF files from opening in Microsoft Word 2003, 2007, 2010 and 2013.
      * Deploy the Enhanced Mitigation Experience Toolkit (EMET).
    id: SSV:61922
    last seen: 2017-11-19
    modified: 2014-03-25
    published: 2014-03-25
    reporter: Root
    title: Microsoft Word RTF File Parsing Error Code Execution Vulnerability
  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:86063
    last seen: 2017-11-19
    modified: 2014-07-01
    published: 2014-07-01
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-86063
    title: MS14-017 Microsoft Word RTF Object Confusion
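Two of the NSFOCUS workarounds in the first Seebug entry (File Block policy for RTF, reading mail as plain text) are registry settings, so on a fleet they can be audited rather than assumed, which is also what the SMB_KB2953095.NASL plugin above checks. The auditor below is an added example written for this page, not code from NSFOCUS, Seebug, Tenable or Microsoft. Its assumptions: the per-version registry paths and values are transcribed from memory of the File Block workaround in Microsoft Security Advisory 2953095 (Word 2003/2007 use FileOpenBlock with RtfFiles=1; Word 2010/2013 use FileBlock with RtfFiles=2 and OpenInProtectedView=0) and the Outlook ReadAsPlain value from KB 831607, so verify them against the advisory before acting on a result; only the HKCU user settings are read, not the Software\Policies variants that Group Policy writes; and an absent OpenInProtectedView is treated as 0. The classification functions are pure so they run anywhere; the live registry read needs Windows.

```python
try:
    import winreg                       # Windows only
except ImportError:                     # elsewhere only the pure classification is usable
    winreg = None

# Assumption: paths and values as recalled from advisory 2953095 (verify before use).
# (subkey under HKCU, RtfFiles value that blocks, whether OpenInProtectedView applies)
WORD_RTF_FILEBLOCK = {
    "2003": (r"Software\Microsoft\Office\11.0\Word\Security\FileOpenBlock", 1, False),
    "2007": (r"Software\Microsoft\Office\12.0\Word\Security\FileOpenBlock", 1, False),
    "2010": (r"Software\Microsoft\Office\14.0\Word\Security\FileBlock", 2, True),
    "2013": (r"Software\Microsoft\Office\15.0\Word\Security\FileBlock", 2, True),
}
# "Read all standard mail in plain text" (KB 831607), assumed at this location.
OUTLOOK_MAIL_OPTIONS = {
    v: r"Software\Microsoft\Office\{}\Outlook\Options\Mail".format(k)
    for v, k in (("2007", "12.0"), ("2010", "14.0"), ("2013", "15.0"))
}


def rtf_policy_status(version: str, values: dict) -> str:
    """Classify Word's RTF File Block state from the DWORDs found under its key.

    values maps value name -> DWORD; names missing from the key are absent here.
    Returns "blocked" (RTF cannot be opened), "protected-view" (File Block is set
    but Word still opens RTF read-only in Protected View) or "open".
    """
    _path, block_value, has_protected_view = WORD_RTF_FILEBLOCK[version]
    if values.get("RtfFiles") != block_value:
        return "open"
    # Assumption: an absent OpenInProtectedView behaves like 0 (do not open at all).
    if has_protected_view and values.get("OpenInProtectedView", 0) != 0:
        return "protected-view"
    return "blocked"


def outlook_reads_plain_text(values: dict) -> bool:
    """True when Outlook renders all standard mail as plain text (ReadAsPlain=1)."""
    return values.get("ReadAsPlain") == 1


def read_hkcu_values(subkey: str) -> dict:
    """Return {name: value} for every value under HKCU\\subkey; {} if the key is absent."""
    if winreg is None:
        raise RuntimeError("live audit needs Windows; feed captured values to the "
                           "classification functions instead")
    try:
        key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey)
    except FileNotFoundError:
        return {}
    values = {}
    with key:
        index = 0
        while True:
            try:
                name, value, _kind = winreg.EnumValue(key, index)
            except OSError:             # no more values under this key
                return values
            values[name] = value
            index += 1


def audit_current_user() -> dict:
    """Audit HKCU for each Word/Outlook version; an absent key counts as unprotected.

    Caveat: every version is reported whether or not it is installed, so read the
    result against the Office version actually present on the host.
    """
    report = {}
    for version, (path, _block, _pv) in WORD_RTF_FILEBLOCK.items():
        report[f"word{version}_rtf"] = rtf_policy_status(version, read_hkcu_values(path))
    for version, path in OUTLOOK_MAIL_OPTIONS.items():
        report[f"outlook{version}_plaintext"] = outlook_reads_plain_text(read_hkcu_values(path))
    return report


if __name__ == "__main__":
    for check, state in sorted(audit_current_user().items()):
        print(f"{check}: {state}")
```

"protected-view" is reported separately from "blocked" on purpose: Protected View reduces the impact of this bug but still lets Word's RTF parser run on the file, whereas the advisory's workaround pairs RtfFiles=2 with OpenInProtectedView=0 so the file is refused outright. None of this replaces the MS14-017 update; the audit is for the window before it is deployed and for confirming the workaround was removed afterwards.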

The Hacker News