Vulnerabilities > CVE-2014-6352 - Code Injection vulnerability in Microsoft products

CVSS 9.3 - CRITICAL

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

microsoft

CWE-94

critical

nessus

exploit available

metasploit

NVD

Published: 2014-10-22

Updated: 2018-10-12

Summary

Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object, as exploited in the wild in October 2014 with a crafted PowerPoint document.

Vulnerable Configurations

Part	Description	Count
OS	Microsoft Microsoft Windows 7 - Microsoft Windows 8 - Microsoft Windows 8.1 - Microsoft Windows RT - Microsoft Windows RT 8.1 - Microsoft Windows Server 2008 * Microsoft Windows Server 2008 R2 Microsoft Windows Server 2012 - Microsoft Windows Server 2012 R2 Microsoft Windows Vista *	10

Common Weakness Enumeration (CWE)

CWE-94 - Improper Control of Generation of Code ('Code Injection')

Common Attack Pattern Enumeration and Classification (CAPEC)

Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

Exploit-Db

description	Windows OLE Package Manager SandWorm Exploit. CVE-2014-4114,CVE-2014-6352. Local exploit for windows platform
file	exploits/windows/local/35019.py
id	EDB-ID:35019
last seen	2016-02-04
modified	2014-10-20
platform	windows
port
published	2014-10-20
reporter	Vlad Ovtchinikov
source	https://www.exploit-db.com/download/35019/
title	Windows OLE Package Manager SandWorm Exploit
type	local

description	MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python. CVE-2014-4114,CVE-2014-6352. Local exploit for windows platform
id	EDB-ID:35235
last seen	2016-02-04
modified	2014-11-14
published	2014-11-14
reporter	metasploit
source	https://www.exploit-db.com/download/35235/
title	MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python

description	MS14-064 Microsoft Windows OLE Package Manager Code Execution. CVE-2014-4114,CVE-2014-6352. Local exploit for windows platform
id	EDB-ID:35236
last seen	2016-02-04
modified	2014-11-14
published	2014-11-14
reporter	metasploit
source	https://www.exploit-db.com/download/35236/
title	MS14-064 Microsoft Windows OLE Package Manager Code Execution

description	Microsoft Office 2007 and 2010 - OLE Arbitrary Command Execution. CVE-2014-4114,CVE-2014-6352. Local exploit for windows platform
id	EDB-ID:35216
last seen	2016-02-04
modified	2014-11-12
published	2014-11-12
reporter	Abhishek Lyall
source	https://www.exploit-db.com/download/35216/
title	Microsoft Office 2007 and 2010 - OLE Arbitrary Command Execution

description	Windows OLE - Remote Code Execution "Sandworm" Exploit (MS14-060). CVE-2014-4114,CVE-2014-6352. Remote exploit for windows platform
file	exploits/windows/remote/35055.py
id	EDB-ID:35055
last seen	2016-02-04
modified	2014-10-25
platform	windows
port
published	2014-10-25
reporter	Mike Czumak
source	https://www.exploit-db.com/download/35055/
title	Windows OLE - Remote Code Execution "Sandworm" Exploit MS14-060
type	remote

description	MS14-060 Microsoft Windows OLE Package Manager Code Execution. CVE-2014-4114,CVE-2014-6352. Local exploit for win32 platform
file	exploits/windows_x86/local/35020.rb
id	EDB-ID:35020
last seen	2016-02-04
modified	2014-10-20
platform	windows_x86
port
published	2014-10-20
reporter	metasploit
source	https://www.exploit-db.com/download/35020/
title	MS14-060 Microsoft Windows OLE Package Manager Code Execution
type	local

Metasploit

description	This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE) allowing arbitrary code execution, publicly exploited in the wild as MS14-060 patch bypass. The Microsoft update tried to fix the vulnerability publicly known as "Sandworm". Platforms such as Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable. However, based on our testing, the most reliable setup is on Windows platforms running Office 2013 and Office 2010 SP2. Please keep in mind that some other setups such as using Office 2010 SP1 might be less stable, and may end up with a crash due to a failure in the CPackage::CreateTempFileName function.
id	MSF:EXPLOIT/WINDOWS/FILEFORMAT/MS14_064_PACKAGER_RUN_AS_ADMIN
last seen	2020-06-01
modified	2017-07-24
published	2014-11-12
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6352 http://blogs.mcafee.com/mcafee-labs/bypassing-microsofts-patch-sandworm-zero-day-even-editing-dangerous
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/ms14_064_packager_run_as_admin.rb
title	MS14-064 Microsoft Windows OLE Package Manager Code Execution

description	This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE) allowing arbitrary code execution, bypassing the patch MS14-060, for the vulnerability publicly known as "Sandworm", on systems with Python for Windows installed. Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable. However, based on our testing, the most reliable setup is on Windows platforms running Office 2013 and Office 2010 SP2. Please keep in mind that some other setups such as those using Office 2010 SP1 may be less stable, and may end up with a crash due to a failure in the CPackage::CreateTempFileName function.
id	MSF:EXPLOIT/WINDOWS/FILEFORMAT/MS14_064_PACKAGER_PYTHON
last seen	2020-05-28
modified	2017-07-24
published	2014-11-13
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6352 http://blogs.mcafee.com/mcafee-labs/bypassing-microsofts-patch-for-the-sandworm-zero-day-even-editing-can-cause-harm
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/ms14_064_packager_python.rb
title	MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python

Msbulletin

bulletin_id	MS14-064
bulletin_url
date	2014-11-11T00:00:00
impact	Remote Code Execution
knowledgebase_id	3011443
knowledgebase_url
severity	Critical
title	Vulnerabilities in Windows OLE Could Allow Remote Code Execution

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS14-064.NASL
description	The remote Windows host is affected by multiple vulnerabilities : - A remote code execution vulnerability due to Internet Explorer improperly handling access to objects in memory. A remote attacker can exploit this vulnerability by convincing a user to visit a specially crafted website in Internet Explorer, resulting in execution of arbitrary code in the context of the current user. (CVE-2014-6332) - A remote code execution vulnerability due to a flaw in the OLE package manager. A remote attacker can exploit this vulnerability by convincing a user to open an Office file containing specially crafted OLE objects, resulting in execution of arbitrary code in the context of the current user. (CVE-2014-6352)
last seen	2020-06-01
modified	2020-06-02
plugin id	79125
published	2014-11-11
reporter	This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/79125
title	MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443)
code	# # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(79125); script_version("1.14"); script_cvs_date("Date: 2018/11/15 20:50:31"); script_cve_id("CVE-2014-6332", "CVE-2014-6352"); script_bugtraq_id(70690, 70952); script_xref(name:"CERT", value:"158647"); script_xref(name:"EDB-ID", value:"35229"); script_xref(name:"MSFT", value:"MS14-064"); script_xref(name:"MSKB", value:"3006226"); script_xref(name:"MSKB", value:"3010788"); script_name(english:"MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443)"); script_summary(english:"Checks the versions of packager.dll and Oleaut32.dll."); script_set_attribute(attribute:"synopsis", value:"The remote Windows host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote Windows host is affected by multiple vulnerabilities : - A remote code execution vulnerability due to Internet Explorer improperly handling access to objects in memory. A remote attacker can exploit this vulnerability by convincing a user to visit a specially crafted website in Internet Explorer, resulting in execution of arbitrary code in the context of the current user. (CVE-2014-6332) - A remote code execution vulnerability due to a flaw in the OLE package manager. A remote attacker can exploit this vulnerability by convincing a user to open an Office file containing specially crafted OLE objects, resulting in execution of arbitrary code in the context of the current user. (CVE-2014-6352)"); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2014/ms14-064"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Windows 2003, Vista, 2008, 7, 2008 R2, 8, 2012, 8.1, and 2012 R2."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'MS14-064 Microsoft Windows OLE Package Manager Code Execution'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"vuln_publication_date", value:"2014/10/14"); script_set_attribute(attribute:"patch_publication_date", value:"2014/11/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/11"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, "Host/patch_management_checks"); exit(0); } include("audit.inc"); include("smb_hotfixes_fcheck.inc"); include("smb_hotfixes.inc"); include("smb_func.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS14-064'; kbs = make_list( "3006226", "3010788" ); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(win2003:'2', vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN); share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( # Windows 8.1 / Windows Server 2012 R2 hotfix_is_vulnerable(os:"6.3", sp:0, file:"packager.dll", version:"6.3.9600.17408", min_version:"6.3.9600.16000", dir:"\system32", bulletin:bulletin, kb:"3010788") \|\| # KB 3006226 hotfix_is_vulnerable(os:"6.3", sp:0, file:"Oleaut32.dll", version:"6.3.9600.17403", min_version:"6.3.9600.16000", dir:"\system32", bulletin:bulletin, kb:"3006226") \|\| # Windows 8 / Windows Server 2012 hotfix_is_vulnerable(os:"6.2", sp:0, file:"packager.dll", version:"6.2.9200.21278", min_version:"6.2.9200.20000", dir:"\system32", bulletin:bulletin, kb:"3010788") \|\| hotfix_is_vulnerable(os:"6.2", sp:0, file:"packager.dll", version:"6.2.9200.17160", min_version:"6.2.9200.16000", dir:"\system32", bulletin:bulletin, kb:"3010788") \|\| # KB 3006226 hotfix_is_vulnerable(os:"6.2", sp:0, file:"Oleaut32.dll", version:"6.2.9200.21273", min_version:"6.2.9200.20000", dir:"\system32", bulletin:bulletin, kb:"3006226") \|\| hotfix_is_vulnerable(os:"6.2", sp:0, file:"Oleaut32.dll", version:"6.2.9200.17155", min_version:"6.2.9200.16000", dir:"\system32", bulletin:bulletin, kb:"3006226") \|\| # Windows 7 / Server 2008 R2 hotfix_is_vulnerable(os:"6.1", sp:1, file:"packager.dll", version:"6.1.7601.22853", min_version:"6.1.7601.22000", dir:"\system32", bulletin:bulletin, kb:"3010788") \|\| hotfix_is_vulnerable(os:"6.1", sp:1, file:"packager.dll", version:"6.1.7601.18645", min_version:"6.1.7600.18000", dir:"\system32", bulletin:bulletin, kb:"3010788") \|\| # KB 3006226 hotfix_is_vulnerable(os:"6.1", sp:1, file:"Oleaut32.dll", version:"6.1.7601.22846", min_version:"6.1.7601.22000", dir:"\system32", bulletin:bulletin, kb:"3006226") \|\| hotfix_is_vulnerable(os:"6.1", sp:1, file:"Oleaut32.dll", version:"6.1.7601.18640", min_version:"6.1.7600.18000", dir:"\system32", bulletin:bulletin, kb:"3006226") \|\| # Vista / Windows Server 2008 hotfix_is_vulnerable(os:"6.0", sp:2, file:"packager.dll", version:"6.0.6002.23527", min_version:"6.0.6002.23000", dir:"\system32", bulletin:bulletin, kb:"3010788") \|\| hotfix_is_vulnerable(os:"6.0", sp:2, file:"packager.dll", version:"6.0.6002.19220", min_version:"6.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:"3010788") \|\| # KB 3006226 hotfix_is_vulnerable(os:"6.0", sp:2, file:"Oleaut32.dll", version:"6.0.6002.23523", min_version:"6.0.6002.23000", dir:"\system32", bulletin:bulletin, kb:"3006226") \|\| hotfix_is_vulnerable(os:"6.0", sp:2, file:"Oleaut32.dll", version:"6.0.6002.19216", min_version:"6.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:"3006226") \|\| # Windows Server 2003 hotfix_is_vulnerable(os:"5.2", sp:2, file:"Oleaut32.dll", version:"5.2.3790.5464", dir:"\system32", bulletin:bulletin, kb:"3006226") ) { set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }

NASL family	Windows
NASL id	SMB_KB3010060.NASL
description	The remote host is missing one of the workarounds referenced in Microsoft Security Advisory 3010060. The version of Microsoft Office installed on the remote host is affected by a remote code execution vulnerability due to a flaw in the OLE package manager. A remote attacker can exploit this vulnerability by convincing a user to open an Office file containing specially crafted OLE objects, resulting in execution of arbitrary code in the context of the current user.
last seen	2017-10-29
modified	2017-08-30
plugin id	78627
published	2014-10-22
reporter	Tenable
source	https://www.tenable.com/plugins/index.php?view=single&id=78627
title	MS KB3010060: Vulnerability in Microsoft OLE Could Allow Remote Code Execution (deprecated)
code	#%NASL_MIN_LEVEL 999999 # # (C) Tenable Network Security, Inc. # # @DEPRECATED@ # # Disabled on 2014/11/11. Deprecated by smb_nt_ms14-064.nasl # include("compat.inc"); if (description) { script_id(78627); script_version("1.9"); script_cvs_date("Date: 2018/07/27 18:38:15"); script_cve_id("CVE-2014-6352"); script_bugtraq_id(70690); script_xref(name:"MSKB", value:"3010060"); script_name(english:"MS KB3010060: Vulnerability in Microsoft OLE Could Allow Remote Code Execution (deprecated)"); script_summary(english:"Checks if workarounds referenced in KB article have been applied."); script_set_attribute(attribute:"synopsis", value:"The remote host is affected by a remote code execution vulnerability."); script_set_attribute(attribute:"description", value: "The remote host is missing one of the workarounds referenced in Microsoft Security Advisory 3010060. The version of Microsoft Office installed on the remote host is affected by a remote code execution vulnerability due to a flaw in the OLE package manager. A remote attacker can exploit this vulnerability by convincing a user to open an Office file containing specially crafted OLE objects, resulting in execution of arbitrary code in the context of the current user."); script_set_attribute(attribute:"see_also", value:"https://technet.microsoft.com/library/security/3010060"); script_set_attribute(attribute:"solution", value: "Apply the Microsoft Fix it solution 'OLE packager Shim Workaround' or deploy the Enhanced Mitigation Experience Toolkit (EMET) 5.0 and configure Attack Surface Reduction with the settings provided by Microsoft."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'MS14-060 Microsoft Windows OLE Package Manager Code Execution'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/10/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/10/22"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc."); script_dependencies("microsoft_emet_installed.nasl", "smb_hotfixes.nasl"); script_require_keys("SMB/Registry/Enumerated", "SMB/WindowsVersion"); script_require_ports(139, 445); exit(0); } # Deprecated. exit(0, "This plugin has been deprecated. Use plugin #79125 (smb_nt_ms14-064.nasl) instead."); include("audit.inc"); include("smb_hotfixes.inc"); include("misc_func.inc"); include("smb_func.inc"); include("smb_hotfixes_fcheck.inc"); include("smb_reg_query.inc"); if (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN); if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE); # Only Office 2007/2010/2013 are affected office_inst = FALSE; office_kbs = get_kb_list("SMB/Office/"); if (!isnull(office_kbs)) { office_kbs = make_list(office_kbs); foreach item (keys(office_kbs)) { if (item =~ "Office\/(Powerpoint\|Word\|Excel\|Publisher\|Access)\/1[245]\.") { office_inst = TRUE; break; } } } if (!office_inst) audit(AUDIT_NOT_INST,"Affected Office 2007 / 2010 / 2013 Product"); ################################################################################## # Fix it Check registry_init(); hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE); systemroot = hotfix_get_systemroot(); if (!systemroot) audit(AUDIT_FN_FAIL, 'hotfix_get_systemroot'); guid = '{3a9498f9-243d-424b-893a-8da0b0cfad53}'; path = get_registry_value(handle:hklm, item:"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\" + guid); RegCloseKey(handle:hklm); if (isnull(path)) path = systemroot + "\AppPatch\Custom\" + guid + '.sdb'; # Now make sure the file is in place if (hotfix_file_exists(path:path)) { hotfix_check_fversion_end(); exit(0, "The host is not affected since the Microsoft 'Fix it' has been applied."); } hotfix_check_fversion_end(); ################################################################################## ################################################################################## # EMET Check emet_info = ''; emet_installed = FALSE; emet_with_dllhost = FALSE; emet_with_pp = FALSE; if (!isnull(get_kb_item("SMB/Microsoft/EMET/Installed"))) emet_installed = TRUE; emet_list = get_kb_list("SMB/Microsoft/EMET/"); if (!isnull(emet_list)) { foreach entry (keys(emet_list)) { if ("dllhost.exe" >< entry && "/asr" >< entry) { asr = get_kb_item(entry); if (!isnull(asr) && asr == 1) emet_with_dllhost = TRUE; } if (("POWERPNT.EXE" >< entry \|\| "powerpnt.exe" >< entry) && "/asr" >< entry) { asr = get_kb_item(entry); if (!isnull(asr) && asr == 1) emet_with_pp = TRUE; } } } if (!emet_installed) { emet_info = '\n' + 'Microsoft Enhanced Mitigation Experience Toolkit (EMET) is not' + '\n' + 'installed.'; } # ASR needs to be on both else if (emet_installed && (!emet_with_dllhost \|\| !emet_with_pp)) { emet_info = '\n' + 'Microsoft Enhanced Mitigation Experience Toolkit (EMET) is' + '\n' + 'installed; however, it is not configured with the recommendations' + '\n' + 'from Microsoft to mitigate the vulnerability.'; } if (emet_with_dllhost && emet_with_pp) exit(0, "The host is not affected as EMET has been configured to mitigate the vulnerability."); ################################################################################## # If we made it here we don't have any of the fixes. port = get_kb_item('SMB/transport'); if (!port) port = 445; if (report_verbosity > 0) { report = '\n' + 'The remote host is missing the OLE packager Shim Workaround.'; if (emet_info != '') report = report + '\n' + emet_info; report += '\n'; security_hole(port:port, extra:report); } else security_hole(port);

Packetstorm

data source	https://packetstormsecurity.com/files/download/129101/ms14_064_packager_run_as_admin.rb.txt
id	PACKETSTORM:129101
last seen	2016-12-05
published	2014-11-13
reporter	Haifei Li
source	https://packetstormsecurity.com/files/129101/MS14-064-Microsoft-Windows-OLE-Package-Manager-Code-Execution.html
title	MS14-064 Microsoft Windows OLE Package Manager Code Execution

data source	https://packetstormsecurity.com/files/download/129110/ms14_064_packager_python.rb.txt
id	PACKETSTORM:129110
last seen	2016-12-05
published	2014-11-14
reporter	Haifei Li
source	https://packetstormsecurity.com/files/129110/MS14-064-Microsoft-Windows-OLE-Package-Manager-Code-Execution-Through-Python.html
title	MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python

Seebug

bulletinFamily	exploit
description	No description provided by source.
id	SSV:87353
last seen	2017-11-19
modified	2014-11-13
published	2014-11-13
reporter	Root
source	https://www.seebug.org/vuldb/ssvid-87353
title	MS Office 2007 and 2010 - OLE Arbitrary Command Execution

The Hacker News

id	THN:3CCB49974C881C181739745A6694FB0A
last seen	2018-01-27
modified	2014-10-22
published	2014-10-22
reporter	Mohit Kumar
source	https://thehackernews.com/2014/10/microsoft-powerpoint-vulnerable-to-zero.html
title	Microsoft PowerPoint Vulnerable to Zero-Day Attack

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Exploit-Db

Metasploit

Msbulletin

Nessus

Packetstorm

Seebug

The Hacker News

References