Vulnerabilities > CVE-2014-6352 - Unspecified vulnerability in Microsoft products

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
microsoft
nessus
exploit available
metasploit

Summary

Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object, as exploited in the wild in October 2014 with a crafted PowerPoint document.

Exploit-Db

  • descriptionWindows OLE Package Manager SandWorm Exploit. CVE-2014-4114,CVE-2014-6352. Local exploit for windows platform
    fileexploits/windows/local/35019.py
    idEDB-ID:35019
    last seen2016-02-04
    modified2014-10-20
    platformwindows
    port
    published2014-10-20
    reporterVlad Ovtchinikov
    sourcehttps://www.exploit-db.com/download/35019/
    titleWindows OLE Package Manager SandWorm Exploit
    typelocal
  • descriptionMS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python. CVE-2014-4114,CVE-2014-6352. Local exploit for windows platform
    idEDB-ID:35235
    last seen2016-02-04
    modified2014-11-14
    published2014-11-14
    reportermetasploit
    sourcehttps://www.exploit-db.com/download/35235/
    titleMS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python
  • descriptionMS14-064 Microsoft Windows OLE Package Manager Code Execution. CVE-2014-4114,CVE-2014-6352. Local exploit for windows platform
    idEDB-ID:35236
    last seen2016-02-04
    modified2014-11-14
    published2014-11-14
    reportermetasploit
    sourcehttps://www.exploit-db.com/download/35236/
    titleMS14-064 Microsoft Windows OLE Package Manager Code Execution
  • descriptionMicrosoft Office 2007 and 2010 - OLE Arbitrary Command Execution. CVE-2014-4114,CVE-2014-6352. Local exploit for windows platform
    idEDB-ID:35216
    last seen2016-02-04
    modified2014-11-12
    published2014-11-12
    reporterAbhishek Lyall
    sourcehttps://www.exploit-db.com/download/35216/
    titleMicrosoft Office 2007 and 2010 - OLE Arbitrary Command Execution
  • descriptionWindows OLE - Remote Code Execution "Sandworm" Exploit (MS14-060). CVE-2014-4114,CVE-2014-6352. Remote exploit for windows platform
    fileexploits/windows/remote/35055.py
    idEDB-ID:35055
    last seen2016-02-04
    modified2014-10-25
    platformwindows
    port
    published2014-10-25
    reporterMike Czumak
    sourcehttps://www.exploit-db.com/download/35055/
    titleWindows OLE - Remote Code Execution "Sandworm" Exploit MS14-060
    typeremote
  • descriptionMS14-060 Microsoft Windows OLE Package Manager Code Execution. CVE-2014-4114,CVE-2014-6352. Local exploit for win32 platform
    fileexploits/windows_x86/local/35020.rb
    idEDB-ID:35020
    last seen2016-02-04
    modified2014-10-20
    platformwindows_x86
    port
    published2014-10-20
    reportermetasploit
    sourcehttps://www.exploit-db.com/download/35020/
    titleMS14-060 Microsoft Windows OLE Package Manager Code Execution
    typelocal

Metasploit

Msbulletin

bulletin_idMS14-064
bulletin_url
date2014-11-11T00:00:00
impactRemote Code Execution
knowledgebase_id3011443
knowledgebase_url
severityCritical
titleVulnerabilities in Windows OLE Could Allow Remote Code Execution

Nessus

  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS14-064.NASL
    descriptionThe remote Windows host is affected by multiple vulnerabilities : - A remote code execution vulnerability due to Internet Explorer improperly handling access to objects in memory. A remote attacker can exploit this vulnerability by convincing a user to visit a specially crafted website in Internet Explorer, resulting in execution of arbitrary code in the context of the current user. (CVE-2014-6332) - A remote code execution vulnerability due to a flaw in the OLE package manager. A remote attacker can exploit this vulnerability by convincing a user to open an Office file containing specially crafted OLE objects, resulting in execution of arbitrary code in the context of the current user. (CVE-2014-6352)
    last seen2020-06-01
    modified2020-06-02
    plugin id79125
    published2014-11-11
    reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/79125
    titleMS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(79125);
      script_version("1.14");
      script_cvs_date("Date: 2018/11/15 20:50:31");
    
      script_cve_id("CVE-2014-6332", "CVE-2014-6352");
      script_bugtraq_id(70690, 70952);
      script_xref(name:"CERT", value:"158647");
      script_xref(name:"EDB-ID", value:"35229");
      script_xref(name:"MSFT", value:"MS14-064");
      script_xref(name:"MSKB", value:"3006226");
      script_xref(name:"MSKB", value:"3010788");
    
      script_name(english:"MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443)");
      script_summary(english:"Checks the versions of packager.dll and Oleaut32.dll.");
    
      script_set_attribute(attribute:"synopsis", value:"The remote Windows host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host is affected by multiple vulnerabilities :
    
      - A remote code execution vulnerability due to Internet
        Explorer improperly handling access to objects in
        memory. A remote attacker can exploit this vulnerability
        by convincing a user to visit a specially crafted
        website in Internet Explorer, resulting in execution of
        arbitrary code in the context of the current user.
        (CVE-2014-6332)
    
      - A remote code execution vulnerability due to a flaw in
        the OLE package manager. A remote attacker can exploit
        this vulnerability by convincing a user to open an
        Office file containing specially crafted OLE objects,
        resulting in execution of arbitrary code in the context
        of the current user. (CVE-2014-6352)");
      script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2014/ms14-064");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Windows 2003, Vista, 2008,
    7, 2008 R2, 8, 2012, 8.1, and 2012 R2.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'MS14-064 Microsoft Windows OLE Package Manager Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/10/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/11/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/11");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");
    
      script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS14-064';
    kbs = make_list(
      "3006226",
      "3010788"
    );
    
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win2003:'2', vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      # Windows 8.1 / Windows Server 2012 R2
      hotfix_is_vulnerable(os:"6.3", sp:0, file:"packager.dll", version:"6.3.9600.17408", min_version:"6.3.9600.16000", dir:"\system32", bulletin:bulletin, kb:"3010788") ||
    
      # KB 3006226
      hotfix_is_vulnerable(os:"6.3", sp:0, file:"Oleaut32.dll", version:"6.3.9600.17403", min_version:"6.3.9600.16000", dir:"\system32", bulletin:bulletin, kb:"3006226") ||
    
      # Windows 8 / Windows Server 2012
      hotfix_is_vulnerable(os:"6.2", sp:0, file:"packager.dll", version:"6.2.9200.21278", min_version:"6.2.9200.20000", dir:"\system32", bulletin:bulletin, kb:"3010788") ||
      hotfix_is_vulnerable(os:"6.2", sp:0, file:"packager.dll", version:"6.2.9200.17160", min_version:"6.2.9200.16000", dir:"\system32", bulletin:bulletin, kb:"3010788") ||
    
      # KB 3006226
      hotfix_is_vulnerable(os:"6.2", sp:0, file:"Oleaut32.dll", version:"6.2.9200.21273", min_version:"6.2.9200.20000", dir:"\system32", bulletin:bulletin, kb:"3006226") ||
      hotfix_is_vulnerable(os:"6.2", sp:0, file:"Oleaut32.dll", version:"6.2.9200.17155", min_version:"6.2.9200.16000", dir:"\system32", bulletin:bulletin, kb:"3006226") ||
    
      # Windows 7 / Server 2008 R2
      hotfix_is_vulnerable(os:"6.1", sp:1, file:"packager.dll", version:"6.1.7601.22853", min_version:"6.1.7601.22000", dir:"\system32", bulletin:bulletin, kb:"3010788") ||
      hotfix_is_vulnerable(os:"6.1", sp:1, file:"packager.dll", version:"6.1.7601.18645", min_version:"6.1.7600.18000", dir:"\system32", bulletin:bulletin, kb:"3010788") ||
    
      # KB 3006226
      hotfix_is_vulnerable(os:"6.1", sp:1, file:"Oleaut32.dll", version:"6.1.7601.22846", min_version:"6.1.7601.22000", dir:"\system32", bulletin:bulletin, kb:"3006226") ||
      hotfix_is_vulnerable(os:"6.1", sp:1, file:"Oleaut32.dll", version:"6.1.7601.18640", min_version:"6.1.7600.18000", dir:"\system32", bulletin:bulletin, kb:"3006226") ||
    
      # Vista / Windows Server 2008
      hotfix_is_vulnerable(os:"6.0", sp:2, file:"packager.dll", version:"6.0.6002.23527", min_version:"6.0.6002.23000", dir:"\system32", bulletin:bulletin, kb:"3010788") ||
      hotfix_is_vulnerable(os:"6.0", sp:2, file:"packager.dll", version:"6.0.6002.19220", min_version:"6.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:"3010788") ||
    
      # KB 3006226
      hotfix_is_vulnerable(os:"6.0", sp:2, file:"Oleaut32.dll", version:"6.0.6002.23523", min_version:"6.0.6002.23000", dir:"\system32", bulletin:bulletin, kb:"3006226") ||
      hotfix_is_vulnerable(os:"6.0", sp:2, file:"Oleaut32.dll", version:"6.0.6002.19216", min_version:"6.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:"3006226") ||
    
      # Windows Server 2003
      hotfix_is_vulnerable(os:"5.2", sp:2, file:"Oleaut32.dll", version:"5.2.3790.5464", dir:"\system32", bulletin:bulletin, kb:"3006226")
    )
    {
      set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    
  • NASL familyWindows
    NASL idSMB_KB3010060.NASL
    descriptionThe remote host is missing one of the workarounds referenced in Microsoft Security Advisory 3010060. The version of Microsoft Office installed on the remote host is affected by a remote code execution vulnerability due to a flaw in the OLE package manager. A remote attacker can exploit this vulnerability by convincing a user to open an Office file containing specially crafted OLE objects, resulting in execution of arbitrary code in the context of the current user.
    last seen2017-10-29
    modified2017-08-30
    plugin id78627
    published2014-10-22
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=78627
    titleMS KB3010060: Vulnerability in Microsoft OLE Could Allow Remote Code Execution (deprecated)
    code
    #%NASL_MIN_LEVEL 999999
    
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # @DEPRECATED@
    #
    # Disabled on 2014/11/11.  Deprecated by smb_nt_ms14-064.nasl
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(78627);
      script_version("1.9");
      script_cvs_date("Date: 2018/07/27 18:38:15");
    
      script_cve_id("CVE-2014-6352");
      script_bugtraq_id(70690);
      script_xref(name:"MSKB", value:"3010060");
    
      script_name(english:"MS KB3010060: Vulnerability in Microsoft OLE Could Allow Remote Code Execution (deprecated)");
      script_summary(english:"Checks if workarounds referenced in KB article have been applied.");
    
      script_set_attribute(attribute:"synopsis", value:"The remote host is affected by a remote code execution vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The remote host is missing one of the workarounds referenced in
    Microsoft Security Advisory 3010060.
    
    The version of Microsoft Office installed on the remote host is
    affected by a remote code execution vulnerability due to a flaw in the
    OLE package manager. A remote attacker can exploit this vulnerability
    by convincing a user to open an Office file containing specially
    crafted OLE objects, resulting in execution of arbitrary code in the
    context of the current user.");
      script_set_attribute(attribute:"see_also", value:"https://technet.microsoft.com/library/security/3010060");
      script_set_attribute(attribute:"solution", value:
    "Apply the Microsoft Fix it solution 'OLE packager Shim Workaround' or
    deploy the Enhanced Mitigation Experience Toolkit (EMET) 5.0 and
    configure Attack Surface Reduction with the settings provided by
    Microsoft.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'MS14-060 Microsoft Windows OLE Package Manager Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/10/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/10/22");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");
    
      script_dependencies("microsoft_emet_installed.nasl", "smb_hotfixes.nasl");
      script_require_keys("SMB/Registry/Enumerated", "SMB/WindowsVersion");
      script_require_ports(139, 445);
    
      exit(0);
    }
    
    # Deprecated.
    exit(0, "This plugin has been deprecated.  Use plugin #79125 (smb_nt_ms14-064.nasl) instead.");
    
    include("audit.inc");
    include("smb_hotfixes.inc");
    include("misc_func.inc");
    include("smb_func.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_reg_query.inc");
    
    if (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);
    
    # Only Office 2007/2010/2013 are affected
    office_inst = FALSE;
    office_kbs = get_kb_list("SMB/Office/*");
    if (!isnull(office_kbs))
    {
      office_kbs = make_list(office_kbs);
      foreach item (keys(office_kbs))
      {
        if (item =~ "Office\/(Powerpoint|Word|Excel|Publisher|Access)\/1[245]\.") 
        {
          office_inst = TRUE;
          break;
        }
      }
    }
    if (!office_inst) audit(AUDIT_NOT_INST,"Affected Office 2007 / 2010 / 2013 Product");
    
    ##################################################################################
    # Fix it Check
    registry_init();
    
    hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);
    systemroot = hotfix_get_systemroot();
    if (!systemroot) audit(AUDIT_FN_FAIL, 'hotfix_get_systemroot');
    
    guid = '{3a9498f9-243d-424b-893a-8da0b0cfad53}';
    path = get_registry_value(handle:hklm, item:"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\" + guid);
    RegCloseKey(handle:hklm);
    
    if (isnull(path)) path = systemroot + "\AppPatch\Custom\" + guid + '.sdb';
    
    # Now make sure the file is in place
    if (hotfix_file_exists(path:path))
    {
      hotfix_check_fversion_end();
      exit(0, "The host is not affected since the Microsoft 'Fix it' has been applied.");
    }
    hotfix_check_fversion_end();
    ##################################################################################
    
    ##################################################################################
    # EMET Check
    emet_info = '';
    emet_installed = FALSE;
    emet_with_dllhost = FALSE;
    emet_with_pp = FALSE;
    if (!isnull(get_kb_item("SMB/Microsoft/EMET/Installed")))
      emet_installed = TRUE;
    emet_list = get_kb_list("SMB/Microsoft/EMET/*");
    if (!isnull(emet_list))
    {
      foreach entry (keys(emet_list))
      {
        if ("dllhost.exe" >< entry && "/asr" >< entry)
        {
          asr = get_kb_item(entry);
          if (!isnull(asr) && asr == 1)
            emet_with_dllhost = TRUE;
        }
        if (("POWERPNT.EXE" >< entry || "powerpnt.exe" >< entry) && "/asr" >< entry)
        {
          asr = get_kb_item(entry);
          if (!isnull(asr) && asr == 1)
            emet_with_pp = TRUE;
        }
      }
    }
    
    if (!emet_installed)
    {
      emet_info =
      '\n' + 'Microsoft Enhanced Mitigation Experience Toolkit (EMET) is not' +
      '\n' + 'installed.';
    }
    # ASR needs to be on both
    else if (emet_installed && (!emet_with_dllhost || !emet_with_pp))
    {
      emet_info =
      '\n' + 'Microsoft Enhanced Mitigation Experience Toolkit (EMET) is' +
      '\n' + 'installed; however, it is not configured with the recommendations' +
      '\n' + 'from Microsoft to mitigate the vulnerability.';
    }
    
    if (emet_with_dllhost && emet_with_pp) exit(0, "The host is not affected as EMET has been configured to mitigate the vulnerability.");
    ##################################################################################
    
    # If we made it here we don't have any of the fixes.
    port = get_kb_item('SMB/transport');
    if (!port) port = 445;
    
    if (report_verbosity > 0)
    {
      report = '\n' + 'The remote host is missing the OLE packager Shim Workaround.';
      if (emet_info != '') report = report + '\n' + emet_info;
      report += '\n';
      security_hole(port:port, extra:report);
    }
    else security_hole(port);
    

Packetstorm

Seebug

bulletinFamilyexploit
descriptionNo description provided by source.
idSSV:87353
last seen2017-11-19
modified2014-11-13
published2014-11-13
reporterRoot
sourcehttps://www.seebug.org/vuldb/ssvid-87353
titleMS Office 2007 and 2010 - OLE Arbitrary Command Execution

The Hacker News

idTHN:3CCB49974C881C181739745A6694FB0A
last seen2018-01-27
modified2014-10-22
published2014-10-22
reporterMohit Kumar
sourcehttps://thehackernews.com/2014/10/microsoft-powerpoint-vulnerable-to-zero.html
titleMicrosoft PowerPoint Vulnerable to Zero-Day Attack