CVE-2017-11882 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft Office
Metric | Value |
---|---|
Attack vector | LOCAL |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11884.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 4 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables: This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages the implicit trust often placed in environment variables.
- Overflow Buffers: Buffer overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attacker's choice.
- Client-side Injection-induced Buffer Overflow: This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow: In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow), hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion: An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME-compatible format and back.
Exploit-Db
description | Microsoft Office - OLE Remote Code Execution. CVE-2017-11882. Remote exploit for Windows platform |
file | exploits/windows/remote/43163.txt |
id | EDB-ID:43163 |
last seen | 2017-11-21 |
modified | 2017-11-20 |
platform | windows |
port | |
published | 2017-11-20 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/43163/ |
title | Microsoft Office - OLE Remote Code Execution |
type | remote |
Metasploit
description | This module exploits a flaw in the Equation Editor that allows an attacker to execute arbitrary code via RTF files without user interaction. The vulnerability is caused by the Equation Editor failing to properly handle OLE objects in memory. |
id | MSF:EXPLOIT/WINDOWS/FILEFORMAT/OFFICE_MS17_11882 |
last seen | 2020-06-04 |
modified | 2018-08-28 |
published | 2017-11-21 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/office_ms17_11882.rb |
title | Microsoft Office CVE-2017-11882 |
Nessus
NASL family | Windows : Microsoft Bulletins |
NASL id | SMB_NT_MS17_NOV_OFFICE.NASL |
description | The Microsoft Office products are missing security updates. They are, therefore, affected by multiple vulnerabilities: - Microsoft has released an update for Microsoft Office that provides enhanced security as a defense-in-depth measure. - A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (CVE-2017-11854) - A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (CVE-2017-11882) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 104557 |
published | 2017-11-14 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/104557 |
title | Security Updates for Microsoft Office Products (November 2017) |
Packetstorm
data source | https://packetstormsecurity.com/files/download/145226/office_ms17_11882.rb.txt |
id | PACKETSTORM:145226 |
last seen | 2017-12-06 |
published | 2017-12-06 |
reporter | embedi |
source | https://packetstormsecurity.com/files/145226/Microsoft-Office-Equation-Editor-Code-Execution.html |
title | Microsoft Office Equation Editor Code Execution |
The Hacker News
id | last seen | modified | published | reporter | source | title |
---|---|---|---|---|---|---|
THN:7489F5CF1C31FDAC5F67F700D5DDCD5B | 2018-06-14 | 2018-06-14 | 2018-06-14 | Swati Khandelwal | https://thehackernews.com/2018/06/chinese-watering-hole-attack.html | Chinese Hackers Carried Out Country-Level Watering Hole Attack |
THN:96CCD36932DBF3F5BEFCC18D4EC4E5C2 | 2018-01-27 | 2017-11-15 | 2017-11-14 | Swati Khandelwal | https://thehackernews.com/2017/11/microsoft-patch-tuesday.html | Patch Tuesday: Microsoft Releases Update to Fix 53 Vulnerabilities |
THN:42E3306FC75881CF8EBD30FA8291FF29 | 2020-06-04 | 2020-06-04 | 2020-06-04 | The Hacker News | https://thehackernews.com/2020/06/air-gap-malware-usbculprit.html | New USBCulprit Espionage Tool Steals Data From Air-Gapped Computers |
THN:C21D17F1D92C12B031AB9C761BBD004A | 2018-01-27 | 2018-01-17 | 2018-01-17 | Mohit Kumar | https://thehackernews.com/2018/01/microsoft-office-malware.html | Hackers Exploiting Three Microsoft Office Flaws to Spread Zyklon Malware |
THN:C473C49BA4C68CD048FB1E0B4A2D04F4 | 2018-01-27 | 2017-11-29 | 2017-11-28 | Mohit Kumar | https://thehackernews.com/2017/11/cobalt-strike-malware.html | Hackers Exploit Recently Disclosed Microsoft Office Bug to Backdoor PCs |
THN:CBEFDC179819629DFFC0C17341BFD3E8 | 2018-01-27 | 2017-11-15 | 2017-11-14 | Swati Khandelwal | https://thehackernews.com/2017/11/microsoft-office-rce-exploit.html | 17-Year-Old MS Office Flaw Lets Hackers Install Malware Without User Interaction |
THN:ED087560040A02BCB1F68DE406A7F577 | 2018-01-27 | 2018-01-11 | 2018-01-09 | Mohit Kumar | https://thehackernews.com/2018/01/microsoft-security-patch.html | Microsoft Releases Patches for 16 Critical Flaws, Including a Zero-Day |
Related news
- Multiple Chinese Groups Share the Same RTF Weaponizer
- Malware peddlers hit Office users with old but reliable exploit
- ThreatList: Microsoft Macros Remain Top Vector for Malware Delivery
- New KevDroid Android Backdoor Discovered
- China-linked Hackers Target Engineering and Maritime Industries
- CISA’s Top 30 Bugs: One’s Old Enough to Buy Beer
- Chinese hackers use Windows zero-day to attack defense, IT firms
- Geriatric Microsoft Bug Exploited by APT Using Commodity RATs
- Political-themed actor using old MS Office flaw to drop multiple RATs
- 'Lone Wolf' Hacker Group Targeting Afghanistan and India with Commodity RATs
- Cyberespionage APT Now Identified as Three Separate Actors
- Microsoft fixes exploited zero-day in Windows Support Diagnostic Tool (CVE-2022-34713)
- Transportation sector targeted by both ransomware and APTs
- You patched yet? Years-old Microsoft security holes still hot targets for cyber-crooks
- Alert: Phishing Campaigns Deliver New SideTwist Backdoor and Agent Tesla Variant
- Old vulnerabilities are still a big problem
- Operation Rusty Flag: Azerbaijan Targeted in New Rust-Based Malware Campaign
- Hackers Exploiting Old MS Excel Vulnerability to Spread Agent Tesla Malware
- Hackers Exploiting MS Excel Vulnerability to Spread Agent Tesla Malware
- New SteganoAmor attacks use steganography to target 320 orgs globally
References
- http://reversingminds-blog.logdown.com/posts/3907313-fileless-attack-in-word-without-macros-cve-2017-11882
- http://www.securityfocus.com/bid/101757
- http://www.securitytracker.com/id/1039783
- https://0patch.blogspot.com/2017/11/did-microsoft-just-manually-patch-their.html
- https://0patch.blogspot.com/2017/11/official-patch-for-cve-2017-11882-meets.html
- https://github.com/0x09AL/CVE-2017-11882-metasploit
- https://github.com/embedi/CVE-2017-11882
- https://github.com/rxwx/CVE-2017-11882
- https://github.com/unamer/CVE-2017-11882
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882
- https://researchcenter.paloaltonetworks.com/2017/12/unit42-analysis-of-cve-2017-11882-exploit-in-the-wild/
- https://web.archive.org/web/20181104111128/https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about/
- https://www.exploit-db.com/exploits/43163/
- https://www.kb.cert.org/vuls/id/421280