Microsoft Office 2007/2010/2013/2016 RTF Document Necurs Dridex access control
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.9 | $0-$5k | 0.00 |
A vulnerability, which was classified as very critical, has been found in Microsoft Office 2007/2010/2013/2016 (Office Suite Software). This issue affects an unknown function of the component RTF Document Handler. The manipulation with an unknown input leads to a access control vulnerability (Necurs Dridex). Using CWE to declare the problem leads to CWE-284. The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Impacted is confidentiality, integrity, and availability.
The bug was discovered 04/11/2017. The weakness was presented 04/07/2017 by Haifei Li (SecuriTeam) with McAfee as Critical Office Zero-Day Attacks Detected in the Wild as confirmed article (Website). The advisory is shared at securingtomorrow.mcafee.com. The public release happened without involvement of Microsoft. The identification of this vulnerability is CVE-2017-0199 since 09/09/2016. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. Technical details are unknown but a public exploit is available. The price for an exploit might be around USD $0-$5k at the moment (estimation calculated on 11/28/2022). MITRE ATT&CK project uses the attack technique T1068 for this issue. Due to its background and reception, this vulnerability has a historic impact. The advisory points out:
Yesterday, we observed suspicious activities from some samples. After quick but in-depth research, this morning we have confirmed these samples are exploiting a vulnerability in Microsoft Windows and Office that is not yet patched.
A public exploit has been developed in Python and been published 3 weeks after the advisory. The exploit is available at exploit-db.com. It is declared as highly functional. The vulnerability was handled as a non-public zero-day exploit for at least 188 days. During that time the estimated underground price was around $25k-$100k. A worm is spreading, which is automatically exploiting this vulnerability. The vulnerability scanner Nessus provides a plugin with the ID 99285 (Windows Server 2012 April 2017 Security Updates (Petya)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Windows : Microsoft Bulletins and running in the context l. The commercial vulnerability scanner Qualys is able to test this issue with plugin 110297 (Microsoft Office and Microsoft Office Services and Web Apps Security Update April 2017). The code used by the exploit is:
ministream_data << "01000002090000000100000000000000" # 00000000: ................ ministream_data << "0000000000000000a4000000e0c9ea79" # 00000010: ...............y ministream_data << "f9bace118c8200aa004ba90b8c000000" # 00000020: .........K...... ministream_data << generate_uri ministream_data << "00000000795881f43b1d7f48af2c825d" # 000000a0: ....yX..;..H.,.] ministream_data << "c485276300000000a5ab0000ffffffff" # 000000b0: ..'c............ ministream_data << "0609020000000000c000000000000046" # 000000c0: ...............F ministream_data << "00000000ffffffff0000000000000000" # 000000d0: ................ ministream_data << "906660a637b5d2010000000000000000" # 000000e0: .f`.7........... ministream_data << "00000000000000000000000000000000" # 000000f0: ................ ministream_data << "100203000d0000000000000000000000" # 00000100: ................ ministream_data << "00000000000000000000000000000000" # 00000110: ................ ministream_data << "00000000000000000000000000000000" # 00000120: ................ ministream_data << "00000000000000000000000000000000" # 00000130: ................ ministream_data << "00000000000000000000000000000000" # 00000140: ................ ministream_data << "00000000000000000000000000000000" # 00000150: ................ ministream_data << "00000000000000000000000000000000" # 00000160: ................ ministream_data << "00000000000000000000000000000000" # 00000170: ................ ministream_data << "00000000000000000000000000000000" # 00000180: ................ ministream_data << "00000000000000000000000000000000" # 00000190: ................ ministream_data << "00000000000000000000000000000000" # 000001a0: ................ ministream_data << "00000000000000000000000000000000" # 000001b0: ................ ministream_data << "00000000000000000000000000000000" # 000001c0: ................ ministream_data << "00000000000000000000000000000000" # 000001d0: ................ ministream_data << "00000000000000000000000000000000" # 000001e0: ................ ministream_data << "00000000000000000000000000000000" # 000001f0: ................The advisory illustrates:
The samples we have detected are organized as Word files (more specially, RTF files with “.doc” extension name). (...) The exploit connects to a remote server (controlled by the attacker), downloads a file that contains HTML application content, and executes it as an .hta file. Because .hta is executable, the attacker gains full code execution on the victim’s machine. Thus, this is a logical bug, and gives the attackers the power to bypass any memory-based mitigations developed by Microsoft.It appears that this issue was not exploited during the Petya/NotPetya attack campaign.The CISA Known Exploited Vulnerabilities Catalog lists this issue since 11/03/2021 with a due date of 05/03/2022:
Apply updates per vendor instructions. Applying a patch is able to eliminate this problem. The bugfix is ready for download at portal.msrc.microsoft.com. A possible mitigation has been published 4 days after the disclosure of the vulnerability. The article contains the following remark:
Do not open any Office files obtained from untrusted locations. According to our tests, this active attack cannot bypass the Office Protected View, so we suggest everyone ensure that Office Protected View is enabled.
The vulnerability is also documented in the databases at Tenable (99285) and Exploit-DB (41934). arstechnica.com is providing further details. See 99653, 99654, 99655 and 99656 for similar entries.
Affected
- Microsoft Office 2007/2010/2013/2016
- Microsoft Wordpad
Product
Type
Vendor
Name
Version
License
CPE 2.3
CPE 2.2
Screenshot
Video
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.0VulDB Meta Temp Score: 6.9
VulDB Base Score: 6.3
VulDB Temp Score: 6.0
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 7.8
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Name: Necurs DridexClass: Access control / Necurs Dridex
CWE: CWE-284 / CWE-266
ATT&CK: T1068
Local: No
Remote: Yes
Availability: 🔍
Access: Public
Status: Highly functional
Wormified: 🔍
Reliability: 🔍
Programming Language: 🔍
Download: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
KEV Added: 🔍
KEV Due: 🔍
KEV Remediation: 🔍
KEV Ransomware: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | unlock | unlock | unlock | unlock |
|---|---|---|---|---|
| Today | unlock | unlock | unlock | unlock |
Nessus ID: 99285
Nessus Name: Windows Server 2012 April 2017 Security Updates (Petya)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
OpenVAS ID: 800218
OpenVAS Name: Microsoft Windows Monthly Rollup (KB4015551)
OpenVAS File: 🔍
OpenVAS Family: 🔍
Saint ID: microsoft_word_wordpad_rtf
Saint Name: Microsoft Word and WordPad RTF HTA handler command execution
Qualys ID: 🔍
Qualys Name: 🔍
MetaSploit ID: office_word_hta.rb
MetaSploit Name: Microsoft Office Word Malicious Hta Execution
MetaSploit File: 🔍
Exploit-DB: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Exploit Delay Time: 🔍
Patch: portal.msrc.microsoft.com
Suricata ID: 2024224
Suricata Class: 🔍
Suricata Message: 🔍
Timeline
09/09/2016 🔍10/01/2016 🔍
04/07/2017 🔍
04/07/2017 🔍
04/11/2017 🔍
04/11/2017 🔍
04/11/2017 🔍
04/11/2017 🔍
04/11/2017 🔍
04/12/2017 🔍
04/25/2017 🔍
04/25/2017 🔍
11/28/2022 🔍
Sources
Vendor: microsoft.comAdvisory: Critical Office Zero-Day Attacks Detected in the Wild
Researcher: Haifei Li (SecuriTeam)
Organization: McAfee
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2017-0199 (🔍)
OVAL: 🔍
SecurityTracker: 1038224
SecurityFocus: 97498 - Microsoft Office OLE Feature Remote Code Execution Vulnerability
scip Labs: https://www.scip.ch/en/?labs.20161013
Misc.: 🔍
See also: 🔍
Entry
Created: 04/11/2017 09:31Updated: 11/28/2022 08:52
Changes: 04/11/2017 09:31 (124), 10/21/2019 18:16 (2), 11/28/2022 08:52 (4)
Complete: 🔍
No comments yet. Languages: en.
Please log in to comment.