7.8 CVE-2017-11882

CISA Kev Catalog Buffer Overflow Used by Malware Patch Exploit
 

Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11884.
https://nvd.nist.gov/vuln/detail/CVE-2017-11882

Categories

CWE-119 : Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. This term has many different meanings to different audiences. From a CWE mapping perspective, this term should be avoided where possible. Some researchers, developers, and tools intend for it to mean "write past the end of a buffer," whereas others use the same term to mean "any read or write outside the boundaries of a buffer, whether before the beginning of the buffer or after the end of the buffer." Others could mean "any action after the end of a buffer, whether it is a read or write." Since the term is commonly used for exploitation and for vulnerabilities, it further confuses things. Some prominent vendors and researchers use the term "buffer overrun," but most people use "buffer overflow." See the alternate term for "buffer overflow" for context. Generally used for techniques that avoid weaknesses related to memory access, such as those identified by CWE-119 and its descendants. However, the term is not formal, and there is likely disagreement between practitioners as to which weaknesses are implicitly covered by the "memory safety" term. This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available. Incorrect URI normalization in application traffic product leads to buffer overflow, as exploited in the wild per CISA KEV. Buffer overflow in Wi-Fi router web interface, as exploited in the wild per CISA KEV. Classic stack-based buffer overflow in media player using a long entry in a playlist Heap-based buffer overflow in media player using a long entry in a playlist large precision value in a format string triggers overflow negative offset value leads to out-of-bounds read malformed inputs cause accesses of uninitialized or previously-deleted objects, leading to memory corruption chain: lack of synchronization leads to memory corruption Chain: machine-learning product can have a heap-basedbuffer overflow (CWE-122) when some integer-oriented bounds arecalculated by using ceiling() and floor() on floating point values(CWE-1339) attacker-controlled array index leads to code execution chain: -1 value from a function call was intended to indicate an error, but is used as an array index instead. chain: incorrect calculations lead to incorrect pointer dereference and memory corruption product accepts crafted messages that lead to a dereference of an arbitrary pointer chain: malformed input causes dereference of uninitialized memory OS kernel trusts userland-supplied length value, allowing reading of sensitive information Chain: integer overflow in securely-coded mail program leads to buffer overflow. In 2005, this was regarded as unrealistic to exploit, but in 2020, it was rediscovered to be easier to exploit due to evolutions of the technology. buffer overflow involving a regular expression with a large number of captures chain: unchecked message size metadata allows integer overflow (CWE-190) leading to buffer overflow (CWE-119).

References

af854a3a-2127-422b-91ae-364da2661108 Patch Exploit

http://reversingminds-blog.logdown.com/posts/3907313-fileless-attack-in-word-...
Exploit Third Party Advisory
http://www.securityfocus.com/bid/101757
Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1039783
Third Party Advisory VDB Entry
https://0patch.blogspot.com/2017/11/did-microsoft-just-manually-patch-their.html
Exploit Third Party Advisory
https://0patch.blogspot.com/2017/11/official-patch-for-cve-2017-11882-meets.html
Exploit Patch Third Party Advisory
https://github.com/0x09AL/CVE-2017-11882-metasploit
Exploit Third Party Advisory
https://github.com/embedi/CVE-2017-11882
Exploit Third Party Advisory
https://github.com/rxwx/CVE-2017-11882
Exploit Third Party Advisory
https://github.com/unamer/CVE-2017-11882
Exploit Third Party Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-1...
Patch Vendor Advisory
https://researchcenter.paloaltonetworks.com/2017/12/unit42-analysis-of-cve-20...
Exploit Third Party Advisory
https://web.archive.org/web/20181104111128/https://embedi.com/blog/skeleton-c...
Exploit Mitigation Third Party Advisory
https://www.exploit-db.com/exploits/43163/
Exploit Third Party Advisory VDB Entry
https://www.kb.cert.org/vuls/id/421280
Third Party Advisory US Government Resource

secure@microsoft.com Patch Exploit

http://reversingminds-blog.logdown.com/posts/3907313-fileless-attack-in-word-...
Exploit Third Party Advisory
http://www.securityfocus.com/bid/101757
Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1039783
Third Party Advisory VDB Entry
https://0patch.blogspot.com/2017/11/did-microsoft-just-manually-patch-their.html
Exploit Third Party Advisory
https://0patch.blogspot.com/2017/11/official-patch-for-cve-2017-11882-meets.html
Exploit Patch Third Party Advisory
https://github.com/0x09AL/CVE-2017-11882-metasploit
Exploit Third Party Advisory
https://github.com/embedi/CVE-2017-11882
Exploit Third Party Advisory
https://github.com/rxwx/CVE-2017-11882
Exploit Third Party Advisory
https://github.com/unamer/CVE-2017-11882
Exploit Third Party Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-1...
Patch Vendor Advisory
https://researchcenter.paloaltonetworks.com/2017/12/unit42-analysis-of-cve-20...
Exploit Third Party Advisory
https://web.archive.org/web/20181104111128/https://embedi.com/blog/skeleton-c...
Exploit Mitigation Third Party Advisory
https://www.exploit-db.com/exploits/43163/
Exploit Third Party Advisory VDB Entry
https://www.kb.cert.org/vuls/id/421280
Third Party Advisory US Government Resource


 

CPE

cpe start end
Configuration 1
cpe:2.3:a:microsoft:office:2007:sp3:*:*:*:*:*:*
cpe:2.3:a:microsoft:office:2010:sp2:*:*:*:*:*:*
cpe:2.3:a:microsoft:office:2013:sp1:*:*:*:*:*:*
cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:*:*


REMEDIATION


Patch

Url
https://0patch.blogspot.com/2017/11/official-patch-for-cve-2017-11882-meets.html
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-1...
https://0patch.blogspot.com/2017/11/official-patch-for-cve-2017-11882-meets.html
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-1...


EXPLOITS


Exploit-db.com

id description date
No known exploits

POC Github

Url
https://github.com/embedi/CVE-2017-11882
https://github.com/Ridter/CVE-2017-11882
https://github.com/BlackMathIT/2017-11882_Generator
https://github.com/rip1s/CVE-2017-11882
https://github.com/0x09AL/CVE-2017-11882-metasploit
https://github.com/Grey-Li/CVE-2017-11882
https://github.com/Shadowshusky/CVE-2017-11882-
https://github.com/likescam/CVE-2017-11882
https://github.com/lisinan988/CVE-2017-11882-exp
https://github.com/tzwlhack/CVE-2017-11882

Other Nist (github, ...)

Url
http://reversingminds-blog.logdown.com/posts/3907313-fileless-attack-in-word-...
https://0patch.blogspot.com/2017/11/did-microsoft-just-manually-patch-their.html
https://0patch.blogspot.com/2017/11/official-patch-for-cve-2017-11882-meets.html
https://github.com/0x09AL/CVE-2017-11882-metasploit
https://github.com/embedi/CVE-2017-11882
https://github.com/rxwx/CVE-2017-11882
https://github.com/unamer/CVE-2017-11882
https://researchcenter.paloaltonetworks.com/2017/12/unit42-analysis-of-cve-20...
https://web.archive.org/web/20181104111128/https://embedi.com/blog/skeleton-c...
https://www.exploit-db.com/exploits/43163/
http://reversingminds-blog.logdown.com/posts/3907313-fileless-attack-in-word-...
https://0patch.blogspot.com/2017/11/did-microsoft-just-manually-patch-their.html
https://0patch.blogspot.com/2017/11/official-patch-for-cve-2017-11882-meets.html
https://github.com/0x09AL/CVE-2017-11882-metasploit
https://github.com/embedi/CVE-2017-11882
https://github.com/rxwx/CVE-2017-11882
https://github.com/unamer/CVE-2017-11882
https://researchcenter.paloaltonetworks.com/2017/12/unit42-analysis-of-cve-20...
https://web.archive.org/web/20181104111128/https://embedi.com/blog/skeleton-c...
https://www.exploit-db.com/exploits/43163/


CAPEC


Common Attack Pattern Enumerations and Classifications

id description severity
10 Buffer Overflow via Environment Variables
High
100 Overflow Buffers
Very High
123 Buffer Manipulation
Very High
14 Client-side Injection-induced Buffer Overflow
High
24 Filter Failure through Buffer Overflow
High
42 MIME Conversion
High
44 Overflow Binary Resource File
Very High
45 Buffer Overflow via Symbolic Links
High
46 Overflow Variables and Tags
High
47 Buffer Overflow via Parameter Expansion
High
8 Buffer Overflow in an API Call
High
9 Buffer Overflow in Local Command-Line Utilities
High