
Microsoft Word Remote Code Execution Vulnerability (CVE-2015-0097) (Nov 25, 2015)

A remote code execution vulnerability, CVE-2015-0097, exists in Microsoft Office software. It is described as Office improperly handling objects in memory while parsing specially crafted Office files, which could corrupt memory in a way that lets an attacker execute arbitrary code. The trigger described below, however, is not a classic memory-corruption bug but HTML and script embedded in the document and executed in a privileged zone.

To exploit this vulnerability the user has to be tricked into visiting the attacker's website by clicking on a link, or into downloading and opening a specially crafted Office email attachment. Microsoft Word, Excel and PowerPoint contain a remote code execution vulnerability because a document such as a Works document (.wps) can be referenced that actually contains HTML. Word processes that HTML and script code in the Local Machine zone of Internet Explorer, which leads to arbitrary code execution.

Once the user opens the Office document, the attacker is able to perform actions in the security context of the logged-in user.

In the following exploit the Word document contains embedded HTML and script code.

When the user opens this document the code is executed. The code connects to the attacker's server and downloads a file, which is saved with an .hta extension in the per-user Startup directory, %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.

Windows runs everything in the Startup folder at logon, so the malicious HTA executes the next time the user logs on (for example after a reboot). This allows a remote attacker to execute arbitrary code via a crafted Office document, aka "Microsoft Word Local Zone Remote Code Execution Vulnerability."
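The two artifacts described above (a document with a Works/Word extension whose bytes are really HTML with script, and an .hta persisted in the user's Startup folder) can be triaged with a small script. This is an added example written for this page, not Dell SonicWALL's signature logic or the exploit itself. The set of document extensions, the HTML markers, and the assumption that a genuine binary Works/Word document starts with the OLE compound-file header are heuristics chosen here; the sample files are constructed inline.

```python
"""Triage checks for the CVE-2015-0097 pattern described above: a document that
is really HTML with script, and an .hta dropped into the user's Startup folder."""
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Compound-file header used by binary Works/Word documents (assumption: a genuine .wps
# or .doc starts with this; a "document" that is HTML does not).
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# Lower-case markers of HTML/script content; matched case-insensitively.
HTML_MARKERS = (b"<html", b"<script", b"<object", b"activexobject", b"<hta:application")
# Hypothetical list of extensions Word may hand to a converter; tune to your environment.
DOC_EXTENSIONS = {".wps", ".doc", ".dot", ".rtf"}


def html_markers_in(data: bytes) -> List[str]:
    """Return the HTML/script markers present in the first 64 KiB of a file."""
    head = data[:65536].lower()
    return [m.decode() for m in HTML_MARKERS if m in head]


def classify_document(path: Path) -> Dict[str, object]:
    """A document-extension file that is not an OLE container but carries HTML/script is suspect."""
    data = path.read_bytes()
    markers = html_markers_in(data)
    is_ole = data.startswith(OLE_MAGIC)
    return {
        "name": path.name,
        "ole": is_ole,
        "markers": markers,
        "suspicious": not is_ole and bool(markers),
    }


def scan_documents(root: Path) -> List[Dict[str, object]]:
    """Walk a folder (e.g. an attachment quarantine) and classify every document-extension file."""
    return [classify_document(p) for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in DOC_EXTENSIONS]


def startup_hta_entries(startup_dir: Path) -> List[str]:
    """Names of .hta files in a Startup folder: the persistence artifact the post describes."""
    if not startup_dir.is_dir():
        return []
    return sorted(p.name for p in startup_dir.iterdir()
                  if p.is_file() and p.suffix.lower() == ".hta")


def user_startup_dir() -> Path:
    """Per-user Startup folder (%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup)."""
    return Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"


def demo() -> Dict[str, object]:
    """Run both checks over constructed samples in a temporary folder (no real malware involved)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed: a ".wps" that is really HTML with script, the shape of the lure described above.
        (root / "invoice.wps").write_bytes(b"<HTML><body><SCRIPT>var x = 1;</SCRIPT></body></HTML>")
        # Constructed: a benign-looking binary document (OLE header plus padding).
        (root / "report.doc").write_bytes(OLE_MAGIC + b"\x00" * 512)
        # Constructed: HTML under a non-document extension, which the scan ignores.
        (root / "notes.txt").write_bytes(b"<html>not a document extension</html>")
        startup = root / "Startup"
        startup.mkdir()
        (startup / "update.hta").write_bytes(b"<HTA:APPLICATION/>")
        (startup / "desktop.ini").write_bytes(b"[.ShellClassInfo]")
        return {"documents": scan_documents(root), "startup_hta": startup_hta_entries(startup)}


if __name__ == "__main__":
    print(demo())
    if os.name == "nt":
        print("Startup .hta files:", startup_hta_entries(user_startup_dir()))
```

Run it on a quarantine folder by calling `scan_documents(Path(...))`; on a Windows host, `startup_hta_entries(user_startup_dir())` checks the live Startup folder the post names. The OLE check keeps false positives down for real binary documents, but a .docx (a ZIP container) would need its own header check if you add that extension.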

The Dell SonicWALL Threat Research Team has researched this vulnerability and released the following signature to protect their customers:

  • GAV 19554 : Malformed.wps.MP.2

Microsoft Security Bulletin Coverage (Mar 10, 2015)

Dell SonicWALL has analyzed and addressed Microsoft's security advisories for the month of March, 2015. The list of issues reported, along with Dell SonicWALL coverage information, is as follows:

MS15-018 Cumulative Security Update for Internet Explorer (3032359)

  • CVE-2015-0032 VBScript Memory Corruption Vulnerability
    IPS: 10808 “Internet Explorer Memory Corruption Vulnerability(MS15-018) 8”
  • CVE-2015-0072 Internet Explorer Elevation of Privilege Vulnerability
    IPS: 6288 “Internet Explorer Universal XSS 1”
  • CVE-2015-1627 Internet Explorer Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2015-0056 Internet Explorer Memory Corruption Vulnerability
    There is no known exploit in the wild.
  • CVE-2015-0099 Internet Explorer Memory Corruption Vulnerability
    IPS: 10800 “Internet Explorer Memory Corruption Vulnerability(MS15-018) 1”
  • CVE-2015-0100 Internet Explorer Memory Corruption Vulnerability
    IPS: 10801 “Internet Explorer Memory Corruption Vulnerability(MS15-018) 2”
  • CVE-2015-1622 Internet Explorer Memory Corruption Vulnerability
    IPS: 10802 “Internet Explorer Memory Corruption Vulnerability(MS15-018) 3”
  • CVE-2015-1623 Internet Explorer Memory Corruption Vulnerability
    IPS: 10803 “Internet Explorer Memory Corruption Vulnerability(MS15-018) 4”
  • CVE-2015-1624 Internet Explorer Memory Corruption Vulnerability
    IPS: 10805 “Internet Explorer Memory Corruption Vulnerability(MS15-018) 5”
  • CVE-2015-1625 Internet Explorer Memory Corruption Vulnerability
    IPS: 10806 “Internet Explorer Memory Corruption Vulnerability(MS15-018) 6”
  • CVE-2015-1626 Internet Explorer Memory Corruption Vulnerability
    IPS: 7645 “HTTP Client Shellcode Exploit 11c”
  • CVE-2015-1634 Internet Explorer Memory Corruption Vulnerability
    IPS: 10807 “Internet Explorer Memory Corruption Vulnerability(MS15-018) 7”

MS15-019 Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3040297)

  • CVE-2015-0032 VBScript Memory Corruption Vulnerability
    IPS: 10808 “Internet Explorer Memory Corruption Vulnerability(MS15-018) 8”

MS15-020 Vulnerabilities in Microsoft Windows Could Allow Remote Code Execution (3041836)

  • CVE-2015-0081 WTS Remote Code Execution Vulnerability
    ASPY: 4858 “Malformed-File RTF.MP.1_2”
  • CVE-2015-0096 DLL Planting Remote Code Execution Vulnerability
    ASPY: 4863 “Malformed-File lnk.MP.1”

MS15-021 Vulnerabilities in Adobe Font Driver Could Allow Remote Code Execution (3032323)

  • CVE-2015-0074 Adobe Font Driver Denial of Service Vulnerability
    There is no known exploit in the wild.
  • CVE-2015-0087 Adobe Font Driver Information Disclosure Vulnerability
    ASPY: 4861 “Malformed-File pfm.MP.1”
  • CVE-2015-0089 Adobe Font Driver Information Disclosure Vulnerability
    ASPY: 4862 “Malformed-File otf.MP.10”
  • CVE-2015-0088 Adobe Font Driver Remote Code Execution Vulnerability
    There is no known exploit in the wild.
  • CVE-2015-0090 Adobe Font Driver Remote Code Execution Vulnerability
    ASPY: 4864 “Malformed-File pfb.MP.1”
  • CVE-2015-0091 Adobe Font Driver Remote Code Execution Vulnerability
    ASPY: 4864 “Malformed-File pfb.MP.1”
  • CVE-2015-0092 Adobe Font Driver Remote Code Execution Vulnerability
    ASPY: 4864 “Malformed-File pfb.MP.1”
  • CVE-2015-0093 Adobe Font Driver Remote Code Execution Vulnerability
    ASPY: 4864 “Malformed-File pfb.MP.1”

MS15-022 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3038999)

  • CVE-2015-0085 Microsoft Office Component Use After Free Vulnerability
    There is no known exploit in the wild.
  • CVE-2015-0086 Microsoft Office Memory Corruption Vulnerability
    GAV: 27233 “Malformed.rtf.TL.5”
  • CVE-2015-0097 Microsoft Word Local Zone Remote Code Execution Vulnerability
    ASPY: 4859 “Malformed-File wps.MP.2”
  • CVE-2015-1633 Microsoft SharePoint XSS Vulnerability
    IPS: 2087 “Cross-Site Scripting (XSS) Attack 47”
  • CVE-2015-1636 Microsoft SharePoint XSS Vulnerability
    IPS: 2088 “Cross-Site Scripting (XSS) Attack 48”

MS15-023 Vulnerabilities in Kernel-Mode Driver Could Allow Elevation of Privilege (3034344)

  • CVE-2015-0077 Microsoft Windows Kernel Memory Disclosure Vulnerability
    ASPY: 4860 “Malformed-File exe.MP.9”
  • CVE-2015-0078 Win32k Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2015-0094 Microsoft Windows Kernel Memory Disclosure Vulnerability
    ASPY: 4865 “Malformed-File exe.MP.10”
  • CVE-2015-0095 Microsoft Windows Kernel Memory Disclosure Vulnerability
    This is a local vulnerability.

MS15-024 Vulnerability in PNG Processing Could Allow Information Disclosure (3035132)

  • CVE-2015-0080 Malformed PNG Parsing Information Disclosure Vulnerability
    ASPY: 4855 “Malformed-File png.MP.2”

MS15-025 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (3038680)

  • CVE-2015-0073 Registry Virtualization Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2015-0075 Impersonation Level Check Elevation of Privilege Vulnerability
    There is no known exploit in the wild.

MS15-026 Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3040856)

  • CVE-2015-1628 OWA Modified Canary Parameter Cross Site Scripting Vulnerability
    IPS: 10804 “Microsoft Exchange Server OWA XSS 3”
  • CVE-2015-1629 ExchangeDLP Cross Site Scripting Vulnerability
    This is a local vulnerability.
  • CVE-2015-1630 Audit Report Cross Site Scripting Vulnerability
    This is a local vulnerability.
  • CVE-2015-1631 Exchange Forged Meeting Request Spoofing Vulnerability
    There is no known exploit in the wild.
  • CVE-2015-1632 Exchange Error Message Cross Site Scripting Vulnerability
    IPS: 6391 “Cross-Site Scripting (XSS) Attack 46”

MS15-027 Vulnerability in NETLOGON Could Allow Spoofing (3002657)

  • CVE-2015-0005 NETLOGON Spoofing Vulnerability
    There is no known exploit in the wild.

MS15-028 Vulnerability in Windows Task Scheduler Could Allow Security Feature Bypass (3030377)

  • CVE-2015-0084 Task Scheduler Security Feature Bypass Vulnerability
    This is a local vulnerability.

MS15-029 Vulnerability in Windows Photo Decoder Component Could Allow Information Disclosure (3035126)

  • CVE-2015-0076 JPEG XR Parser Information Disclosure Vulnerability
    ASPY: 4856 “Malformed-File jxr.MP.1”

MS15-030 Vulnerability in Remote Desktop Protocol Could Allow Denial of Service (3039976)

  • CVE-2015-0079 Remote Desktop Protocol (RDP) Denial of Service Vulnerability
    There is no known exploit in the wild.

MS15-031 Vulnerability in Schannel Could Allow Security Feature Bypass (3046049)

  • CVE-2015-1637 Schannel Security Feature Bypass Vulnerability
    IPS: 6366 “Client Hello with EXPORT Cipher Suites 1”
    IPS: 6412 “Client Hello with EXPORT Cipher Suites 2”
    IPS: 6428 “Server Hello with EXPORT Cipher Suite”
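The three Schannel signatures above match on export-grade cipher suites in the ClientHello and ServerHello. As an added example that is not SonicWALL's code or the actual signature logic, the parser below pulls the cipher suites out of a TLS handshake record and flags the RFC 2246 export suites (40-bit symmetric keys, 512-bit RSA/DH key exchange); a ClientHello that offers them or a ServerHello that selects them is what such a rule would alert on. The record builders and sample inputs are constructed here for testing.

```python
"""Flag export-grade cipher suites in a TLS ClientHello or ServerHello record."""
import struct
from typing import Dict, List

# RFC 2246 export-grade cipher suites; the numeric ids are the IANA-registered values.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}
HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 0x16, 0x01, 0x02


def parse_hello(record: bytes) -> Dict[str, object]:
    """Parse one TLS record carrying a ClientHello or ServerHello.

    Returns the offered (client) or selected (server) cipher suites and the subset
    that are export-grade. Raises ValueError for anything that is not a Hello."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4:
        raise ValueError("truncated handshake")
    hs_type = hs[0]
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake body")
    pos = 2 + 32                          # skip protocol version and 32-byte random
    sid_len = body[pos]
    pos += 1 + sid_len                    # skip session_id
    if hs_type == CLIENT_HELLO:
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        if cs_len % 2 or pos + cs_len > len(body):
            raise ValueError("bad cipher_suites length")
        suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        kind = "ClientHello"
    elif hs_type == SERVER_HELLO:
        suites = [struct.unpack("!H", body[pos:pos + 2])[0]]
        kind = "ServerHello"
    else:
        raise ValueError("not a Hello message")
    export = [EXPORT_SUITES[s] for s in suites if s in EXPORT_SUITES]
    return {"type": kind, "suites": suites, "export": export}


def _wrap(hs_type: int, body: bytes) -> bytes:
    """Wrap a handshake body in a handshake header and a TLS 1.0 record header."""
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


def build_client_hello(suites: List[int]) -> bytes:
    """Constructed test input: a minimal ClientHello (zero random, empty session id,
    null compression, no extensions) offering the given suites."""
    body = (b"\x03\x01" + b"\x00" * 32 + b"\x00"
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00")
    return _wrap(CLIENT_HELLO, body)


def build_server_hello(suite: int) -> bytes:
    """Constructed test input: a minimal ServerHello selecting one suite."""
    body = b"\x03\x01" + b"\x00" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _wrap(SERVER_HELLO, body)


if __name__ == "__main__":
    # A client offering one export suite among modern ones, and a server picking it.
    for rec in (build_client_hello([0xC02F, 0x002F, 0x0003]), build_server_hello(0x0003)):
        print(parse_hello(rec))
```

Feed `parse_hello` the first record of a captured TCP stream (for example the payload of the first client packet after the TCP handshake) to reproduce the "Client Hello with EXPORT Cipher Suites" check; the ServerHello branch covers the server-side rule. Modern clients should never offer these suites at all, so an alert on the ClientHello is a strong signal on its own.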