Microsoft .NET Framework Remote Code Execution

Microsoft .NET Framework is prone to a critical remote code execution vulnerability. When the WSDL parser handles data from a crafted document file, IsValidUrl performs its check improperly and allows malicious URLs to pass validation, which eventually causes a code injection vulnerability. By exploiting this vulnerability, a remote attacker could execute arbitrary code as the administrator.

This vulnerability is triggered in wsdlparser.cs in the System.Runtime.Remoting package (http://referencesource.microsoft.com/#System.Runtime.Remoting/metadata/wsdlparser.cs). IsValidUrl is called to validate the user-provided URL. After detecting the first URL, this function automatically adds the string “//base.ConfigureProxy(this.GetType(),” to nullify the later part of the URL.


Figure 1: The vulnerable function

However, if the data contains a CRLF, the later part of the URL will not be commented out. If the method System.Diagnostics.Process.Start is in the injected code, the code will be compiled by the .NET Framework and eventually delivered into the DLL and executable.


Figure 2: The exploit code
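
The following check is an added example, not SonicWall's signature logic or Microsoft's code. It scans a WSDL document for address elements whose location attribute contains a line terminator, the condition described above that lets text escape the one-line comment. The sample WSDL, the function names and the simplified comment model are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Characters the C# compiler treats as line terminators; each one ends a "//" comment.
LINE_BREAK = re.compile("\r\n|[\r\n\u0085\u2028\u2029]")
# Prefix quoted in the write-up above; the rest of the code generator is not modelled.
COMMENT_PREFIX = "//base.ConfigureProxy(this.GetType(),"

# Constructed sample: the second location hides a CRLF as XML character references.
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
  <service name="Demo">
    <port name="P" binding="B">
      <soap:address location="http://service.example/a"/>
      <soap:address location="http://service.example/b&#13;&#10;PLACEHOLDER_SECOND_LINE"/>
    </port>
  </service>
</definitions>"""


def lines_outside_comment(location):
    """Simplified model: parts of `location` that a single '//' prefix fails to cover."""
    return LINE_BREAK.split(COMMENT_PREFIX + location)[1:]


def suspicious_locations(wsdl_text):
    """Return (location, escaped_lines) for each address element whose
    location attribute would break out of a one-line comment."""
    # Stdlib parser for brevity; use a hardened XML parser on untrusted files.
    root = ET.fromstring(wsdl_text)
    findings = []
    for elem in root.iter():
        # Match soap:address (and soap12:address) by local name, ignoring namespace.
        if elem.tag.rsplit("}", 1)[-1] != "address":
            continue
        location = elem.get("location", "")
        escaped = lines_outside_comment(location)
        if escaped:
            findings.append((location, escaped))
    return findings


if __name__ == "__main__":
    for location, escaped in suspicious_locations(SAMPLE_WSDL):
        print("line break in location:", repr(location))
        print("  text outside the comment:", escaped)
```

The XML parser turns literal newlines inside an attribute into spaces but keeps character references such as `&#13;&#10;`, so the check runs on the parsed attribute value rather than on the raw file text.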

An exploit for this vulnerability is already in the wild. The SonicWall IPS team has developed the following signatures to identify and stop the attacks:

  • IPS 12980: Microsoft .NET Framework Remote Code Execution (SEP 17) 1
  • IPS 12982: Microsoft .NET Framework Remote Code Execution (SEP 17) 2
  • IPS 12983: Microsoft .NET Framework Remote Code Execution (SEP 17) 3

Microsoft Security Bulletin Coverage for September 2017

SonicWall has analyzed and addressed Microsoft’s security advisories for the month of September 2017. A list of the issues reported, along with SonicWall coverage information, is as follows:

Microsoft Coverage

  • CVE-2017-0161 NetBIOS Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11761 Microsoft Exchange Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11764 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-11766 Microsoft Edge Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8567 Microsoft Office Remote Code Execution
    There are no known exploits in the wild.
  • CVE-2017-8597 Microsoft Edge Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8628 Microsoft Bluetooth Driver Spoofing Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8629 Microsoft SharePoint XSS Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8630 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8631 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8632 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8643 Microsoft Edge Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8648 Microsoft Edge Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8649 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8660 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8675 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8676 Windows GDI+ Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8677 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8678 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8679 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8680 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8681 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8682 Win32k Graphics Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8683 Win32k Graphics Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8684 Windows GDI+ Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8685 Windows GDI+ Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8686 Windows DHCP Server Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8687 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8688 Windows GDI+ Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8692 Uniscribe Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8695 Graphics Component Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8696 Microsoft Graphics Component Remote Code Execution
    There are no known exploits in the wild.
  • CVE-2017-8699 Windows Shell Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8702 Windows Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8704 Hyper-V Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8706 Hyper-V Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8707 Hyper-V Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8708 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8709 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8710 Windows Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8711 Hyper-V Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8712 Hyper-V Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8713 Hyper-V Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8714 Remote Desktop Virtual Host Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8716 Windows Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8719 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8720 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8723 Microsoft Edge Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8724 Microsoft Edge Spoofing Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8725 Microsoft Office Publisher Remote Code Execution
    There are no known exploits in the wild.
  • CVE-2017-8728 Microsoft PDF Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8729 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8731 Microsoft Edge Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8733 Internet Explorer Spoofing Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8734 Microsoft Edge Memory Corruption Vulnerability
    ips:12977 Microsoft Edge Memory Corruption Vulnerability (SEP 17) 1

  • CVE-2017-8735 Microsoft Edge Spoofing Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8736 Microsoft Browser Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8737 Microsoft PDF Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8738 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8739 Scripting Engine Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8740 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8741 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8742 PowerPoint Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8743 PowerPoint Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8744 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8745 Microsoft SharePoint Cross Site Scripting Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8746 Device Guard Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8747 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8748 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8749 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8750 Microsoft Browser Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8751 Microsoft Edge Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8752 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8753 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8754 Microsoft Edge Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8755 Microsoft Edge Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8756 Microsoft Edge Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8757 Microsoft Edge Remote Code Execution Vulnerability
    ips:12978 Microsoft Edge Remote Code Execution Vulnerability (SEP 17) 1

  • CVE-2017-8758 Microsoft Exchange Cross-Site Scripting Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8759 .NET Framework Remote Code Execution Vulnerability
    ips:12980 .NET Framework Remote Code Execution Vulnerability (Sep 17)

  • CVE-2017-9417 Broadcom BCM43xx Remote Code Execution Vulnerability
    There are no known exploits in the wild.

Adobe Coverage

  • CVE-2017-11281 Adobe Flash Player Memory Corruption Vulnerability 
    spy:1572 Malformed-File mp4.MP.2

  • CVE-2017-11281 Adobe Flash Player Memory Corruption Vulnerability 
    spy:1573 Malformed-File mp4.MP.3

  • CVE-2017-11282 Adobe Flash Player Memory Corruption Vulnerability 
    spy:1574 Malformed-File swf.MP.573