
Protect Your Systems: Understanding and Mitigating the CVE-2017-0199 Microsoft Office/WordPad Vulnerability


Executive Summary

CVE-2017-0199 is a critical remote code execution vulnerability in Microsoft Office and WordPad that allows attackers to execute arbitrary code via specially crafted documents. This vulnerability, also known as the "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API," has been actively exploited in the wild, posing significant risks to various sectors, including government, finance, and healthcare. The vulnerability affects multiple versions of Microsoft Office and Windows, making it imperative for organizations to understand the technical details, exploitation methods, and mitigation strategies to protect their systems.

Technical Information

CVE-2017-0199 exists due to improper handling of objects in memory by Microsoft Office and WordPad when parsing specially crafted files. An attacker who successfully exploits this vulnerability can execute arbitrary code in the context of the current user. If the current user has administrative rights, the attacker could take control of the affected system. The vulnerability affects the following software versions: Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, and Windows 8.1.

The vulnerability is rated with a CVSS v3.1 base score of 7.8 (High) and a CVSS v2.0 base score of 9.3 (High). The attack vector is local, with low attack complexity, no privileges required, and user interaction required (the victim must open the document). The impact on confidentiality, integrity, and availability is high.

The exploitation process involves several steps. First, an HTA file (HTML Application) is created, which can run JScript and VBScript. This file contains a script to execute PowerShell commands. An example of the VBScript body of such an HTA file is as follows:

```vbscript
' Obtain a shell object and a file-system object
Set owFrClN0giJ = CreateObject("Wscript.Shell")
Set v1ymUkaljYF = CreateObject("Scripting.FileSystemObject")
' Only proceed if powershell.exe is found relative to %PSModulePath%
If v1ymUkaljYF.FileExists(owFrClN0giJ.ExpandEnvironmentStrings("%PSModulePath%") + "..\powershell.exe") Then
    ' Launch a hidden PowerShell instance with a base64-encoded command (placeholder)
    owFrClN0giJ.Run "powershell.exe -nop -w hidden -e ENCODED_B64_SHELL"
End If
```

Next, a simple RTF document is created using Microsoft Word with any random content. This document is then linked to the HTA file using OLEv2 (Object Linking and Embedding). The HTA and RTF files are hosted on a web server (Apache in the example), which is configured to serve the RTF file with the appropriate content type. The RTF document is modified to include a dynamic OLEv2 object link to the HTA file, and the content type of the HTA file is set to "application/hta" to ensure it is executed by the client. When the user opens the RTF document, the OLE object is updated through the link, and the HTA file is executed, resulting in the execution of the PowerShell commands.

Exploitation in the Wild

This vulnerability has been actively exploited in the wild. Attackers have been observed using malicious RTF documents to exploit this vulnerability. The attack typically involves the use of a Visual Basic script containing PowerShell commands, which are executed when the user opens the malicious document.

Notable exploits and attacks include the HTA Handler Exploitation, where attackers leveraged the HTA (HTML Application) handler to download and execute a Visual Basic script containing PowerShell commands. For more details, refer to the FireEye Blog. Another example is the analysis of malicious RTF documents exploiting CVE-2017-0199, which can be found on the NVISO Blog. Additionally, a practical exploitation and proof of concept for CVE-2017-0199 is available on the Rewtin Blog.

Indicators of Compromise (IOCs) include the presence of HTA files with embedded VBScript or JScript, RTF documents containing OLEv2 object links, unusual network traffic to web servers hosting HTA and RTF files, and the execution of PowerShell commands without user interaction.
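The auto-updating OLEv2 link described in the exploitation steps above is also the most durable file-level indicator listed here. The following is an added example (not code from the original report) that scans an RTF for that pattern: it looks for the \objautlink and \objupdate control words and parses the OLE1 ObjectHeader at the start of each \*\objdata blob to see whether the object is declared as a link (FormatID 1) rather than an embedded object (FormatID 2). The two RTF samples are constructed for the demonstration and contain no payload.

```python
import re
import struct

# Constructed RTF samples for demonstration (not real malware). The second one
# mimics the shape of a CVE-2017-0199 document: an OLE object flagged as an
# auto-updating link (\objautlink + \objupdate) whose \*\objdata hex blob
# starts with an OLE1 ObjectHeader declaring FormatID 1 (linked object).
BENIGN_RTF = rb"{\rtf1\ansi{\fonttbl{\f0 Calibri;}}\f0 Quarterly report attached.\par}"
SUSPICIOUS_RTF = (
    rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}"
    rb"{\object\objautlink\objupdate\objw100\objh100"
    # OLEVersion 0x501, FormatID 1 (linked), ClassName length 9, "OLE2Link\0"
    rb"{\*\objdata 01050000 01000000 09000000 4f4c45324c696e6b00 00}"
    rb"}\par}"
)

def objdata_blobs(rtf: bytes) -> list:
    """Decode every \\*\\objdata hex payload; RTF allows whitespace inside it."""
    blobs = []
    for m in re.finditer(rb"\\\*\\objdata\s*([0-9a-fA-F\s]+)", rtf):
        hexdata = re.sub(rb"\s", b"", m.group(1))
        if len(hexdata) % 2 == 0:          # odd length means a malformed blob
            blobs.append(bytes.fromhex(hexdata.decode("ascii")))
    return blobs

def ole1_header(blob: bytes):
    """Parse the OLE1 ObjectHeader (MS-OLEDS): OLEVersion, FormatID, ClassName.
    FormatID 1 = linked object, 2 = embedded object. Returns None if too short."""
    if len(blob) < 12:
        return None
    version, format_id, name_len = struct.unpack_from("<III", blob, 0)
    name = blob[12:12 + name_len].rstrip(b"\x00").decode("latin-1", "replace")
    return {"version": version, "format_id": format_id, "class_name": name}

def assess_rtf(rtf: bytes) -> dict:
    """Flag the auto-updating OLE link pattern described for CVE-2017-0199."""
    flags = {cw: (b"\\" + cw.encode() in rtf) for cw in ("objautlink", "objupdate")}
    headers = [h for h in map(ole1_header, objdata_blobs(rtf)) if h]
    linked = any(h["format_id"] == 1 for h in headers)
    suspicious = linked and any(flags.values())
    return {"flags": flags, "objects": headers, "suspicious": suspicious}

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_RTF), ("suspicious", SUSPICIOUS_RTF)):
        print(label, assess_rtf(doc))
```

A hit from this check is a triage signal, not proof of exploitation: legitimate documents can contain linked objects, so the link target in the remaining OLE1 fields and the serving host should be reviewed before acting.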

APT Groups using this vulnerability

Several Advanced Persistent Threat (APT) groups have been observed exploiting CVE-2017-0199. These groups target various sectors, including government, finance, and healthcare, across different countries. Notable APT groups include APT28 (also known as Fancy Bear), which has been linked to cyber-espionage activities targeting government and military organizations. Another group, APT32 (also known as OceanLotus), has been known to target organizations in Southeast Asia, particularly in the government and private sectors. These groups leverage the vulnerability to gain initial access to systems, execute malicious payloads, and conduct further exploitation activities.

Affected Product Versions

The following product versions are affected by CVE-2017-0199:

Microsoft Office 2007 SP3
Microsoft Office 2010 SP2
Microsoft Office 2013 SP1
Microsoft Office 2016
Microsoft Windows Vista SP2
Windows Server 2008 SP2
Windows 7 SP1
Windows 8.1

Workaround and Mitigation

To mitigate the risks associated with CVE-2017-0199, organizations should apply the following strategies:

Apply Patches: Microsoft has released patches to address this vulnerability. It is crucial to apply these patches to all affected systems. For more information, refer to the Microsoft Security Guidance.

Disable HTA Handler: Disabling the HTA handler can prevent the execution of malicious scripts via this vector.

Use Up-to-date Security Software: Ensure that security software is up-to-date to detect and block malicious documents exploiting this vulnerability.

Implement Network Segmentation: Segmenting the network can help contain the spread of malware and limit the impact of an exploit.

Educate Users: Train users to recognize phishing attempts and avoid opening suspicious documents from unknown sources.

References

For further reading and detailed technical analysis, refer to the following resources:

NVD - CVE-2017-0199
Microsoft Security Guidance
FireEye Blog
NVISO Blog
Rewtin Blog

Rescana is here for you

At Rescana, we are committed to helping our customers navigate the complex landscape of cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform provides comprehensive monitoring, detection, and mitigation strategies to protect your organization from vulnerabilities like CVE-2017-0199. If you have any questions about this report or any other issue, please do not hesitate to contact us at ops@rescana.com.
