Executive Summary

Summary
Title Microsoft .NET framework SOAP Moniker PrintClientProxy remote code execution vulnerability
Informations
Name VU#101048 First vendor Publication 2017-09-13
Vendor VU-CERT Last vendor Modification 2017-09-16
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score 9.3 Attack Range Network
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#101048

Microsoft .NET framework SOAP Moniker PrintClientProxy remote code execution vulnerability

Original Release date: 13 Sep 2017 | Last revised: 16 Sep 2017

Overview

The Microsoft .NET framework fails to properly parse WSDL content, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

The PrintClientProxy method in the WSDL-parsing component of the Microsoft .NET framework fails to properly handle linefeed characters. If an attacker can trigger the .NET framework to trigger a specially-crafted WSDL file, this can result in arbitrary code execution.

This vulnerability is currently being exploited in the wild, by way of an RTF file with an embedded Soap Moniker object that triggers a remote WSDL file to be retrieved and parsed. Other attack vectors may be possible.

Impact

By causing the .NET framework to parse a specially-crafted WSDL file with the SOAP Moniker, an unauthenticated remote attacker may be able to execute arbitrary code on a vulnerable system. Current exploits achieve this by convincing a user to open a RTF document.

Solution

Apply an update

This issue is addressed in CVE-2017-8759 | .NET Framework Remote Code Execution Vulnerability

Enable Protected View for RTF documents in Microsoft Word

Exploits in the wild utilize RTF documents. These public exploits are blocked if Protected Mode is enabled for RTF documents in Microsoft Word. Refer to File Block Settings in the Microsoft Office Trust Center. For example, the following registry values can be used to block the opening of RTF documents in Word 2016:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\FileBlock]
"RtfFiles"=dword:00000002

For other versions of Office, the path above will need to be modified to match the version number associated with the installed version of Office.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
Microsoft CorporationAffected-13 Sep 2017
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

GroupScoreVector
Base7.5AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal6.5E:H/RL:OF/RC:C
Environmental6.5CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

  • https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html
  • https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759

Credit

This issue was discovered by Genwei Jiang and Dhanesh Kizhakkinan of FireEye, Inc.

This document was written by Will Dormann.

Other Information

  • CVE IDs:CVE-2017-8759
  • Date Public:12 Sep 2017
  • Date First Published:13 Sep 2017
  • Date Last Updated:16 Sep 2017
  • Document Revision:25

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/101048

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 8

Snort® IPS/IDS

Date Description
2017-10-17 RTF WSDL file download attempt
RuleID : 44372 - Revision : 2 - Type : FILE-OFFICE
2017-10-17 RTF WSDL file download attempt
RuleID : 44371 - Revision : 2 - Type : FILE-OFFICE
2017-10-12 WSDL soap endpoint location code injection attempt
RuleID : 44354 - Revision : 2 - Type : FILE-OTHER
2017-10-12 WSDL soap endpoint location code injection attempt
RuleID : 44353 - Revision : 2 - Type : FILE-OTHER

Nessus® Vulnerability Scanner

Date Description
2017-11-03 Name : The remote Windows host is affected by multiple vulnerabilities.
File : smb_nt_ms17_sep_4038781.nasl - Type : ACT_GATHER_INFO
2017-09-12 Name : The remote Windows host is affected by multiple vulnerabilities.
File : smb_nt_ms17_sep_4038777.nasl - Type : ACT_GATHER_INFO
2017-09-12 Name : The remote Windows host is affected by multiple vulnerabilities.
File : smb_nt_ms17_sep_4038782.nasl - Type : ACT_GATHER_INFO
2017-09-12 Name : The remote Windows host is affected by multiple vulnerabilities.
File : smb_nt_ms17_sep_4038783.nasl - Type : ACT_GATHER_INFO
2017-09-12 Name : The remote Windows host is affected by multiple vulnerabilities.
File : smb_nt_ms17_sep_4038788.nasl - Type : ACT_GATHER_INFO
2017-09-12 Name : The remote Windows host is affected by multiple vulnerabilities.
File : smb_nt_ms17_sep_4038792.nasl - Type : ACT_GATHER_INFO
2017-09-12 Name : The remote Windows host is affected by multiple vulnerabilities.
File : smb_nt_ms17_sep_4038799.nasl - Type : ACT_GATHER_INFO
2017-09-12 Name : The remote Windows host has a software framework installed that is affected b...
File : smb_nt_ms17_sep_4041083.nasl - Type : ACT_GATHER_INFO
2017-09-12 Name : The remote Windows host is affected by multiple vulnerabilities.
File : smb_nt_ms17_sep_win2008.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
3
Date Informations
2017-09-22 00:25:54
  • Multiple Updates
2017-09-16 17:22:31
  • Multiple Updates
2017-09-14 17:22:39
  • Multiple Updates
2017-09-13 21:22:51
  • First insertion