cbcvebase.
CVE-2010-3333
published 2010-11-10


Priority: P1, 85, high · CVSS 3.1: 7.8
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2022-03-24
Exploited in the wild
EPSS: 89.50% (99.8th percentile)
Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability."

Affected (7 ranges)

Vendor	Product	Version range	Fixed in
microsoft	office		
microsoft	office		
microsoft	office		
microsoft	office		
microsoft	office		
microsoft	office		
microsoft	office		

Detection & IOCs (extracted from sources)

domain: newsumbrella[.]net
url: newsumbrella[.]net/ne3s/lat3st/w0rld/systemupdateAPI[.]exe
url: newsumbrella[.]net/ne3s/file[.]exe
filename: systemupdateAPI.exe
filename: WindowsSecurityService2.exe
filename: WindowsSecurityService3.exe
filename: cydll.dll
path: c:\system\screenshot.bmp
path: c:\system\camera.jpg
path: c:\system\audio.ogg
path: C:\Documents and Settings\<username>\Local Settings\temp\<random>.exe
registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"System Application" = c:\system\WindowsSecurityService[2 or 3].exe
mutex: Flag_Running
mutex: Download_Flag
mutex: Running_Flag
mutex: Flag_Runnimg_2810
mutex: Flag_Running_2016
mutex: Flag_Running_2014RC4
path: %USERPROFILE%\AppData\Roaming\EverNoteService\
snort: SID 21964
snort: SID 22095
snort: SID 22101
snort: SID 22102
  • Detect the CVE-2010-3333 RTF exploit payload via the malicious service's C2 beacon: look for HTTP GET requests containing custom headers 'Extra-Data-Bind', 'Extra-Data-Space', and 'Extra-Data' — the last carrying the initial compromise beacon.
  • Snort SIDs 22101 and 22102 directly detect the CVE-2010-3333 malicious RTF file; SIDs 21964 and 22095 detect the post-exploitation C2 beacon traffic from the dropped service (cydll.dll).
  • Rover establishes persistence via HKCU Run key with value name 'System Application' pointing to c:\system\WindowsSecurityService[2 or 3].exe — monitor this registry path for the specific value name.
  • Rover sends heartbeat HTTP traffic to 46.166.165.254 every 5 seconds and exfiltrates screenshots every 60 minutes and keylog data every 10 seconds — high-frequency periodic HTTP beaconing to this IP is a strong indicator.
  • Aoqin Dragon's Mongall backdoor can be identified by its four distinct mutex names: Flag_Running, Download_Flag, Running_Flag, Flag_Runnimg_2810, Flag_Running_2016, Flag_Running_2014RC4 — scan process memory or sandbox reports for these strings.
  • The CVE-2010-3333 exploit shellcode drops a randomly-named .exe into the user's Local Settings\temp directory — monitor for executable creation in that path immediately following Word/RTF document open events.
  • The Mongall backdoor's encoding/encryption algorithm varies by mutex version: Base64 (type 3) for Flag_Running/Download_Flag/Running_Flag, modified Base64 (type 2) for Flag_Runnimg_2810/Flag_Running_2016, and RC4+Base64 (type 1) for Flag_Running_2014RC4; decryption scripts must handle all three variants.
  • The systemupdateAPI.exe downloader was no longer hosted on newsumbrella[.]net at the time of analysis; the domain may rotate payloads under the same /ne3s/ parent directory path.

CVSS provenance

nvd v3.1: 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
nvd v2.0: 9.3 CRITICAL (AV:N/AC:M/Au:N/C:C/I:C/A:C)
vulncheck: 7.8 HIGH
cisa: 7.8 HIGH