CVE-2015-0065
published 2015-02-11


Severity: critical, CVSS 2.0 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Priority: P261
Exploit: public exploit available
EPSS: 30.33% (98.0th percentile)
Microsoft Word 2007 SP3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "OneTableDocumentStream Remote Code Execution Vulnerability."

Affected (1 range)

Vendor: microsoft
Product: word
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

filename: 037542f7_crash.rtf
filename: 037542f7_orig.doc
filename: 037542f7_full.doc
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37966.zip
  • The crash occurs in mso!Ordinal7799+0x2fc: an invalid read through a bad object pointer that originates in the OneTableDocumentStream data section. Monitor for access violations in mso.dll raised while Word is parsing a document.
  • The bad object pointer is passed from wwlib.dll into MSO.dll; in MSO.dll 12.0.6683.5000, inspect the second argument of the function at 328A0A16 for anomalous pointer values.
  • The manipulated fields all live in the OneTableDocumentStream data section of the Word binary format: PlcfSed's aCP[0] field and the pn field of PNFKPPAPX[44]. Inspect these fields in .doc/.rtf files for anomalous values.
  • A copy operation at 3126A36C in wwlib.dll 12.0.6707.5000 copies invalid data from the OneTableDocumentStream into a stack buffer, which is how the bad object pointer ends up on the stack; this copy is the root operation to monitor.
  • The full-register-control PoC uses 0xAAAAAAAA as the value of the controlled crashing register. A Word process crashing with EIP or a call target of 0xAAAAAAAA therefore points at the public PoC specifically; a real exploit will use other values, so treat that constant as a PoC signature rather than as a general indicator of exploitation.
  • The analysis is specific to Microsoft Word 2007 SP3 (wwlib.dll 12.0.6707.5000, MSO.dll 12.0.6683.5000); the IOCs and offsets above are only valid for these exact module versions.
  • Reproduction was confirmed on Windows Server 2003 and Windows 7; behaviour on other platforms is not documented in the source.
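The bullets above name two table-stream structures to inspect, PlcfSed's aCP[0] and the pn field of a PNFKPPAPX entry, without showing how to locate them. The following is an added example written for this page, not code from the source analysis or from Exploit-DB. It walks the FIB in the WordDocument stream to find fcPlcfSed/lcbPlcfSed and fcPlcfBtePapx/lcbPlcfBtePapx (MS-DOC layout: FibBase, csw, FibRgW97, cslw, FibRgLw97, cbRgFcLcb, FibRgFcLcb97), then validates both structures in the table stream. It assumes the caller has already extracted the raw WordDocument and 0Table/1Table streams from the OLE container (for instance with olefile); the sample streams, the rule that aCP[0] should be 0, and the loose upper bound on the last CP are my own constructions, and the function names are hypothetical. The checks generalize beyond index 44: every pn and every CP is validated.

```python
"""Structural checks on the Word binary (.doc) structures named in the crash analysis:
the PlcfSed (section table) and the PlcfBtePapx (paragraph FKP page table). Both live in
the table stream that the FIB in the WordDocument stream points to. Added example; the
caller supplies the raw streams (constructed inline here, not a real document)."""
import struct

IDX_PLCFSED = 6        # position of (fcPlcfSed, lcbPlcfSed) in FibRgFcLcb97
IDX_PLCFBTEPAPX = 13   # position of (fcPlcfBtePapx, lcbPlcfBtePapx)
FKP_PAGE = 512         # an FKP occupies one 512-byte page of the WordDocument stream


def fib_pointers(worddoc):
    """Parse the FIB: which table stream holds the PLCs, the total CP count, and the two pairs."""
    wIdent, = struct.unpack_from('<H', worddoc, 0)
    if wIdent != 0xA5EC:
        raise ValueError('not a Word binary FIB (wIdent=0x%04X)' % wIdent)
    flags, = struct.unpack_from('<H', worddoc, 10)
    table_name = '1Table' if flags & 0x0200 else '0Table'   # fWhichTblStm is bit 9
    csw, = struct.unpack_from('<H', worddoc, 32)
    off = 34 + 2 * csw                                       # skip FibRgW97
    cslw, = struct.unpack_from('<H', worddoc, off)
    rglw = off + 2
    # FibRgLw97[3..10]: ccpText, ccpFtn, ccpHdd, reserved, ccpAtn, ccpEdn, ccpTxbx, ccpHdrTxbx
    ccps = struct.unpack_from('<8I', worddoc, rglw + 12)
    ccp_total = sum(ccps) - ccps[3]
    off = rglw + 4 * cslw
    cb, = struct.unpack_from('<H', worddoc, off)
    pairs = [struct.unpack_from('<II', worddoc, off + 2 + 8 * i) for i in range(cb)]
    return {'table': table_name, 'ccp_total': ccp_total,
            'plcfsed': pairs[IDX_PLCFSED], 'plcfbtepapx': pairs[IDX_PLCFBTEPAPX]}


def check_plcfsed(table, fc, lcb, worddoc_len, ccp_total):
    """PlcfSed = (n+1) CPs followed by n 12-byte Sed records (fn, fcSepx, fnMpr, fcMpr)."""
    findings = []
    if lcb < 20 or fc + lcb > len(table) or (lcb - 4) % 16:
        return ['PlcfSed has a bad size or does not fit the table stream: fc=0x%X lcb=0x%X' % (fc, lcb)]
    n = (lcb - 4) // 16
    acp = struct.unpack_from('<%dI' % (n + 1), table, fc)
    if acp[0] != 0:                        # assumption: sections cover the main text from CP 0
        findings.append('PlcfSed.aCP[0] = 0x%08X, expected 0' % acp[0])
    if any(b < a for a, b in zip(acp, acp[1:])):
        findings.append('PlcfSed.aCP is not non-decreasing')
    if acp[-1] > ccp_total + 1:            # loose bound: a CP past every character is bogus
        findings.append('PlcfSed last CP 0x%08X exceeds the document CP count %d' % (acp[-1], ccp_total))
    for i in range(n):
        _fn, fc_sepx, _fn_mpr, _fc_mpr = struct.unpack_from('<HIHI', table, fc + 4 * (n + 1) + 12 * i)
        if fc_sepx != 0xFFFFFFFF and fc_sepx >= worddoc_len:   # 0xFFFFFFFF means "no SEPX"
            findings.append('Sed[%d].fcSepx = 0x%08X lies outside the WordDocument stream' % (i, fc_sepx))
    return findings


def check_plcfbtepapx(table, fc, lcb, worddoc_len):
    """PlcfBtePapx = (n+1) FCs followed by n PnFkpPapx; pn (low 22 bits) must name a full page."""
    findings = []
    if lcb < 12 or fc + lcb > len(table) or (lcb - 4) % 8:
        return ['PlcfBtePapx has a bad size or does not fit the table stream: fc=0x%X lcb=0x%X' % (fc, lcb)]
    n = (lcb - 4) // 8
    afc = struct.unpack_from('<%dI' % (n + 1), table, fc)
    pns = struct.unpack_from('<%dI' % n, table, fc + 4 * (n + 1))
    if any(b < a for a, b in zip(afc, afc[1:])):
        findings.append('PlcfBtePapx.aFC is not non-decreasing')
    pages = worddoc_len // FKP_PAGE
    for i, raw in enumerate(pns):
        pn = raw & 0x3FFFFF
        if pn >= pages:
            findings.append('PnFkpPapx[%d].pn = 0x%X points past the WordDocument stream (%d pages)' % (i, pn, pages))
    return findings


def scan(worddoc, table):
    """Run both checks; an empty list means the two structures look sane."""
    fib = fib_pointers(worddoc)
    findings = check_plcfsed(table, *fib['plcfsed'], len(worddoc), fib['ccp_total'])
    findings += check_plcfbtepapx(table, *fib['plcfbtepapx'], len(worddoc))
    return findings


def build_sample(tamper=False):
    """Constructed sample, not a real document: a FIB-only WordDocument stream of 8 pages and a
    table stream with one section and 45 FKP pages. tamper=True plants the two anomalies the
    analysis names: a wild aCP[0] and an out-of-range pn at PnFkpPapx[44]."""
    worddoc = bytearray(8 * FKP_PAGE)
    struct.pack_into('<HH', worddoc, 0, 0xA5EC, 0x00C1)   # wIdent, nFib
    struct.pack_into('<H', worddoc, 10, 0x0200)           # fWhichTblStm = 1 -> 1Table
    struct.pack_into('<H', worddoc, 32, 14)               # csw
    struct.pack_into('<H', worddoc, 62, 22)               # cslw
    struct.pack_into('<I', worddoc, 64, len(worddoc))     # cbMac
    struct.pack_into('<I', worddoc, 76, 10)               # ccpText
    struct.pack_into('<H', worddoc, 152, 93)              # cbRgFcLcb for FibRgFcLcb97
    plcfsed = struct.pack('<II', 0x7FFFFFFF if tamper else 0, 11)   # aCP[0], aCP[1]
    plcfsed += struct.pack('<HIHI', 0, 0x800, 0, 0xFFFFFFFF)        # one Sed record
    afc = [8 * i for i in range(46)]
    pns = [1 + i % 7 for i in range(45)]
    if tamper:
        pns[44] = 0x3FFFFF
    plcfbtepapx = struct.pack('<46I', *afc) + struct.pack('<45I', *pns)
    table = plcfsed.ljust(0x40, b'\0') + plcfbtepapx
    struct.pack_into('<II', worddoc, 154 + 8 * IDX_PLCFSED, 0, len(plcfsed))
    struct.pack_into('<II', worddoc, 154 + 8 * IDX_PLCFBTEPAPX, 0x40, len(plcfbtepapx))
    return bytes(worddoc), table
```

Run `scan(*build_sample())` for a clean result and `scan(*build_sample(tamper=True))` to see the aCP[0] and PnFkpPapx[44] findings. On a real file, feed the bytes of the `WordDocument` stream and of whichever table stream `fib_pointers` names; a PlcfSed whose first CP is not 0 or a pn beyond the stream's last page is a document that Word 2007 SP3 will walk into the copy at 3126A36C with attacker-chosen data.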