CVE-2015-1770
published 2015-06-10


Priority: P1 83 · high · CVSS 3.1 base score 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability (KEV), remediation due 2022-04-18
Exploited in the wild (ITW)
EPSS: 35.10% (98.2nd percentile)
Microsoft Office 2013 SP1 and 2013 RT SP1 allows remote attackers to execute arbitrary code via a crafted Office document, aka "Microsoft Office Uninitialized Memory Use Vulnerability."

Affected (1 range)

Vendor      Product   Version range   Fixed in
microsoft   office    -               -

Detection & IOCs (extracted from sources)

CLSID (ActiveX): CDDBCC7C-BE18-4A58-9CBF-D62A012272CE
SHA-256: 7ff9ff29b79d0eb38813bfa0b0bb1c5b116d1f9e5468ae52674bb443468658d9
SHA-256: 7f29f2dc8b60c0e5a22575d9c76fd9c3d39604d1acf5cb4d938a63095c61a72e
SHA-256: fe80d59686806afe3dc48f73d54b577558a7c871da17d08d937c5d7b3564e07b
SHA-256: 70ea7ef3bf9966c3297a4e78024e3083013558670d051c2ca3095e2588a576d8
Path: %AppData%\Roaming\warriors.dat
Byte pattern: heap spray of 0xCC bytes with a series of 0x08 and 0x41 marker bytes (CVE-2015-1770 ActiveX exploit structure)
  • Look for the ActiveX CLSID CDDBCC7C-BE18-4A58-9CBF-D62A012272CE in RTF/Office documents; its presence triggers loading of OSF.DLL and is the activation vector for CVE-2015-1770.
  • The CVE-2015-1770 exploit is embedded in OLE objects within weaponized RTF documents, specifically in activeX39.xml and activeX40.xml inside the word/activex directory of the embedded ZIP (OOXML package).
  • The exploit's ActiveX binary uses a heap spray of 0xCC bytes followed by 0x08/0x41 marker bytes before the stage 1 shellcode; scan memory or file content for this pattern in Office ActiveX binaries.
  • Exploitation via the hard-coded ROP gadget addresses and heap spray fails on 64-bit Office installations because msvcr71.dll is not present in the Office15 native add-ons folder on 64-bit systems.
  • Analysis of the root cause was ongoing at the time of publication; researchers suggested differing underlying vulnerabilities, and conclusive attribution of the exact code path was lacking.
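The indicators above, turned into a working triage check. This is an added example and not code from the page's sources or from the researchers it cites. It looks for the CLSID in word/activeX/*.xml of an OOXML package, for the 0xCC spray followed by 0x08/0x41 markers in word/activeX/*.bin, and for the same CLSID as little-endian GUID bytes inside a decoded OLE object. It also decodes RTF \objdata hex so that a package embedded in RTF is unzipped and inspected rather than grepped as opaque hex text, which is why a plain string search for the CLSID over the RTF file misses it. The minimum run lengths in the spray regex, the OLE1 header layout used to build the sample, and all sample contents are assumptions for illustration, not values taken from real samples.

```python
import io
import re
import struct
import uuid
import zipfile

CLSID = "CDDBCC7C-BE18-4A58-9CBF-D62A012272CE"   # ActiveX CLSID named on the page
CLSID_ASCII = CLSID.lower().encode()
CLSID_LE = uuid.UUID(CLSID).bytes_le              # GUID as it is serialised in OLE structures

# Page describes a 0xCC spray then 0x08/0x41 markers. The minimum run lengths
# (64 filler bytes, 4 marker bytes) are assumptions chosen to limit false positives.
SPRAY_RE = re.compile(rb"\xcc{64,}[\x08\x41]{4,}")

# \objdata is followed by a hex dump (whitespace allowed) up to the closing brace.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def scan_ooxml(data: bytes) -> dict:
    """Inspect the word/activeX parts of an OOXML zip (case-insensitive on the path)."""
    hits = {"clsid_parts": [], "spray_parts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            low = name.lower()
            if not low.startswith("word/activex/"):
                continue
            part = zf.read(name)
            if low.endswith(".xml") and CLSID_ASCII in part.lower():
                hits["clsid_parts"].append(name)
            if low.endswith(".bin") and SPRAY_RE.search(part):
                hits["spray_parts"].append(name)
    return hits


def rtf_objects(rtf: bytes) -> list:
    """Decode every \\objdata hex blob in an RTF file into raw OLE1 object bytes."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        digits = re.sub(rb"\s+", b"", m.group(1))
        digits = digits[: len(digits) - len(digits) % 2]   # drop a dangling nibble
        blobs.append(bytes.fromhex(digits.decode("ascii")))
    return blobs


def scan_document(data: bytes) -> dict:
    """Dispatch on container type (OOXML zip or RTF) and merge findings into one verdict."""
    result = {"container": None, "clsid_parts": [], "spray_parts": [], "binary_clsid": False}
    if data.startswith(b"PK\x03\x04"):
        result["container"] = "ooxml"
        result.update(scan_ooxml(data))
    elif data.startswith(b"{\\rtf"):
        result["container"] = "rtf"
        for blob in rtf_objects(data):
            if CLSID_LE in blob:                     # CLSID stored as a raw GUID, not text
                result["binary_clsid"] = True
            pk = blob.find(b"PK\x03\x04")            # OLE1 header precedes the embedded package
            if pk == -1:
                continue
            try:
                inner = scan_ooxml(blob[pk:])        # zipfile tolerates a short trailer after the EOCD
            except zipfile.BadZipFile:
                continue
            result["clsid_parts"] += inner["clsid_parts"]
            result["spray_parts"] += inner["spray_parts"]
    result["suspicious"] = bool(result["clsid_parts"] or result["spray_parts"] or result["binary_clsid"])
    return result


def build_sample_package(weaponized: bool) -> bytes:
    """Constructed OOXML stand-in (not a real sample) with the activeX39 parts the page names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if weaponized:
            zf.writestr("word/activeX/activeX39.xml",
                        '<ax:ocx ax:classid="{%s}" ax:persistence="persistStorage"/>' % CLSID)
            zf.writestr("word/activeX/activeX39.bin",
                        b"\x00" * 32 + b"\xcc" * 512 + b"\x08\x41\x41\x08\x41\x41" + b"\x90" * 16)
    return buf.getvalue()


def build_sample_rtf(package: bytes) -> bytes:
    """Constructed RTF carrier: an OLE1 'Package' object whose native data is the zip, hex-encoded."""
    header = struct.pack("<II", 0x00000501, 0x00000002)          # OLEVersion, FormatID (embedded)
    header += struct.pack("<I", 8) + b"Package\x00"              # ClassName (length-prefixed ANSI)
    header += struct.pack("<II", 0, 0)                           # empty TopicName, ItemName
    header += struct.pack("<I", len(package))                    # NativeDataSize
    payload = (header + package).hex().encode()
    lines = b"\r\n".join(payload[i:i + 64] for i in range(0, len(payload), 64))
    return b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata " + lines + b"}}}"


if __name__ == "__main__":
    rtf = build_sample_rtf(build_sample_package(True))
    print("CLSID visible to grep:", CLSID.encode() in rtf)
    print(scan_document(rtf))
```

Run against a directory of documents by feeding each file's bytes to scan_document; the naive grep result printed first is False for the RTF carrier, while the decoded scan names both the XML part carrying the CLSID and the .bin part carrying the spray.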

CVSS provenance

NVD v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD v2.0: 9.3 HIGH (the v2 scale has no Critical band; 7.0-10.0 is High), AV:N/AC:M/Au:N/C:C/I:C/A:C
VulnCheck: 8.8 HIGH
CISA: 8.8 HIGH