cbcvebase.
CVE-2015-2467
published 2015-08-15

CVE-2015-2467: Microsoft Office 2007 SP3 allows remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office Memory Corruption Vulnerability."

Priority: P267 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: EXPLOIT
EPSS: 27.69% (97.8th percentile)

Affected

1 range
Vendor | Product | Version range | Fixed in
microsoft | office | |

Detection & IOCs (extracted from sources)

filename: 1567070353_min.doc
filename: 1567070353_crash.doc
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37913.zip
  • The vulnerability is a use-after-free in mso.dll (version 12.0.6721.5000) triggered during parsing of a crafted .doc file. The crash occurs at mso!Ordinal2690+0x457 (EIP 32fbca76) when freed heap memory is dereferenced through the EDI register.
  • The malicious .doc file contains 2-bit changes from the original at file offsets 0x11E60 and 0x1515F. These offsets can be used as a byte-level signature to identify the minimized PoC document.
  • The crash call stack involves mso!Ordinal2690 and wwlib!wdCommandDispatch. Monitor for abnormal call chains originating from these ordinals in mso.dll and wwlib.dll when processing Word documents.
  • The free of the exploited heap block is performed by mso!Ordinal1743, mso!MsoFreePv, mso!Ordinal519, mso!Ordinal320, and mso!Ordinal379. Heap spray or use-after-free detection on these ordinals in mso.dll version 12.0.6721.5000 may identify exploitation attempts.
  • Exploitation targets Microsoft Office 2007 SP3 (mso.dll 12.0.6721.5000, wwlib.dll 12.0.6720.5000) on Windows 2003 x86. The vulnerability does not reproduce in Office 2010 on Windows 7 x86, helping scope detection to legacy environments.
  • The PoC crash was only reproducible with Microsoft Office File Validation Add-In disabled. Environments with this add-in enabled may not trigger the vulnerability under the same conditions.
  • The vulnerability does not reproduce in Office 2010 on Windows 7 x86; detection and patching efforts should be scoped to Office 2007 SP3 on Windows 2003 x86 environments.