CVE-2017-0088
published 2017-03-17


Priority: P2 (72) high
CVSS 3.0: 8.8 (AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H)
Exploit: public exploit available
EPSS: 41.87% (98.5th percentile)
Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows remote attackers to execute arbitrary code via a crafted web site, aka "Windows Uniscribe Remote Code Execution Vulnerability."

Affected (15 ranges)

Vendor                  Product                                                      Version range   Fixed in
microsoft               windows_10
microsoft               windows_10
microsoft               windows_server_2008
microsoft               windows_server_2012
microsoft_corporation   windows_uniscribe
microsoft_corporation   windows_uniscribe
msrc                    windows_7_for_32-bit_systems_service_pack_1
msrc                    windows_7_for_x64-based_systems_service_pack_1
msrc                    windows_server_2008_for_32-bit_systems_service_pack_2
msrc                    windows_server_2008_for_itanium-based_systems_service_pack_2
msrc                    windows_server_2008_for_x64-based_systems_service_pack_2
msrc                    windows_server_2008_r2_for_itanium-based_systems_service_pack_1
msrc                    windows_server_2008_r2_for_x64-based_systems_service_pack_1
msrc                    windows_vista_service_pack_2
msrc                    windows_vista_x64_edition_service_pack_2

Detection & IOCs (extracted from sources)

URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41651.zip
Process: USP10!ttoGetTableData+0xc4e
  • Crash occurs in USP10!ttoGetTableData (heap buffer overflow) when processing a specially crafted/corrupted font file via Windows Uniscribe; monitor for access violation (code c0000005) originating from USP10.dll call stack involving ttoGetTableData, LoadTTOArabicShapeTables, LoadArabicShapeTables, ArabicSimpleLoadTbl, ArabicLoadTbl, UpdateCache, ScriptCheckCache
  • Exploitation can occur via a web-based attack (user visits attacker-controlled website) or via a malicious document file attachment; monitor for USP10.dll/LPK.dll processing triggered from browser or document viewer processes
  • The heap overflow write occurs at the boundary of a heap allocation (UserSize 0x48 bytes); enabling PageHeap (Application Verifier) on USP10.dll will reliably surface the crash for detection/testing
  • Call stack pivot point: USP10!ScriptStringAnalyse -> USP10!ScriptStringAnalyzeGlyphs -> USP10!RenderItem -> USP10!RenderItemWithFallback -> USP10!RenderItemNoFallback -> USP10!GetShapeFunction -> USP10!ScriptCheckCache -> USP10!UpdateCache -> USP10!ArabicLoadTbl -> USP10!ArabicSimpleLoadTbl -> USP10!LoadArabicShapeTables -> USP10!LoadTTOArabicShapeTables -> USP10!ttoGetTableData; alert on this chain in crash telemetry or ETW
  • Exploit requires user interaction; attacker cannot force victims to visit the malicious site or open the malicious document — social engineering (phishing link or email attachment) is required
  • Reproducing the crash with the provided PoC samples may require a custom program that renders all font glyphs at various point sizes; standard font preview may not trigger the vulnerability
  • Exploit status at time of patch: publicly disclosed=No, exploited in the wild=No, older software release rated Exploitation Less Likely

CVSS provenance

Source        Version   Score   Severity    Vector
nvd           v3.0      8.8     HIGH        CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd           v2.0      9.3     CRITICAL    AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_msrc             8.8     HIGH