cbcvebase.
CVE-2017-0100
published 2017-03-17

CVE-2017-0100: A DCOM object in Helppane.exe in Microsoft Windows 7 SP1; Windows Server 2008 R2; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10…

PriorityP349high7.8CVSS 3.0
AVLACLPRLUINSUCHIHAH
EXPLOIT
EPSS
4.96%
91.1th percentile
A DCOM object in Helppane.exe in Microsoft Windows 7 SP1; Windows Server 2008 R2; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows local users to gain privileges via a crafted application, aka "Windows HelpPane Elevation of Privilege Vulnerability."

Affected

21 ranges
VendorProductVersion rangeFixed in
microsoftwindows_10
microsoftwindows_10
microsoftwindows_server_2008
microsoftwindows_server_2012
microsoft_corporationwindows_helppane
msrcwindows_10_for_32-bit_systems
msrcwindows_10_for_x64-based_systems
msrcwindows_10_version_1511_for_32-bit_systems
msrcwindows_10_version_1511_for_x64-based_systems
msrcwindows_10_version_1607_for_32-bit_systems
msrcwindows_10_version_1607_for_x64-based_systems
msrcwindows_7_for_32-bit_systems_service_pack_1
msrcwindows_7_for_x64-based_systems_service_pack_1
msrcwindows_8.1_for_32-bit_systems
msrcwindows_8.1_for_x64-based_systems
msrcwindows_rt_8.1
msrcwindows_server_2008_r2_for_itanium-based_systems_service_pack_1
msrcwindows_server_2008_r2_for_x64-based_systems_service_pack_1
msrcwindows_server_2012
msrcwindows_server_2012_r2
msrcwindows_server_2016

Detection & IOCsextracted from sources · hover to see the quote

filenameHelppane.exe
otherCLSID: 8cec58ae-07a1-11d9-b15e-000d56bfe6ee (HxHelpPaneServer CoClass)
otherIID: 8cec592c-07a1-11d9-b15e-000d56bfe6ee (IHxHelpPaneServer Interface)
commandsession:{SESSION_ID}!new:8cec58ae-07a1-11d9-b15e-000d56bfe6ee
  • Monitor for COM/DCOM activation requests using the Session Moniker pattern ('session:N!new:') targeting CLSID 8cec58ae-07a1-11d9-b15e-000d56bfe6ee (HxHelpPaneServer) from non-administrative user processes.
  • Alert on Helppane.exe spawning child processes (e.g. notepad.exe or arbitrary executables) in a session different from the calling user's session, which indicates abuse of the IHxHelpPaneServer::Execute method.
  • ·Exploitation requires at least two interactive user sessions on the same machine (e.g. Terminal Services or Fast User Switching); single-session environments are not directly exploitable via this path.
  • ·Session 0 (service session) cannot be targeted, limiting the attack to interactive user sessions only.

CVSS provenance

nvdv3.07.8HIGHCVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.04.4MEDIUMAV:L/AC:M/Au:N/C:P/I:P/A:P
vendor_msrc6.6MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.