CVE-2017-0261
published 2017-05-12


Priority: P1 (83, high)
CVSS 3.1: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CISA Known Exploited Vulnerability (due 2022-03-24); exploited in the wild
EPSS: 78.13% (99.5th percentile)
Microsoft Office 2010 SP2, Office 2013 SP1, and Office 2016 allow a remote code execution vulnerability when the software fails to properly handle objects in memory, aka "Office Remote Code Execution Vulnerability". This CVE ID is unique from CVE-2017-0262 and CVE-2017-0281.

Affected (18 ranges)

Vendor                   Product                                    Version range   Fixed in
microsoft                office
microsoft                office
microsoft                office
microsoft                office
microsoft                office_online_server
microsoft                office_web_apps
microsoft                office_web_apps
microsoft                project_server
microsoft                sharepoint_foundation
microsoft                sharepoint_server
microsoft                sharepoint_server
microsoft                sharepoint_server
microsoft                skype_for_business
microsoft                word
microsoft_corporation    microsoft_office
msrc                     microsoft_office_2010_service_pack_2
msrc                     microsoft_office_2013_service_pack_1
msrc                     microsoft_office_2016

Detection & IOCs (extracted from sources)

hash (SHA-256): a67220bcf289af6a99a9760c05d197d09502c2119f62762f78523aa7cbc96ef1
hash (SHA-256): 07d5509988b1aa6f8d5203bc4b75e6d7be6acf5055831cc961a51d3e921f96bd
hash (SHA-256): b8abf94017b159f8c1f0746dca24b4eeaf7e27d2ffa83ca053a87deb7560a571
hash (SHA-256): d486ed118a425d902044fb7a84267e92b49169c24051ee9de41327ee5e6ac7c2
hash (SHA-256): fd8394b2ff9cd00380dc2b5a870e15183f1dc3bd82ca6ee58f055b44074c7fd4
hash (SHA-256): 290ac98de80154705794e96d0c6d657c948b7dff7abf25ea817585e4c923adb2
hash (MD5): 79ad2084b057847ce2ec2e48fda64073
path: %PROGRAMDATA%\Microsoft\DeviceSync\VMwareCplLauncher.exe
path: %PROGRAMDATA%\Microsoft\DeviceSync\vmtools.dll
path: %PROGRAMDATA%\Microsoft\DeviceSync\MSBuild.exe
filename: 9PT568.dat
filename: TPX498.dat
filename: edg499.dat
filename: TPX499.dat
filename: adbFle.tmp
url: hxxp://feeds.rapidfeeds[.]com/88604/
ip: 185.203.118[.]115
url: //e3e7e71a0b28b5e96cc492e636722f73//4sVKAOvu3D//ABDYot0NxyG.php
url: \e3e7e71a0b28b5e96cc492e636722f73\4sVKAOvu3D\UYEfgEpXAOE.php
  • BADNEWS drops three files via EPS shellcode into %PROGRAMDATA%\Microsoft\DeviceSync\: VMwareCplLauncher.exe (legitimate signed VMware binary), vmtools.dll (malicious sideload DLL), and MSBuild.exe (BADNEWS payload renamed). Detect the presence of vmtools.dll in this non-standard path.
  • BADNEWS creates a scheduled task named 'BaiduUpdateTask1' that runs the malicious MSBuild.exe every minute. Hunt for scheduled tasks with this name.
  • BADNEWS C2 beacon strings contain the pattern 'uuid=...#un=...#cn=...#on=...#lan=...#nop=#ver=1.0'. Monitor HTTP POST traffic for this beacon format.
  • BADNEWS hardcoded C2 URI paths contain the distinctive string 'e3e7e71a0b28b5e96cc492e636722f73' and '4sVKAOvu3D'. Detect HTTP requests containing these path components.
  • BADNEWS uses DLL side-loading: VMwareCplLauncher.exe (legitimate VMware binary) loads malicious vmtools.dll from the same directory. Alert on VMwareCplLauncher.exe executing outside of standard VMware installation paths.
  • The C2 IP (185.203.118[.]115) is derived from decrypting dead drop resolver content using a four-step process (Base64 → cipher → Base64 → Blowfish with static key). The IP may rotate as the dead drop content is updated by the attacker.
  • The dead drop resolver URL (feeds.rapidfeeds[.]com/88604/) is a legitimate third-party service abused to host encoded C2 information; blocking it may cause false positives for legitimate users of the service.
  • Older Patchwork documents exploited CVE-2017-0261, but newer documents (late January 2018) shifted back to CVE-2015-2545. The BADNEWS payload and IOCs are shared across both exploit vectors.
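The detection points above translate directly into host and network hunting rules. The following is an added example, not code from this page or from any of its sources: it encodes the page's own indicators (the DeviceSync drop path, the BaiduUpdateTask1 task name, the beacon field layout, the two C2 URI components, the C2 IP and the dead drop host) as rules and runs them over a constructed set of telemetry events. The event schema, the assumed legitimate VMware install roots used to judge where VMwareCplLauncher.exe may run, and all sample events are assumptions made for the illustration.

```python
# Added example: hunting rules built from the BADNEWS indicators listed above,
# run over constructed sample telemetry. Not code from the page or its sources.
import re
from collections import Counter
from dataclasses import dataclass

# Indicators from the page (defanged values restored so they match raw logs).
DROP_DIR_MARKER = "\\microsoft\\devicesync\\"   # expanded %PROGRAMDATA%\Microsoft\DeviceSync\
DROPPED_FILES = {"vmwarecpllauncher.exe", "vmtools.dll", "msbuild.exe"}
TASK_NAME = "BaiduUpdateTask1"
C2_URI_MARKERS = ("e3e7e71a0b28b5e96cc492e636722f73", "4sVKAOvu3D")
C2_IP = "185.203.118.115"
DEAD_DROP_HOST = "feeds.rapidfeeds.com"
# Beacon layout quoted on the page; the field values themselves are free-form.
BEACON_RE = re.compile(r"uuid=[^#]*#un=[^#]*#cn=[^#]*#on=[^#]*#lan=[^#]*#nop=[^#]*#ver=1\.0")
# Assumed legitimate install roots for the signed VMware binary (assumption, not from the page).
VMWARE_ROOTS = ("c:\\program files\\vmware\\", "c:\\program files (x86)\\vmware\\")


@dataclass
class Finding:
    rule: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list:
    """Apply every rule that fits the event type; return the findings it triggers."""
    out = []
    kind = ev.get("type")
    if kind == "file":
        path = ev["path"]
        if DROP_DIR_MARKER in path.lower() and _basename(path) in DROPPED_FILES:
            out.append(Finding("dropped_file", path))
    elif kind == "task":
        if ev["name"] == TASK_NAME:
            out.append(Finding("scheduled_task", ev["name"]))
    elif kind == "process":
        image = ev["image"]
        # The signed VMware launcher is only suspicious when it runs outside its normal install tree.
        if _basename(image) == "vmwarecpllauncher.exe" and not image.lower().startswith(VMWARE_ROOTS):
            out.append(Finding("sideload_host_outside_vmware", image))
    elif kind == "http":
        if ev.get("method") == "POST" and BEACON_RE.search(ev.get("body", "")):
            out.append(Finding("c2_beacon", ev["body"]))
        if any(m in ev.get("uri", "") for m in C2_URI_MARKERS):
            out.append(Finding("c2_uri", ev["uri"]))
        if ev.get("dst_ip") == C2_IP:
            out.append(Finding("c2_ip", ev["dst_ip"]))
        # The dead drop is a legitimate service: treat a hit as a lead to review, not a block signal.
        if ev.get("host", "").lower() == DEAD_DROP_HOST:
            out.append(Finding("dead_drop_resolver", ev["host"]))
    return out


def hunt(events) -> list:
    return [f for ev in events for f in check_event(ev)]


def rule_counts(events) -> dict:
    return dict(Counter(f.rule for f in hunt(events)))


# Constructed sample telemetry: one hit per rule plus benign look-alikes.
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\ProgramData\Microsoft\DeviceSync\vmtools.dll"},
    {"type": "file", "path": r"C:\Program Files\VMware\VMware Tools\vmtools.dll"},   # benign
    {"type": "task", "name": "BaiduUpdateTask1"},
    {"type": "task", "name": "MicrosoftEdgeUpdateTaskMachineCore"},                   # benign
    {"type": "process", "image": r"C:\ProgramData\Microsoft\DeviceSync\VMwareCplLauncher.exe"},
    {"type": "process", "image": r"C:\Program Files\VMware\VMware Tools\VMwareCplLauncher.exe"},  # benign
    {"type": "http", "method": "POST", "host": "185.203.118.115", "dst_ip": "185.203.118.115",
     "uri": "/e3e7e71a0b28b5e96cc492e636722f73/4sVKAOvu3D/ABDYot0NxyG.php",
     "body": "uuid=abc#un=user#cn=HOST#on=Windows 7#lan=10.0.0.5#nop=#ver=1.0"},
    {"type": "http", "method": "GET", "host": "feeds.rapidfeeds.com", "dst_ip": "203.0.113.10",
     "uri": "/88604/", "body": ""},
    {"type": "http", "method": "POST", "host": "example.com", "dst_ip": "203.0.113.20",
     "uri": "/api/login", "body": "user=a&pass=b"},                                   # benign
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule:30} {f.detail}")
```

The beacon regex keys on the fixed field names and the trailing `ver=1.0` rather than on any single value, so it survives the per-host variation in `uuid`, `cn` and `lan`; the dead drop rule is separated from the C2 rules because, as the page notes, blocking the feed host outright would affect legitimate users of that service.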

CVSS provenance

Source        Version   Score   Severity   Vector
nvd           v3.1      7.8     HIGH       CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd           v2.0      9.3     CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck               7.8     HIGH
cisa                    7.8     HIGH
vendor_msrc             7.8     HIGH