CVE-2017-11885
published 2017-12-12


Priority: P3 (57) · CVSS 3.0: 6.6 medium
Vector: AV:N / AC:H / PR:H / UI:N / S:U / C:H / I:H / A:H
Exploit: available · EPSS: 45.52% (98.6th percentile)
Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2008 SP2 and R2 SP1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703 and 1709, Windows Server 2016 and Windows Server, version 1709 allow a remote code execution vulnerability due to the way the Routing and Remote Access service handles requests, aka "Windows RRAS Service Remote Code Execution Vulnerability".

Affected

22 ranges

Vendor | Product | Version range | Fixed in
microsoft | windows_10 | |
microsoft | windows_10 | |
microsoft | windows_10 | |
microsoft | windows_10 | |
microsoft | windows_server_2008 | |
microsoft | windows_server_2012 | |
microsoft | windows_server_2016 | |
microsoft_corporation | microsoft_windows | |
msrc | windows_10 | |
msrc | windows_10_version_1511 | |
msrc | windows_10_version_1607 | |
msrc | windows_10_version_1703 | |
msrc | windows_10_version_1709 | |
msrc | windows_7 | |
msrc | windows_8.1 | |
msrc | windows_rt_8.1 | |
msrc | windows_server_2008 | |
msrc | windows_server_2008_r2 | |
msrc | windows_server_2012 | |
msrc | windows_server_2012_r2 | |
msrc | windows_server_2016 | |
msrc | windows_server_version_1709 | |

Detection & IOCs (extracted from sources)

port: 445
other: RRAS DCE-RPC endpoint UUID: 8f09f000-b7ed-11ce-bbd2-00001a181cad v0.0
command: dce.call(0x1e, stub)
snort (ET sid:2025824):
alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows RRAS SMB Remote Code Execution"; flow:established,to_server; content:"|21 00 00 00 10 27 00 00 a4 86 01 00 41 41 41 41 04 00 00 00 41 41 41 41 a4 86 01 00 ad 0b 2d 06 d0 ba 61 41 41 90 90 90 90 90|"; reference:cve,2017-11885; reference:url,exploit-db.com/exploits/44616/; classtype:attempted-user; sid:2025824; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_07_11, cve CVE_2017_11885, deployment Perimeter, deployment Datacenter, performance_impact Low, confidence High, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
bytes (content match from the rule above):
|21 00 00 00 10 27 00 00 a4 86 01 00 41 41 41 41 04 00 00 00 41 41 41 41 a4 86 01 00 ad 0b 2d 06 d0 ba 61 41 41 90 90 90 90 90|
  • Detect exploit traffic to TCP/445 carrying the RRAS RPC stub (an NDR-encoded MIB_OPAQUE_QUERY): match the byte sequence above, which opens with the little-endian DWORD 21 00 00 00 (dwPid = PID_IP, 0x21), continues with the MIB_OPAQUE_QUERY fields, and contains the bytes ad 0b 2d 06 that the source calls the pointer gadget (read as a little-endian DWORD this is 0x062d0bad, not 0xad0b2d06).
  • Monitor for DCE-RPC bind requests to the RRAS interface UUID 8f09f000-b7ed-11ce-bbd2-00001a181cad over the \pipe\browser named pipe, and in particular for calls to opnum 0x1e (MIBEntryGetFirst) whose rgdwVarIndex field is oversized.
  • Only systems with the Routing and Remote Access Service (RRAS) enabled expose the vulnerable code path; audit and alert on RRAS service state changes and on unexpected network activity from the RRAS process.
  • Disabling RRAS on systems that do not require it fully mitigates the vulnerability, since the attack path requires RRAS to be enabled. Note that both CVSS vectors on this page score the attacker as authenticated (PR:H in v3.0, Au:S in v2.0), so the malicious bind and request arrive inside an established SMB session rather than from an anonymous client.
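The two network indicators above (a bind to the RRAS interface UUID, and the ET byte signature inside the RPC stub) can be checked programmatically. The following is an added example written for this page; it is not code from the source, from Microsoft, or from Emerging Threats. It assumes the input is named-pipe data with the SMB layer already stripped (the raw DCE-RPC PDU a decoder hands you), and it builds its own constructed sample PDUs (a bind to the RRAS UUID, a benign bind to the srvsvc UUID, and an opnum 0x1e request whose stub contains the ET signature behind 16 placeholder bytes, which is not the real exploit stub). The UUID, opnum, port and byte sequence are the ones quoted on this page; the NDR transfer-syntax UUID and the srvsvc UUID are assumptions used only to build the samples.

```python
"""Detection helpers for the CVE-2017-11885 indicators listed above.

Added example, not code from the source page, Microsoft, or Emerging Threats.
Assumption: `payload` is named-pipe data with the SMB layer already stripped
(the raw DCE-RPC PDU a decoder hands you); the sample PDUs below are constructed.
"""
import struct
import uuid

# Constants copied from the page's IOC fields and the ET rule sid:2025824.
RRAS_IFACE = uuid.UUID("8f09f000-b7ed-11ce-bbd2-00001a181cad")  # RRAS interface, v0.0
RRAS_OPNUM = 0x1E                                               # from dce.call(0x1e, stub)
PID_IP = 0x21                                                   # dwPid, first DWORD of the signature
ET_SIG = bytes.fromhex(
    "21 00 00 00 10 27 00 00 a4 86 01 00 41 41 41 41 04 00 00 00 "
    "41 41 41 41 a4 86 01 00 ad 0b 2d 06 d0 ba 61 41 41 90 90 90 90 90"
)
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax (assumed, sample only)
HDR = "<BBBB4sHHI"  # rpc_vers, minor, ptype, flags, data_rep, frag_len, auth_len, call_id


def parse_bind(pdu):
    """Return [(ctx_id, interface_uuid, version)] for a bind/alter_context PDU, else None."""
    if len(pdu) < 28:
        return None
    vers, _, ptype, _, drep, _, _, _ = struct.unpack_from(HDR, pdu, 0)
    if vers != 5 or ptype not in (11, 14) or (drep[0] & 0x10) == 0:
        return None  # not a v5 bind, or big-endian data rep (not handled here)
    contexts, off = [], 28
    for _ in range(pdu[24]):  # n_context_elem sits at offset 24, 3 pad bytes follow
        if off + 24 > len(pdu):
            break
        ctx_id, n_ts = struct.unpack_from("<HB", pdu, off)
        iface = uuid.UUID(bytes_le=pdu[off + 4:off + 20])  # DCE UUIDs are mixed-endian on the wire
        ver = struct.unpack_from("<I", pdu, off + 20)[0]
        contexts.append((ctx_id, iface, ver))
        off += 24 + 20 * n_ts  # each transfer syntax is a 16-byte UUID + 4-byte version
    return contexts


def parse_request(pdu):
    """Return (ctx_id, opnum, stub) for a DCE-RPC request PDU, else None."""
    if len(pdu) < 24 or pdu[0] != 5 or pdu[2] != 0:
        return None
    ctx_id, opnum = struct.unpack_from("<HH", pdu, 20)  # alloc_hint occupies bytes 16..19
    return ctx_id, opnum, pdu[24:]


def scan_stub(payload):
    """Content-match the ET byte signature and decode the fields the page names."""
    idx = payload.find(ET_SIG)
    if idx < 0:
        return None
    dw_pid = struct.unpack_from("<I", payload, idx)[0]
    gadget = payload[idx + 28:idx + 32]  # the "ad 0b 2d 06" bytes
    return {"offset": idx, "dwPid": dw_pid, "pid_is_ip": dw_pid == PID_IP,
            "gadget_bytes": gadget.hex(), "gadget_le": struct.unpack("<I", gadget)[0]}


def classify(dst_port, payload):
    """Alert strings for one named-pipe payload sent to dst_port (empty list = clean)."""
    alerts = []
    if dst_port != 445:  # both the port IOC and the ET rule scope to TCP/445
        return alerts
    for ctx_id, iface, ver in parse_bind(payload) or []:
        if iface == RRAS_IFACE:
            alerts.append(f"DCE-RPC bind to RRAS interface {iface} "
                          f"v{ver & 0xFFFF}.{ver >> 16} (ctx {ctx_id})")
    hit = scan_stub(payload)
    if hit:
        req = parse_request(payload)
        opnum = f"0x{req[1]:x}" if req else "n/a"
        alerts.append(f"ET sid:2025824 signature at offset {hit['offset']} "
                      f"(dwPid=0x{hit['dwPid']:x}, opnum {opnum})")
    return alerts


# --- constructed sample PDUs (test input, not real captures) ---
def build_bind(iface, iface_ver=0, call_id=1):
    """Minimal single-context DCE-RPC v5 bind PDU."""
    ctx = struct.pack("<HBB", 0, 1, 0) + iface.bytes_le + struct.pack("<I", iface_ver)
    ctx += NDR_SYNTAX.bytes_le + struct.pack("<I", 2)
    body = struct.pack("<HHIB3x", 4280, 4280, 0, 1) + ctx
    return struct.pack(HDR, 5, 0, 11, 0x03, b"\x10\x00\x00\x00", 16 + len(body), 0, call_id) + body


def build_request(opnum, stub, ctx_id=0, call_id=2):
    """DCE-RPC v5 request PDU carrying `stub`."""
    body = struct.pack("<IHH", len(stub), ctx_id, opnum) + stub
    return struct.pack(HDR, 5, 0, 0, 0x03, b"\x10\x00\x00\x00", 16 + len(body), 0, call_id) + body


SAMPLE_BIND = build_bind(RRAS_IFACE)
BENIGN_BIND = build_bind(uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188"), 3)  # srvsvc v3.0 (assumed)
# 16 zero bytes stand in for the NDR prefix; this is NOT the real exploit stub.
SAMPLE_REQUEST = build_request(RRAS_OPNUM, b"\x00" * 16 + ET_SIG + b"\x90" * 8)

if __name__ == "__main__":
    for name, pdu in (("rras bind", SAMPLE_BIND), ("opnum 0x1e request", SAMPLE_REQUEST),
                      ("srvsvc bind", BENIGN_BIND)):
        print(f"{name}: {classify(445, pdu) or ['no alert']}")
```

Running the module prints one alert for the RRAS bind, one for the opnum 0x1e request, and none for the srvsvc bind. The bind check is the higher-fidelity indicator: the byte signature can be defeated by changing the filler bytes, whereas any client that wants to reach the vulnerable code must bind to the RRAS interface UUID first.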

CVSS provenance

nvd v3.0: 6.6 MEDIUM (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
nvd v2.0: 8.5 HIGH (AV:N/AC:M/Au:S/C:C/I:C/A:C)
vendor (msrc): 6.6 MEDIUM