CVE-2017-12824
published 2017-11-08

CVE-2017-12824: Specially crafted InPage document leads to arbitrary code execution in InPage reader.

Priority: P274, high, 7.8 (CVSS 3.0)
Vector: AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
ITW (exploited in the wild); VulnCheck KEV
EPSS: 1.50% (71.0th percentile)

Affected

1 range
Vendor | Product | Version range | Fixed in
inpage | inpage_reader | |

Detection & IOCs (extracted from sources)

  • Detect the exploit by the presence of shellcode inside a Microsoft Compound Storage (OLE) file with the .inp extension; a Kaspersky generic rule fires on this pattern
  • Detect the shellcode decoder stage by looking for FLDPI + FSTENV instruction sequences followed by a NOT + XOR 0xAC decryption loop inside inpage.exe process memory
  • Flag outbound connections from inpage.exe or its child processes to port 8080, particularly to 195.189.227.26, as C2 communication by the dropped VB6 Trojan payload
  • The Kaspersky detection name HEUR:Exploit.Win32.Generic can be used as a cross-vendor hunt/correlation tag for this exploit family
  • aliasway.com is sinkholed by Kaspersky Lab; traffic to this domain reflects sinkhole telemetry, not live C2 activity

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck | | 7.8 | HIGH |