CVE-2017-12824
Published 2017-11-08
CVE-2017-12824: Special crafted InPage document leads to arbitrary code execution in InPage reader.
Priority: P274 · high · 7.8 (CVSS 3.0)
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
ITW: VulnCheck KEV
Exploited in the wild
EPSS: 1.50% (71.0th percentile)
Special crafted InPage document leads to arbitrary code execution in InPage reader.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| inpage | inpage_reader | — | — |
Detection & IOCs (extracted from sources)
- Detect exploit via presence of shellcode inside a Microsoft Compound Storage (OLE) file with .inp extension; Kaspersky generic rule fires on this pattern.
- Detect the shellcode decoder stage by looking for FLDPI + FSTENV instruction sequences followed by a NOT + XOR 0xAC decryption loop inside inpage.exe process memory.
- Flag outbound connections from inpage.exe or its child processes to port 8080, particularly to 195.189.227.26, as C2 communication by the dropped VB6 Trojan payload.
- Kaspersky detection name HEUR:Exploit.Win32.Generic can be used as a cross-vendor hunt/correlation tag for this exploit family.
- aliasway.com is sinkholed by Kaspersky Lab; traffic to this domain reflects sinkhole telemetry, not live C2 activity.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| vulncheck | — | 7.8 | HIGH | — |
GHSA
GHSA-33p5-6c3v-v29v: Special crafted InPage document leads to arbitrary code execution in InPage reader
ghsa_unreviewed · 2022-05-14
CVE-2017-12824 [HIGH] CWE-119
Special crafted InPage document leads to arbitrary code execution in InPage reader.
VulnCheck
inpage inpage: Improper Restriction of Operations within the Bounds of a Memory Buffer
vulncheck · 2017 · CVSS 7.8
CVE-2017-12824 [HIGH]
Special crafted InPage document leads to arbitrary code execution in InPage reader.
Affected: inpage inpage
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://ti.qianxin.com/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/
- https://dl.acm.org/doi/pdf/10.1145/3465481.3465758
- https://decoded.avast.io/threatresearch/avast-q3-2022-threat-report/
- https://mp.weixin.qq.com/s/F2ZgjW_d3jbTpzz37Pj9PA
No detection rules found.
No public exploits indexed.
Trendmicro
Bahamut, Confucius and Patchwork Connected to Urpage
blogs_trendmicro · 2018-08-29
APT & Targeted Attacks
## Bahamut, Confucius and Patchwork Connected to Urpage
We dig deeper into the possible connection between cyberattacks by focusing on the similarities an unnamed threat actor shares with Confucius, Patchwork, and Bahamut. For the sake of this report, we will call this unnamed threat actor “Urpage.”
By: Daniel Lunghi, Ecular Xu, 2018/08/29
In the process of monitoring changes in the threat landscape, we get a clearer insight into the way threat actors work behind the schemes. In this case we dig deeper into the possible connection between cyberattacks by focusing on the similarities an unnamed threat actor shares with Confucius, Patchwork, and another threat actor called Bahamut. For the sake of this report, we will call this
Securelist
InPage zero-day exploit used to attack financial institutions in Asia
blogs_securelist · 2016-11-23 · CVSS 8.8 · [HIGH]
Table of Contents
- Discovery and analysis
- Technical details
- Inside weaponized documents
- Victims
- Conclusions
- Indicators of compromise: Hashes; C&Cs used in the samples dropped by the weaponized InPage documents
Authors
- Denis Legezo
In September 2016, while researching a new wave of attacks, we found an interesting target which appeared to constantly receive spearphishes, a practice we commonly describe as a “magnet of threats”. Among all the attacks received by this magnet of threats, which included various older Office exploits such as CVE-2012-0158, one of them attracted our attention. This file, which was also uploaded to a multiscanner service in September 2016, had an extension that we were unfamiliar with: “.inp”. Further investigation revealed this was an InPage document.