CVE-2017-8487
Published 2017-06-15
Priority: P2 · high · CVSS 3.0: 7.8 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploited in the wild (ITW exploit) · VulnCheck KEV
EPSS: 62.53% (99.1st percentile)
Windows OLE in Windows XP and Windows Server 2003 allows an attacker to execute code when a victim opens a specially crafted file or program aka "Windows olecnv32.dll Remote Code Execution Vulnerability."
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft_corporation | microsoft_windows | — | — |
Detection & IOCs (extracted from sources)
Byte pattern: `4d 3c 2b 1a 00 00 02 00 ff ff ff ff 00 00 00 00 20 00 00 00 ff ff ff ff 01 00 00 00 02 00 00 00 33 00 44 00 45 00 53 00 00 00`
- Monitor for DeviceIoControl calls targeting \Device\KsecDD with IOCTL code 0x390400 and operation code 0x00020000 (bytes 4-7 of input buffer), which triggers uninitialized kernel pool memory disclosure.
- Flag processes opening \Device\KsecDD with FILE_READ_DATA | FILE_WRITE_DATA access via NtOpenFile outside of expected system processes, especially when followed immediately by a DeviceIoControl with IOCTL 0x390400.
- The CVE-2017-8487 vulnerability resides in olecnv32.dll on Windows XP and Windows Server 2003; monitor for suspicious loading or execution involving this DLL triggered by opening crafted files.
- Note: the exploit-db entry (42211) describes a KsecDD kernel pool memory disclosure bug, which is a different vulnerability from the olecnv32.dll RCE described in CVE-2017-8487. The two may have been cross-linked; validate source attribution before correlating IOCs.
- Note: CVE-2017-8487 affects only Windows XP and Windows Server 2003; IOCs and detections are only relevant on those end-of-life platforms.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| VulnCheck | — | 7.8 | HIGH | — |
GHSA
GHSA-84p6-78m2-238m · ghsa_unreviewed · 2022-05-13 · CVE-2017-8487 [HIGH]
Windows OLE in Windows XP and Windows Server 2003 allows an attacker to execute code when a victim opens a specially crafted file or program aka "Windows olecnv32.dll Remote Code Execution Vulnerability."
VulnCheck
Windows olecnv32.dll Remote Code Execution Vulnerability · vulncheck · 2017 · CVSS 7.8 · CVE-2017-8487 [HIGH]
Windows OLE in Windows XP and Windows Server 2003 allows an attacker to execute code when a victim opens a specially crafted file or program aka "Windows olecnv32.dll Remote Code Execution Vulnerability."
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.recordedfuture.com/blog/chinese-mss-vulnerability-influence
No detection rules found.
Qualys
Microsoft Fixes 94 Security Issues in Massive June Update · blogs_qualys · 2017-06-13 · CVSS 8.1 [HIGH]
Today Microsoft released patches to fix 94 vulnerabilities, out of which 27 fix remote code execution issues which can allow attackers to remotely take control of victim machines. This is a massive update and fixes more than double the number of vulnerabilities as compared to the last two months.
Microsoft also released Security Advisory 4025685 which includes patches for older platforms due to heightened risk of exploitation. In my opinion this should be treated as a blueprint for future attacks, and updates for EOL operating systems should be applied as soon as possible. Older platforms include Windows XP, Windows Server 2003, Vista and Windows 8, and older issues like MS08-067, MS09-050, MS10-061, MS14-068, MS17-010, MS17-013 are patched. Newer issues affecting older platforms like CV
Recorded Future
China's Influence on National Network Vulnerability Publications · blogs_recorded_future · CVSS 7.8 [HIGH]
## China’s Ministry of State Security Likely Influences National Network Vulnerability Publications
## Executive Summary
Earlier research based on the last two years of vulnerability reporting illustrated that China’s National Vulnerability Database of Information Security (CNNVD) was generally more aggressive in capturing up-to-date information for software vulnerabilities than its U.S. counterpart (NVD). In this research we examine exceptions to this general rule and discover a broader role for the Ministry of State Security (MSS) in vulnerability reporting than was previously known.
Recorded Future analysis has uncovered evidence of a formal vulnerability evaluation process at CNNVD in which High-threat CVEs are likely evaluated for their operational utility by the MSS before publica
References
- http://www.securityfocus.com/bid/99013
- http://www.securitytracker.com/id/1038702
- https://support.microsoft.com/en-us/help/4025218/security-update-for-windows-xp-and-windows-server-2003
- https://www.exploit-db.com/exploits/42211/