CVE-2017-8570
published 2017-07-11


Priority: P1 · 85 · high
CVSS 3.1: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-08-25
Exploited in the wild
EPSS: 89.89% (99.8th percentile)
Microsoft Office allows a remote code execution vulnerability due to the way that it handles objects in memory, aka "Microsoft Office Remote Code Execution Vulnerability". This CVE ID is unique from CVE-2017-0243.

Affected

11 ranges

Vendor     Product                                     Version range   Fixed in
microsoft  business_productivity_servers
microsoft  office
microsoft  office
microsoft  office
microsoft  office
microsoft  web_applications
msrc       microsoft_office_2007_service_pack_3
msrc       microsoft_office_2010_service_pack_2
msrc       microsoft_office_2013_rt_service_pack_1
msrc       microsoft_office_2013_service_pack_1
msrc       microsoft_office_2016

Detection & IOCs (extracted from sources)

hash:     a112274e109c5819d54aa8de89b0e707b243f4929a83e77439e3ff01ed218a35
hash:     7c01555ba4b3cbb68ec17c86ac2058664ad56f9f9803a9ffbf2706f0e0ad2f1c
hash:     9546c04cad4983b02adf6ed09a3c5674c0b1ae239883ae3d1b82b046ecee37a
ip:       192.166.218.230
url:      hxxp://192[.]166[.]218[.]230:3550/logo[.]doc
url:      hxxp://192[.]166[.]218[.]230:3550/ratman[.]exe
ip:       5.134.116.146
port:     3550
filename: logo.doc
filename: RATMAN.EXE
path:     ppt/slides/_rels/slide1.xml.rels
  • The malicious PPSX file exploiting CVE-2017-8570 (actually CVE-2017-0199) triggers a script moniker embedded in ppt/slides/_rels/slide1.xml.rels; hunt for PPSX files containing script monikers in that relationship file path.
  • The exploit payload (logo.doc) is not a Word document but an XML file containing JavaScript that spawns PowerShell to download and execute RATMAN.EXE; detect PowerShell child processes spawned from PowerPoint (POWERPNT.EXE).
  • Patchwork group used PPSX files exploiting CVE-2017-8570 to download a malicious Windows Script Component (SCT) file from attacker-controlled servers and deliver xRAT malware; monitor for PPSX attachments that initiate outbound SCT/scriptlet downloads.
  • Agent Tesla campaigns leverage CVE-2017-8570 via specially-crafted Office documents; detect Office processes spawning unexpected child processes or network connections after opening .doc/.docx/.rtf files.
  • The PPSX exploit file displays the text 'CVE-2017-8570' as a decoy while actually exploiting CVE-2017-0199; this mislabeling is a toolkit artifact that can be used as a lure-content indicator in sandbox analysis.
  • The PPSX sample analyzed by Trend Micro displays 'CVE-2017-8570' as on-screen text but actually exploits CVE-2017-0199; IOCs from this sample (hashes, IPs, URLs) are associated with a CVE-2017-0199 exploit chain, not a pure CVE-2017-8570 chain.
  • The 192.166.218.230 IP is described as a VPN or hosting service abused by the attacker, meaning it may be shared infrastructure and not exclusively malicious.

CVSS provenance

Source       Version  Score  Severity  Vector
nvd          v3.1     7.8    HIGH      CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd          v2.0     9.3    CRITICAL  AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck             7.8    HIGH
cisa                  7.8    HIGH
vendor_msrc           7.8    HIGH