CVE-2018-0824
Published: 2018-05-09
Priority: P1 · 89 · high
CVSS 3.1: 8.8 (high), vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2024-08-26
Exploited in the wild
EPSS: 73.47% (99.4th percentile)
A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects, aka "Microsoft COM for Windows Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_10_version_1703 | — | — |
| msrc | windows_10_version_1709 | — | — |
| msrc | windows_10_version_1803 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
| msrc | windows_server_version_1709 | — | — |
| msrc | windows_server_version_1803 | — | — |
Detection & IOCs (extracted from sources)
- APT41 used a tailored loader to inject a CVE-2018-0824 PoC (UnmarshalPwn) directly into memory for local privilege escalation — hunt for in-memory injection of COM deserialization exploit code rather than on-disk PoC binaries.
- The exploit tool used to trigger CVE-2018-0824 is named 'UnmarshalPwn' — alert on process creation or file presence of this tool name.
- The Cobalt Strike loader is based on the open-source anti-AV project 'CS-Avoid-Killing' hosted on GitHub and written in Simplified Chinese — hunt for GoLang-compiled Cobalt Strike loaders with embedded Simplified Chinese strings.
- Talos released ClamAV signatures and Snort rules specifically to detect ShadowPad malware and Cobalt Strike beacons used by APT41 in this campaign — ensure these are deployed.
- The Metasploit post-exploitation module 'post/windows/escalate/unmarshal_cmd_exec' exploits CVE-2018-0824 — monitor for this module's execution artifacts on Windows endpoints.
- The hashes listed in the Talos newsletter are from general weekly telemetry (Coinminer, PUA droppers, KMSAuto, Scar dropper) and are NOT directly attributed to CVE-2018-0824 exploitation — treat them as co-occurring campaign IOCs, not exploit-specific indicators.
- The C2 IP 103.56.114[.]69 was originally reported by Symantec in an April 2022 campaign; its reuse in the 2023 campaign is noted, but the infrastructure may have changed hands — validate before blocking.
- The domain www.nss.com[.]tw is described as a 'compromised' legitimate C2 server, not attacker-owned infrastructure — blocking it may affect legitimate traffic to the original site owner.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 5.1 | MEDIUM | AV:N/AC:H/Au:N/C:P/I:P/A:P |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 8.8 | HIGH | — |
| vendor_msrc | — | 7.5 | HIGH | — |
CISA
Microsoft COM for Windows Deserialization of Untrusted Data Vulnerability
cisa·2024-08-05·CVSS 8.8
CVE-2018-0824 [HIGH] CWE-502 Microsoft COM for Windows Deserialization of Untrusted Data Vulnerability
Vulnerability: Microsoft COM for Windows Deserialization of Untrusted Data Vulnerability
Affected: Microsoft Windows
Microsoft COM for Windows contains a deserialization of untrusted data vulnerability that allows for privilege escalation and remote code execution via a specially crafted file or script.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2018-0824; https://nvd.nist.gov/vuln/detail/CVE-2018-0824
Remediation Due Date: 2024-08-26
Microsoft
Microsoft COM for Windows Remote Code Execution Vulnerability
vendor_msrc·2018-05-08·CVSS 7.5
CVE-2018-0824 [HIGH] Microsoft COM for Windows Remote Code Execution Vulnerability
Microsoft COM for Windows Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects.
An attacker who successfully exploited the vulnerability could use a specially crafted file or script to perform actions. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website
GHSA
GHSA-6w8g-777w-9mcc: A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects, aka "Microsoft COM fo
ghsa_unreviewed·2022-05-14
CVE-2018-0824 [HIGH] CWE-502 GHSA-6w8g-777w-9mcc: A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects, aka "Microsoft COM fo
A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects, aka "Microsoft COM for Windows Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.
VulnCheck
Microsoft COM for Windows Deserialization of Untrusted Data Vulnerability
vulncheck·2018·CVSS 8.8
CVE-2018-0824 [HIGH] CWE-502 Microsoft COM for Windows Deserialization of Untrusted Data Vulnerability
Microsoft COM for Windows Deserialization of Untrusted Data Vulnerability
Microsoft COM for Windows contains a deserialization of untrusted data vulnerability that allows for privilege escalation and remote code execution via a specially crafted file or script.
Affected: Microsoft Windows
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://blog.talosintelligence.com/chinese-hacking-group-apt41-compromised-taiwanese-government-affiliated-research-institute-with-shadowpad-and-cobaltstrike-2/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.cyfirma.com/research/apt-quarterly-highlights-q3-2024/; https://www.enisa.europa.eu/sites/default
No detection rules found.
Exploit-DB
Microsoft COM for Windows - Privilege Escalation
exploitdb·2018-06-18·CVSS 8.8
CVE-2018-0824 [HIGH] Microsoft COM for Windows - Privilege Escalation
Microsoft COM for Windows - Privilege Escalation
---
Writeup: https://codewhitesec.blogspot.com/2018/06/cve-2018-0624.html
In May 2018 Microsoft patched an interesting vulnerability (CVE-2018-0824) which was reported by Nicolas Joly of Microsoft's MSRC:
A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects. An attacker who successfully exploited the vulnerability could use a specially crafted file or script to perform actions. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user
Metasploit
Windows unmarshal post exploitation
metasploit
Windows unmarshal post exploitation
Windows unmarshal post exploitation
This module exploits a local privilege escalation bug which exists in Microsoft COM for Windows when it fails to properly handle serialized objects.
Talos
There is no real fix to the security issues recently found in GitHub and other similar software
blogs_talos·2024-08-01
There is no real fix to the security issues recently found in GitHub and other similar software
## There is no real fix to the security issues recently found in GitHub and other similar software
A recently discovered security issue in GitHub and other, similar, control system products seems to fit into the classic “it’s a feature, not a bug” category.
Security researchers last week published their findings into some research of how deleted forks in GitHub work, potentially leaving the door open for a malicious actor to steal a project key and then view deleted forks and versions of any project on GitHub.
This may not necessarily even be a *new* discovery, because users on social media were quick to point out that these products have always been designed this way, so it’s not like a new sort of exploit had just been published. But the publishing of these findings came after Truffle Security says a major tech company accidentally leaked a private key for an employee GitHub account,
Talos
APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike
blogs_talos·2024-08-01·CVSS 8.8
[HIGH] APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike
## APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike
- Cisco Talos discovered a malicious campaign that compromised a Taiwanese government-affiliated research institute that started as early as July 2023, delivering the ShadowPad malware, Cobalt Strike and other customized tools for post-compromise activities.
- The activity conducted on the victim endpoint matches the hacking group APT41, alleged by the U.S. government to be comprised of Chinese nationals. Talos assesses with medium confidence that the combined usage of malware, open-source tools and projects, procedures and post-compromise activity matches this group’s usual methods of operation.
- The ShadowPad malware used in the current campaign exploited an outdated vulnerable version of Microsoft Office IME binary as a loader to load the customized second-stage loader for launching th
Talos
Microsoft Patch Tuesday - May 2018
blogs_talos·2018-05-08·CVSS 7.5
[HIGH] Microsoft Patch Tuesday - May 2018
## Microsoft Patch Tuesday - May 2018
Today, Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 67 new vulnerabilities, with 21 of them rated critical, 42 of them rated important, and four rated as low severity. These vulnerabilities impact Outlook, Office, Exchange, Edge, Internet Explorer and more.
In addition to the 67 vulnerabilities referenced above, Microsoft has also released a critical update advisory, ADV180008, which addresses the vulnerability CVE-2018-4944 described in the Adobe security bulletin APSB18-16.
### Critical Vulnerabilities
This month, Microsoft is addressing 21 vulnerabilities that are rated as critical. Talos believes one of these is notable and requires prompt attenti
References
- http://www.securityfocus.com/bid/104030
- http://www.securitytracker.com/id/1040848
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0824
- https://www.exploit-db.com/exploits/44906/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-0824
Timeline
- 2018-05-09: Published
- 2024-08-05: Added to CISA KEV
- Exploited in the wild