CVE-2018-8311
Published: 2018-07-11
CVE-2018-8311: A remote code execution vulnerability exists when Skype for Business and Microsoft Lync clients fail to properly sanitize specially crafted content, aka…
Priority: P2 · 59 · high · CVSS 3.0: 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 16.62% (96.6th percentile)
A remote code execution vulnerability exists when Skype for Business and Microsoft Lync clients fail to properly sanitize specially crafted content, aka "Remote Code Execution Vulnerability in Skype For Business and Lync." This affects Skype, Microsoft Lync.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | microsoft_lync | — | — |
| microsoft | microsoft_lync | — | — |
| microsoft | skype | — | — |
| microsoft | skype | — | — |
| msrc | microsoft_lync_2013_service_pack_1 | — | — |
| msrc | skype_for_business_2016 | — | — |
Detection & IOCs (extracted from sources)
- Detect abuse of the FirefoxURL URI handler with injected arguments -MOZ_LOG and -MOZ_LOG_FILE on Windows, which enables arbitrary file write via command injection in the file path parameter.
- Monitor for Firefox process launches (from non-browser parent processes such as Microsoft Office/Outlook) with command-line arguments containing -MOZ_LOG_FILE combined with shell metacharacters (&, |, etc.).
- Alert on files written to the Windows Startup folder (AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/) by Firefox or child processes spawned from Firefox, especially .bat files.
- Detect HTML attachments opened in Microsoft Outlook preview that contain firefoxurl: URI scheme links, as the exploit is delivered via .htm email attachment triggering the URI handler.
- Monitor for the -P argument combined with -MOZ_LOG and -MOZ_LOG_FILE in Firefox command lines, as the -P flag is used to make the exploit more reliable by forcing Firefox shutdown to flush the log payload.
- The exploit payload requires knowledge of the victim's Windows username to construct the correct Startup folder path; generic payloads using %APPDATA% do not work for this vulnerability.
- The exploit is not reliable against Firefox 68+ without the -P argument; without it, the user may need to manually kill Firefox for the payload to be written to the Startup folder.
- Major browsers (Chrome, Firefox itself) encode special characters in URLs (e.g. " becomes %22), preventing exploitation when the link is opened directly in a browser; the attack vector requires a Windows application that does not encode custom URI schemes, such as Microsoft Office.
CVSS provenance
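| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| vendor_msrc | — | 8.8 | HIGH | — |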
Microsoft
Remote Code Execution Vulnerability in Skype For Business and Lync
vendor_msrc·2018-07-10·CVSS 8.8
CVE-2018-8311 [HIGH] Remote Code Execution Vulnerability in Skype For Business and Lync
Description: A remote code execution vulnerability exists when Skype for Business and Microsoft Lync clients fail to properly sanitize specially crafted content. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, the attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
An attacker could host a specially crafted website that is designed to exploit the
GHSA
GHSA-v5v7-qp5p-hxjg: A remote code execution vulnerability exists when Skype for Business and Microsoft Lync clients fail to properly sanitize specially crafted content, a
ghsa_unreviewed·2022-05-14
CVE-2018-8311 [HIGH] CWE-20 GHSA-v5v7-qp5p-hxjg: A remote code execution vulnerability exists when Skype for Business and Microsoft Lync clients fail to properly sanitize specially crafted content, a
A remote code execution vulnerability exists when Skype for Business and Microsoft Lync clients fail to properly sanitize specially crafted content, aka "Remote Code Execution Vulnerability in Skype For Business and Lync." This affects Skype, Microsoft Lync.
No detection rules found.
No public exploits indexed.
Talos
Microsoft Patch Tuesday - July 2018
blogs_talos·2018-07-10·CVSS 7.5
[HIGH] Microsoft Patch Tuesday - July 2018
Microsoft released its monthly set of security advisories today for vulnerabilities that have been identified and addressed in various products. This month's release addresses 53 new vulnerabilities, 17 of which are rated critical, 34 are rated important, one is rated moderate, and one is rated as low severity. These vulnerabilities impact Windows Operating System, Edge, Internet Explorer and more.
In addition to the 53 vulnerabilities referenced above, Microsoft has also released a critical update advisory, ADV180017, which addresses the vulnerabilities described in the Adobe security bulletin APSB18-24.
## Critical vulnerabilities
This month, Microsoft is addressing 17 vulnerabilities that are rated as critical:
CVE-2018-8242 - Scripting Engine Memory Corruption Vulnerability
CVE-2018-
Bugzilla
URI Handler Command Injection Vulnerability [iDefense V-bsk2ottbf1]
bugzilla·2019-08-09
[MEDIUM] URI Handler Command Injection Vulnerability [iDefense V-bsk2ottbf1]
Created attachment 9084402
PoC html file
The following email received from [email protected]
-------- Forwarded Message --------
Subject: Fwd: iDefense Vendor Notification - [V-bsk2ottbf1]
Date: Fri, 9 Aug 2019 17:51:29 +0000
From: Vendor Disclosure
To: [email protected]
CC: Vendor Disclosure
Please find the attached report and PoC for this issue.
Thanks,
Rohit Mothe
iDefense Labs
-------- Forwarded Message --------
Subject: iDefense Vendor Notification - [V-bsk2ottbf1]
Date: Fri, 9 Aug 2019 17:48:58 +0000
From: [email protected]
Reply-To: [email protected]
To: [email protected]
iDefense has identified a vulnerability. This vulnerability was submitted to iDefense through
- http://www.securityfocus.com/bid/104624
- http://www.securitytracker.com/id/1041259
- http://www.securitytracker.com/id/1041260
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8311
Published: 2018-07-11