cbcvebase.
CVE-2018-8311
published 2018-07-11


Priority: P259 high, 8.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
EPSS: 16.62% (96.6th percentile)
A remote code execution vulnerability exists when Skype for Business and Microsoft Lync clients fail to properly sanitize specially crafted content, aka "Remote Code Execution Vulnerability in Skype For Business and Lync." This affects Skype, Microsoft Lync.

Affected

6 ranges
Vendor | Product | Version range | Fixed in
microsoft | microsoft_lync
microsoft | microsoft_lync
microsoft | skype
microsoft | skype
msrc | microsoft_lync_2013_service_pack_1
msrc | skype_for_business_2016

Detection & IOCs (extracted from sources)

domain: poc.mm2.in
path: C:/Users/IEUser/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/
filename: z.bat
other: firefoxurl-308046b0af4a39cb:
  • Detect abuse of the FirefoxURL URI handler with injected arguments -MOZ_LOG and -MOZ_LOG_FILE on Windows, which enables arbitrary file write via command injection in the file path parameter.
  • Monitor for Firefox process launches (from non-browser parent processes such as Microsoft Office/Outlook) with command-line arguments containing -MOZ_LOG_FILE combined with shell metacharacters (&, |, etc.).
  • Alert on files written to the Windows Startup folder (AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/) by Firefox or child processes spawned from Firefox, especially .bat files.
  • Detect HTML attachments opened in Microsoft Outlook preview that contain firefoxurl: URI scheme links, as the exploit is delivered via .htm email attachment triggering the URI handler.
  • Monitor for the -P argument combined with -MOZ_LOG and -MOZ_LOG_FILE in Firefox command lines, as the -P flag is used to make the exploit more reliable by forcing Firefox shutdown to flush the log payload.
  • The exploit payload requires knowledge of the victim's Windows username to construct the correct Startup folder path; generic payloads using %APPDATA% do not work for this vulnerability.
  • The exploit is not reliable against Firefox 68+ without the -P argument; without it, the user may need to manually kill Firefox for the payload to be written to the Startup folder.
  • Major browsers (Chrome, Firefox itself) encode special characters in URLs (e.g. " becomes %22), preventing exploitation when the link is opened directly in a browser; the attack vector requires a Windows application that does not encode custom URI schemes, such as Microsoft Office.
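
The command-line checks listed above can be combined into one rule over process-creation events. The following is an added example, not taken from the page or its sources; the event field names (parent, image, cmdline), the list of Office parent processes, and the sample events are assumptions constructed for illustration.

```python
import re

# Assumed field names (parent, image, cmdline) for a process-creation event.
# Parent list is an assumption; the page names Microsoft Office/Outlook.
OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
STARTUP = "appdata/roaming/microsoft/windows/start menu/programs/startup/"
# Match whole arguments only, so "-profile" is not mistaken for "-P".
FLAG = re.compile(r"(?<![\w-])-(moz_log_file|moz_log|p)(?![\w-])", re.I)
META = re.compile(r"[&|]")

def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()

def evaluate(event):
    """Return the names of the rules a process-creation event matches."""
    if basename(event["image"]) != "firefox.exe":
        return []
    cmd = event["cmdline"]
    flags = {m.group(1).lower() for m in FLAG.finditer(cmd)}
    if "moz_log_file" not in flags:
        return []  # metacharacters in an ordinary URL are not a signal alone
    hits = ["moz_log_file_arg"]
    if META.search(cmd):
        hits.append("shell_metachar")
    if STARTUP in cmd.lower().replace("\\", "/"):
        hits.append("startup_folder_path")
    if {"moz_log", "p"} <= flags:
        hits.append("profile_flag_combo")
    if basename(event["parent"]) in OFFICE_PARENTS:
        hits.append("office_parent")
    return hits

# Constructed sample events; every value is a placeholder, not captured data.
FF = r"C:\Program Files\Mozilla Firefox\firefox.exe"
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE", "image": FF,
     "cmdline": 'firefox.exe -url "x" -P -MOZ_LOG "PLACEHOLDER" -MOZ_LOG_FILE '
                '"C:/Users/USER/AppData/Roaming/Microsoft/Windows/Start Menu/'
                'Programs/Startup/PLACEHOLDER&PLACEHOLDER"'},
    {"parent": r"C:\Windows\explorer.exe", "image": FF,
     "cmdline": 'firefox.exe -url "https://example.org/?a=1&b=2"'},
    {"parent": r"C:\Windows\explorer.exe", "image": FF,
     "cmdline": 'firefox.exe -profile "D:/p" -MOZ_LOG_FILE "D:/logs/ff.log"'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(evaluate(ev) or "no match", "<-", ev["cmdline"][:60])
```

An event that matches only moz_log_file_arg is a low-severity hit (legitimate debug logging); the additional rule names are what raise it to an alert.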

CVSS provenance

nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P
vendor_msrc | 8.8 | HIGH