[CVE-2017-0199]: Microsoft Office and WordPad Remote Code Execution Vulnerability

Severe vulnerability in MicrosoftS Office Suites, enabling remote code execution to the targeted victim machines.

Severe vulnerability in MicrosoftS Office Suites, enabling remote code execution to the targeted victim machines.

Thursday, 30 May, 2024

CVE Vulnerability
CVE Vulnerability
CVE Vulnerability

CVE-2017-0199 designates a critical security flaw affecting Microsoft Office and WordPad, enabling remote code execution. Exploiting this vulnerability involves opening a maliciously crafted RTF or Word document containing an embedded ActiveX object, potentially allowing attackers to execute arbitrary code on the victim's system, leading to unauthorized access or malware installation.

File Details:

Hash    : e57fac19e5babb8456c90f86b4c9b3b54e4cc2de3ef478f92d258265e1f758c3
Filename: muestraEXCEL.xls
FileType: MS Excel Spreadsheet 
Size    : 488.00 KB (499712 bytes)

Vulnerability Score: 9.3 High

How does it work?

When a victim opens a specifically designed XLS document with an embedded ActiveX object, the vulnerability activates, allowing malicious code execution. This code empowers attackers to seize control of the victim's system, implant malware, or carry out other malicious activities, depending on their objectives.

Technical Analysis of XLS:

Malware authors utilizing XLS (Excel spreadsheet) files as an initial vector for several reasons. Firstly, XLS files are commonly exchanged via email in business settings, making them appear less suspicious to users. Moreover, Excel supports macros, which can execute malicious code upon opening, granting attackers entry into the target system. 

Let's start by examining static analysis, beginning with the extraction of file strings.

The easiest method to examine file strings involves using a string extraction tool, which extracts both ASCII and Unicode strings from the file and presents them in a GUI format for quick analysis.

Extracted File Strings:

The above mentioned one is a Unicode string containing a suspicious URL along with obfuscated strings.

Initial Vector of XLS Document:

Here's the template of the initial vector, featuring the image stating "This Document is Protected"along with accompanying instructions. It doesn't contain any macro-enabled editing.

Protected Sheets:

In the image below, the XLS sheets are protected by passwords, preventing us from accessing the content of the embedded functions or code. After successfully cracking the passcode, we gain access to view the complete code of the malware. However, it's not a simple task. Let's move forward with alternative analyses.

Manual Extraction of XLS Document:

In the primary template, we observed an image attached to the Excel sheet. During manual extraction, numerous embedded folders were discovered. Within one of these folders, we encountered embedded content in .pdf format, denoted by the .%pdf extension.

Captured HTTP Packet:

While performing dynamic analysis, we captured an HTTP packet response originating from “wheel((.))to” Domain. Let’s analyze the URL.

Sandbox Results:

Conclusion:

In summary, CVE-2017-0199 denotes a severe vulnerability in Microsoft Office, enabling remote execution of arbitrary code. This analysis has delved into the technical aspects of the vulnerability, emphasizing its exploitation via malicious XLS documents utilizing embedded ActiveX control objects. Consequently, this poses a substantial risk to both individual users and organizations.

Happy Hunting !!