what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Microsoft Office Patch Installer DLL Hijacking

Microsoft Office Patch Installer DLL Hijacking
Posted Jun 30, 2017
Authored by Karn Ganeshen

Microsoft Office Patch Installer suffers from dll hijacking vulnerabilities.

tags | advisory, vulnerability
systems | windows
SHA-256 | 9dd76fa20f90231d58e4b700d50c6a63b8428b18f97fc2b8c466a1268ea2c8bc

Microsoft Office Patch Installer DLL Hijacking

Change Mirror Download
Microsoft Office Patch Installer Executables - Insecure Library Loading
Allows Code Execution
Vulnerability: DLL Hijacking / DLL Side Loading

Advisory URL:
https://ipositivesecurity.com/2017/06/15/microsoft-office-patch-installers-insecure-library-loading-allow-code-execution/

------------------------
ABOUT
------------------------

Microsoft Office Patch installer executables are found to be vulnerable to
DLL side loading / hijacking issue.

This issue was observed when installing a patch for Microsoft Excel 2013
SP1. Patch installer for Microsoft Word was also tested and confirmed to
exhibit the same behavior. Other patch installers may also be vulnerable.

When the patch installer is run, specific DLL file(s) are looked for in the
current directory, that is, the directory from where this patch installer
is run. If an attacker and / or a malicious user can place a crafted DLL
file(s) in the current directory from where this patch installer is run,
then it is possible to execute arbitrary code with the privileges of the
user (administrator installing Microsoft Excel / Word / other Office
applications).

This is also applicable where installer is run from a shared folder on
another system
(\\server\shared_folder\mso2013-kb3127968-fullfile-x86-glb.exe).

Note 1: these dlls are loaded by - mso2013-kb3127968-fullfile-x86-glb.exe -
before Microsoft Executable Installer - msiexec.exe - starts.

Note 2: In case of Microsoft Word patch update installation, in addition to
installer exe (word2013-kb3128004-fullfile-x86-glb.exe) looking for DLLs in
current directory, once msiexec.exe runs as part of the installation
process, it looks for & loads several DLLs (for example, netmsg.dll) from
directories in PATH env variable, leading to code execution if we can place
our malicious dll.

------------------------
Tested versions
------------------------
Verified on Windows 7 32-bit SP1 + MS Office 2013 SP1

+++++


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close