Microsoft Office Patch Installer Executables - Insecure Library Loading Allows Code Execution

Vulnerability: DLL Hijacking / DLL Side Loading
Advisory URL: https://ipositivesecurity.com/2017/06/15/microsoft-office-patch-installers-insecure-library-loading-allow-code-execution/

------------------------
ABOUT
------------------------

Microsoft Office patch installer executables are vulnerable to a DLL side loading / hijacking issue. This issue was observed when installing a patch for Microsoft Excel 2013 SP1. The patch installer for Microsoft Word was also tested and confirmed to exhibit the same behavior. Other patch installers may also be vulnerable.

When the patch installer is run, it looks for specific DLL file(s) in the current directory, that is, the directory from which the patch installer is run.

If an attacker and / or a malicious user can place crafted DLL file(s) in the current directory from which this patch installer is run, then it is possible to execute arbitrary code with the privileges of the user (the administrator installing Microsoft Excel / Word / other Office applications). This also applies where the installer is run from a shared folder on another system (\\server\shared_folder\mso2013-kb3127968-fullfile-x86-glb.exe).

Note 1: These DLLs are loaded by mso2013-kb3127968-fullfile-x86-glb.exe before Microsoft Executable Installer (msiexec.exe) starts.

Note 2: In the case of the Microsoft Word patch update installation, in addition to the installer exe (word2013-kb3128004-fullfile-x86-glb.exe) looking for DLLs in the current directory, once msiexec.exe runs as part of the installation process, it looks for and loads several DLLs (for example, netmsg.dll) from directories in the PATH environment variable, leading to code execution if a malicious DLL can be placed in one of them.

------------------------
Tested versions
------------------------

Verified on Windows 7 32-bit SP1 + MS Office 2013 SP1

+++++
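A pre-flight check an administrator could run before launching one of these patch installers, covering both load stages described above. This is an added example, not code from the advisory or from Microsoft. The function names, the system_dirs parameter and the directory layout in demo() are assumptions made for illustration, and it assumes the installer is launched from the folder it sits in.

```python
import os
import tempfile

# DLL name the advisory gives as an example for the msiexec.exe stage.
WATCHED = {"netmsg.dll"}

def dlls_in(directory):
    """Sorted names of *.dll files directly inside directory."""
    try:
        return sorted(n for n in os.listdir(directory) if n.lower().endswith(".dll"))
    except OSError:  # missing or unreadable directory
        return []

def preflight(installer, path_env, system_dirs=()):
    """Return (kind, path) findings to clear before running the installer."""
    findings = []
    if installer.startswith("\\\\"):  # launched from a share (UNC path)
        findings.append(("unc-launch", installer))
    # Stage 1: the advisory does not name the DLLs, so flag every DLL beside the installer.
    folder = os.path.dirname(os.path.abspath(installer))
    for name in dlls_in(folder):
        findings.append(("dll-beside-installer", os.path.join(folder, name)))
    # Stage 2: watched DLL names in PATH directories other than the system ones.
    trusted = {os.path.normcase(os.path.abspath(d)) for d in system_dirs}
    for entry in filter(None, path_env.split(os.pathsep)):
        if os.path.normcase(os.path.abspath(entry)) in trusted:
            continue
        for name in dlls_in(entry):
            if name.lower() in WATCHED:
                findings.append(("watched-dll-on-path", os.path.join(entry, name)))
    return findings

def demo():
    """Run preflight over a constructed directory layout (not real findings)."""
    with tempfile.TemporaryDirectory() as root:
        downloads, tools, system32 = (os.path.join(root, d) for d in ("Downloads", "tools", "System32"))
        files = [os.path.join(downloads, "mso2013-kb3127968-fullfile-x86-glb.exe"),
                 os.path.join(downloads, "planted.dll"),
                 os.path.join(tools, "NetMsg.dll"),
                 os.path.join(system32, "netmsg.dll")]
        for f in files:
            os.makedirs(os.path.dirname(f), exist_ok=True)
            open(f, "wb").close()
        found = preflight(files[0], os.pathsep.join([system32, tools]), [system32])
        return [(kind, os.path.relpath(p, root)) for kind, p in found]

if __name__ == "__main__":
    for kind, path in demo():
        print(kind, path)
```

On a real system, pass os.environ["PATH"] as path_env and the Windows system directory in system_dirs; an empty result means neither stage has a candidate DLL in the locations the advisory describes.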