Exploiting CVE-2018-0802: Microsoft Office Memory Corruption Vulnerability | Lucideus Research

Lucideus
Oct 29, 2018

[Difficulty Level: Medium, CVSS v3 Base Score: 8.8 High]

Introduction

A new zero-day vulnerability was found on 8th January 2018 in Microsoft Office: a remote code execution flaw in which Microsoft Office fails to properly handle objects in memory. It is known as the Microsoft Office Memory Corruption Vulnerability. It can be exploited for remote code execution by tricking or forcing the victim into opening a specially crafted malicious Doc (Word file) in MS Office or WordPad. Its name is similar to those of CVE-2018-0797 and CVE-2018-0812, but it is a different vulnerability.

The get_byte() function increments the global variable dword_45BD3C and copies the content it points to into AL. In the vulnerable function this went on looping until a null was encountered, which could lead to a stack-based overflow when no null was present. In a nutshell, that’s pretty much all there is to this vulnerability. [1]

Vulnerable Function

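char get_byte()
{
    int v0; // ST14_4

    // post-increment the counter stored at dword_45BD3C + 12, keeping the old value
    v0 = (*(_DWORD *)(dword_45BD3C + 12))++;
    // return the byte for that position (in AL)
    return sub_417732(*(HGLOBAL *)dword_45BD3C, v0);
}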
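The copy-until-null pattern described above, next to a bounded version, as an added C example that is not the decompiled Office code and not part of the original post. The names struct stream, next_byte, copy_unbounded, copy_bounded and check_input, and the 32-byte buffer, are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-in for the input stream reached through dword_45BD3C. */
struct stream { const unsigned char *data; size_t len, pos; };

/* Same role as get_byte(): return the next byte and advance; -1 at end of data. */
static int next_byte(struct stream *s) {
    return s->pos < s->len ? s->data[s->pos++] : -1;
}

/* Pattern from the text: stops only on a null byte and never looks at the
   size of dst, so a longer run of non-null bytes writes past the buffer. */
size_t copy_unbounded(struct stream *s, char *dst) {
    size_t n = 0;
    int c;
    while ((c = next_byte(s)) > 0)
        dst[n++] = (char)c;
    dst[n] = '\0';
    return n;
}

/* Bounded form: returns the string length, or -1 if the input does not
   fit in dst or ends without a terminating null. */
long copy_bounded(struct stream *s, char *dst, size_t dst_size) {
    size_t n = 0;
    int c;
    if (dst_size == 0) return -1;
    while ((c = next_byte(s)) > 0) {
        if (n + 1 >= dst_size) { dst[0] = '\0'; return -1; }
        dst[n++] = (char)c;
    }
    if (c < 0) { dst[0] = '\0'; return -1; }
    dst[n] = '\0';
    return (long)n;
}

long check_input(const void *bytes, size_t len) {
    char name[32];  /* buffer size assumed for this demo */
    struct stream s = { (const unsigned char *)bytes, len, 0 };
    return copy_bounded(&s, name, sizeof name);
}

int main(void) {
    char long_run[64];  /* constructed sample: 64 bytes, no null */
    memset(long_run, 'A', sizeof long_run);
    printf("short input -> %ld\n", check_input("Arial", 6));
    printf("long input  -> %ld\n", check_input(long_run, sizeof long_run));
    return 0;
}
```

copy_unbounded is included only for comparison and is safe only when the caller already knows the string fits in dst; copy_bounded rejects the oversized or unterminated input instead of truncating it silently.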

Vulnerable Softwares

Microsoft Word 2016 (64-bit edition), Microsoft Word 2016 (32-bit edition), Microsoft Word 2013 Service Pack 1 (64-bit editions), Microsoft Word 2013 Service Pack 1 (32-bit editions), Microsoft Word 2013 RT Service Pack 1, Microsoft Word 2010 Service Pack 2 (64-bit editions), Microsoft Word 2010 Service Pack 2 (32-bit editions), Microsoft Word 2007 SP3, Microsoft Office Compatibility Pack Service Pack 3.

Workflow

● A malicious Word document carrying our payload is created with the help of the Metasploit Framework.

● The URL of the HTA file (.hta) is converted into a document file (.doc), which will be sent to the victim and will trigger the remote code execution vulnerability.

● Once the victim opens that document file, the payload will be delivered and will give us the Meterpreter session.

Lab Environment

● Victim’s Machine: Windows 7 SP1

Software Used: Microsoft Office 2013 Professional Plus

● Attacker’s Machine: Kali v17.3

Software Used: Metasploit Framework, RTF_11882_0802 Converter

Security Patch Released By Microsoft : https://portal.msrc.microsoft.com/en-US/security-guidance
