Members
  • Total Members: 14197
  • Latest: Levine
Stats
  • Total Posts: 43440
  • Total Topics: 16532
  • Online today: 3040
  • Online ever: 51419
  • (01. January 2010., 10:27:49)
Users Online
Users: 3
Guests: 3037
Total: 3040









Post reply

Name:
Email:
Subject:
Message icon:

Verification:
Type the letters shown in the picture
Listen to the letters / Request another image

Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.codekids.ba:

shortcuts: hit alt+s to submit/post or alt+p to preview


Topic Summary

Posted by: Pez
« on: 24. April 2012., 08:59:57 »


CVE-2012-0158 Exploit in the Wild (MS12-027)

Since last week, we have seen many specially crafted files exploiting CVE-2012-0158, a vulnerability in MSCOMCTL.OCX in Microsoft Office and some other Microsoft products. This exploit can be implemented in a variety of file formats, including RTF, Word, and Excel files. We have already found crafted RTF and Word files in the wild. In the malicious RTF, a vulnerable OLE file is embedded with \object and \objocx tags.

The following image shows an example of a crafted RTF file containing a vulnerable OLE file. You can see the signature of the OLE file in D0CF11E0. …


Larger picture

Malicious RTF file

Upon opening a crafted file with the vulnerable application, as in other document exploit files, we see an innocent file posing as bait, while in the background, the Trojan files are installed. Here are typical malware installation steps triggered by the vulnerable application, Word in this example:

1. The crafted document is opened by a Word process.

2. Exploiting the vulnerability triggers the shellcode in the OLE file.

3. The shellcode installs the Trojan(s) on the victim’s machine. Typically, the Trojan is installed in the following path:

%userProfile%\Local Settings\Temp\(filename).exe

4. The shellcode start a new process of Word and opens as bait an innocent document file embedded in the document. Typically the bait file is dropped at:

%userProfile%\Local Settings\Temp\(filename).doc

5. The shellcode terminates the Word process that opened the crafted document.

Because of steps 4 and 5, users will see Word quit and then immediately relaunch with the bait file. If you see this symptom, check with your system administrator.

These crafted documents typically arrive as email attachments. Users should always exercise caution when opening unsolicited emails. We also strongly recommend installing the latest fix, from April’s Patch Tuesday. (Refer to the Microsoft Bulletin for more information: http://technet.microsoft.com/en-us/security/bulletin/ms12-027 )

McAfee detects these malicious document files as:

•Exploit-CVE2012-0158: Detection for MS Office files such as MS Word and MS Excel
•Exploit-CVE2012-0158!rtf : RTF files containing vulnerable OLE containers


Orginal article: Monday, April 23, 2012 at 11:56am by Shinsuke Honjo

CVE-2012-0158

Vulnerability Summary for CVE-2012-0158  

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Kursevi programiranja za ucenike u Sarajevu

Terms of Use | Privacy Policy | Advertising
TinyPortal 2.3.1 © 2005-2023