CVE-2017-8759 | .NET Framework Remote Code Execution Vulnerability – An analysis by Quick Heal Security Labs

Credit to Author: Pavankumar Chaudhari| Date: Thu, 14 Sep 2017 09:28:34 +0000

The recent zero-day vulnerability in .NET Framework vulnerability CVE-2017-8759 enables attackers to perform a Remote Code Execution on the targeted machine. This vulnerability is found to be exploited in the wild through email spam messages loaded with malicious RTF files as an attachment. Microsoft has released a security update on September 12, 2017, to fix this issue. Vulnerable Versions The below versions of Microsoft Frameworks are affected by this vulnerability: • Microsoft .NET Framework 2.0 SP2 • Microsoft .NET Framework 3.5 • Microsoft .NET Framework 3.5.1 • Microsoft .NET Framework 4.5.2 • Microsoft .NET Framework 4.6 • Microsoft .NET Framework 4.6.1 • Microsoft .NET Framework 4.6.2/4.7 • Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7 • Microsoft .NET Framework 4.7 Vulnerability This is a code injection vulnerability in SOAP Moniker which allows an attacker to perform a remote code execution on the targeted machine. After successful exploitation, the attacker can take control of vulnerable system and download and execute programs on the affected system at will. The malicious RTF document, which is an initial attack vector, makes a request to a CNC server and downloads vulnerable SOAP WSDL content. Fig 1. SOAP WSDL Content The vulnerability triggers while parsing the SOAP WSDL content and malicious payloads get downloaded and executed on the victim’s machine. Quick Heal Detections Quick Heal has released the following detections for the vulnerability CVE-2017-8759 Virus Protection Exp.RTF.CVE-2017-8759 IDS/IPS VID-03201 – .NET Framework Remote Code Execution Vulnerability The observed payload in the wild delivered after the exploitation of this vulnerability was FINSPY. The payload is detected by Quick Heal as “Backdoor.FinSpy”. This exploit is already being used in the wild and we expect more malicious campaigns will make use of this vulnerability in the future. Microsoft has patched this vulnerability and updates are available here. We strongly recommend users to apply these updates and also take the latest security updates by Quick Heal. Subject Matter Expert Pavankumar Chaudhari | Quick Heal Security Labs The post CVE-2017-8759 | .NET Framework Remote Code Execution Vulnerability – An analysis by Quick Heal Security Labs appeared first on Quick Heal Technologies Security Blog | Latest computer security news, tips, and advice.
http://blogs.quickheal.com/feed/