ID CVE-2014-6352
Summary Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object, as exploited in the wild in October 2014 with a crafted PowerPoint document.
Vulnerable Configurations
  • cpe:2.3:o:microsoft:windows_7:-:sp1
  • cpe:2.3:o:microsoft:windows_8
  • cpe:2.3:o:microsoft:windows_8.1
  • Microsoft Windows RT Gold
    cpe:2.3:o:microsoft:windows_rt:-:gold
  • Microsoft Windows RT 8.1
    cpe:2.3:o:microsoft:windows_rt_8.1
  • Microsoft Windows Server 2008 Service Pack 2
    cpe:2.3:o:microsoft:windows_server_2008:-:sp2
  • Microsoft Windows Server 2008 R2 Service Pack 1
    cpe:2.3:o:microsoft:windows_server_2008:r2:sp1
  • Microsoft Windows Server 2012 Gold
    cpe:2.3:o:microsoft:windows_server_2012:-:gold
  • cpe:2.3:o:microsoft:windows_server_2012:r2
  • Microsoft Windows Vista Service Pack 2
    cpe:2.3:o:microsoft:windows_vista:-:sp2
CVSS
Base: 9.3 (as of 08-10-2015 - 02:09)
Impact:
Exploitability:
CWE CWE-94
CAPEC
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file), the attacker has already modified the file either to execute malicious code directly or to manipulate the target process (e.g. an application server) into executing based on the malicious configuration parameters. Since systems are increasingly interrelated, mashing up resources from local and remote sources, the possibility of this attack occurring is high. The attack can be directed at a client system, for example by causing a buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028, where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading PDF files. In this case the attacker simply appends JavaScript to the end of a legitimate URL for a PDF (http://www.gnucitizen.org/blog/danger-danger-danger/): http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here. The client assumes that they are reading a PDF, but the attacker has modified the resource and loaded executable JavaScript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, where adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when it is manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user-controlled variables (DEBUG=1, PHP globals, and so forth). An attacker can override environment variables by leveraging user-supplied, untrusted query variables that are used directly on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
Access
Vector NETWORK
Complexity MEDIUM
Authentication NONE
Impact
Confidentiality COMPLETE
Integrity COMPLETE
Availability COMPLETE
exploit-db via4
  • description MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python. CVE-2014-4114,CVE-2014-6352. Local exploit for windows platform
    id EDB-ID:35235
    last seen 2016-02-04
    modified 2014-11-14
    published 2014-11-14
    reporter metasploit
    source https://www.exploit-db.com/download/35235/
    title MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python
  • description MS14-064 Microsoft Windows OLE Package Manager Code Execution. CVE-2014-4114,CVE-2014-6352. Local exploit for windows platform
    id EDB-ID:35236
    last seen 2016-02-04
    modified 2014-11-14
    published 2014-11-14
    reporter metasploit
    source https://www.exploit-db.com/download/35236/
    title MS14-064 Microsoft Windows OLE Package Manager Code Execution
  • description Microsoft Office 2007 and 2010 - OLE Arbitrary Command Execution. CVE-2014-4114,CVE-2014-6352. Local exploit for windows platform
    id EDB-ID:35216
    last seen 2016-02-04
    modified 2014-11-12
    published 2014-11-12
    reporter Abhishek Lyall
    source https://www.exploit-db.com/download/35216/
    title Microsoft Office 2007 and 2010 - OLE Arbitrary Command Execution
  • description Windows OLE - Remote Code Execution "Sandworm" Exploit (MS14-060). CVE-2014-4114,CVE-2014-6352. Remote exploit for windows platform
    file exploits/windows/remote/35055.py
    id EDB-ID:35055
    last seen 2016-02-04
    modified 2014-10-25
    platform windows
    port
    published 2014-10-25
    reporter Mike Czumak
    source https://www.exploit-db.com/download/35055/
    title Windows OLE - Remote Code Execution "Sandworm" Exploit MS14-060
    type remote
  • description MS14-060 Microsoft Windows OLE Package Manager Code Execution. CVE-2014-4114,CVE-2014-6352. Local exploit for win32 platform
    file exploits/windows_x86/local/35020.rb
    id EDB-ID:35020
    last seen 2016-02-04
    modified 2014-10-20
    platform windows_x86
    port
    published 2014-10-20
    reporter metasploit
    source https://www.exploit-db.com/download/35020/
    title MS14-060 Microsoft Windows OLE Package Manager Code Execution
    type local
  • description Windows OLE Package Manager SandWorm Exploit. CVE-2014-4114,CVE-2014-6352. Local exploit for windows platform
    file exploits/windows/local/35019.py
    id EDB-ID:35019
    last seen 2016-02-04
    modified 2014-10-20
    platform windows
    port
    published 2014-10-20
    reporter Vlad Ovtchinikov
    source https://www.exploit-db.com/download/35019/
    title Windows OLE Package Manager SandWorm Exploit
    type local
metasploit via4
  • description This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE) allowing arbitrary code execution, publicly exploited in the wild as an MS14-060 patch bypass. The Microsoft update tried to fix the vulnerability publicly known as "Sandworm". Platforms such as Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable. However, based on our testing, the most reliable setup is on Windows platforms running Office 2013 and Office 2010 SP2. Please keep in mind that some other setups such as using Office 2010 SP1 might be less stable, and may end up with a crash due to a failure in the CPackage::CreateTempFileName function.
    id MSF:EXPLOIT/WINDOWS/FILEFORMAT/MS14_064_PACKAGER_RUN_AS_ADMIN
    last seen 2019-01-11
    modified 2017-07-24
    published 2014-11-12
    reliability Excellent
    reporter Rapid7
    source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/ms14_064_packager_run_as_admin.rb
    title MS14-064 Microsoft Windows OLE Package Manager Code Execution
  • description This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE) allowing arbitrary code execution, bypassing the patch MS14-060, for the vulnerability publicly known as "Sandworm", on systems with Python for Windows installed. Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable. However, based on our testing, the most reliable setup is on Windows platforms running Office 2013 and Office 2010 SP2. Please keep in mind that some other setups such as those using Office 2010 SP1 may be less stable, and may end up with a crash due to a failure in the CPackage::CreateTempFileName function.
    id MSF:EXPLOIT/WINDOWS/FILEFORMAT/MS14_064_PACKAGER_PYTHON
    last seen 2019-03-13
    modified 2017-07-24
    published 2014-11-13
    reliability Excellent
    reporter Rapid7
    source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/ms14_064_packager_python.rb
    title MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python
msbulletin via4
bulletin_id MS14-064
bulletin_url
date 2014-11-11T00:00:00
impact Remote Code Execution
knowledgebase_id 3011443
knowledgebase_url
severity Critical
title Vulnerabilities in Windows OLE Could Allow Remote Code Execution
nessus via4
  • NASL family Windows
    NASL id SMB_KB3010060.NASL
    description The remote host is missing one of the workarounds referenced in Microsoft Security Advisory 3010060. The version of Microsoft Office installed on the remote host is affected by a remote code execution vulnerability due to a flaw in the OLE package manager. A remote attacker can exploit this vulnerability by convincing a user to open an Office file containing specially crafted OLE objects, resulting in execution of arbitrary code in the context of the current user.
    last seen 2017-10-29
    modified 2017-08-30
    plugin id 78627
    published 2014-10-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78627
    title MS KB3010060: Vulnerability in Microsoft OLE Could Allow Remote Code Execution (deprecated)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS14-064.NASL
    description The remote Windows host is affected by multiple vulnerabilities:
      - A remote code execution vulnerability due to Internet Explorer improperly handling access to objects in memory. A remote attacker can exploit this vulnerability by convincing a user to visit a specially crafted website in Internet Explorer, resulting in execution of arbitrary code in the context of the current user. (CVE-2014-6332)
      - A remote code execution vulnerability due to a flaw in the OLE package manager. A remote attacker can exploit this vulnerability by convincing a user to open an Office file containing specially crafted OLE objects, resulting in execution of arbitrary code in the context of the current user. (CVE-2014-6352)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 79125
    published 2014-11-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79125
    title MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443)
refmap via4
bid 70690
confirm
misc http://twitter.com/ohjeongwook/statuses/524795124270653440
ms MS14-064
sectrack 1031097
secunia 61803
xf ms-win-ole-cve20146352-code-exec(97714)
the hacker news via4
id THN:3CCB49974C881C181739745A6694FB0A
last seen 2018-01-27
modified 2014-10-22
published 2014-10-22
reporter Mohit Kumar
source https://thehackernews.com/2014/10/microsoft-powerpoint-vulnerable-to-zero.html
title Microsoft PowerPoint Vulnerable to Zero-Day Attack
Last major update 08-10-2015 - 12:32
Published 22-10-2014 - 10:55
Last modified 12-10-2018 - 18:07