Microsoft Office Patch Installer Executables - Insecure Library Loading Allows Code Execution Vulnerability: DLL Hijacking / DLL Side Loading Advisory URL: https://ipositivesecurity.com/2017/06/15/microsoft-office-patch-installers-insecure-library-loading-allow-code-execution/ ------------------------ ABOUT ------------------------ Microsoft Office Patch installer executables are found to be vulnerable to DLL side loading / hijacking issue. This issue was observed when installing a patch for Microsoft Excel 2013 SP1. Patch installer for Microsoft Word was also tested and confirmed to exhibit the same behavior. Other patch installers may also be vulnerable. When the patch installer is run, specific DLL file(s) are looked for in the current directory, that is, the directory from where this patch installer is run. If an attacker and / or a malicious user can place a crafted DLL file(s) in the current directory from where this patch installer is run, then it is possible to execute arbitrary code with the privileges of the user (administrator installing Microsoft Excel / Word / other Office applications). This is also applicable where installer is run from a shared folder on another system (\\server\shared_folder\mso2013-kb3127968-fullfile-x86-glb.exe). Note 1: these dlls are loaded by - mso2013-kb3127968-fullfile-x86-glb.exe - before Microsoft Executable Installer - msiexec.exe - starts. Note 2: In case of Microsoft Word patch update installation, in addition to installer exe (word2013-kb3128004-fullfile-x86-glb.exe) looking for DLLs in current directory, once msiexec.exe runs as part of the installation process, it looks for & loads several DLLs (for example, netmsg.dll) from directories in PATH env variable, leading to code execution if we can place our malicious dll. ------------------------ Tested versions ------------------------ Verified on Windows 7 32-bit SP1 + MS Office 2013 SP1 +++++ # Iranian Exploit DataBase = http://IeDb.Ir [2017-06-29]