9.3
CVSSv2

CVE-2014-4114

Published: 15/10/2014 Updated: 12/10/2018
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
VMScore: 1000
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote malicious users to execute arbitrary code via a crafted OLE object in an Office document, as exploited in the wild with a "Sandworm" attack in June through October 2014, aka "Windows OLE Remote Code Execution Vulnerability."

Exploits

## # This module requires Metasploit: http://metasploit.com/download # Current source: github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::FILEFORMAT include Msf::Exploit::EXE def initialize(info={}) super(update_info(info, ...
# # Full exploit: github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/35216.rar # #CVE-2014-6352 OLE Remote Code Execution #Author Abhishek Lyall - abhilyall[at]gmail[dot]com, info[at]aslitsecurity[dot]com #Advanced Hacking Trainings - training.aslitsecurity.com #Web - www.aslitsecurity.com/ #Blog - http ...
#!/usr/bin/env python import os import zipfile import sys ''' Full Exploit: github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/35019.tar.gz Very quick and ugly [SandWorm CVE-2014-4114] exploit builder Exploit Title: CVE-2014-4114 SandWorm builder Built to run on: Linux/MacOSX Date: 17/10/2014 Exploit Author: Vlad O ...
#!/usr/bin/python # Windows OLE RCE Exploit MS14-060 (CVE-2014-4114) – Sandworm # Author: Mike Czumak (T_v3rn1x) - @SecuritySift # Written: 10/21/2014 # Tested Platform(s): Windows 7 SP1 (w/ exploit script run on Kali Linux) # You are free to reuse this code in part or in whole with the exception of commercial applications # For a demo of this Po ...

Mailing Lists

This Metasploit module exploits a vulnerability found in Windows Object Linking and Embedding (OLE) allowing arbitrary code execution, publicly known as "Sandworm". Platforms such as Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable ...
This Metasploit module exploits a vulnerability found in Windows Object Linking and Embedding (OLE) allowing arbitrary code execution, bypassing the patch MS14-060, for the vulnerability publicly known as "Sandworm", on systems with Python for Windows installed. Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to b ...

Metasploit Modules

MS14-060 Microsoft Windows OLE Package Manager Code Execution

This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE) allowing arbitrary code execution, publicly known as "Sandworm". Platforms such as Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable. However, based on our testing, the most reliable setup is on Windows platforms running Office 2013 and Office 2010 SP2. Please keep in mind that some other setups, such as Office 2010 SP1, might be less stable and sometimes end in a crash due to a failure in the CPackage::CreateTempFileName function. This module will generate three files: an INF, a GIF, and a PPSX file. You are required to set up an SMB or Samba 3 server and host the INF and GIF there. Systems such as Ubuntu or an older version of Windows (such as XP) work best for this because they require little configuration to get going. The PPSX file is what you should send to your target. In detail, the vulnerability has to do with how the Object Packager 2 component (packager.dll) handles an INF file that contains malicious registry changes, which may be leveraged for code execution. First of all, Packager does not load the INF file directly. As an attacker, you can trick it into loading your INF anyway by embedding the file path as a remote share in an OLE object. The packager will then treat it as a type of media file and load it with the packager!CPackage::OLE2MPlayerReadFromStream function, which downloads it with a CopyFileW call, saves it in a temp folder, and passes that information on for later. The exploit performs this loading process twice: first for a fake GIF file that is actually the payload, and second for the INF file. The packager will also look at each OLE object's XML Presentation Command, specifically the type and cmd properties. In the exploit, the "verb" media command type is used, and this triggers the packager!CPackage::DoVerb function. Also, "-3" is used as the fake GIF file's cmd property, and "3" is used for the INF. When the cmd is "-3", DoVerb will bail. But when "3" is used (again, for the INF file), it causes the packager to try to find an appropriate handler for it, which ends up being C:\Windows\System32\infDefaultInstall.exe; that installs/runs the malicious INF file and finally gives us arbitrary code execution.

msf > use exploit/windows/fileformat/ms14_060_sandworm
msf exploit(ms14_060_sandworm) > show targets
    ...targets...
msf exploit(ms14_060_sandworm) > set TARGET <target-id>
msf exploit(ms14_060_sandworm) > show options
    ...show and set options...
msf exploit(ms14_060_sandworm) > exploit
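The module description above names two things a defender can check for in a PPSX without executing it: an OLE object whose relationship target is a remote share rather than a part inside the package, and a presentation command of type "verb" whose cmd value drives the OLE verb. The script below is an added triage example, not code from this page or from the Metasploit project; it treats the PPSX as the zip package it is and walks the slide XML and slide relationship parts. The minimal package it builds, the example host 192.0.2.10 and the file names in it are constructed test input, not a real sample.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces and the relationship type that links a slide to an
# embedded OLE object (from the Office Open XML spec, not page-specific).
NS_P = "http://schemas.openxmlformats.org/presentationml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_OLE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def is_remote_unc(target: str) -> bool:
    """True when a relationship Target resolves to a UNC share (\\\\host\\share\\...),
    optionally wrapped in a file: URI. A benign embedded object points at a
    part inside the package (e.g. ../embeddings/oleObject1.bin) instead."""
    t = target.strip()
    if t.lower().startswith("file:"):
        t = t[5:].lstrip("/")
    return t.startswith("\\\\")


def scan_ppsx(data: bytes) -> list:
    """Return (indicator, part_name, detail) tuples for the two traits:
    an OLE relationship with an external UNC target, and a p:cmd element
    of type "verb" (its cmd attribute is the OLE verb number)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("ppt/slides/_rels/") and name.endswith(".rels"):
                root = ET.fromstring(zf.read(name))
                for rel in root.iter(f"{{{NS_REL}}}Relationship"):
                    if (rel.get("Type") == REL_OLE
                            and rel.get("TargetMode") == "External"
                            and is_remote_unc(rel.get("Target", ""))):
                        findings.append(("remote_ole_target", name, rel.get("Target")))
            elif name.startswith("ppt/slides/") and name.endswith(".xml"):
                root = ET.fromstring(zf.read(name))
                for cmd in root.iter(f"{{{NS_P}}}cmd"):
                    if cmd.get("type") == "verb":
                        findings.append(("ole_verb_command", name, cmd.get("cmd")))
    return findings


def is_suspicious(findings: list) -> bool:
    """Flag only when both traits co-occur: a verb command on an in-package
    object is ordinary animation markup and should not alert on its own."""
    kinds = {f[0] for f in findings}
    return {"remote_ole_target", "ole_verb_command"} <= kinds


def build_sample_ppsx(remote: bool = True) -> bytes:
    """Constructed minimal package (assumption, not a real sample): one slide
    whose two OLE relationships point either at a UNC share on an example
    host or at in-package parts, plus verb commands with cmd "-3" and "3"."""
    if remote:
        targets = ["file:///\\\\192.0.2.10\\share\\slide1.gif",
                   "file:///\\\\192.0.2.10\\share\\slides.inf"]
        mode = ' TargetMode="External"'
    else:
        targets = ["../embeddings/oleObject1.bin", "../embeddings/oleObject2.bin"]
        mode = ""
    rels = "".join(
        f'<Relationship Id="rId{i}" Type="{REL_OLE}" Target="{t}"{mode}/>'
        for i, t in enumerate(targets, start=1))
    rels_xml = f'<Relationships xmlns="{NS_REL}">{rels}</Relationships>'
    slide_xml = (
        f'<p:sld xmlns:p="{NS_P}"><p:cSld><p:spTree/></p:cSld>'
        '<p:timing><p:tnLst><p:par><p:cTn id="1"><p:childTnLst>'
        '<p:cmd type="verb" cmd="-3"><p:cBhvr><p:cTn id="2"/>'
        '<p:tgtEl><p:spTgt spid="4"/></p:tgtEl></p:cBhvr></p:cmd>'
        '<p:cmd type="verb" cmd="3"><p:cBhvr><p:cTn id="3"/>'
        '<p:tgtEl><p:spTgt spid="5"/></p:tgtEl></p:cBhvr></p:cmd>'
        '</p:childTnLst></p:cTn></p:par></p:tnLst></p:timing></p:sld>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("ppt/slides/slide1.xml", slide_xml)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Run against the constructed package; swap in open("x.ppsx", "rb").read() for real triage.
    hits = scan_ppsx(build_sample_ppsx(remote=True))
    for kind, part, detail in hits:
        print(f"{kind}: {part} -> {detail}")
    print("suspicious:", is_suspicious(hits))
```

The two-trait rule is the point of the design: external OLE targets alone also occur in legitimate linked objects, and verb commands alone are routine, so the combination is what lines up with the behaviour the description attributes to packager.dll. Parsing the package offline with the standard library keeps the check safe to run in a mail gateway or sandbox pipeline.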

Github Repositories

Threat INTel Reports: Archive of publicly available threat/cybercrime INTel reports (mostly APT Reports but not limited to). Useful as a reference when you emulate threat actors on a daily basis. Please create an issue if I'm missing a relevant Report. Note: If you are looking for every type of publicly available documents and notes related to APTs, have a look at APTnotes a

PoC Collection Index CVE-2014-4114 -- PowerPoint RCE CVE-2014-6271 -- Shell Shock CVE-2014-6332 -- VBScript RCE in IE CVE-2015-1328 -- Ubuntu local root exploit

APT Notes: This is a repository for various publicly-available documents and notes related to APT, sorted by year. For malware sample hashes, please see the individual reports. ARCHIVED! THIS REPO IS NOW MAINTAINED AT github.com/aptnotes/data. Please update your bookmarks. This repo is backported only once in a while. The new repo makes it easier for automation. To add

APT & CyberCriminal Campaign Collection: This is a collection of APT and CyberCriminal campaigns. Please fire an issue to me if any APT/Malware events/campaigns are lost. 🤷 The password of malware samples could be 'virus' or 'infected'. URL to PDF Tool: Print Friendly & PDF. Reference Resources: kbandla APTnotes, Florian Roth - APT Groups, Attack Wiki

APT & CyberCriminal Campaign Collection: This is a collection of APT and CyberCriminal campaigns. Please fire an issue to me if any APT/Malware events/campaigns are lost. 🤷 The password of malware samples could be 'virus' or 'infected'. Reference Resources: kbandla APTnotes, Florian Roth - APT Groups, Attack Wiki, threat-INTel, targetedthreats, Raw Threat Intel

office-exploit-case-study: Most samples are malware used in the real world, please study them in a virtual machine. Take responsibility yourself if you use them for illegal purposes. Samples should match the hash in the corresponding paper if mentioned. Exploits before 2012 are not included. Feel free to open issues if you have any questions. What did Microsoft do to make office more secure? 1Dat

office-exploit-case-study: Collection of office exploits used in the real world in recent years with samples and writeups, please study them in a virtual machine. Take responsibility yourself if you use them for illegal purposes. Samples should match the hash in the corresponding writeup if mentioned. If you are looking for more poc (reported by researchers and never used in the real world), you ca

Recent Articles

Security Firms Find Thin Lines Connecting NotPetya to Ukraine Power Grid Attacks
BleepingComputer • Catalin Cimpanu • 01 Jul 2017

On Friday, three cyber-security firms have come forward with reports or statements that link the NotPetya ransomware outbreak to a cyber-espionage group known for a large number of past cyber-attacks, such as the one on Ukraine's power grid in December 2015.
The group behind all these attacks has been active since 2007 and is tracked under different names, such as Sandworm, BlackEnergy, and most recently as TeleBots, while other lesser known names include Electrum, TEMP.Noble, and Quedagh....

Copy paste slacker hackers pop corp locks in ode to stolen code
The Register • Darren Pauli • 08 Jul 2016

Github, your ticket to world domination

The ultimate copy paste slacker hacker group has busted security controls in some 2500 corporates and government agencies using nothing but stolen code.
The targets focus on those affiliated with military and political assignments around Southeast Asia and the contentious South China Sea, and may have been compromised in a little over six months.
The group dubbed Patchwork for its use of multiple proof-of-concept and tools is detailed by researchers with Israeli deceptive infosec fir...

APT Group ‘Patchwork’ Cuts-and-Pastes a Potent Attack
Threatpost • Tom Spring • 07 Jul 2016

An advanced persistent threat tied to Southeast Asia and the South China Sea is targeting governments and entities around the world including the U.S. The attacks are unique, according to security experts, because the perpetrators are relying nearly 100 percent on computer code copied-and-pasted from sources on the web.
Cymmetria Research, which discovered the APT and today released a report on the attacks, calls those responsible for the attacks Patchwork because the group has piece-meale...

BlackEnergy trojan strikes again: Attacks Ukrainian electric power industry
welivesecurity • Robert Lipovsky Anton Cherepanov • 04 Jan 2016

On December 23rd, 2015, around half of the homes in the Ivano-Frankivsk region in Ukraine (population around 1.4 million) were left without electricity for a few hours. According to the Ukrainian news media outlet TSN, the cause of the power outage was a “hacker attack” utilizing a “virus”.
Looking at ESET’s own telemetry, we have discovered that the reported case was not an isolated incident and that other energy companies in Ukraine were targeted by cybercriminals at the same t...

The ULTIMATE CRUELTY: Sandworm uses PowerPoint against Swiss bank customers
The Register • John Leyden • 30 Oct 2014

From espionage to cybercrime

The Sandworm vulnerability is being actively abused to attack Swiss banking customers, Danish security consultancy CSIS has warned.
CSIS reports that the attacks are pushing the latest version of the Dyre banking trojan.
Attacks arrive as spam emails under the guise of information about unpaid invoices. In reality the PowerPoint attachment to these messages is booby-trapped to exploit the Sandworm vulnerability and infect insecure Windows PCs.
Sandworm first reared its ugly hea...

Dyreza Banker Trojan Attackers Exploiting CVE-2014-4114 Windows Flaw
Threatpost • Dennis Fisher • 29 Oct 2014

The Dyreza Trojan is nothing if not ambitious. The malware has been spotted doing a variety of interesting things in the last year, including bypassing SSL and targeting users of specific business apps. Now the Trojan is exploiting the recently disclosed CVE-2014-4114 vulnerability in Windows that was first used by the Sandworm attackers.
Researchers at CSIS in Denmark have identified a new spam campaign carrying the Dyreza Trojan that is targeting customers of various Swiss banks. Dyreza ...

BlackEnergy Malware Used in Attacks Against Industrial Control Systems
Threatpost • Michael Mimoso • 29 Oct 2014

Industrial control system operations running human-machine interface software from a handful of vendors are being targeted by a hacking campaign making use of the BlackEnergy malware.
The United States Industrial Control System Cyber Emergency Response Team (ICS-CERT) published an advisory on Tuesday warning about malware found at a number of companies running Internet-connected HMI software. HMI software provides a visualization of industrial control and manufacturing processes. These int...

DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
The Register • John Leyden • 22 Oct 2014

Might put out patch in update, might chuck it out sooner

Hackers are exploiting a zero-day vulnerability in Windows using malicious PowerPoint documents, Microsoft and security firms warn.
An advisory from Microsoft warns that the as-yet-unpatched flaw is present in all supported versions of Windows except Windows Server 2003 and has already been abused in "limited, targeted attacks".
The bug (CVE-2014-6352) can be triggered by sending specially crafted Microsoft Office files to intended targets before tricking them into opening the boob...

Attackers Exploiting Windows OLE Zero Day Vulnerability
Threatpost • Dennis Fisher • 22 Oct 2014

Attackers are using a zero day vulnerability in nearly all supported versions of Windows in a series of targeted attacks. The flaw is in the OLE technology in Windows and can be used for remote code execution if a targeted user opens a rigged Office file.
Microsoft is warning customers that there is no patch available for this new vulnerability. The company has issued a FixIt tool that mitigates the known attacks on the vulnerability, but is still looking into whether a full patch will be...

Two Patched Zero Days Targeting Windows Kernel
Threatpost • Chris Brook • 15 Oct 2014

After they were patched in yesterday’s round of Patch Tuesday security bulletins, security firms have begun to peel back the layers on two zero-day vulnerabilities that are being used in limited, targeted attacks against Microsoft’s Windows Kernel.
According to FireEye, one of the firms that conducted research on both of the vulnerabilities, the flaws can lead to elevation of privilege if left unpatched. Both vulnerabilities are being used in attacks against some major corporations, t...

Microsoft Security Updates October 2014
Securelist • Kurt Baumgartner • 14 Oct 2014

Update (2014.10.15) – administrative notes for preparation… Friends on Twitter let me know their update cycle took close to 20 minutes on Windows 7. Yesterday, others on 8.1 told me their update download was around a gig, for some it was ~200 mb. Also, this cycle likely requires everyone a reboot to complete.
*******
This morning was possibly one of the most information rich in the history of Microsoft’s patch Tuesdays. Last month, we pointed out the Aurora Panda/DeputyDog...

CVE-2014-4114: Details on August BlackEnergy PowerPoint Campaigns
welivesecurity • Robert Lipovsky • 14 Oct 2014

At the Virus Bulletin conference that took place in Seattle last month, we talked about how the BlackEnergy trojan has evolved into a malicious tool used for espionage in Ukraine and Poland.
In our last post on the subject, we mentioned the following malware spreading vectors used in BlackEnergy campaigns this year:
In this post we provide additional information on the latter: how a specially crafted PowerPoint slideshow file (.PPSX) led to the execution of a BlackEnergy dropper.

Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
The Register • Simon Sharwood, APAC Editor • 14 Oct 2014

Fix imminent from Microsoft for Vista, Server 2008, other stuff

Russian hackers have exploited a zero-day vulnerability in Microsoft Windows to hijack and snoop on PCs and servers used by NATO and the European Union, says security biz iSight.
The software flaw is present in desktop and server flavors of the Redmond operating system, from Vista and Server 2008 to current versions. No patch for the hole exists yet, but is expected to be fixed in today's Patch Tuesday update from Microsoft.
iSight has dubbed the vulnerability (CVE-2014-4114) “San...

Sandworm APT Team Found Using Windows Zero Day Vulnerability
Threatpost • Dennis Fisher • 14 Oct 2014

UPDATE–A cyberespionage team, possibly based in Russia, has been using a Windows zero day vulnerability to target a variety of organizations in several countries, including the United States, Poland, Ukraine and western Europe. The vulnerability, which will be patched today by Microsoft, is trivially exploitable and researchers say that the team behind the attacks has been using it since August to deliver the Black Energy malware.
Researchers at iSIGHT Partners said that the team, which ...