CVE-2018-0802

Published: 10/01/2018 Updated: 16/03/2018
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 833
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allows a remote code execution vulnerability due to the way objects are handled in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE is unique from CVE-2018-0797 and CVE-2018-0812.

Affected Products

Vendor | Product | Versions
Microsoft | Office | 2007, 2010, 2013, 2016
Microsoft | Office Compatibility Pack | -
Microsoft | Word | 2007, 2010, 2013, 2016

Github Repositories

CVE-2018-0802 CVE-2018-08022: portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802 MITRE CVE-2018-0802: cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0802 0patch exploitation and patch video: www.youtube.com/watch?v=XU-U4K270Z4 Qihoo 360 blog post www.freebuf.com/vuls/159789.html Checkpoint blog (brute-force ASLR by

CVE-2018-0802_POC usage: cve-2018-0802_poc.py [-h] -e EXECUTABLE -o OUTPUT. The RTF sample exploits the vulnerability to execute the calculator.

CVE

CVE-EXPLOIT-DB

RTF_11882_0802 CVE-2017-11882 CVE-2017-11882: portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882 MITRE CVE-2017-11882: cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882 Research: embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about Patch analysis: 0patch.blogspot.ru/2017/11/did-microsoft-just-man

Introduction: rtfraptor is a simple tool to aid analysis of malicious RTF files by extracting OLEv1 objects. It was inspired by a blog post by Denis O'Brien (link below). It works by running Word and intercepting calls to OLEv1 functions. This allows raw OLE objects to be dumped from memory for further analysis. The tool is designed to be run on Windows. This is useful f

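office-exploits This repository maintains currently known MS Office vulnerabilities; pull requests are welcome. Vulnerability list: CVE-2017-8570 CVE-2017-8759 CVE-2017-11882 CVE-2018-0802 DDEAUTO Other ways of executing commands via injection. Other vulnerabilities: the following vulnerabilities have not been tested yet: CVE-2017-0199 thom-s/docx-embeddedhtml-injection - This PowerShell script exploits a known vulnerability in Word 2016 docum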

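office-exploits This repository maintains currently known MS Office vulnerabilities; pull requests are welcome. Vulnerability list: CVE-2017-8570 CVE-2017-8759 CVE-2017-11882 CVE-2018-0802 DDEAUTO Other ways of executing commands via injection. Other vulnerabilities: the following vulnerabilities have not been tested yet: CVE-2017-0199 webSettings.xml: obtaining the NTLM SSP hash; macro; tools; generation and obfuscation; Shellntel/luckystrike - A PowerShell base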

MicroSoft Office RCEs: A collection of MicroSoft Office vulnerabilities that could end up remote command execution. CVE-2012-0158 CVE-2015-1641(customXML type confusion) CVE-2016-7193(dfrxst) CVE-2017-0199 CVE-2017-8570 CVE-2017-8759(.NET Framework) CVE-2017-11182 CVE-2017-11826(EQNEDT32.EXE) CVE-2018-0802(EQNEDT32.EXE again) CVE-2018-0797(RTF UAF) CVE-2018-8597(Excel) CVE-2018

office-exploit-case-study Most samples are malware used in the real world, please study them in virtual machine. Take responsibility yourself if you use them for illegal purposes. Samples should match hash in corresponding paper if mentioned. Exploits before 2012 not included. Feel free to open issues if you have any questions. What did Microsoft do to make office more secure? 1. Dat

office-exploit-case-study Collection of office exploit used in the real world recent years with samples and writeup, please study them in virtual machine. Take responsibility yourself if you use them for illegal purposes. Samples should match hash in corresponding writeup if mentioned. If you are looking for more poc (reported by researchers and never used in the real world), you ca

TODO: Fix -p flag; -c flag is deprecated. CVE Watcher queries the National Vulnerability Database (NVD) for CVEs related to specific vendor and/or product. Example(s): python CVEWatcher.py -v Microsoft -s 0 -S 2015 -e 0 -E 2015; python CVEWatcher.py -v Adobe -s 0 -S 2015 -e 0 -E 2015; python CVEWatcher.py -v Google -p chrome -s 4 -S 2014 -e 11 -E 2014. Example Output: Microsoft,78,H

Awesome Stars A curated list of my GitHub stars! Generated by starred Contents ASP Arduino Assembly AutoHotkey AutoIt Batchfile BitBake Bro C C# C++ CSS CoffeeScript Dockerfile Emacs Lisp Erlang Game Maker Language Go HTML Haskell Java JavaScript Jupyter Notebook KiCad Kotlin Logos Lua M Makefile Markdown Mask

Awesome CVE PoC: A curated list of CVE PoCs. Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security. Please read the contribution guidelines before contributing. This repo is full of PoCs for CVEs. If you enjoy this awesome list and would like to support it, check out my Patreon page :

Recent Articles

IT threat evolution Q1 2019. Statistics
Securelist • Victor Chebyshev Fedor Sinitsyn Denis Parinov Boris Larin Oleg Kupreev Evgeny Lopatin • 23 May 2019

These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data.
According to Kaspersky Security Network,
Q1 2019 is remembered mainly for mobile financial threats.
First, the operators of the Russia-targeting Asacub Trojan made several large-scale distribution attempts, reaching up to 13,000 unique users per day. The attacks used active bots to send malicious links to contacts in already infected smartpho...

Spam and phishing in Q1 2019
Securelist • Maria Vergelis Tatyana Shcherbakova Tatyana Sidorina • 15 May 2019

As per tradition, phishing timed to coincide with lovey-dovey day was aimed at swindling valuable confidential information out of starry-eyed users, such as bank card details. The topics exploited by cybercriminals ranged from online flower shops to dating sites.

But most often, users were invited to order gifts for loved ones and buy medications such as Viagra. Clicking/tapping the link in such messages resulted in the victim’s payment details being sent to the cybercriminals.

Kaspersky updates its cybercrook look book: Smashing Office is hot, browser vulns are not
The Register • Gareth Corfield • 16 Apr 2019

Over two-thirds of attacks Russian biz spied targeted venerable Microsoft suite

Russian security biz Kaspersky Lab has said more than 70 per cent of malware attacks it detected last year were made against everyone's favourite Microsoft suite – Office.
"In the past few months, MS Office... became the most targeted platform," the firm said in a blog post. It produced a graph showing that between Q4 2016 and Q4 2018, Office-targeting attacks rose from 16 per cent of total Kaspersky detections to more than two-thirds.
The outfit also reported a switch away from ne...

Cobalt Group Pushes Revamped ThreadKit Malware
Threatpost • Tom Spring • 11 Dec 2018

Despite the high profile arrest earlier this year of the Cobalt Group ringleader, the threat actors behind the hacking collective are slowly ramping up their malicious behavior. In a new analysis of the threat group, known for its widespread attacks against banks in Eastern Europe over the past several years, the Cobalt Group has recently been observed updating its arsenal with a new version of the ThreadKit malware.
In a report issued by security firm Fidelis on Tuesday (PDF), researchers...

IT threat evolution Q3 2018. Statistics
Securelist • Victor Chebyshev Fedor Sinitsyn Denis Parinov Oleg Kupreev Evgeny Lopatin Alexander Liskin • 12 Nov 2018

These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data.
According to Kaspersky Security Network:
Perhaps the biggest news of the reporting period was the Trojan-Banker.AndroidOS.Asacub epidemic. It peaked in September when more than 250,000 unique users were attacked – and that only includes statistics for those with Kaspersky Lab’s mobile products installed on their devices.

Number of...

White-Hats Go Rogue, Attack Financial Institutions
BleepingComputer • Ionut Ilascu • 05 Sep 2018

Hackers rooted in the white-hat part of the business moonlight as bank robbers, pouring their knowledge and skills into creating and modifying malware that allows them to infiltrate financial institutions.
The group is believed to have only two members and shows perseverance as well as the ability to learn from its own failures.
According to a report shared with BleepingComputer by international cybersecurity company Group-IB, the newest financially-motivated group on the market has...

Despite Ringleader’s Arrest, Cobalt Group Still Active
Threatpost • Tara Seals • 28 May 2018

Evidence has surfaced that the Cobalt Group – the threat actors behind widespread attacks on banks and ATM jackpotting campaigns across Europe – is continuing to operate, despite the arrest of its accused ringleader in March.
The Cobalt Group first burst on the scene in 2016: in a single night, the group stole the equivalent of over $32,000 (in local currency) from six ATMs in Eastern Europe. Throughout 2017 the group expanded its focus to financial-sector phishing schemes and new re...

IT threat evolution Q1 2018. Statistics
Securelist • Victor Chebyshev Fedor Sinitsyn Denis Parinov Alexander Liskin Oleg Kupreev • 14 May 2018

According to KSN:
In Q1 2018, DNS-hijacking, a new in-the-wild method for spreading mobile malware on Android devices, was identified. As a result of hacked routers and modified DNS settings, users were redirected to IP addresses belonging to the cybercriminals, where they were prompted to download malware disguised, for example, as browser updates. That is how the Korean banking Trojan Wroba was distributed.
It wasn’t a drive-by-download case, since the success of the attack larg...

APT37 (Reaper): The Overlooked North Korean Actor
Fireeye Threat Research • by FireEye • 20 Feb 2018

On Feb. 2, 2018, we published a blog detailing the use of an Adobe Flash zero-day vulnerability (CVE-2018-4878) by a suspected North Korean cyber espionage group that we now track as APT37 (Reaper).
Our analysis of APT37’s recent activity reveals that the group’s operations are expanding in scope and sophistication, with a toolset that includes access to zero-day vulnerabilities and wiper malware. We assess with high confidence that this activity is carried out on behalf of the North...

Don't just grab your CPU bug updates – there's a nasty hole in Office, too
The Register • Shaun Nichols in San Francisco • 09 Jan 2018

It's 2018 and a Word doc can still pwn your Windows computer

Patch Tuesday In case you've been hiding under a rock for the entirety of this new year (and we don't blame you if you have) there are a handful of major security flaws that have been dominating the news, and feature prominently in this month's Patch Tuesday update load.
First, let's look at the latest developments in the Meltdown/Spectre saga:
Nvidia has got around to kicking out graphics driver updates that address the Spectre flaws present in its code – for example, here are som...

Microsoft January Patch Tuesday Update Fixes 16 Critical Bugs
Threatpost • Tom Spring • 09 Jan 2018

Thanks to Meltdown and Spectre, January has already been an extremely busy month of patching for Microsoft. Today Microsoft tackled dozens more bugs, part of its regular Patch Tuesday release covering Microsoft Edge, Windows, Office, ASP.NET and the macOS version of Office.
Sixteen of Microsoft’s updates tackled critical vulnerabilities, 38 are rated important and one low. A total of 20 could potentially lead to remote code execution.
“Microsoft started Patch Tuesday a little ea...

Microsoft January Patch Tuesday Fixes 56 Security Issues, Including a Zero-Day
BleepingComputer • Catalin Cimpanu • 09 Jan 2018

Earlier today, Microsoft published the January 2018 Patch Tuesday security updates, containing fixes for 56 vulnerabilities and three special security advisories with fixes for Adobe Flash, the Meltdown & Spectre flaws, and a defense-in-depth update for Office applications.
This month, things were a little messy. On January 3, Microsoft released an emergency out-of-band security update with fixes for the now infamous Meltdown and Spectre vulnerabilities. That emergency update was suppo...