Think you have a false positive on this rule?

Sid 1-18494

Message

OS-WINDOWS Microsoft product .dll dll-load exploit attempt

Summary

Untrusted search path vulnerability in the client in Microsoft Remote Desktop Connection 5.2, 6.0, 6.1, and 7.0 allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .rdp file, aka "Remote Desktop Insecure Library Loading Vulnerability."

Impact

CVSS base score 9.3 CVSS impact score 10.0 CVSS exploitability score 8.6 confidentialityImpact COMPLETE integrityImpact COMPLETE availabilityImpact COMPLETE

CVE-2011-0029:

CVSS base score 9.3

CVSS impact score 10.0

CVSS exploitability score 8.6

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

CVE-2011-0107:

CVSS base score 9.3

CVSS impact score 10.0

CVSS exploitability score 8.6

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

CVE-2011-1980:

CVSS base score 9.3

CVSS impact score 10.0

CVSS exploitability score 8.6

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

CVE-2014-1756:

CVSS base score 9.3

CVSS impact score 10.0

CVSS exploitability score 8.6

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

CVE-2015-1758:

CVSS base score 6.9

CVSS impact score 10.0

CVSS exploitability score 3.4

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

Detailed information

CVE-2011-0029: Untrusted search path vulnerability in the client in Microsoft Remote Desktop Connection 5.2, 6.0, 6.1, and 7.0 allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .rdp file, aka "Remote Desktop Insecure Library Loading Vulnerability."

CVE-2011-0107: Untrusted search path vulnerability in Microsoft Office XP SP3, Office 2003 SP3, and Office 2007 SP2 allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .docx file, aka "Office Component Insecure Library Loading Vulnerability."

CVE-2011-1980: Untrusted search path vulnerability in Microsoft Office 2003 SP3 and 2007 SP2 allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .doc, .ppt, or .xls file, aka "Office Component Insecure Library Loading Vulnerability."

CVE-2014-1756: Untrusted search path vulnerability in Microsoft Office 2007 SP3, 2010 SP1 and SP2, and 2013 Gold, SP1, RT, and RT SP1, when the Simplified Chinese Proofing Tool is enabled, allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .docx file, aka "Microsoft Office Chinese Grammar Checking Vulnerability."

CVE-2015-1758: Untrusted search path vulnerability in the LoadLibrary function in the kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT allows local users to gain privileges via a Trojan horse DLL in an unspecified directory, aka "Windows LoadLibrary EoP Vulnerability."

Affected systems

  • microsoft remotedesktopconnection_client 5.2
  • microsoft remotedesktopconnection_client 6.0
  • microsoft remotedesktopconnection_client 6.1
  • microsoft remotedesktopconnection_client 7.0
  • microsoft windows2003server *
  • microsoft windows_7 -
  • microsoft windowsserver2003 *
  • microsoft windowsserver2008 *
  • microsoft windowsserver2008 -
  • microsoft windowsserver2008 r2
  • microsoft windows_vista *
  • microsoft windows_xp *
  • microsoft windows_xp -
  • microsoft office 2003
  • microsoft office 2007
  • microsoft office xp
  • microsoft office 2010
  • microsoft office 2013
  • microsoft windows_7 *
  • microsoft windows_8 -
  • microsoft windows_rt -
  • microsoft windowsserver2012 -

Ease of attack

CVE-2011-0029:

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

CVE-2011-0107:

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

CVE-2011-1980:

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

CVE-2014-1756:

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

CVE-2015-1758:

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

False positives

None known

False negatives

None known

Corrective action

Upgrade to the latest non-affected version of the software.

Apply the appropriate vendor supplied patches.

Contributors

  • Talos research team.
  • This document was generated from data supplied by the national vulnerability database, a product of the national institute of standards and technology.
  • For more information see nvd.

Additional References

  • technet.microsoft.com/en-us/security/bulletin/ms11-017
  • technet.microsoft.com/en-us/security/bulletin/MS11-023
  • technet.microsoft.com/en-us/security/bulletin/MS11-073
  • technet.microsoft.com/en-us/security/bulletin/ms15-059
  • technet.microsoft.com/en-us/security/bulletin/MS15-063
  • technet.microsoft.com/en-us/security/bulletin/ms14-023