Sid 1-21310

Message

OS-WINDOWS Microsoft product fputlsat.dll dll-load exploit attempt

Summary

Untrusted search path vulnerability in the client in Microsoft Remote Desktop Connection 5.2, 6.0, 6.1, and 7.0 allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .rdp file, aka "Remote Desktop Insecure Library Loading Vulnerability."

Impact

CVSS base score 9.3

CVSS impact score 10.0

CVSS exploitability score 8.6

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

CVE-2011-0029:

CVSS base score 9.3

CVSS impact score 10.0

CVSS exploitability score 8.6

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

CVE-2011-0107:

CVSS base score 9.3

CVSS impact score 10.0

CVSS exploitability score 8.6

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

CVE-2011-1980:

CVSS base score 9.3

CVSS impact score 10.0

CVSS exploitability score 8.6

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

Detailed information

CVE-2011-0029: Untrusted search path vulnerability in the client in Microsoft Remote Desktop Connection 5.2, 6.0, 6.1, and 7.0 allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .rdp file, aka "Remote Desktop Insecure Library Loading Vulnerability."

CVE-2011-0107: Untrusted search path vulnerability in Microsoft Office XP SP3, Office 2003 SP3, and Office 2007 SP2 allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .docx file, aka "Office Component Insecure Library Loading Vulnerability."

CVE-2011-1980: Untrusted search path vulnerability in Microsoft Office 2003 SP3 and 2007 SP2 allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .doc, .ppt, or .xls file, aka "Office Component Insecure Library Loading Vulnerability."

Affected systems

  • microsoft remotedesktopconnection_client 5.2
  • microsoft remotedesktopconnection_client 6.0
  • microsoft remotedesktopconnection_client 6.1
  • microsoft remotedesktopconnection_client 7.0
  • microsoft windows2003server *
  • microsoft windows_7 -
  • microsoft windowsserver2003 *
  • microsoft windowsserver2008 *
  • microsoft windowsserver2008 -
  • microsoft windowsserver2008 r2
  • microsoft windows_vista *
  • microsoft windows_xp *
  • microsoft windows_xp -
  • microsoft office 2003
  • microsoft office 2007
  • microsoft office xp

Ease of attack

CVE-2011-0029:

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

CVE-2011-0107:

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

CVE-2011-1980:

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

False positives

None known

False negatives

None known

Corrective action

Upgrade to the latest non-affected version of the software.

Apply the appropriate vendor supplied patches.

Contributors

  • Talos research team.
  • This document was generated from data supplied by the National Vulnerability Database, a product of the National Institute of Standards and Technology.
  • For more information see NVD.

Additional References

  • technet.microsoft.com/en-us/security/bulletin/MS11-023
  • technet.microsoft.com/en-us/security/bulletin/MS11-073
  • technet.microsoft.com/en-us/security/bulletin/ms11-017