Note that, even if user interaction is required, it can be minimal. According to Microsoft, the Preview Pane is also an attack vector, which means the user doesn’t need to open the file. Loading the RTF document in the Preview Pane should also trigger the vulnerability.
Microsoft CVE-2023-21707: Microsoft Exchange Server Remote Code Execution Vulnerability
- Personally observed in an environment
The SolarWinds Information Service (SWIS) is vulnerable to RCE by way of a crafted message received through the AMQP message queue. A malicious user that can authenticate to the AMQP service can publish such a crafted message whose body is a serialized .NET object which can lead to OS command execution as NT AUTHORITY\SYSTEM.
In order to authenticate to the AMQP service, a user would need to already have admin access to add a RabbitMQ user, or have recovered the credentials to the orion account that SolarWinds sets up automatically. For that reason, I’ve marked this as “Authenticated” and “Requires elevated access” because the orion account is not any ordinary user.
The malicious user can exploit the victim’s PC remotely.
For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.
In this case, the malicious Excel file creates a very dangerous shell execution file, and after the victim executes it, his PC may never wake up normally; it depends on the case, which is very nasty.
STATUS: HIGH Vulnerability
```vb
Sub Check_your_salaries()
    CreateObject("Shell.Application").ShellExecute "microsoft-edge:https://pornhub.com/"
End Sub

Sub cmd()
    Dim Program As String
    Dim TaskID As Double
    On Error Resume Next
    Program = "cmd.exe"
    TaskID = Shell(Program, 1)
    If Err <> 0 Then
        MsgBox "Can't start " & Program
    End If
End Sub
```
Proof and Exploit:
Proof and Exploit, danger example:
- Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2023/03/15/cisa-adds-one-known-exploited-vulnerability-catalog)
Is there more information about what exactly the vulnerable component in Excel is? I can’t find much information about this but I can’t imagine it is simply the shell function in VBA, that’s been a vector for some time. Any additional info would be appreciated. Thanks for sharing!
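For defenders triaging documents that carry macros like the two posted above, the following added example (not code from the original post or its author) flags the process-launching calls those macros rely on: VBA's `Shell` function and `ShellExecute` on a `Shell.Application` object. The sample text, the placeholder URL, the rule names and the `scan` helper are all constructed for this illustration, and `WScript.Shell` is included as a related COM object that the page does not mention.

```python
import re

# Constructed sample: the two macros from the post, one statement per line,
# with a placeholder URL, a line continuation and a comment added as test cases.
SAMPLE = '''Sub Check_your_salaries()
    CreateObject("Shell.Application").ShellExecute _
        "microsoft-edge:https://example.invalid/"
End Sub
Sub cmd()
    Dim Program As String
    Program = "cmd.exe"   ' don't flag this comment: Shell("x")
    TaskID = Shell(Program, 1)
    If Err <> 0 Then MsgBox "Can't start " & Program
End Sub
'''

STRING = re.compile(r'"(?:[^"]|"")*"')   # VBA string literal; "" is an escaped quote
SUB = re.compile(r'^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)', re.I)
CODE_RULES = {                           # matched on code with string literals blanked
    "shell-function": re.compile(r'(?<![.\w])Shell\b\s*[(\w"]', re.I),
    "shellexecute-method": re.compile(r'\.ShellExecute\b', re.I),
}
LITERAL_RULES = {                        # matched on each string literal outside comments
    "shell-com-object": re.compile(r'^"(Shell\.Application|WScript\.Shell)"$', re.I),
    "uri-scheme-literal": re.compile(r'^"[a-z][a-z0-9+.-]+:', re.I),
}

def scan(source):
    """Return (procedure, rule) pairs for process-launching constructs in VBA source."""
    findings, current = [], "(module)"
    joined = re.sub(r'[ \t]_[ \t]*\r?\n', ' ', source)    # join " _" line continuations
    for line in joined.splitlines():
        literals = STRING.findall(line)
        # Blank strings first so an apostrophe inside "Can't" is not read as a comment.
        code = STRING.sub('""', line).split("'", 1)[0]
        literals = literals[:code.count('""')]            # drop literals inside the comment
        m = SUB.match(code)
        if m:
            current = m.group(1)
        findings += [(current, n) for n, rx in CODE_RULES.items() if rx.search(code)]
        findings += [(current, n) for lit in literals
                     for n, rx in LITERAL_RULES.items() if rx.search(lit)]
    return findings

if __name__ == "__main__":
    for sub, rule in scan(SAMPLE):
        print(f"{sub}: {rule}")
```

The input is macro source text that has already been extracted from the document; pulling it out of the file is outside this example.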