June 15, 2017 Karn Ganeshen

Microsoft Office Patch Installers – Insecure Library Loading Allows Code Execution

Microsoft Office Patch Installer Executables – Insecure Library Loading Allows Code Execution
Vulnerability: DLL Hijacking / DLL Side Loading


Microsoft Office patch installer executables were found to be vulnerable to a DLL side-loading / hijacking issue.

This issue was observed when installing a patch for Microsoft Excel 2013 SP1. The patch installer for Microsoft Word was also tested and confirmed to exhibit the same behavior. Other patch installers may also be vulnerable.

In this writeup, I document the MS Excel 2013 patch update KB3127968.

When the patch installer is run, specific DLL file(s) are looked for in the current directory, that is, the directory from where this patch installer is run. Some of the DLLs that are looked for and loaded are:

If an attacker and / or a malicious user can place crafted DLL file(s) in the current directory from which this patch installer is run, it is possible to execute arbitrary code with the privileges of the user (the administrator installing Microsoft Excel / Word / other Office applications).

This also applies where the installer is run from a shared folder on another system (\\server\shared_folder\mso2013-kb3127968-fullfile-x86-glb.exe).

Note 1: These DLLs are loaded by the installer executable (mso2013-kb3127968-fullfile-x86-glb.exe) before the Microsoft Executable Installer (msiexec.exe) starts.

Note 2: In the case of the Microsoft Word patch update installation, in addition to the installer exe (word2013-kb3128004-fullfile-x86-glb.exe) looking for DLLs in the current directory, once msiexec.exe runs as part of the installation process, it looks for and loads several DLLs (for example, netmsg.dll) from directories in the PATH environment variable, leading to code execution if we can place our malicious DLL.
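A pre-flight check an administrator could run before launching one of these installers, as an added example that is not part of the original writeup. It flags DLLs sitting beside the installer, an installer launched from a share, and copies of a watched DLL in PATH directories outside a trusted set; the function names, the constructed folder layout and the choice of System32 as the only trusted directory are assumptions.

```python
import os
import tempfile
from pathlib import Path

def colocated_dlls(installer):
    """Names of DLL files in the installer's own directory (extension match is case-insensitive)."""
    folder = Path(installer).resolve().parent
    return sorted(p.name for p in folder.iterdir()
                  if p.is_file() and p.suffix.lower() == ".dll")

def is_unc(installer):
    """True when the path is a UNC share path, as in the shared-folder case above."""
    return str(installer).startswith("\\\\")

def untrusted_path_hits(dll_name, path_dirs, trusted_dirs):
    """PATH directories outside trusted_dirs that contain dll_name."""
    trusted = {os.path.normcase(os.path.realpath(d)) for d in trusted_dirs}
    hits = []
    for d in path_dirs:
        if not os.path.isdir(d) or os.path.normcase(os.path.realpath(d)) in trusted:
            continue
        if any(n.lower() == dll_name.lower() for n in os.listdir(d)):
            hits.append(d)
    return hits

def preflight(installer, path_dirs, trusted_dirs, watched=("netmsg.dll",)):
    """Collect reasons not to run the installer from where it currently sits."""
    if is_unc(installer):
        return ["installer is on a network share; copy it to a clean local folder"]
    findings = [f"DLL beside installer: {name}" for name in colocated_dlls(installer)]
    for name in watched:
        for d in untrusted_path_hits(name, path_dirs, trusted_dirs):
            findings.append(f"{name} found in non-system PATH directory: {d}")
    return findings

def demo():
    """Constructed layout: a downloads folder with a stray DLL and a tools dir on PATH."""
    root = Path(tempfile.mkdtemp())
    downloads, tools, system32 = root / "Downloads", root / "tools", root / "System32"
    for d in (downloads, tools, system32):
        d.mkdir()
    installer = downloads / "mso2013-kb3127968-fullfile-x86-glb.exe"
    installer.touch()
    (downloads / "Example.DLL").touch()   # constructed stray DLL beside the installer
    (tools / "NetMsg.dll").touch()        # constructed copy outside the trusted directory
    (system32 / "netmsg.dll").touch()     # stands in for the legitimate copy (assumption)
    return preflight(installer, [str(system32), str(tools)], [str(system32)])

if __name__ == "__main__":
    print("\n".join(demo()))
```

On a real host, pass the entries of the PATH environment variable as `path_dirs` and the Windows system directory as `trusted_dirs`.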

Tested versions

Verified on Windows 7 32-bit SP1 + MS Office 2013 SP1

Steps to reproduce

In case of MS Excel & Word patch update via respective installers:

In case of MS Word patch update, additional DLL loading via msiexec.exe:


