myhack58 | 佚名 (Anonymous) | MYHACK58:62201784753
History: Mar 29, 2017 - 12:00 a.m.

Microsoft bulletin: detecting and protecting against the CVE-2017-0005 elevation-of-privilege vulnerability - Vulnerability alerts - 黑吧安全网 (myhack58)

2017-03-29 00:00:00
佚名 (Anonymous)
www.myhack58.com

CVSS3: 7.0 High
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: LOCAL | Attack Complexity: HIGH | Privileges Required: LOW | User Interaction: NONE | Scope: UNCHANGED | Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH

CVSS2: 6.9 Medium
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C
Access Vector: LOCAL | Access Complexity: MEDIUM | Authentication: NONE | Confidentiality Impact: COMPLETE | Integrity Impact: COMPLETE | Availability Impact: COMPLETE

EPSS: 0.001 Low (percentile 44.3%)


On March 14, 2017, Microsoft released security bulletin MS17-013 to address the CVE-2017-0005 elevation-of-privilege vulnerability. Amol Sarwate, director of vulnerability labs at Qualys, said: "CVE-2017-0005 is a zero-day vulnerability that is currently being abused; exploit kits that use Silverlight as an attack vector could quickly incorporate this vulnerability."

In this article we detail the technical workings of the CVE-2017-0005 exploit and evaluate how well the defenses shipped in the Windows 10 Anniversary Update (released in August 2016), such as Supervisor Mode Execution Prevention (SMEP) and virtualization-based security (VBS), hold up against it. We also show how Windows Defender Advanced Threat Protection (Windows Defender ATP) detects and protects against elevation-of-privilege (EoP) exploits.

Zero-day elevation-of-privilege exploit

Looking at its code, we found that this zero-day elevation-of-privilege exploit specifically targets computers running Windows 7 and Windows 8. The attack package works in four stages:

![](/Article/UploadPic/2017-3/201732911576723.png)

Stages 1 and 2: decryption and API resolution

To protect the exploit code, the attacker encrypts the initial-stage PE file with AES-256. To load the next stage, a password must be passed as a parameter to the main entry function; the password is fed through the CryptHashData API, and the resulting hash serves as the key that decrypts the next-stage loader. A sample captured without that password therefore does not yield the later stages on its own.

Stage 2 is an intermediate stage that performs API resolution. The resolver at this stage works the way shellcode or position-independent code does: rather than relying on an import table, it locates the APIs it needs at run time.

The following code shows part of the resolution of the GetProcAddress API. The code appears intended to obscure the follow-on payload and hinder analysis of it.

![](/Article/UploadPic/2017-3/201732911576752.png)
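What a resolver of this kind looks like in practice: the loader embeds only a numeric hash of each API name and walks the exported names at run time until one hashes to that value, so a strings dump of the payload never shows "GetProcAddress". The C program below is an added example written for this page, not code from the exploit or from Microsoft's analysis. The ROR13 hash and the constructed export-name table are assumptions: the page does not say which hash the Stage 2 resolver uses, and a real resolver reads the names from the module's export directory rather than from a static array.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for a module's exported-name table. In a real
 * resolver these strings come from the loaded image's export directory
 * (reached via the PEB loader list); nothing here touches a real DLL. */
static const char *const k_export_names[] = {
    "CreateFileW", "CryptHashData", "GetProcAddress", "LoadLibraryA",
    "VirtualAlloc", "NtGdiEngBitBlt",
};
#define EXPORT_COUNT (sizeof k_export_names / sizeof k_export_names[0])

/* ROR13 string hash, the convention used by many shellcode resolvers.
 * Assumption for this example: the page does not state which hash the
 * exploit's Stage 2 resolver uses. */
uint32_t ror13_hash(const char *name)
{
    uint32_t h = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; ++p) {
        h = (h >> 13) | (h << 19);   /* rotate right by 13 bits */
        h += *p;
    }
    return h;
}

/* Resolve an export by hash only. Returns the index into the name table, or
 * -1 if no export hashes to the wanted value. A payload built this way
 * carries 32-bit constants instead of API name strings, which is why
 * import and strings analysis of the loader shows nothing useful. */
int resolve_by_hash(uint32_t wanted)
{
    for (size_t i = 0; i < EXPORT_COUNT; ++i)
        if (ror13_hash(k_export_names[i]) == wanted)
            return (int)i;
    return -1;
}

/* Analyst's counterpart: given a hash constant recovered from the sample,
 * recover the API name by hashing a candidate list. NULL if none matches. */
const char *name_for_hash(uint32_t wanted)
{
    int i = resolve_by_hash(wanted);
    return i < 0 ? NULL : k_export_names[i];
}

int main(void)
{
    uint32_t h = ror13_hash("GetProcAddress");
    printf("ROR13(\"GetProcAddress\") = 0x%08x -> index %d (%s)\n",
           h, resolve_by_hash(h), name_for_hash(h));
    return 0;
}
```

The analyst-side function is the practical takeaway: once the hash routine has been identified in the resolver, every constant it is compared against can be mapped back to an API name by hashing the export lists of the usual system DLLs.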

Stage 3: finding the right attack platform

In Stage 3, the attack package performs environmental checks, in particular identifying the operating system platform and version number. The attacker does this to make sure the exploit code runs only on systems that have fewer built-in mitigations and are vulnerable; currently only Windows 7 and Windows 8 meet the exploit's conditions.

![](/Article/UploadPic/2017-3/201732911576709.png)

By analyzing the exploit code, we determined that it runs only on specific Windows versions: the versions it accepts range from Windows 2000 through Windows 8, with Windows 8.1 and Windows 10 excluded. In addition, after the system configuration checks in this code, we found that the code specifically targets 64-bit systems. The next-stage payload is then loaded by reflective DLL loading.

Stage 4: exploiting CVE-2017-0005

After the environment checks pass, the attacker's code begins the actual exploitation of the Windows kernel vulnerability CVE-2017-0005, using it to achieve arbitrary memory corruption and privileged code execution.

The exploit corrupts PALETTE.pfnGetNearestFromPalentry and then executes code in kernel space through that corrupted function pointer. Microsoft security researchers have been closely tracking this exploitation technique, whose goal is to execute code in the kernel by supplying a malformed PALETTE object; we found a similar attack technique during our analysis of the Duqu trojan.

The figure below shows the corrupted state of the PALETTE function pointer:

![](/Article/UploadPic/2017-3/201732911576150.png)

The malicious code calls the native API NtGdiEngBitBlt to trigger an XLATEOBJ_iXlate function call that goes through the corrupted handler, so that control flow is transferred to previously allocated shellcode. By comparison, the Duqu 2.0 trojan's exploit code used a GetNearestPaletteIndex call from Gdi32.dll to transfer execution to the corrupted callback handler. This difference clearly shows that the two exploits are independent, even though their code is similar.

The exploit dynamically builds system-call code snippets in order to invoke native Windows APIs.

![](/Article/UploadPic/2017-3/201732911576834.png)
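For reference, this is what a dynamically built x64 Windows system-call stub consists of, together with the byte pattern a memory scanner can use to find such stubs in regions that are not ntdll. This is an added example for this page, not the exploit's code: the two system-call numbers are placeholders (real NtGdi* numbers are specific to each Windows build, which is one reason such stubs are assembled at run time rather than stored as fixed bytes), and the scanned region is a constructed byte buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* x64 Windows system-call stub, the same 11-byte shape ntdll uses for its
 * Nt* exports:
 *   4C 8B D1          mov  r10, rcx
 *   B8 xx xx xx xx    mov  eax, <system-call number>
 *   0F 05             syscall
 *   C3                ret
 */
#define STUB_LEN 11

/* Emit a stub for the given system-call number into out (>= STUB_LEN bytes).
 * Returns the number of bytes written. The immediate is little-endian. */
size_t build_syscall_stub(uint8_t *out, uint32_t ssn)
{
    static const uint8_t prologue[] = { 0x4C, 0x8B, 0xD1, 0xB8 };
    static const uint8_t epilogue[] = { 0x0F, 0x05, 0xC3 };
    memcpy(out, prologue, sizeof prologue);
    out[4] = (uint8_t)(ssn);
    out[5] = (uint8_t)(ssn >> 8);
    out[6] = (uint8_t)(ssn >> 16);
    out[7] = (uint8_t)(ssn >> 24);
    memcpy(out + 8, epilogue, sizeof epilogue);
    return STUB_LEN;
}

/* Detection side: scan a memory region for the stub pattern (fixed bytes
 * matched, the 4-byte immediate wildcarded) and collect the system-call
 * numbers targeted. Returns the number of stubs found; at most max_found
 * numbers are stored in found. */
size_t find_syscall_stubs(const uint8_t *buf, size_t len,
                          uint32_t *found, size_t max_found)
{
    size_t n = 0;
    if (len < STUB_LEN)
        return 0;
    for (size_t i = 0; i + STUB_LEN <= len; ++i) {
        if (buf[i] == 0x4C && buf[i + 1] == 0x8B && buf[i + 2] == 0xD1 &&
            buf[i + 3] == 0xB8 && buf[i + 8] == 0x0F && buf[i + 9] == 0x05 &&
            buf[i + 10] == 0xC3) {
            uint32_t ssn = (uint32_t)buf[i + 4]
                         | ((uint32_t)buf[i + 5] << 8)
                         | ((uint32_t)buf[i + 6] << 16)
                         | ((uint32_t)buf[i + 7] << 24);
            if (n < max_found)
                found[n] = ssn;
            ++n;
            i += STUB_LEN - 1;   /* skip past this stub */
        }
    }
    return n;
}

/* Constructed sample region: NOP filler with two stubs dropped into it, as
 * an exploit's scratch buffer might look. 0x1000 and 0x1001 are placeholder
 * system-call numbers, not real NtGdi* numbers. */
size_t scan_constructed_region(uint32_t *found, size_t max_found)
{
    uint8_t region[64];
    memset(region, 0x90, sizeof region);
    build_syscall_stub(region + 5, 0x1000);
    build_syscall_stub(region + 30, 0x1001);
    return find_syscall_stubs(region, sizeof region, found, max_found);
}

int main(void)
{
    uint32_t found[4];
    size_t n = scan_constructed_region(found, 4);
    for (size_t i = 0; i < n; ++i)
        printf("stub %zu -> system call number 0x%x\n", i, found[i]);
    return 0;
}
```

A `syscall` instruction that executes from memory outside ntdll (or win32u/gdi32 for win32k calls) is a strong signal on its own; the pattern match above only narrows it to the canonical stub layout, so a scanner should also flag the bare `0F 05` opcode in executable private memory.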

The call stack during shellcode execution is shown below:

![](/Article/UploadPic/2017-3/201732911576399.png)

Once the shellcode starts executing, the exploit uses a common token-swapping technique to grant the current process SYSTEM privileges, a technique we frequently observe in similar EoP exploits:

![](/Article/UploadPic/2017-3/201732911577764.png)

Detection and mitigation

As described above, this zero-day exploit does not target the latest systems such as Windows 10. If we simulate the exploit's attack environment on a Windows 10 system, the exploit simply cannot run.

There are two approaches to mitigating a vulnerability: one is to develop mitigations that reduce the effect of an attack as far as possible; the other is to develop a method that eliminates the whole class of exploitation technique, preventing it at the root.

Consider the first approach: preventing abuse of pfnGetNearestFromPalentry. Microsoft security researchers had been tracking the abuse of PALETTE.pfnGetNearestFromPalentry for some time. In August 2016, with the release of the Windows 10 Anniversary Update, Microsoft shipped a mitigation against abuse of pfnGetNearestFromPalentry. When the PALETTE function pointer is invoked, the mitigation checks the validity of the function pointer, ensuring that only a predefined set of functions can be called, and so preventing any abuse of the structure.
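Modelled in user-mode C, the difference between the unmitigated dispatch and the Anniversary Update check described above: the hardened version calls through PALETTE.pfnGetNearestFromPalentry only if the pointer equals one of a fixed set of known implementations, so a corrupted pointer is refused instead of followed. This is an added example written for this page, not win32k code or Microsoft's implementation; the palette_model structure, the two legitimate handlers, the colour value and the shellcode stand-in are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* User-mode model of a kernel object that carries a callable pointer. The
 * field name follows the page; the real win32k PALETTE layout is not
 * reproduced here. */
typedef struct palette_model {
    uint32_t num_entries;
    uint32_t (*pfnGetNearestFromPalentry)(const struct palette_model *, uint32_t);
} palette_model;

/* The legitimate implementations: the "predefined set of functions". */
static uint32_t nearest_by_index(const palette_model *p, uint32_t color)
{
    return color % p->num_entries;
}
static uint32_t nearest_by_luma(const palette_model *p, uint32_t color)
{
    uint32_t luma = ((color >> 16) & 0xFF) + ((color >> 8) & 0xFF) + (color & 0xFF);
    return (luma / 3) * p->num_entries / 256;
}

/* Stand-in for attacker shellcode reached through the corrupted pointer.
 * It only records that it ran instead of swapping a token. */
static int g_shellcode_ran;
static uint32_t attacker_shellcode(const palette_model *p, uint32_t color)
{
    (void)p; (void)color;
    g_shellcode_ran = 1;
    return 0;
}

/* Unmitigated dispatch, the pre-Anniversary-Update behaviour the page
 * describes: whatever the pointer holds is called. */
uint32_t dispatch_unmitigated(const palette_model *p, uint32_t color)
{
    return p->pfnGetNearestFromPalentry(p, color);
}

/* Mitigated dispatch: call only if the pointer is one of the known
 * implementations. Returns 0 on success, -1 if the pointer was rejected
 * (the kernel would bug-check rather than return). The allow-list is a
 * const table, so it lives in read-only data and is not itself a
 * convenient write target. */
int dispatch_mitigated(const palette_model *p, uint32_t color, uint32_t *out)
{
    static uint32_t (*const allowed[])(const palette_model *, uint32_t) = {
        nearest_by_index, nearest_by_luma,
    };
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; ++i) {
        if (p->pfnGetNearestFromPalentry == allowed[i]) {
            *out = allowed[i](p, color);
            return 0;
        }
    }
    return -1;
}

/* Scenario driver. Returns 1 if the shellcode ran, 0 if the legitimate
 * handler ran, -1 if the mitigation blocked the call. result may be NULL. */
int run_scenario(int corrupted, int mitigated, uint32_t *result)
{
    palette_model pal = { 256, nearest_by_index };
    uint32_t value = 0;
    g_shellcode_ran = 0;
    if (corrupted)   /* the exploit's arbitrary write lands here */
        pal.pfnGetNearestFromPalentry = attacker_shellcode;
    if (mitigated) {
        if (dispatch_mitigated(&pal, 0x00FF8040, &value) != 0)
            return -1;
    } else {
        value = dispatch_unmitigated(&pal, 0x00FF8040);
    }
    if (result)
        *result = value;
    return g_shellcode_ran;
}

int main(void)
{
    printf("corrupted, unmitigated: %d\n", run_scenario(1, 0, NULL));
    printf("corrupted, mitigated:   %d\n", run_scenario(1, 1, NULL));
    return 0;
}
```

The check is a pointer-identity comparison against a closed set, not a code-signing or range test, which is what makes it cheap enough to run on every dispatch; the trade-off is that adding a legitimate implementation means updating the table.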

