Spread of a banking Trojan via the Office 0-day vulnerability (CVE-2017-0199): technical analysis - vulnerability warning - the black bar safety net

Source: www.myhack58.com (MYHACK58:62201785268)
Author: 佚名 (Anonymous)
Published: Apr 15, 2017 - 12:00 a.m.

CVSS3: 7.8 High
Attack Vector: LOCAL; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: REQUIRED; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 9.3 High
Access Vector: NETWORK; Access Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.974 High (Percentile: 99.9%)

Vulnerability overview
In its routine patch release on April 12, Microsoft fixed an Office remote code execution vulnerability, CVE-2017-0199. Before the patch was released, however, several in-the-wild exploits of this vulnerability had already been found, including a case in which it was used to distribute banking malware. The 360 Skyeye lab had also obtained a related exploit sample earlier; its analysis attributed that sample to a targeted attack by an APT group that has been persistently attacking China, and this attack source is different from those published by other security vendors, so the vulnerability had already spread in the wild to a very large extent before it was patched. Now that the technical details of the vulnerability have been disclosed, and because it affects a large number of Office versions, attacks using it are likely to surge and deserve close attention.
The vulnerability abuses the Office OLE object linking technology: a malicious link object is embedded in a document, and when Office processes it, it calls the URL Moniker COM object, which downloads the HTA file that the malicious link points to. The URL Moniker identifies the file type from the content-type field of the response header and finally calls mshta.exe to execute the downloaded HTA file.
![](/Article/UploadPic/2017-4/201741510306818.png?www.myhack58.com)
Figure 1
The typical attack scenario for this vulnerability: the user receives an Office file containing a malicious object (not limited to RTF-format Word files; it may also be a PPT or other Office document), and on opening it the file downloads a specific malicious HTA program from an external website and executes it, giving the attacker control of the machine.
Vulnerability details
The following in-depth analysis of the exploitation details is based on the sample file with hash 5ebfd13250dd0408e3de594e419f9e01.
5ebfd13250dd0408e3de594e419f9e01 is an RTF file with an embedded OLE object whose type is set to OfficeDOC; the embedded form wraps a link-type OLE object. The object's type is ole2link. At offset 4 of the OLE object's data stream, a value of 2 indicates an embedded (package) type and a value of 1 a link type. The content of a linked OLE object is not stored in the document itself but outside it: the linked object may reside on the local machine or on a remote server. This is a feature of COM components, because OLE itself is part of COM.
The following figure shows the object structure information in 5ebfd13250dd0408e3de594e419f9e01:
![](/Article/UploadPic/2017-4/201741510306572.png?www.myhack58.com)
Figure 2
The URL Moniker is a COM object. In the RTF file its CLSID is stored in a byte order that is partly reversed relative to the actual CLSID:
E0 C9 EA 79 F9 BA CE 11 8C82-00AA004BA90B (highlighted in red in the figure; this is the CLSID 79EAC9E0-BAF9-11CE-8C82-00AA004BA90B with its first three fields stored little-endian). Office sends a remote request through the URL Moniker and downloads http://46.102.152.129/template.doc (MD5: 3c01c4d68ddcf1e4ecd1fa1ca3024c54). The downloaded file is an RTF file that contains a VBS script, as shown in Figure 3. After the URL Moniker recognizes the content-type as HTA, it finally calls mshta.exe to load the file. Once mshta.exe has matched the script data, it executes the VBS it contains, shown in Figure 4; you can see that this VBS is lightly obfuscated.
![](/Article/UploadPic/2017-4/201741510306262.png?www.myhack58.com)
Figure 3
![](/Article/UploadPic/2017-4/201741510306898.png?www.myhack58.com)
Figure 4
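The two structural facts above (the FormatID dword at offset 4 of the OLE 1.0 object data, and the URL Moniker CLSID stored with its first three fields little-endian) are enough to build a triage scanner for RTF documents. The Python below is an added example written for this page, not code from the original article or from any tool it mentions. It parses the `\objdata` hex blob of each `\object` as an OLE 1.0 ObjectHeader, reports whether the object is linked (1) or embedded (2) and its class name, and looks for the URL Moniker CLSID followed by a UTF-16LE URL. The moniker layout it assumes (CLSID, dword length, UTF-16LE string) is a simplification: in real samples that structure sits inside an OLE2 compound document in the native data, which a production scanner should first walk with olefile. The sample RTF, the class name and the URL are constructed for the test.

```python
"""Triage scanner: find OLE objects in an RTF that reference the URL Moniker."""
import re
import struct
import uuid
from typing import Dict, List, Optional

# Canonical URL Moniker CLSID. On disk the first three fields are little-endian,
# which is why a hex dump shows E0 C9 EA 79 F9 BA CE 11 8C 82 00 AA 00 4B A9 0B.
URL_MONIKER_CLSID = uuid.UUID("79eac9e0-baf9-11ce-8c82-00aa004ba90b")
URL_MONIKER_BYTES = URL_MONIKER_CLSID.bytes_le

# FormatID dword at offset 4 of an OLE 1.0 ObjectHeader (MS-OLEDS).
FORMAT_ID = {1: "linked", 2: "embedded"}

# Hex payload following \objdata; whitespace inside the hex run is tolerated.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def clsid_from_disk_bytes(raw: bytes) -> str:
    """Convert 16 CLSID bytes as stored in the file to the canonical string."""
    return str(uuid.UUID(bytes_le=raw))


def _read_lp_ansi(buf: bytes, pos: int):
    """Read a LengthPrefixedAnsiString: dword length, then bytes including NUL."""
    (length,) = struct.unpack_from("<I", buf, pos)
    pos += 4
    text = buf[pos:pos + length].rstrip(b"\x00").decode("latin-1")
    return text, pos + length


def parse_ole1_object(blob: bytes) -> Dict:
    """Parse the OLE 1.0 ObjectHeader: version, FormatID, names, native data."""
    version, format_id = struct.unpack_from("<II", blob, 0)
    pos = 8
    class_name, pos = _read_lp_ansi(blob, pos)
    topic_name, pos = _read_lp_ansi(blob, pos)
    item_name, pos = _read_lp_ansi(blob, pos)
    native = b""
    if format_id == 2:  # embedded: dword NativeDataSize then NativeData
        (size,) = struct.unpack_from("<I", blob, pos)
        native = blob[pos + 4:pos + 4 + size]
    return {"version": version, "format_id": format_id,
            "format": FORMAT_ID.get(format_id, "unknown"),
            "class_name": class_name, "topic_name": topic_name,
            "item_name": item_name, "native_data": native}


def find_url_moniker(data: bytes) -> Optional[Dict]:
    """Locate the URL Moniker CLSID and the UTF-16LE URL after it.

    ASSUMPTION: layout is CLSID, dword byte length, UTF-16LE string. Real
    samples carry this inside an OLE2 compound file; walk that with olefile first.
    """
    idx = data.find(URL_MONIKER_BYTES)
    if idx < 0:
        return None
    (length,) = struct.unpack_from("<I", data, idx + 16)
    raw_url = data[idx + 20:idx + 20 + length]
    url = raw_url.decode("utf-16-le", errors="replace").rstrip("\x00")
    return {"clsid": clsid_from_disk_bytes(data[idx:idx + 16]), "url": url}


def scan_rtf(rtf: bytes) -> List[Dict]:
    """Return one finding per \\objdata blob, with any URL Moniker reference."""
    findings = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:  # drop a dangling nibble from a truncated blob
            hexdata = hexdata[:-1]
        blob = bytes.fromhex(hexdata.decode("ascii"))
        obj = parse_ole1_object(blob)
        obj["url_moniker"] = find_url_moniker(obj["native_data"] or blob)
        findings.append(obj)
    return findings


def _lp_ansi(s: str) -> bytes:
    b = s.encode("latin-1") + b"\x00"
    return struct.pack("<I", len(b)) + b


def build_sample_rtf(url: str) -> bytes:
    """CONSTRUCTED test input: an RTF carrying an embedded OLE2Link object."""
    url_utf16 = url.encode("utf-16-le") + b"\x00\x00"
    moniker = URL_MONIKER_BYTES + struct.pack("<I", len(url_utf16)) + url_utf16
    header = (struct.pack("<II", 0x00000501, 2)  # OLEVersion, FormatID=embedded
              + _lp_ansi("OLE2Link") + _lp_ansi("") + _lp_ansi(""))
    objdata = header + struct.pack("<I", len(moniker)) + moniker
    return (b"{\\rtf1{\\object\\objautlink{\\*\\objdata "
            + objdata.hex().encode("ascii") + b"}}}")


if __name__ == "__main__":
    for f in scan_rtf(build_sample_rtf("http://192.0.2.10/template.doc")):
        print(f["format"], f["class_name"], f["url_moniker"])
```

Any object whose class name is OLE2Link and whose native data carries the URL Moniker CLSID with a remote URL is worth quarantining for closer inspection; the same parser can be fed real documents by reading the file as bytes.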
Functions of the VBS script:
1. Executes a PowerShell command to terminate the winword.exe process.
2. Downloads the file http://hyoeyeep.ws/sp.exe and writes it to %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\winword.exe, thereby achieving persistence at startup.
3. Downloads http://hyoeyeep.ws/sp.doc and writes it to %temp%\document.doc.
4. Clears the values under the Resiliency subkey for Word versions 15.0 and 16.0 in the registry, so that winword can start normally.
5. Runs %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\winword.exe.
6. Invokes winword to open document.doc. This is a benign file; its purpose is of course to create the appearance that a normal document has been processed.
sp.exe (a9e0d7e94f555dc3a2db5e59e92ed778) belongs to the Dridex family, an online-banking backdoor; it is not analysed further here. The following figure shows the VirusTotal scan results:
![](/Article/UploadPic/2017-4/201741510306279.png?www.myhack58.com)
Figure 5
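The six VBS actions listed above map onto a small set of host-telemetry signals: an Office process spawning mshta.exe, a PowerShell child of mshta.exe whose command line names winword, a file named like an Office binary written into the Startup folder, and value deletions under Word's Resiliency key. The following Python is an added detection example written for this page, not code from the article or from any product; the event record layout (one dict per process, file or registry event with the field names shown) and all sample events are constructed here, so real EDR, Sysmon or audit-log data has to be mapped onto those fields first. It scores each host by how many distinct signals of the chain it shows.

```python
"""Correlate the behaviours of the VBS payload across constructed host events."""
import re
from collections import defaultdict
from typing import Callable, Dict, List

OFFICE_BINARIES = {"winword.exe", "excel.exe", "powerpnt.exe"}
STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
# Word's crash-recovery state lives under HKCU\Software\Microsoft\Office\<ver>\Word\Resiliency
RESILIENCY_RE = re.compile(r"\\office\\1[56]\.0\\word\\resiliency", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawns_mshta(e: Dict) -> bool:
    """An Office process launching mshta.exe is the URL Moniker -> HTA hand-off."""
    return (e["type"] == "process" and _basename(e["image"]) == "mshta.exe"
            and _basename(e["parent"]) in OFFICE_BINARIES)


def script_host_kills_word(e: Dict) -> bool:
    """Step 1: PowerShell under mshta.exe with a command line naming winword."""
    return (e["type"] == "process" and _basename(e["image"]) == "powershell.exe"
            and _basename(e["parent"]) == "mshta.exe"
            and "winword" in e["cmdline"].lower())


def startup_dropper_mimics_office(e: Dict) -> bool:
    """Step 2: a file named like an Office binary written to the Startup folder."""
    return (e["type"] == "file" and bool(STARTUP_DIR_RE.search(e["path"]))
            and _basename(e["path"]) in OFFICE_BINARIES)


def resiliency_key_cleared(e: Dict) -> bool:
    """Step 4: values deleted under Word's Resiliency key to hide the crash."""
    return (e["type"] == "registry" and e["action"] == "delete"
            and bool(RESILIENCY_RE.search(e["key"])))


RULES: Dict[str, Callable[[Dict], bool]] = {
    "office_spawns_mshta": office_spawns_mshta,
    "script_host_kills_word": script_host_kills_word,
    "startup_dropper_mimics_office": startup_dropper_mimics_office,
    "resiliency_key_cleared": resiliency_key_cleared,
}


def evaluate(events: List[Dict]) -> Dict[str, Dict]:
    """Group rule hits per host; the score is the number of distinct rules hit."""
    hits = defaultdict(set)
    for e in events:
        for name, pred in RULES.items():
            if pred(e):
                hits[e["host"]].add(name)
    return {h: {"rules": sorted(r), "score": len(r)} for h, r in hits.items()}


# CONSTRUCTED sample telemetry: ws01 shows the full chain, ws02 only normal Word use.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": "WINWORD.EXE", "cmdline": ""},
    {"host": "ws01", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": "mshta.exe", "cmdline": "powershell.exe -Command stop-process -name winword"},
    {"host": "ws01", "type": "file",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winword.exe"},
    {"host": "ws01", "type": "registry", "action": "delete",
     "key": r"HKCU\Software\Microsoft\Office\16.0\Word\Resiliency\StartupItems"},
    {"host": "ws02", "type": "process",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent": "explorer.exe", "cmdline": "winword.exe /n"},
    {"host": "ws02", "type": "file", "path": r"C:\Users\bob\AppData\Local\Temp\~$report.docx"},
]

if __name__ == "__main__":
    for host, result in evaluate(SAMPLE_EVENTS).items():
        print(host, result)
```

A single rule such as the Startup-folder write can fire on legitimate software, so the per-host score matters more than any one hit; the Office-spawns-mshta signal is the one that should page someone on its own, since there is no benign reason for Word to launch the HTA host.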
The way mshta.exe executes template.doc is also worth describing.
Because the downloaded template.doc is in RTF format with a VBScript embedded in it, mshta.exe searches the file data for an executable script. It first loads mshtml.dll and calls its exported function RunHtmlApplication; then, in CCHtmScriptParseCtx::Execute(), it matches the script tag in the file and obtains the script object, as shown in Figure 6. 0x1fa2120 is a data object and 0x68C173A0 is the class function of the class object, as shown in Figure 7. We can see that 0x678128 is the content of the RTF file and 0x4910 is the start offset of the VBS script. After the script data has been found, vbscript.dll is finally called to execute the script.
![](/Article/UploadPic/2017-4/201741510306624.png?www.myhack58.com)
Figure 6
![](/Article/UploadPic/2017-4/201741510306413.png?www.myhack58.com)
Figure 7
Related thinking
COM/OLE technology is one of Microsoft's major technical highlights. While it offers developers great convenience, the richness of the components' features also creates many security risks; for security vulnerabilities caused by OLE, see the paper Attacking Interoperability: An OLE Edition. CVE-2017-0199 bypasses Office's security measures against script execution, and a combination of three characteristics of the OLE mechanism leads to this vulnerability:
1. The properties of OLE link objects, which in themselves provide a very flexible architecture for storing and manipulating data.
2. The characteristics of the URL Moniker: Office does not check the object type against the content-type, which is the key reason the HTA script gets executed; the remotely requested file is handed to the corresponding program according to its content-type, and that program loads and executes the data.
3. When Windows executes an HTA file, it searches through the data stream until it finds script data.
Viewed individually, none of these three characteristics carries an obvious security risk; each exists to implement its normal function as fully as possible, but their combination creates this vulnerability. This bears out the saying that the more powerful the ways in which functions can be combined, the greater the likelihood of security problems. At the same time, CVE-2017-0199, as a typical case of exploiting Windows characteristics to achieve an attack effect, poses a new test for security researchers, and I believe more vulnerabilities of this kind, built on combinations of mechanisms, will appear in the future.
