Recently, researchers have also found a large number of samples exploiting the CVE-2017-0199 vulnerability. Although Microsoft released a patch for it in April of this year, the exploit is relatively simple to use, so it is still widely used worldwide; here we share some analysis of phishing e-mail samples. Currently, most articles on CVE-2017-0199 focus on how to build a POC. This article takes a different route: starting from an analysis of the vulnerability patch, it explains the principle of the vulnerability from a higher-level perspective, and finally shares some experience from sample analysis.
0x01 Vulnerability patch analysis
Analysts typically build a black-box test environment to observe the behavior of a malicious code sample. The same idea can be applied to testing how a vulnerability patch works: for CVE-2017-0199, the researchers ran a number of samples against the latest Microsoft Office suite to observe how the patch behaves. In the test, one sample was still able to download its payload from the remote server and save it in the Internet Explorer temporary folder, but because of the patch the payload did not run.
The analysis found that the fix involves two main components:
OLE32.dll: 6.1.7601.23714 on Windows 7 x86
MSO.dll: 14.0.7180.5002 on Microsoft Office 2010 x86
First, a comparative analysis of the patched and unpatched OLE32.dll files:
Figure 1: OLE32.dll 6.1.7601.23714 (left) and 6.1.7601.23392 (right)
In the highlighted portion of Figure 1, a function name has changed; this is presumably a new function added by the patch. IDA Pro is then used for further analysis:
Figure 2: Using IDA cross-references to find the FilterActivation function
Cross-referencing finds the callers of FilterActivation: it is called from two internal functions, ICoGetClassObject and ICoCreateInstance, which are in turn wrapped by the higher-level COM object instantiation APIs CoCreateInstance and CoGetClassObject.
Comparing these COM functions between the two versions, it can be tentatively assumed that FilterActivation is a new function added in response to CVE-2017-0199.
Figure 3: Comparison result for the ICoCreateInstance function
The following demonstrates this hypothesis.
First, look at the pseudo-code of the FilterActivation function:
Figure 4: FilterActivation pseudo-code
FilterActivation first obtains the clsid parameter and passes it to the handler function defined in the global variable g_ActvationFilter. g_ActvationFilter is initialized during COM initialization by MSO.dll through the CoRegisterActivationFilter function, and MSO.dll is also part of the fix.
Next, look at the MSO.dll initialization process: it first obtains the address of the CoRegisterActivationFilter API from OLE32.dll and then calls it with g_pActivationFilter as the parameter:
Figure 5: The MSO.dll initialization process
g_pActivationFilter is a pointer to a pointer of type IActivationFilter, the same pointer that ends up stored in the global variable g_ActvationFilter. Static analysis and cross-referencing finally lead to the function that handles the call, mso_IActivationFilterHandleActivation():
Figure 6: The calling function found by static analysis and cross-referencing
Looking at this function, some code related to denying access can also be found, involving two CLSIDs:
CLSID_SCRIPTLET = {06290bd3-48aa-11d2-8432-006008c3fbfc}
CLSID_HTA = {3050f4d8-98b5-11cf-bb82-00aa00bdce0b}
CLSID_HTA is the globally unique identifier of the Microsoft HTML Application file type (.hta); it consists of 32 hexadecimal characters. An attacker can build on it to achieve remote code execution: for example, a Microsoft Office document can specify a URL Moniker that downloads the document's embedded resource from a remote server.
According to the MIME definitions described on MSDN, if the remote server serves the file with the “application/hta” MIME type, the downloaded file is loaded and executed as an HTA. In the background, the HTA COM object instance is created during the binding operation: the DLL handling the bind calls CoCreateInstance, triggered by the URL Moniker. In the latest version of OLE32.dll, however, FilterActivation checks the CLSID value before the COM object is initialized, and if the value is CLSID_HTA the activation is refused, as shown in Figure 7.
Figure 7: The filtering check
The code also shows that the CLSID_SCRIPTLET value is rejected. It is possible to write a POC that initializes a scriptlet COM object, but it requires user interaction, such as clicking a hyperlink in the document that uses “script:” or “scriptlet:”. Even with user interaction required, the fact that “a document containing a hyperlink can lead to code execution” still sounds somewhat bizarre.
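To make the patched check concrete, here is an added example (written for this page, not code from OLE32.dll or MSO.dll) that reproduces the logic described above in portable C: parse a CLSID string, compare it in binary form against the two blocked class identifiers, and return the COM access-denied result. The GUID layout and HRESULT values are the Windows SDK ones; the function names and the sample inputs in main are assumptions for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Windows GUID layout (Data1..Data4), reproduced so this builds without windows.h. */
typedef struct { uint32_t Data1; uint16_t Data2; uint16_t Data3; uint8_t Data4[8]; } GUID;

/* The two CLSIDs the patched FilterActivation rejects (values from the article). */
static const GUID CLSID_SCRIPTLET = {0x06290bd3, 0x48aa, 0x11d2, {0x84,0x32,0x00,0x60,0x08,0xc3,0xfb,0xfc}};
static const GUID CLSID_HTA       = {0x3050f4d8, 0x98b5, 0x11cf, {0xbb,0x82,0x00,0xaa,0x00,0xbd,0xce,0x0b}};

/* HRESULT values as defined in the Windows SDK. */
#define S_OK            0L
#define E_ACCESSDENIED  0x80070005L
#define E_INVALIDARG    0x80070057L

/* Parse the registry form "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}" into a GUID.
 * Returns 1 on success, 0 if the string is not a well-formed CLSID. */
int parse_clsid(const char *s, GUID *out) {
    unsigned v[11];
    if (strlen(s) != 38 || s[0] != '{' || s[37] != '}') return 0;
    if (sscanf(s, "{%8x-%4x-%4x-%2x%2x-%2x%2x%2x%2x%2x%2x}", &v[0], &v[1], &v[2], &v[3],
               &v[4], &v[5], &v[6], &v[7], &v[8], &v[9], &v[10]) != 11) return 0;
    out->Data1 = v[0]; out->Data2 = (uint16_t)v[1]; out->Data3 = (uint16_t)v[2];
    for (int i = 0; i < 8; i++) out->Data4[i] = (uint8_t)v[3 + i];
    return 1;
}

/* Equivalent of the patched check: deny the two blocked classes, allow everything else.
 * On Windows this logic sits in an IActivationFilter::HandleActivation implementation
 * registered through CoRegisterActivationFilter, as MSO.dll does; here it is a plain
 * function (hypothetical name) so the behaviour can be exercised offline. */
long filter_activation(const GUID *clsid) {
    if (memcmp(clsid, &CLSID_HTA, sizeof *clsid) == 0 ||
        memcmp(clsid, &CLSID_SCRIPTLET, sizeof *clsid) == 0)
        return E_ACCESSDENIED;
    return S_OK;
}

/* Convenience wrapper for a CLSID in text form, e.g. as read out of an OLE object. */
long filter_activation_str(const char *clsid_text) {
    GUID g;
    if (!parse_clsid(clsid_text, &g)) return E_INVALIDARG;
    return filter_activation(&g);
}

int main(void) {
    /* Constructed inputs: the two blocked classes and one made-up placeholder CLSID. */
    const char *samples[] = {"{3050f4d8-98b5-11cf-bb82-00aa00bdce0b}",
                             "{06290bd3-48aa-11d2-8432-006008c3fbfc}",
                             "{11111111-2222-3333-4444-555555555555}"};
    for (int i = 0; i < 3; i++)
        printf("%s -> %s\n", samples[i],
               filter_activation_str(samples[i]) == S_OK ? "allowed" : "denied");
    return 0;
}
```

Because the comparison is done on the parsed binary GUID rather than on the text, case differences in the string form do not bypass the check.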
The following call stack shows the execution flow after the hyperlink in the document is clicked:
//
// Parse the moniker name “script:xxxxxx OR scriptlet:xxxxxx”
//
0:000> kb
ChildEBP RetAddr Args to Child