CVSS3: 7.8 High
- Attack Vector: LOCAL
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: REQUIRED
- Scope: UNCHANGED
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH
- Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 9.3 High
- Access Vector: NETWORK
- Access Complexity: MEDIUM
- Authentication: NONE
- Confidentiality Impact: COMPLETE
- Integrity Impact: COMPLETE
- Availability Impact: COMPLETE
- Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.974 High
- Percentile: 99.9%
0x00 Preface
Recently, researchers have again found a number of samples exploiting CVE-2017-0199. Although Microsoft released a patch for the vulnerability in April of this year, the exploit is relatively simple to use and is still seen very frequently worldwide, so this report shares some analysis of phishing e-mail samples. Most current articles on CVE-2017-0199 focus on how to build a PoC; this article takes a different route, starting from an analysis of the vulnerability's patch to explain the principle of the vulnerability from a higher-level perspective, and finally sharing some experience from analysing the samples.
0x01 Vulnerability patch analysis
Analysts typically build a black-box test environment to observe the behaviour of a malicious sample. The same idea can be applied to testing a vulnerability patch: for CVE-2017-0199, the researchers ran several samples against the latest Microsoft Office suite to observe how the patch operates. During the test, they found that one sample was still able to download its payload from the remote server and save it in the Internet Explorer temporary folder; because of the patch, however, the payload was not executed.
Analysis showed that the fix involves two main components:
- OLE32.dll 6.1.7601.23714 on Windows 7 x86
- MSO.dll 14.0.7180.5002 on Microsoft Office 2010 x86
First, a comparative analysis of the patched and unpatched OLE32.dll files:
![](/Article/UploadPic/2017-6/201768104356359.png)
Figure 1: OLE32.dll 6.1.7601.23714 (left) and 6.1.7601.23392 (right)
In the highlighted portion of Figure 1, a function's name has changed, presumably a new function introduced by the patch; IDA Pro is then used for further analysis:
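The first triage step in the patch diff above is to sort the function-name differences between the two builds into probable renames, genuinely new functions, and removed functions, so that the new ones get the attention in IDA Pro. The following added example (not part of the original article, and not using real OLE32.dll symbols) does that step on two name lists: it pairs each name that vanished with the most similar name that appeared, and reports the pair as a rename only when the similarity clears a threshold. The `demo_` symbol lists are constructed for the demonstration; in practice the lists would come from the disassembler's function list or from the PE export table of each build.

```python
"""Triage function-name differences between two builds of a binary.

Added example: splits a name diff into probable renames, new functions and
removed functions, the first pass an analyst does before opening the
changed functions in a disassembler.
"""
from difflib import SequenceMatcher

# Similarity at or above which an old/new pair is treated as a rename
# rather than as one removal plus one addition.
RENAME_THRESHOLD = 0.8


def diff_symbols(old, new, threshold=RENAME_THRESHOLD):
    """Return (renamed, added, removed).

    renamed: list of (old_name, new_name, similarity) for probable renames
    added:   names present only in `new` that matched no removed name
    removed: names present only in `old` that matched no added name
    """
    removed = sorted(set(old) - set(new))
    added = sorted(set(new) - set(old))
    renamed = []
    unmatched_added = set(added)
    for old_name in list(removed):
        # Greedy best-match: the closest unmatched new name wins.
        best, best_score = None, 0.0
        for cand in unmatched_added:
            score = SequenceMatcher(None, old_name, cand).ratio()
            if score > best_score:
                best, best_score = cand, score
        if best is not None and best_score >= threshold:
            renamed.append((old_name, best, round(best_score, 2)))
            unmatched_added.discard(best)
            removed.remove(old_name)
    return renamed, sorted(unmatched_added), removed


# Constructed symbol lists for the demo (not real OLE32.dll exports).
OLD_BUILD = [
    "demo_ActivateLink",
    "demo_LoadObject",
    "demo_ParseMoniker",
    "demo_ReleaseObject",
]
NEW_BUILD = [
    "demo_ActivateLinkSafe",
    "demo_LoadObject",
    "demo_ParseMoniker",
    "demo_ReleaseObject",
    "demo_ValidateLinkSource",
]


def report(old=OLD_BUILD, new=NEW_BUILD):
    """Human-readable summary of the diff; returns the lines it prints."""
    renamed, added, removed = diff_symbols(old, new)
    lines = []
    for o, n, s in renamed:
        lines.append(f"RENAMED  {o} -> {n} (similarity {s})")
    for n in added:
        lines.append(f"NEW      {n}  <- inspect first")
    for o in removed:
        lines.append(f"REMOVED  {o}")
    for line in lines:
        print(line)
    return lines


if __name__ == "__main__":
    report()
```

With the constructed lists, `demo_ActivateLink` pairs with `demo_ActivateLinkSafe` as a rename, while `demo_ValidateLinkSource` has no close match in the old build and is reported as new, which is the kind of function the article goes on to open in IDA Pro. The threshold is a judgement call: too low and unrelated names get paired, too high and a renamed function is mistaken for a removal plus an addition.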