Source: myhack58 (MYHACK58:62201786827), author 佚名, published Jun 08, 2017 - 12:00 a.m.

CVE-2017-0199: in-depth analysis of the Microsoft Office RTF vulnerability (vulnerability warning, Black Bar Safety Net / www.myhack58.com)

2017-06-08 00:00:00 | 佚名 | www.myhack58.com

CVSS v3: 7.8 High
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS v2: 9.3 High
AV:N/AC:M/Au:N/C:C/I:C/A:C
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0.974 High (percentile 99.9%)

0x00 Preface

Recently, researchers have again found a number of samples exploiting CVE-2017-0199. Although Microsoft released a patch for this vulnerability in April of this year, it is relatively simple to exploit, and its use worldwide remains very high, so this article shares the analysis of some phishing e-mail samples. Most articles on CVE-2017-0199 focus on how to build a PoC; this article takes a different route: it starts from an analysis of the patch to explain the principle of the vulnerability from a higher-level perspective, and finally shares some experience from sample analysis.

0x01 vulnerability patch analysis

Analysts typically build a black-box test environment to observe the behaviour of a malicious sample. The same idea can be applied to testing what a patch does: for CVE-2017-0199, the researchers ran several samples against the latest Microsoft Office suite and observed how the patch behaves. During the test, the researchers found that one sample was still able to download its payload from the remote server and save it in the Internet Explorer temporary folder, but, because of the patch, the payload was never executed.

Analysis showed that the fix involves two main components:

OLE32.dll 6.1.7601.23714 on Windows 7 x86

MSO.dll 14.0.7180.5002 on Microsoft Office 2010 x86
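A practical defender-side check that follows from the two builds listed above: the script below (an added example, not part of the original article) reads the file versions of OLE32.dll and MSO.dll from the PE version resource and reports whether each is at or above the patched build. It assumes a Windows 7 x86 host with 32-bit Office 2010, the platform those build numbers refer to; the MSO.dll location is the usual Office 2010 path and is an assumption, so pass a different path if your install differs.

```powershell
# Added example: verify the two components named in the article against the patched builds it lists.
# Assumption: Windows 7 x86 / Office 2010 x86; other Windows or Office SKUs carry different build
# numbers, so a mismatch on another platform means "check the matching KB", not "vulnerable".
function Test-Cve20170199Patch {
    param(
        [string]$Ole32Path = (Join-Path $env:SystemRoot 'System32\ole32.dll'),
        # Assumed default location of MSO.dll for a 32-bit Office 2010 install on 32-bit Windows.
        [string]$MsoPath   = 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSO.DLL'
    )
    # Minimum patched builds as stated in the article.
    $components = @(
        @{ Name = 'OLE32.dll'; Path = $Ole32Path; Minimum = [version]'6.1.7601.23714' },
        @{ Name = 'MSO.dll';   Path = $MsoPath;   Minimum = [version]'14.0.7180.5002' }
    )
    foreach ($c in $components) {
        if (-not (Test-Path -LiteralPath $c.Path)) {
            # Missing file: do not guess, surface it for manual follow-up.
            New-Object PSObject -Property @{ Component = $c.Name; Installed = $null;
                                             Minimum = $c.Minimum; Status = 'NotFound' }
            continue
        }
        # Use the numeric VERSIONINFO fields; the FileVersion string may carry trailing text
        # that would break a [version] cast.
        $vi = (Get-Item -LiteralPath $c.Path).VersionInfo
        $installed = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart,
                                               $vi.FileBuildPart, $vi.FilePrivatePart)
        $status = if ($installed -ge $c.Minimum) { 'AtOrAbovePatch' } else { 'BelowPatchLevel' }
        New-Object PSObject -Property @{ Component = $c.Name; Installed = $installed;
                                         Minimum = $c.Minimum; Status = $status }
    }
}

Test-Cve20170199Patch | Select-Object Component, Installed, Minimum, Status | Format-Table -AutoSize
```

A BelowPatchLevel result for either component is worth treating as a priority, since the article notes the sample still fetches its payload on a patched host and only the final execution step is blocked.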

First, the patched and unpatched OLE32.dll files were compared:

![](/Article/UploadPic/2017-6/201768104356359.png)

Figure 1: OLE32.dll 6.1.7601.23714 (left) and 6.1.7601.23392 (right)

In the highlighted portion of Figure 1 you can see that a function name has changed, presumably a new function introduced by the patch; IDA Pro was then used for further analysis:
