myhack58 佚名 MYHACK58:62201788476
History: Aug 09, 2017 - 12:00 a.m.

"Stuxnet third generation" CVE-2017-8464 vulnerability analysis and early warning - Vulnerability warning - the black bar safety net

2017-08-09 00:00:00
佚名 (Anonymous)
www.myhack58.com

CVSS2: 9.3 High
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C (Access Vector: NETWORK; Access Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE)
EPSS: 0.975 High (Percentile: 100.0%)

In its June 2017 patch release Microsoft fixed a shortcut (LNK) vulnerability, CVE-2017-8464. The advisory states that the vulnerability had been used in attacks by actors with a state background; it is also known as the "third-generation Stuxnet" vulnerability, and Metasploit recently published a PoC for it. [This article is an original HanSight manuscript; please credit the source when reprinting.]
The principle of the vulnerability is very similar to CVE-2010-2568, the vulnerability used in 2010 by the Stuxnet operation, in which the United States and Israel penetrated the isolated network of Iran's nuclear facilities to invade and sabotage them: "it can easily be exploited by hackers to attack infrastructure and core isolated systems that store key information."
"When a USB disk holding the vulnerable file is plugged into a vulnerable computer, no further user action is needed: the exploit runs and takes complete control of the user's computer."
Vulnerability PoC demo:
![](/Article/UploadPic/2017-8/201789195027567.gif?www.myhack58.com)
The PoC in the LNK file format is shown below:
![](/Article/UploadPic/2017-8/201789195027829.png?www.myhack58.com)
The LNK file format is shown in the following figure. It typically contains a ShellLinkHeader, a LinkTargetIDList, LinkInfo, StringData and ExtraData:
![](/Article/UploadPic/2017-8/201789195027941.jpg?www.myhack58.com)
The fields of the PoC that matter are explained in the text that follows.
To trigger this vulnerability, the LNK file must contain two blocks: a LinkTargetIDList and ExtraData. In the PoC file-format figure, the value 81 in the second row is the LinkFlags field of the LNK header; 0x81 means that the LNK file contains a LinkTargetIDList and that its strings are Unicode-encoded. The LinkTargetIDList is followed by the ExtraData, and the block relevant to this vulnerability is the SpecialFolderDataBlock.
The LinkTargetIDList format is shown in the following figure.
The PoC contains 3 items; item 2 holds the path of the malicious DLL that is executed automatically once the vulnerability is triggered:
![](/Article/UploadPic/2017-8/201789195027452.jpg?www.myhack58.com)
The PoC's IDListSize is 0x8E and it holds 3 items: the first item is 0x14 bytes, the second is 0x14 bytes and the third is 0x64 bytes.
The format of the items contained in the LinkTargetIDList is as follows:
![](/Article/UploadPic/2017-8/201789195027566.jpg?www.myhack58.com)
The ExtraData format is shown in the following figure. The block used by the vulnerability is the SpecialFolderDataBlock:
![](/Article/UploadPic/2017-8/201789195027884.jpg?www.myhack58.com)
Once the whole file format is understood, the principle of the vulnerability is not complicated: after parsing the LinkTargetIDList, the parser parses the SpecialFolderDataBlock, and while doing so CShellLink::_DecodeSpecialFolder uses the block's offset field (0x28) to locate item 2 earlier in the list, loads the DLL that item references into memory and runs its DllMain. Because this parsing happens inside explorer.exe, the malicious DLL loaded into memory runs with the same privileges, which are generally High.
The figures below show the call stack when the PoC triggers the vulnerability, and the malicious DLL loaded into memory after the exploit has run:
![](/Article/UploadPic/2017-8/201789195027956.jpg?www.myhack58.com)
![](/Article/UploadPic/2017-8/201789195027572.jpg?www.myhack58.com)
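To make the parsing described above concrete, here is an added Python triage script (not from the article, and not HanSight's code): it reads the LinkFlags from the ShellLinkHeader, walks the LinkTargetIDList items, finds the SpecialFolderDataBlock in ExtraData, resolves its Offset field into the item list and reports when the referenced ItemID names a DLL, which is the layout a CVE-2017-8464-style LNK needs. The sample LNK bytes are constructed inline to mirror the layout the article describes (flags 0x81, item sizes 0x14/0x14/0x64, Offset 0x28); the DLL path in it is a placeholder, and the script also skips LinkInfo and StringData fields that the PoC does not use.

```python
import struct

SPECIAL_FOLDER_SIG = 0xA0000005               # BlockSignature of SpecialFolderDataBlock
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80   # LinkFlags bits used below

def parse_id_list(data, pos):                 # -> ([(offset_in_IDList, item_data), ...], end_pos)
    size = struct.unpack_from("<H", data, pos)[0]    # IDListSize, includes the TerminalID
    start, cur, items = pos + 2, pos + 2, []
    while cur + 2 <= start + size and (item_size := struct.unpack_from("<H", data, cur)[0]):
        items.append((cur - start, data[cur + 2:cur + item_size]))
        cur += item_size
    return items, start + size

def special_folder_offset(data, pos):         # walk ExtraData blocks, return the Offset field
    while pos + 8 <= len(data):
        block_size, sig = struct.unpack_from("<II", data, pos)
        if block_size < 4:                    # TerminalBlock ends ExtraData
            break
        if sig == SPECIAL_FOLDER_SIG and block_size >= 0x10:
            return struct.unpack_from("<I", data, pos + 12)[0]
        pos += block_size
    return None

def triage_lnk(data):
    """Report whether a SpecialFolderDataBlock points at an ItemID that names a DLL."""
    flags = struct.unpack_from("<I", data, 0x14)[0]
    report = {"flags": flags, "items": 0, "offset": None, "dll_item": None}
    if not flags & HAS_ID_LIST:
        return report
    items, pos = parse_id_list(data, 0x4C)    # IDList follows the 0x4C-byte header
    report["items"] = len(items)
    if flags & HAS_LINK_INFO:                 # LinkInfoSize is its first DWORD
        pos += struct.unpack_from("<I", data, pos)[0]
    for bit in (0x04, 0x08, 0x10, 0x20, 0x40):  # StringData: HasName .. HasIconLocation
        if flags & bit:                       # each is CountCharacters + that many chars
            pos += 2 + (2 if flags & IS_UNICODE else 1) * struct.unpack_from("<H", data, pos)[0]
    report["offset"] = special_folder_offset(data, pos)
    for idx, (item_off, body) in enumerate(items):
        if item_off == report["offset"] and ".dll" in body.decode("utf-16-le", "ignore").lower():
            report["dll_item"] = idx          # the ItemID the block resolves to names a DLL
    return report

def build_sample_lnk():
    """Constructed sample with the page's layout: flags 0x81, items 0x14/0x14/0x64, Offset 0x28."""
    header = struct.pack("<I", 0x4C) + bytes(16) + struct.pack("<I", HAS_ID_LIST | IS_UNICODE) + bytes(52)
    item = lambda n, body: struct.pack("<H", n) + body.ljust(n - 2, b"\x00")
    path = "C:\\Users\\Public\\evil.dll".encode("utf-16-le")   # placeholder path, not a real IoC
    id_list = item(0x14, b"\x1f") + item(0x14, b"\x2e") + item(0x64, bytes(4) + path) + b"\x00\x00"
    sf_block = struct.pack("<IIII", 0x10, SPECIAL_FOLDER_SIG, 3, 0x28)   # BlockSize, sig, FolderID, Offset
    return header + struct.pack("<H", len(id_list)) + id_list + sf_block + bytes(4)   # TerminalBlock
```

Run `triage_lnk(open(path, "rb").read())` over a quarantined sample; a non-None `dll_item` together with an Offset that resolves to a DLL-bearing item is the pattern worth alerting on.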
Patch comparison:
![](/Article/UploadPic/2017-8/201789195027161.jpg?www.myhack58.com)
In the patch, Microsoft validates the DLL path by calling the _IsRegisteredCPLApplet function; if that validation fails, CPL_LoadCPLModule is no longer called.
HanSight solutions
HanSight Enterprise correlates host logs and summarises the behaviours that Stuxnet-style vulnerabilities have in common, including USB disk insertion and host process behaviour, so it can detect such problems and raise an alarm:
![](/Article/UploadPic/2017-8/201789195027690.png?www.myhack58.com)
Prevention policy recommendations
1. Use HanSight Enterprise to monitor host behaviour so that suspicious processes are flagged and investigated in a timely manner.
2. Update Windows operating system patches:
https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2017-8464
References
1. Metasploit
2. Shell Link (.LNK) File Format: https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SHLLINK/[MS-SHLLINK].pdf
