Lucene search

K
myhack58佚名MYHACK58:62201789425
HistorySep 21, 2017 - 12:00 a.m.

The latest exposure of the RTF vulnerability beside the use of research to explore the topic guide-vulnerability warning-the black bar safety net

2017-09-2100:00:00
佚名
www.myhack58.com
334

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.974 High

EPSS

Percentile

99.9%

0×1 details
In recent days, Tencent computer housekeeper to capture a new office document virus samples, 经阐发为9月12号刚被微软修复的.NET Framework vulnerability flaws bug(CVE-2017-8759 the fields of intrusion samples. The vulnerability flaws of the bug with the previous rtf vulnerabilities flaws bug(CVE-2017-0199 the same, just the user closes a malicious Trojan virus Office documents will be caught.
0×2 CVE-2017-8759 vulnerability flaws bug the fulfilment elucidating
CVE-2017-8759本质上是一个.net framework vulnerability flaws bug, 影响所有主流的.NET Framework version:
Microsoft . NET Framework 4.6.2
Microsoft . NET Framework 4.6.1
Microsoft . NET Framework 3.5.1
Microsoft . NET Framework 4.7
Microsoft . NET Framework 4.6
Microsoft . NET Framework 4.5.2
Microsoft . NET Framework 3.5
Microsoft . NET Framework 2.0 SP2

After the mainstream windows 7, windows 10等操纵系统平台中都默许安装了.NET Framework, 任何应用SOAP办事的软件都能经由过程.NET Framework is triggered. While it can be integrated into an office document, the user simply double-click the close an office document, without the rest of the manipulation, you can trigger the vulnerability flaws bugs, the complete feel free to rate code implementation. Vulnerability flaws bug at http://referencesource. microsoft. com/#System. Runtime. Remoting/metadata/wsdl PrintClientProxy function, the function used to parse the wsdl file and the information obtained after pattern formation. cs code parser. cs:
! [](/Article/UploadPic/2017-9/201792123156489. png? www. myhack58. com)
Figure 1: parser. cs sector code
soap:address location specifies the SOAP URL of the location at 6142 row, 6149 row, call the WsdlParser. IsValidUrl()function to the pattern of the location specifies the URL location:
! [](/Article/UploadPic/2017-9/201792123156471. png? www. myhack58. com)
Figure 2: IsValidUrl function code snippet
This function of the efficacy of a brief, the analysis to obtain the URL location of the back combined with@”and end coupled with the”, To, for example:
string value output to the URL location is http://guanjia. qq. com, will be the pattern to@”http://guanjia.qq.com”to to the caller. 6148 row, 6149 lines, 6150 line three-line code pattern into the following code:
// the base. ConfigureProxy(this. GetType(), @””http://guanjia.qq.com
A wsdl file can specify multiple location, from the above code can be seen, as long as the first location is useful, from the second start will be coupled with the body identifier of the//, the full URL of the location will be seen as the text content is output to. cs code, then will the creation of the csc. exe process, which compiled born with a name similar to http*****. dll, this DLL will be loaded into the office process, because the ultimate compilation born. dll outside does not contain the text of the URL locations, in normal circumstances, here does not have any achievements.
What, then WsdlParser. IsValidUrl()function is not to weigh the output of the string value will contain a newline character to the environment, for example, we captured a sample, specify the following shown in one location:
! [](/Article/UploadPic/2017-9/201792123156751. png? www. myhack58. com)
Figure 3: snap to the sample location code
WsdlParser. IsValidUrl()function pattern, will be born the following code:
! [](/Article/UploadPic/2017-9/201792123156206. png? www. myhack58. com)
Figure 4: Britain at the end IsValidUrl pattern of future generations of code
We can see the body of the identifier//only the body of the base. ConfigureProxy(this. GetType (),@”;, because the newline is there, it is not the body off the next 4 lines of code, The code will be compiled to the end of the age born of http*****. dll is an office procedure after the load to fulfill.
Is malicious Trojan virus sample simply particular structure of the soap xml, as
! [](/Article/UploadPic/2017-9/201792123156630. png? www. myhack58. com)
Figure 5: a malicious Trojan virus the structure of the soap xml code
Then via a process System. Diagnostics. Process. Start(_url. Split(‘?’) [1], _url. Split(‘?’) [2]);this line of code will be able to the creation of the Rwanda. exe process, and then pull the corresponding script perform malicious Trojan virus code.
0×3 sample elucidating
Capture to the fields of application of the sample via a process mailbox stop the spread, the main invasion attack tools include foreign trade things practitioners. Invasion attacker to intrusion attacks aimed at transmitting vertical nylon message, and then included with the application vulnerability flaws bug the structure of the order. doc the document, the lure is the invasion of the attack of the user shut. And once accidentally closed the document, it will trigger the vulnerability flaws bugs is dill plant on the remote control Trojan, incur 隐衷 information revealed.
Sample procedure to start the enterprise the following:
! [](/Article/UploadPic/2017-9/201792123156892. png? www. myhack58. com)
Figure 6: sample start the stakeholder chain
1, document fulfillment elucidating: the
The document closed, will be from the Do Controller http://endlesspaws[.] com/plas/word[.] db, pull db file, and that file embedded in a VBScript script, by Rwanda. exe analysis performance:
! [](/Article/UploadPic/2017-9/201792123156288. png? www. myhack58. com)
Figure 7: embedding the VBScript script code
It plays the first will be clearing out now profile born. cs code file, a compiled born. pdb, the. dll file, which will be further from the invasion of the attacker moderation for the long haul-do Controller the relay socket to download the Trojan file to a:
http://endlesspaws[.] com/plas/under[.] php? hhh=5 in.
2, virus a elucidating: the
The sample is a downloader, it will inherit from the virus-do download virus file b:
http://endlesspaws[.] com/plas/under[.] php? hhh=2

[1] [2] next

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.974 High

EPSS

Percentile

99.9%