Source: myhack58 (黑吧安全网), author 佚名 (anonymous), record MYHACK58:62201994516
Published: Jun 13, 2019 - 12:00 a.m.

A macro view of Office vulnerabilities, 2010-2018 (vulnerability alert)

2019-06-13 00:00:00
佚名
www.myhack58.com

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.974 High
Percentile: 99.9%
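The score and vector above are aggregator metadata, and it is easy to forget how the one is derived from the other. The following Python is an added example, not part of the original page: it implements the base-score equation and metric weights of the CVSS v2.0 specification, validates the vector string before scoring it, and reproduces the 10.0 / High result for the vector shown. The severity bands are NVD's qualitative bands for v2 scores.

```python
"""Recompute a CVSS v2.0 base score and severity band from a vector string.

Added example, not part of the original page: it implements the base-score
equation and metric weights of the CVSS v2.0 specification and reproduces
the score shown for the vector above.
"""
import re
from decimal import Decimal, ROUND_HALF_UP

# Metric weights as defined in the CVSS v2.0 specification.
CVSS2_WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},  # Access Vector: Local/Adjacent/Network
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},   # Access Complexity: High/Medium/Low
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},  # Authentication: Multiple/Single/None
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},   # Confidentiality Impact: None/Partial/Complete
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},   # Integrity Impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},   # Availability Impact
}

# NVD qualitative bands for v2 scores: Low 0-3.9, Medium 4-6.9, High 7-10.
SEVERITY_BANDS = ((7.0, "High"), (4.0, "Medium"), (0.0, "Low"))

METRIC_RE = re.compile(r"(AV|AC|Au|C|I|A):([A-Z])")


def parse_cvss2_vector(vector: str) -> dict:
    """Parse 'AV:N/AC:L/Au:N/C:C/I:C/A:C' into {metric: value}.

    Rejects unknown metrics, unknown values, duplicates and missing metrics,
    so a malformed vector from a feed fails loudly instead of scoring wrongly.
    """
    metrics = {}
    for part in vector.strip().split("/"):
        m = METRIC_RE.fullmatch(part)
        if m is None:
            raise ValueError(f"malformed metric {part!r}")
        name, value = m.groups()
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        if value not in CVSS2_WEIGHTS[name]:
            raise ValueError(f"invalid value {value!r} for {name}")
        metrics[name] = value
    missing = sorted(set(CVSS2_WEIGHTS) - set(metrics))
    if missing:
        raise ValueError(f"missing metrics: {missing}")
    return metrics


def is_valid_cvss2_vector(vector: str) -> bool:
    """True if the vector parses as a complete CVSS v2.0 base vector."""
    try:
        parse_cvss2_vector(vector)
        return True
    except ValueError:
        return False


def cvss2_base_score(vector: str) -> float:
    """CVSS v2.0 base equation, rounded half-up to one decimal as the spec requires."""
    w = {name: CVSS2_WEIGHTS[name][value]
         for name, value in parse_cvss2_vector(vector).items()}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    if impact == 0:
        return 0.0  # f(Impact) = 0 when there is no impact at all
    score = (0.6 * impact + 0.4 * exploitability - 1.5) * 1.176  # f(Impact) = 1.176
    return float(Decimal(repr(score)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_severity(score: float) -> str:
    """Map a v2 base score to NVD's Low/Medium/High band."""
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    raise ValueError("score out of range")


if __name__ == "__main__":
    vector = "AV:N/AC:L/Au:N/C:C/I:C/A:C"  # the vector shown on this page
    score = cvss2_base_score(vector)
    print(vector, "->", score, cvss2_severity(score))  # -> 10.0 High
```

The rounding goes through `Decimal` with half-up rounding rather than Python's `round()`, because the specification rounds half-up and `round()` uses banker's rounding on binary floats; for most vectors the two agree, but a scorer that disagrees with NVD by 0.1 on edge cases is a nuisance in triage tooling.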

This article is an extended summary of my presentation at BlueHat Shanghai 2019. In it I summarize the Office-related 0day/1day vulnerabilities from 2010 to 2018, sort out each type of vulnerability, and collect and categorize the analysis articles written about each one.
I hope it helps those who go on to do Office vulnerability research.

Overview
From 2010 to 2018, 0day/1day attacks against Office never stopped. The CVE numbers below are the 0day/1day vulnerabilities I specifically observed during my research that had real in-the-wild attack samples (there may be some omissions; readers are welcome to add to the list).
Let us first look at the specific CVE numbers.
Year | CVE number(s)
2010 | CVE-2010-3333
2011 | CVE-2011-0609/CVE-2011-0611
2012 | CVE-2012-0158/CVE-2012-0779/CVE-2012-1535/CVE-2012-1856
2013 | CVE-2013-0634/CVE-2013-3906
2014 | CVE-2014-1761/CVE-2014-4114/CVE-2014-6352
2015 | CVE-2015-0097/CVE-2015-1641/CVE-2015-1642/CVE-2015-2424/CVE-2015-2545/CVE-2015-5119/CVE-2015-5122/CVE-2015-7645
2016 | CVE-2016-4117/CVE-2016-7193/CVE-2016-7855
2017 | CVE-2017-0199/CVE-2017-0261/CVE-2017-0262/CVE-2017-8570/CVE-2017-8759/CVE-2017-11826/CVE-2017-11882/CVE-2017-11292
2018 | CVE-2018-0798/CVE-2018-0802/CVE-2018-4878/CVE-2018-5002/CVE-2018-8174/CVE-2018-8373/CVE-2018-15982
First we classify the vulnerabilities above by the component involved. Note that Flash is itself one kind of ActiveX control; in the table below I classify it separately as a class of its own.
Component type | CVE number(s)
RTF control word parsing problem | CVE-2010-3333/CVE-2014-1761/CVE-2016-7193
Open XML tag parsing problem | CVE-2015-1641/CVE-2017-11826
ActiveX control parsing problem | CVE-2012-0158/CVE-2012-1856/CVE-2015-1642/CVE-2015-2424/CVE-2017-11882/CVE-2018-0798/CVE-2018-0802
Office embedded Flash vulnerabilities | CVE-2011-0609/CVE-2011-0611/CVE-2012-0779/CVE-2012-1535/CVE-2013-0634/CVE-2015-5119/CVE-2015-5122/CVE-2015-7645/CVE-2016-4117/CVE-2016-7855/CVE-2017-11292/CVE-2018-4878/CVE-2018-5002/CVE-2018-15982
Office TIFF image parsing vulnerability | CVE-2013-3906
Office EPS file parsing vulnerability | CVE-2015-2545/CVE-2017-0261/CVE-2017-0262
Loading vulnerabilities via Moniker | CVE-2017-0199/CVE-2017-8570/CVE-2017-8759/CVE-2018-8174/CVE-2018-8373
Other Office logic vulnerabilities | CVE-2014-4114/CVE-2014-6352/CVE-2015-0097
Next we classify the non-Flash vulnerabilities above by vulnerability type. For summaries of the Flash vulnerabilities, refer to other researchers' articles.
Vulnerability type | CVE number(s)
Stack overflow | CVE-2010-3333/CVE-2012-0158/CVE-2017-11882/CVE-2018-0798/CVE-2018-0802
Out-of-bounds write | CVE-2014-1761/CVE-2016-7193
Type confusion | CVE-2015-1641/CVE-2017-11826/CVE-2017-0262
Use after free | CVE-2012-1856/CVE-2015-1642/CVE-2015-2424/CVE-2015-2545/CVE-2017-0261/CVE-2018-8174/CVE-2018-8373
Integer overflow | CVE-2013-3906
Logic vulnerability | CVE-2014-4114/CVE-2014-6352/CVE-2015-0097/CVE-2017-0199/CVE-2017-8570/CVE-2017-8759
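A hand-maintained catalogue like the three tables above drifts easily: an id gets added to one view and not the others, or lands in the wrong year row. The following Python is an added check, not part of the original article. The CVE lists are copied verbatim from the page's year, component and vulnerability-type tables (the row labels are shortened); the code validates the id syntax, confirms each id's year matches its row, and confirms that the component table partitions exactly the year table while the type table covers exactly the non-Flash ids.

```python
"""Cross-check the three CVE classification tables of this survey.

Added example, not from the original article: the CVE lists below are copied
from the page's year, component and vulnerability-type tables, and the checks
confirm that the three views describe the same set of CVE ids.
"""
import re
from collections import Counter

CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

BY_YEAR = {
    2010: "CVE-2010-3333",
    2011: "CVE-2011-0609/CVE-2011-0611",
    2012: "CVE-2012-0158/CVE-2012-0779/CVE-2012-1535/CVE-2012-1856",
    2013: "CVE-2013-0634/CVE-2013-3906",
    2014: "CVE-2014-1761/CVE-2014-4114/CVE-2014-6352",
    2015: "CVE-2015-0097/CVE-2015-1641/CVE-2015-1642/CVE-2015-2424/CVE-2015-2545/CVE-2015-5119/CVE-2015-5122/CVE-2015-7645",
    2016: "CVE-2016-4117/CVE-2016-7193/CVE-2016-7855",
    2017: "CVE-2017-0199/CVE-2017-0261/CVE-2017-0262/CVE-2017-8570/CVE-2017-8759/CVE-2017-11826/CVE-2017-11882/CVE-2017-11292",
    2018: "CVE-2018-0798/CVE-2018-0802/CVE-2018-4878/CVE-2018-5002/CVE-2018-8174/CVE-2018-8373/CVE-2018-15982",
}

BY_COMPONENT = {
    "RTF control word parsing": "CVE-2010-3333/CVE-2014-1761/CVE-2016-7193",
    "Open XML tag parsing": "CVE-2015-1641/CVE-2017-11826",
    "ActiveX control parsing": "CVE-2012-0158/CVE-2012-1856/CVE-2015-1642/CVE-2015-2424/CVE-2017-11882/CVE-2018-0798/CVE-2018-0802",
    "Embedded Flash": "CVE-2011-0609/CVE-2011-0611/CVE-2012-0779/CVE-2012-1535/CVE-2013-0634/CVE-2015-5119/CVE-2015-5122/CVE-2015-7645/CVE-2016-4117/CVE-2016-7855/CVE-2017-11292/CVE-2018-4878/CVE-2018-5002/CVE-2018-15982",
    "TIFF image parsing": "CVE-2013-3906",
    "EPS file parsing": "CVE-2015-2545/CVE-2017-0261/CVE-2017-0262",
    "Moniker loading": "CVE-2017-0199/CVE-2017-8570/CVE-2017-8759/CVE-2018-8174/CVE-2018-8373",
    "Other Office logic": "CVE-2014-4114/CVE-2014-6352/CVE-2015-0097",
}

BY_TYPE = {
    "Stack overflow": "CVE-2010-3333/CVE-2012-0158/CVE-2017-11882/CVE-2018-0798/CVE-2018-0802",
    "Out-of-bounds write": "CVE-2014-1761/CVE-2016-7193",
    "Type confusion": "CVE-2015-1641/CVE-2017-11826/CVE-2017-0262",
    "Use after free": "CVE-2012-1856/CVE-2015-1642/CVE-2015-2424/CVE-2015-2545/CVE-2017-0261/CVE-2018-8174/CVE-2018-8373",
    "Integer overflow": "CVE-2013-3906",
    "Logic vulnerability": "CVE-2014-4114/CVE-2014-6352/CVE-2015-0097/CVE-2017-0199/CVE-2017-8570/CVE-2017-8759",
}


def split_ids(cell: str) -> list:
    """Split a 'CVE-.../CVE-...' cell and validate the syntax of each id."""
    ids = [s.strip() for s in cell.split("/")]
    for cve in ids:
        if not CVE_RE.match(cve):
            raise ValueError(f"not a CVE id: {cve!r}")
    return ids


def cve_year(cve: str) -> int:
    """Year component of a syntactically valid CVE id."""
    return int(CVE_RE.match(cve).group(1))


def flatten(table: dict) -> list:
    return [cve for cell in table.values() for cve in split_ids(cell)]


def check_tables() -> dict:
    by_year, by_component, by_type = flatten(BY_YEAR), flatten(BY_COMPONENT), flatten(BY_TYPE)
    flash = set(split_ids(BY_COMPONENT["Embedded Flash"]))
    problems = {
        # an id listed twice inside one table is a cataloguing error
        "duplicates": sorted(c for t in (by_year, by_component, by_type)
                             for c, n in Counter(t).items() if n > 1),
        # the id's own year must agree with the row it sits in
        "year_mismatches": sorted(c for y, cell in BY_YEAR.items()
                                  for c in split_ids(cell) if cve_year(c) != y),
        # the component table must partition exactly the year table
        "missing_from_component": sorted(set(by_year) - set(by_component)),
        "extra_in_component": sorted(set(by_component) - set(by_year)),
        # the type table covers exactly the non-Flash ids
        "missing_from_type": sorted(set(by_year) - flash - set(by_type)),
        "extra_in_type": sorted(set(by_type) - (set(by_year) - flash)),
    }
    return {"total": len(set(by_year)),
            "consistent": not any(problems.values()),
            **problems}


if __name__ == "__main__":
    for key, value in check_tables().items():
        print(f"{key}: {value}")
```

Run as a script it prints the total (38 ids) and an empty list for every problem category, which is the expected result for the tables as they appear on this page.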
Next, following the second table above, we go through these vulnerabilities one by one, leaving out the Flash vulnerabilities.

RTF control word parsing problem
CVE-2010-3333
This vulnerability was found by wushi, head of Keen Lab (科恩实验室). It is a stack overflow vulnerability.
There are many analysis articles about this vulnerability on the Kanxue (看雪) forum; here are a few:
CVE-2010-3333 vulnerability analysis (in-depth analysis)
MS10-087: from vulnerability to patch to POC
Chapter 2, Section 4 of the book Vulnerability Wars (漏洞战争) also gives a fairly systematic description of this vulnerability; interested readers can read the relevant chapter.
CVE-2014-1761
This vulnerability was a 0day discovered by Google. It is a heap out-of-bounds write vulnerability.
Haifei Li (李海飞) did a wonderful analysis of this vulnerability:
A Close Look at RTF Zero-Day Attack CVE-2014-1761 Shows Sophistication of Attackers
The Kanxue forum also has two high-quality analyses of this vulnerability:
CVE-2014-1761 analysis notes
ms14-017 (cve-2014-1761) study notes (this one describes how to set up the right environment)
Anquanke (安全客) also has a high-quality analysis of this vulnerability:
Hand-in-hand: how to construct Office exploits (EXP), part 3
In addition, South Korea's AhnLab published a report about this vulnerability:
Analysis of Zero-Day Exploit_Issue 01 Microsoft Word RTF Vulnerability CVE-2014-1761
When debugging this vulnerability, note that the trigger environment for some samples is quite demanding; the articles above explain how to set up a suitable experimental environment.
CVE-2016-7193
This vulnerability was a 0day reported to Microsoft by the Austrian Military Cyber Emergency Readiness Team.
It is also a heap out-of-bounds write vulnerability.
Baidu Security Lab did a fairly complete analysis of this vulnerability:
APT attack weapon: the secrets of the Word vulnerability CVE-2016-7193
I also wrote an article on exploiting this vulnerability:
Constructing a calculator-popping exploit for CVE-2016-7193 from an in-the-wild sample

The Open XML tag parsing problem
CVE-2015-1641
Google's 0day summary table lists this as one of the 2015 0days.
This is a type confusion vulnerability.
Fortinet (飞塔) wrote an analysis article about this vulnerability:
The Curious Case Of The Document Exploiting An Unknown Vulnerability – Part 1
Alibaba Security (阿里安全) also wrote a wonderful analysis of this vulnerability:
Analysis of the Word type confusion vulnerability CVE-2015-1641
Anquanke also has a wonderful analysis of this vulnerability:
Hand-in-hand: how to construct Office exploits (EXP), part 4
Knownsec (知道创宇) 404 Lab also wrote a wonderful analysis of this vulnerability:
Analysis of a CVE-2015-1641 Word exploit sample
I have also written an article on the principles of this vulnerability:
Analysis ideas for Open XML tag parsing vulnerabilities
When debugging Office samples that involve heap spraying, pay particular attention to the fact that debugger intervention tends to affect the process heap layout, in particular some of the heap option settings. If the sample's behaviour cannot be triggered normally while debugging (often the result of launching the sample directly from the debugger), try double-clicking the sample first and then attaching the debugger.

