RTF exploits in the wild

SonicWall Threat Research Lab is seeing a huge volume of RTF exploits with embedded OLE objects that exploit two Microsoft vulnerabilities, CVE-2017-11882 and CVE-2017-0199. CVE-2017-11882 stems from incorrect handling of embedded Equation Editor OLE objects in Office documents, and CVE-2017-0199 from incorrect parsing of embedded OLE2Link objects. Successful exploitation of either can lead to arbitrary code execution in the context of the host.

Infection cycle:

The infection starts with a phishing campaign that sends the target user either an attachment or a link to a compromised website hosting the malicious document. The malicious document can be either a Word or a PDF file with an embedded Rich Text Format (.rtf) file. When the main document is opened, the embedded .rtf file, which actually exploits the vulnerabilities mentioned above, is extracted and executed. When the .rtf file is done exploiting, control returns to the attacker-specified address where the shellcode is located. When the shellcode executes, it downloads the payload from the remote server and runs it on the compromised machine. We see many variants of final payloads being delivered through these exploits; upon execution they create a reverse shell and give the attacker control over the host.


Trend Graph:

The trend line below shows how this attack is being used in the wild today:


Prevalence Map:

This can be mitigated by keeping software up to date with all security patches. Enable Protected View for Office documents and do not allow editing of RTF files. Review carefully before editing or doing anything that requires Protected View to be disabled.

SonicWALL Threat Research Lab provides protection against this threat via the following signatures:

  • GAV: 23807  CVE2017-11882.BJ_2
  • SPY: 5164 Malformed-File pdf.MP.316

"Double Kill", CVE-2018-8174

Vulnerability Info:

A zero-day exploit in the Microsoft VBScript engine, called “Double Kill”, was discovered around the middle of April. The Remote Code Execution (RCE) vulnerability is classified as a Use-After-Free (UAF) memory corruption bug. An attacker who weaponizes this exploit with arbitrary code could gain the same user rights as the current user. The vulnerability was assigned CVE-2018-8174.


Other Vulnerabilities Being Used:

CVE-2018-8174 isn’t the only Windows vulnerability being reported and used in the wild. Attackers are also exploiting Microsoft Office documents with the “OLE Autolink Object Exploit” (CVE-2017-0199, considered Stage 1) to send out requests to remote servers for new and exciting payloads, aka Stage 2 packages. Once the victim receives Stage 1, the initial malicious Microsoft Word document visits a remote server to pull down another file (Stage 2) with a “Content-Type” of either “application/hta” or “text/scriptlet”; that file uses the exploit (CVE-2018-8174) to trigger the next stage of the infection chain. Let’s trace through the first stage together.


CVE-2017-0199 Walk-through:

Following Stage 1: b48ddad351dd16e4b24f3909c53c8901, the Microsoft Office (.rtf) document. The file leverages CVE-2017-0199; let’s dump the nesting levels with our favorite .rtf application:

From the output above we can peer inside the following objects: 311, 314, 317, 320, 321 and 322. Using a few basic YARA signatures that search for the strings http and RTF_Object, we can check each object of interest. We see the following output:

Item 317 shows the following data:

Item 311 shows the following data:

When we peer inside one of the other items, say item 320, we see the following Unicode data. Directly above this Unicode data, at location 0x14C0, is what is considered to be the shellcode that executes the URL in this data. However, we will not cover the shellcode at this time.

The corresponding GET request would look like this:

We could follow this into Stage 2 next. However, you can see from the technique used above that sometimes you have to fish around until you find the correct object that holds the web link and shellcode. Below is an example script for Stage 2. It would normally also arrive with an HTTP header from the remote server:

Exploit Kits Being Used:

With the “Double Kill” exploit weaponized and the code built into RIG EK, corporate organizations that haven’t patched CVE-2018-8174 will be vulnerable to the attackers’ delivery methods. Weaponized source code has also been seen in ThreadKit, an exploit builder that can be used to create weaponized Microsoft Office documents. It is accessible to cyber criminals with little technical expertise (script kiddies). The Double Kill exploit option is said to be for sale online at or around $400 a download. Whereas an exploit kit such as RIG lures victims to a malicious website and infects them through the browser, ThreadKit lets attackers create weaponized Microsoft Office documents that can be distributed however the attacker wants.


CVE-2018-8174 Walk-through:

The code below exploits the VBScript vulnerability through the deprecated Class_Terminate() method. The code overloads Class_Terminate() on an object being destroyed; the overloaded method adds a reference that VBScriptClass::Release() fails to check, resulting in a Use-After-Free (UAF) when the added reference is later accessed.

Note that PageHeap must be enabled in order to trigger the crash reliably. We do this by running gflags.exe with the command ( gflags /i iexplorer.exe +ust +hpa ). Once the command has been executed, we can show a proof of concept that has been tested on Windows 7 inside iexplorer.exe below:


Trend Graph:

The trend line below shows how this attack is being used in the wild today:


Updates and Micro-Patches:

The flaw exists in all versions of Windows; Microsoft already released a patch back in May. Users are reporting that the Windows 7 updates cause networking issues, which may lead some users to decide not to update their computers and leave them open to attack. On Tuesday, June 12th, Microsoft will release another patch, and there is a good chance that an update will be released for Windows 7 users.


Detection & Classification:

SonicWALL Threat Lab Research Team provides protection against this threat via the following signature:

  • IPS: 4601 HTTP Client Shellcode Exploit 1

CVE-2017-0199 attacks still active

Microsoft Office allows remote attackers to execute arbitrary code via a crafted document; the issue is described as the Microsoft Office/WordPad Remote Code Execution Vulnerability. CVE-2017-0199 attacks are still active. The SonicWall Capture Labs Threat Research team observed a surge of these attacks in July, after the zero-day was first discovered in April.

The malicious RTF document contains an objautlink object with an embedded link in it.

The document references an outside link, which it updates when the user opens the document.

The document makes the following HTTP calls to the attacker’s website.

And downloads a script.

After decoding the script we see that it downloads and runs malicious executable files.

SonicWall Capture Labs Threat Research team has researched this vulnerability and released the following signatures to protect their customers.

  • SPY: 1446 Malformed-File rtf.MP.17
  • GAV: CVE-2017-0199.A
  • GAV: CVE-2017-0199

Recent Microsoft Office Zero Day (CVE-2017-0199) attacks spotted in the wild (Apr 13, 2017)

Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka “Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API.”

The attack comes in the form of a malicious Word document with a malicious link embedded in the objautlink object. The objautlink in RTF is the OLE autolink object type. This link tries to connect to the attacker’s web server and downloads a malicious script.

Decoding the RTF file gives you the URL(s) the attacker is trying to connect to.
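Added example (not code from the SonicWall posts): a small Python helper that decodes the hex inside an RTF \objdata group and pulls out both narrow and UTF-16 URLs, the same step the post performs by hand here and in the CVE-2017-0199 walk-through above (items 311/317/320). The sample RTF and the host payload-host.invalid are constructed for the example; the parser is deliberately simplified and does not cover every RTF encoding trick.

```python
import re

# CVE-2017-0199 samples pair \objautlink with \objupdate so Word refreshes the
# OLE link on open; the OLE2Link stream itself is hex text inside \objdata.
LINK_CONTROL_WORDS = (b"\\objautlink", b"\\objupdate", b"\\objdata")
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")
WIDE_RUN_RE = re.compile(rb"(?:[\x21-\x7e]\x00){6,}")  # UTF-16LE printable run

def extract_objdata_blobs(rtf: bytes) -> list:
    # Decode every \objdata hex group, skipping whitespace and nested control words.
    blobs = []
    for m in re.finditer(rb"\\objdata\b", rtf):
        depth, i, hexchars = 0, m.end(), bytearray()
        while i < len(rtf):
            c = rtf[i:i + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                if depth == 0:
                    break                       # closing brace of the group
                depth -= 1
            elif c == b"\\":                    # \word, \word123, trailing space
                j = i + 1
                while j < len(rtf) and rtf[j:j + 1].isalpha():
                    j += 1
                while j < len(rtf) and rtf[j:j + 1].isdigit():
                    j += 1
                i = j + 1 if rtf[j:j + 1] == b" " else j
                continue
            elif c in b"0123456789abcdefABCDEF":
                hexchars += c
            i += 1
        blobs.append(bytes.fromhex(hexchars[:len(hexchars) & ~1].decode()))
    return blobs

def find_urls(blob: bytes) -> list:
    # Narrow URLs plus the UTF-16LE form the moniker stream stores.
    found = {u.decode() for u in URL_RE.findall(blob)}
    for run in WIDE_RUN_RE.findall(blob):
        found.update(u.decode() for u in URL_RE.findall(run.decode("utf-16-le").encode()))
    return sorted(found)

def analyze_rtf(rtf: bytes) -> dict:
    words = [w.decode() for w in LINK_CONTROL_WORDS if w in rtf]
    urls = sorted({u for b in extract_objdata_blobs(rtf) for u in find_urls(b)})
    auto = b"\\objautlink" in rtf and b"\\objupdate" in rtf
    return {"control_words": words, "urls": urls, "suspicious": auto and bool(urls)}

# Constructed sample (not a real capture): hex split by spaces, a newline and
# a nested \lang control word, as obfuscated in-the-wild files do.
CONSTRUCTED_URL = "http://payload-host.invalid/update.hta"
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata 0105"
              b"0000 0200 0000 \n0b00 0000 " + b"OLE2Link".hex().encode() + b"00\\lang1033 "
              + CONSTRUCTED_URL.encode("utf-16-le").hex().encode() + b"0000}}}")
```

Running analyze_rtf(SAMPLE_RTF) reports the three link control words, the extracted URL and suspicious=True; a real triage script would run the same check over the \objdata of every object in the file and feed the URLs into blocking or sandbox analysis.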

The original RTF data:

Decoded to hex, which in turn gives the URL:

Another example:

The malicious script:

SonicWALL Threat Research Team has researched this vulnerability and released the following signatures to protect their customers.

  • SPY: 1446 Malformed-File rtf.MP.17
  • GAV: CVE-2017-0199.A

Microsoft Security Bulletin Coverage for April 2017

SonicWall has analyzed and addressed Microsoft and Adobe’s security advisories for the month of April, 2017. A list of issues reported, along with SonicWall coverage information are as follows:

Microsoft Coverage

  • CVE-2017-0058 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0093 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0106 Microsoft Outlook Remote Code Execution Vulnerability
    SPY:4460 Malformed-File rtf.MP.18
  • CVE-2017-0155 Windows Graphics Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0156 Windows Graphics Component Elevation of Privilege Vulnerability
    SPY:1450 Malformed-File exe.MP.30
  • CVE-2017-0158 Scripting Engine Memory Corruption Vulnerability
    IPS:12715 Scripting Engine Memory Corruption Vulnerability (APR 17) 2
  • CVE-2017-0159 ADFS Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0160 .NET Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0162 Hyper-V Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0163 Hyper-V Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0164 Active Directory Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0165 Windows Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0166 LDAP Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0167 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0168 Hyper-V Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0169 Hyper-V Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0178 Hyper-V Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0179 Hyper-V Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0180 Hyper-V Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0181 Hyper-V Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0182 Hyper-V Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0183 Hyper-V Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0184 Hyper-V Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0185 Hyper-V Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0186 Hyper-V Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0188 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0189 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0191 Windows Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0192 ATMFD.dll Information Disclosure Vulnerability
    SPY:1433 Malformed-File pfb.MP.2
  • CVE-2017-0194 Microsoft Office Memory Corruption Vulnerability
    IPS:12716 Microsoft Office Memory Corruption Vulnerability (APR 17)
  • CVE-2017-0195 Microsoft Office XSS Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0197 Office DLL Loading Vulnerability
    IPS:12718 ceutil.dll Insecure Library Loading
  • CVE-2017-0199 Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API
    SPY:1446 Malformed-File rtf.MP.17
  • CVE-2017-0200 Microsoft Edge Memory Corruption Vulnerability
    IPS:12717 Microsoft Edge Memory Corruption Vulnerability (APR 17) 2
  • CVE-2017-0201 Scripting Engine Memory Corruption Vulnerability
    IPS:12708 Scripting Engine Memory Corruption Vulnerability (APR 17) 1
  • CVE-2017-0202 Internet Explorer Memory Corruption Vulnerability
    IPS:12709 Internet Explorer Memory Corruption Vulnerability (APR 17) 1
  • CVE-2017-0203 Microsoft Edge Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0204 Microsoft Office Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0205 Microsoft Edge Memory Corruption Vulnerability
    IPS:12710 Microsoft Edge Memory Corruption Vulnerability (APR 17) 1
  • CVE-2017-0207 Microsoft Office Spoofing Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0208 Scripting Engine Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0210 Internet Explorer Elevation of Privilege Vulnerability
    IPS:12712 Internet Explorer Elevation of Privilege (APR 17) 1
  • CVE-2017-0211 Windows OLE Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-6629 libjpeg Information Disclosure Vulnerability
    There are no known exploits in the wild.

Adobe Coverage

APSB17-10 Security updates for Adobe Flash Player:

  • CVE-2017-3058 Adobe Flash Player Use After Free Vulnerability
    Spy:1417 Malformed-File swf.MP.549
  • CVE-2017-3059 Adobe Flash Player Use After Free Vulnerability
    Spy:1418 Malformed-File swf.MP.550
  • CVE-2017-3060 Adobe Flash Player Memory Corruption Vulnerability
    Spy:1419 Malformed-File swf.MP.551
  • CVE-2017-3061 Adobe Flash Player Memory Corruption Vulnerability
    Spy:1420 Malformed-File swf.MP.552
  • CVE-2017-3062 Adobe Flash Player Use After Free Vulnerability
    Spy:1421 Malformed-File swf.MP.553
  • CVE-2017-3063 Adobe Flash Player Use After Free Vulnerability
    Spy:1422 Malformed-File swf.MP.554
  • CVE-2017-3064 Adobe Flash Player Memory Corruption Vulnerability
    Spy:1423 Malformed-File swf.MP.555

APSB17-11 Security Updates for Adobe Acrobat and Reader:

  • CVE-2017-3013 Adobe Acrobat Reader Insecure Library Loading Vulnerability
    Spy:1406 Malformed-File pdf.MP.219
  • CVE-2017-3014 Adobe Acrobat Reader Use After Free Vulnerability
    Spy:1407 Malformed-File pdf.MP.220
  • CVE-2017-3017 Adobe Acrobat Reader Memory Corruption Vulnerability
    Spy:1408 Malformed-File pdf.MP.221
  • CVE-2017-3019 Adobe Acrobat Reader Memory Corruption Vulnerability
    Spy:1409 Malformed-File pdf.MP.222
  • CVE-2017-3020 Adobe Acrobat Reader Memory Address Leak Vulnerability
    Spy:1410 Malformed-File pdf.MP.223
  • CVE-2017-3021 Adobe Acrobat Reader Memory Address Leak Vulnerability
    Spy:1411 Malformed-File pdf.MP.224
  • CVE-2017-3022 Adobe Acrobat Reader Memory Address Leak Vulnerability
    Spy:1412 Malformed-File pdf.MP.225
  • CVE-2017-3023 Adobe Acrobat Reader Memory Corruption Vulnerability
    Spy:1413 Malformed-File pdf.MP.226
  • CVE-2017-3024 Adobe Acrobat Reader Memory Corruption Vulnerability
    Spy:1414 Malformed-File pdf.MP.227
  • CVE-2017-3025 Adobe Acrobat Reader Memory Corruption Vulnerability
    Spy:1415 Malformed-File pdf.MP.228
  • CVE-2017-3026 Adobe Acrobat Reader Use After Free Vulnerability
    Spy:1416 Malformed-File pdf.MP.229
  • CVE-2017-3029 Adobe Acrobat Reader Memory Address Leak Vulnerability
    Spy:1405 Malformed-File pdf.MP.218
  • CVE-2017-3032 Adobe Acrobat Reader Memory Address Leak Vulnerability
    Spy:1424 Malformed-File pdf.MP.235
  • CVE-2017-3033 Adobe Acrobat Reader Memory Address Leak Vulnerability
    Spy:1432 Malformed-File pdf.MP.232
  • CVE-2017-3042 Adobe Acrobat Reader Heap Overflow Vulnerability
    Spy:1425 Malformed-File tif.MP.5
    Spy:1426 Malformed-File tif.MP.6
    Spy:1428 Malformed-File tif.MP.7
  • CVE-2017-3044 Adobe Acrobat Reader Memory Corruption Vulnerability
    Spy:1430 Malformed-File pdf.MP.230
  • CVE-2017-3045 Adobe Acrobat Reader Memory Address Leak Vulnerability
    Spy:1431 Malformed-File pdf.MP.231
  • CVE-2017-3046 Adobe Acrobat Reader Memory Address Leak Vulnerability
    Spy:1434 Malformed-File pdf.MP.233
  • CVE-2017-3047 Adobe Acrobat Reader Use After Free Vulnerability
    Spy:1435 Malformed-File pdf.MP.234
  • CVE-2017-3048 Adobe Acrobat Reader Heap Overflow Vulnerability
    Spy:1436 Malformed-File tif.MP.8
  • CVE-2017-3049 Adobe Acrobat Reader Heap Overflow Vulnerability
    Spy:1437 Malformed-File tif.MP.9
  • CVE-2017-3050 Adobe Acrobat Reader Memory Corruption Vulnerability
    Spy:1438 Malformed-File gif.MP.1
  • CVE-2017-3051 Adobe Acrobat Reader Memory Corruption Vulnerability
    Spy:1441 Malformed-File jpg.MP.5
  • CVE-2017-3052 Adobe Acrobat Reader Memory Address Leak Vulnerability
    Spy:1443 Malformed-File emf.MP.13
    Spy:1445 Malformed-File emf.MP.14
  • CVE-2017-3053 Adobe Acrobat Reader Memory Address Leak Vulnerability
    Spy:1447 Malformed-File jpg.MP.6
  • CVE-2017-3055 Adobe Acrobat Reader Heap Overflow Vulnerability
    Spy:1448 Malformed-File pdf.MP.237
  • CVE-2017-3056 Adobe Acrobat Reader Memory Corruption Vulnerability
    Spy:4237 Malformed-File pdf.MP.238
  • CVE-2017-3057 Adobe Acrobat Reader Use After Free Vulnerability
    Spy:1449 Malformed-File pdf.MP.236