2025-02-24 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
This article describes the Microsoft .NET Framework vulnerability in detail. We hope it is a useful reference for interested readers.
0x01 event background
On August 24th, the 360 Core Security Division captured a new type of advanced threat attack that uses Office documents. On the 12th, Microsoft released a large-scale security update that included CVE-2017-8759. At the same time, FireEye announced that it had found CVE-2017-8759 being exploited in the wild. Because the vulnerability has a wide impact and is not difficult to exploit, 360CERT urgently followed up, analyzed it, and issued an early warning notice.
0x02 hazard level
[+] serious
0x03 affected versions
Microsoft .NET Framework 4.7
Microsoft .NET Framework 4.6.2
Microsoft .NET Framework 4.6.1
Microsoft .NET Framework 4.6
Microsoft .NET Framework 4.5.2
Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 3.5
Microsoft .NET Framework 2.0 SP2
0x04 vulnerability location
The CVE-2017-8759 vulnerability is caused by improper handling of the XML in a WSDL document. If the supplied data contains CRLF sequences, IsValidUrl does not validate it correctly. Referring to the .NET source code, the API that handles this incorrectly can be located:
And the vulnerability trigger point:
Here the function generates logo.cs and calls csc.exe to compile it into a DLL. Both the .cs source file and the generated DLL were captured.
The whole process is as follows:
1. Request a malicious SOAP WSDL
2. IsValidUrl in System.Runtime.Remoting.ni.dll of the .NET Framework validates the input improperly
3. Malicious code is written to the .cs file by PrintClientProxy in System.Runtime.Remoting.ni.dll of the .NET Framework
4. csc.exe compiles the .cs file into a DLL
5. Office loads the DLL
6. Execute malicious code
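The chain above starts with line breaks in WSDL data that IsValidUrl fails to reject. The following check is an added example, not code from the original advisory, 360CERT or Microsoft: it triages a fetched WSDL by flagging any attribute value that carries CR/LF. The function name, the sample documents and the use of a `location` attribute in them are assumptions made for illustration.

```python
import re

# name="value" / name='value' in raw markup; DOTALL lets a value span lines.
ATTR_RE = re.compile(r'([\w:.-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\')', re.DOTALL)
# Numeric character references for LF (10, xA) and CR (13, xD).
CHARREF_RE = re.compile(r'&#(?:0*(?:10|13)|[xX]0*[aAdD]);')


def find_line_break_attrs(wsdl_text):
    """Return (attribute, reason) for each attribute value carrying CR/LF.

    Works on raw text: a conforming XML parser normalizes literal line
    breaks inside attribute values to spaces, which would hide them.
    """
    findings = []
    for match in ATTR_RE.finditer(wsdl_text):
        name = match.group(1)
        value = match.group(2) if match.group(2) is not None else match.group(3)
        if "\r" in value or "\n" in value:
            findings.append((name, "literal line break"))
        elif CHARREF_RE.search(value):
            findings.append((name, "encoded line break"))
    return findings


# Constructed samples: hosts, paths and marker text are placeholders.
BENIGN_WSDL = '''<definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
  <soap:address location="http://service.example.invalid/api"/>
</definitions>'''

SUSPECT_WSDL = '''<definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
  <soap:address location="http://a.example.invalid/x
CONSTRUCTED-SECOND-LINE"/>
  <soap:address location="http://b.example.invalid/x&#13;&#10;CONSTRUCTED"/>
</definitions>'''

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_WSDL), ("suspect", SUSPECT_WSDL)):
        print(label, find_line_break_attrs(doc))
```

A hit is a triage signal for a WSDL that deserves a closer look, not proof of exploitation. The pattern also matches name="value" text outside tags, so expect occasional false positives.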
0x05 event background
0x06 repair scheme
360 Security Guard detected and blocked the attack samples for this vulnerability as soon as they appeared. Users are asked not to open Office documents from unknown sources in the near future. Relevant organizations also need to stay alert to targeted attacks that use 0day vulnerabilities of this kind, and should use 360 Security Guard to install the vulnerability patch and defend against possible attacks.
Security Bulletin: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8759