2025-02-27 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
This article shares the in-the-wild samples and vulnerability analysis of CVE-2017-8570. The editor found it very practical and shares it here in the hope that readers get something out of it.
Overview
In August 2017 the Threat Intelligence Center published "The CVE-2017-8570 Sample Mix-up and the Drama Behind It" (see reference [1]). At that time a number of malicious Office slide (PowerPoint) documents tagged CVE-2017-8570 had appeared on VirusTotal, and some security vendors claimed to have been the first to capture in-the-wild exploit samples for the new Office vulnerability CVE-2017-8570. After analysis, the Threat Intelligence Center determined that those exploit samples were in fact another use of CVE-2017-0199 (executing a ScriptletFile script through an object loaded from a slide), which Microsoft had already fixed in its April 2017 patch for CVE-2017-0199.
The Threat Intelligence Center has now observed the first genuine in-the-wild CVE-2017-8570 attack sample. The heat map below, built from the Threat Intelligence Center's data, shows submissions of CVE-2017-8570 samples since January 11, 2018. It shows that once an exploit for a vulnerability becomes publicly usable, attackers adopt it quickly and use it frequently:
In addition, CVE-2017-0199 has an inherent limitation when used against Office Word (we describe this in a later section), so in practice CVE-2017-0199 samples targeting Word are not very dangerous. CVE-2017-8570 has no such limitation, so its real-world effect on Word is much better than that of 0199. Constructing a PoC for it is comparatively difficult, however, which is one reason no in-the-wild use was found at first.
Sample analysis
Until then the vulnerability had not been exploited in the wild, or at least no exploitation was known:
Around January 11, 2018 the Threat Intelligence Center found the first in-the-wild RTF sample exploiting CVE-2017-8570. The number of attack samples using CVE-2017-8570 has grown steadily since, and we selected a recent real attack sample for analysis.
Analysis of an in-the-wild RTF sample
Because there were almost no genuine CVE-2017-8570 samples before this month, detection of this vulnerability is poor: when the attack sample analysed below was checked on VirusTotal, only 11 of 57 engines flagged it:
Malicious RTF sample analysis:
The sample abuses the behaviour, present since Windows Vista, that Word automatically drops a Package object embedded in an RTF document into the %tmp% directory. The malicious ScriptletFile (.sct) script is inserted into the document as a Package object, so as soon as the victim opens the RTF the .sct file is written to %tmp% automatically.
The sample inserts two key \objdata objects. One is the Package object, whose content is in fact a ScriptletFile (.sct) script:
The other is the OLE2Link object that carries the CVE-2017-8570 trigger:
After the RTF document is opened, the Package object is automatically dropped into %tmp%; the dropped file is the malicious ScriptletFile (.sct) script.
The OLE2Link object is what triggers the vulnerability. Once the vulnerability fires, the MUZTWOWEZTHOBKW.sct script in %tmp% is loaded and executed directly.
Inside the OLE2Link object a Composite Moniker is used to "bind" a File Moniker. A File Moniker, as the name implies, designates a file; the File Moniker in this sample points at the .sct script in the local %tmp% directory, which is exactly the file dropped from the Package object:
When the File Moniker finds that the file it is binding has the .sct extension, it loads and executes the ScriptletFile script through the COM interface registered for that file type.
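The two-object layout described above (a Package that drops the .sct, plus an OLE2Link whose native data chains the monikers) is something a triage script can check for directly. The following Python scanner is an added example, not code from the original report or from the 360 Threat Intelligence Center: it pulls every \objdata blob out of an RTF file, parses the OLE 1.0 object header (MS-OLEDS EmbeddedObject) to read the class name, recovers the file name that Word will drop into %tmp% for Package objects (the Ole10Native-style layout that oletools reads), and for any other object looks for the three moniker CLSIDs in their on-disk little-endian form. The RTF at the bottom is constructed for the demo: its OLE2Link native data is a stand-in carrying only the CLSIDs and a path rather than a real CFB stream, and its scriptlet is empty.

```python
import re
import struct
import uuid

# Moniker CLSIDs named in the analysis, in the little-endian layout they have inside OLE streams.
MONIKER_CLSIDS = {
    "Composite Moniker": uuid.UUID("00000309-0000-0000-C000-000000000046").bytes_le,
    "File Moniker": uuid.UUID("00000303-0000-0000-C000-000000000046").bytes_le,
    "New Moniker": uuid.UUID("ECABAFC6-7F19-11D2-978E-0000F8757E2A").bytes_le,
}
SCRIPT_EXTENSIONS = (".sct", ".wsc")  # scriptlet extensions to flag (assumption; extend as needed)
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)\}")  # hex payload of an \objdata group

def _lp_ansi(buf, off):
    """MS-OLEDS LengthPrefixedAnsiString: DWORD length (including the NUL), then the bytes."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    return buf[off:off + n].rstrip(b"\x00").decode("latin-1"), off + n

def _cstr(buf, off):
    """NUL-terminated ANSI string."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1

def parse_ole1(blob):
    """OLE 1.0 EmbeddedObject (MS-OLEDS 2.2.5), the format carried in RTF \\objdata:
    OLEVersion, FormatID, ClassName, TopicName, ItemName, NativeDataSize, NativeData."""
    version, fmt = struct.unpack_from("<II", blob, 0)
    cls, off = _lp_ansi(blob, 8)
    _topic, off = _lp_ansi(blob, off)
    _item, off = _lp_ansi(blob, off)
    (size,) = struct.unpack_from("<I", blob, off)
    return {"version": version, "format_id": fmt, "class": cls, "native": blob[off + 4:off + 4 + size]}

def parse_package(native):
    """Packager payload of a Package object (the Ole10Native layout oletools reads):
    WORD 0x0002, label, original path, two DWORDs, temp path, DWORD size, file bytes.
    The label is the file name Word uses when it drops the object into %tmp%."""
    label, off = _cstr(native, 2)
    src_path, off = _cstr(native, off)
    temp_path, off = _cstr(native, off + 8)
    (size,) = struct.unpack_from("<I", native, off)
    return {"label": label, "src_path": src_path, "temp_path": temp_path, "data": native[off + 4:off + 4 + size]}

def scan_rtf(rtf):
    """One finding per \\objdata blob: dropped-file details for Package objects,
    moniker CLSIDs found in the native data for everything else."""
    findings = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1)).decode("ascii")
        try:
            obj = parse_ole1(bytes.fromhex(hexdata))
            finding = {"class": obj["class"]}
            if obj["class"] == "Package":
                pkg = parse_package(obj["native"])
                finding.update(label=pkg["label"], src_path=pkg["src_path"], payload_size=len(pkg["data"]),
                               drops_script=pkg["label"].lower().endswith(SCRIPT_EXTENSIONS))
            else:
                finding["monikers"] = [n for n, g in MONIKER_CLSIDS.items() if g in obj["native"]]
        except (ValueError, struct.error):
            continue  # malformed or obfuscated object data; a production scanner would flag this too
        findings.append(finding)
    return findings

def looks_like_cve_2017_8570(findings):
    """Both halves of the pattern: a Package that drops a scriptlet, and another object whose
    native data carries a Composite Moniker together with a New Moniker."""
    drops = any(f.get("drops_script") for f in findings)
    chain = any({"Composite Moniker", "New Moniker"} <= set(f.get("monikers", ())) for f in findings)
    return drops and chain

# --- constructed sample document (not a real malicious file) ---
def _lp(s):
    b = s.encode("latin-1") + b"\x00" if s else b""
    return struct.pack("<I", len(b)) + b

def _ole1(cls, native):
    return struct.pack("<II", 0x501, 2) + _lp(cls) + _lp("") + _lp("") + struct.pack("<I", len(native)) + native

def _package(label, src_path, data):
    return (b"\x02\x00" + label.encode() + b"\x00" + src_path.encode() + b"\x00"
            + struct.pack("<II", 0x300, len(src_path) + 1) + src_path.encode() + b"\x00"
            + struct.pack("<I", len(data)) + data)

def _rtf_obj(objclass, ole1):
    return b"{\\object\\objemb{\\*\\objclass " + objclass.encode() + b"}{\\*\\objdata " + ole1.hex().encode() + b"}}"

EMPTY_SCT = b'<?XML version="1.0"?><scriptlet><script language="JScript"></script></scriptlet>'
# Stand-in for the OLE2Link native data: a real sample carries a CFB container; here only the
# moniker CLSIDs and the target path are present so the detector has something to match.
FAKE_OLE2LINK = (MONIKER_CLSIDS["Composite Moniker"] + struct.pack("<I", 2) + MONIKER_CLSIDS["File Moniker"]
                 + b"%tmp%\\MUZTWOWEZTHOBKW.sct\x00" + MONIKER_CLSIDS["New Moniker"])
SAMPLE_RTF = (b"{\\rtf1\\ansi "
              + _rtf_obj("Package", _ole1("Package", _package("MUZTWOWEZTHOBKW.sct", "C:\\x\\MUZTWOWEZTHOBKW.sct", EMPTY_SCT)))
              + b" " + _rtf_obj("OLE2Link", _ole1("OLE2Link", FAKE_OLE2LINK)) + b"}")

if __name__ == "__main__":
    for f in scan_rtf(SAMPLE_RTF):
        print(f)
    print("CVE-2017-8570 pattern:", looks_like_cve_2017_8570(scan_rtf(SAMPLE_RTF)))
```

Run it on a real RTF with `scan_rtf(open(path, "rb").read())`. The Package finding gives you the dropped file name and payload size before ever opening the document, which is the same information the analysis above recovered by hand; the moniker check on the OLE2Link is deliberately loose (substring search rather than full CFB parsing) so that it survives the RTF-level obfuscation seen in the wild, at the cost of some false positives.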
Payload
Analysis shows that the payload delivered by the sample is FormBook. FormBook is an information-stealing trojan with remote-control capability. FireEye has reported that APT groups used FormBook as a payload in phishing attacks against aerospace companies, defense contractors and some manufacturing companies in the US and South Korea.
The sample is written in VB. When run, it first creates a new instance of itself in a suspended state, then decrypts the real malicious code, writes it into the newly created hollowed ("zombie") process with ZwWriteVirtualMemory, and finally resumes that process so the malicious code executes. The hollowed process walks the process list to find Explorer.exe and uses NtMapViewOfSection to inject shellcode into it:
The shellcode injected into Explorer picks a random .exe under %systemroot%\system32, launches it as another hollowed process and injects shellcode into it in turn; this new process deletes the original sample and injects shellcode back into Explorer.exe, which is where the final malicious code runs. That code then connects to the C2 server and sends its check-in as an HTTP GET request:
It dispatches the corresponding trojan function by checking the C2 instruction together with the special "FBNG" string marker:
Received instructions and the corresponding trojan functions:
Function number  Description
1                Download and execute
2                Update the trojan
3                Self-delete
4                Execute a command via ShellExecute
5                Clear browser cookies
6                Restart
7                Shut down
8                Collect browser passwords and take a screenshot
9                Download a ZIP file
Trojan execution process
Exploit source
On January 9, 2018 a security researcher uploaded an exploit builder for CVE-2017-8570 to GitHub (https://github.com/rxwx/CVE-2017-8570). The Threat Intelligence Center's analysis confirmed that the tool is indeed an exploit builder for CVE-2017-8570, and almost all of the captured attack samples were generated with it.
Given that the technical details and a proof of concept for the vulnerability are now public, it is very likely that it will next be used in large-scale attacks.
Vulnerability analysis
Vulnerability overview
Microsoft fixed this Office remote code execution vulnerability (CVE-2017-8570) in its July 2017 security update. The vulnerability abuses the Composite Moniker object in Office OLE: while composing a File Moniker object, Office directly executes the remote or local ScriptletFile (.sct) script designated by that File Moniker, without any security check.
Microsoft's fix for CVE-2017-0199 actually disabled the htafile and script objects in Office, but not the ScriptletFile object. Because a ScriptletFile (.sct) script can still be executed through a Composite Moniker, which amounts to a bypass of the CVE-2017-0199 patch, Microsoft disabled the ScriptletFile object in the fix for CVE-2017-8570:
April 2017, fix for CVE-2017-0199: htafile and script objects disabled
Disabled CLSID                           ProgID         CVE
{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}   htafile        CVE-2017-0199
{06290BD3-48AA-11D2-8432-006008C3FBFC}   script         CVE-2017-0199
July 2017, fix for CVE-2017-8570: ScriptletFile object disabled
Disabled CLSID                           ProgID         CVE
{06290BD2-48AA-11D2-8432-006008C3FBFC}   ScriptletFile  CVE-2017-8570
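A practitioner checking whether a host actually carries these fixes can look for the block entries directly. The Python audit below is an added example, not part of the original report: it assumes, as the Office updates do, that the block list lives under HKLM\SOFTWARE\Microsoft\Office\<version>\Common\COM Compatibility\{CLSID} in the DWORD value "Compatibility Flags", with bit 0x400 (the same kill-bit value Internet Explorer uses for ActiveX) meaning the class may not be activated. The Office version list and the injectable reader function are my additions so the logic can be exercised off Windows.

```python
import sys

# CLSIDs disabled by the April and July 2017 Office updates (from the table above).
BLOCKED_CLSIDS = {
    "{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}": ("htafile", "CVE-2017-0199"),
    "{06290BD3-48AA-11D2-8432-006008C3FBFC}": ("script", "CVE-2017-0199"),
    "{06290BD2-48AA-11D2-8432-006008C3FBFC}": ("ScriptletFile", "CVE-2017-8570"),
}
# Office keeps its per-class block list under ...\Common\COM Compatibility\{CLSID}; bit 0x400 of
# the DWORD "Compatibility Flags" is the activation kill bit (assumption: same value IE uses).
KILL_BIT = 0x400
OFFICE_VERSIONS = ("14.0", "15.0", "16.0")  # Office 2010 / 2013 / 2016+; adjust to what is installed

def is_blocked(flags):
    """True when the kill bit is set; None means the key is absent, i.e. the class is not blocked."""
    return flags is not None and bool(flags & KILL_BIT)

def audit(read_flags, versions=OFFICE_VERSIONS):
    """Evaluate every (Office version, CLSID) pair. read_flags(version, clsid) returns the
    Compatibility Flags DWORD or None; injecting it keeps the logic testable off Windows."""
    return {v: {c: is_blocked(read_flags(v, c)) for c in BLOCKED_CLSIDS} for v in versions}

def missing(report):
    """(version, clsid, progid, cve) for every class that is still activatable."""
    return [(v, c) + BLOCKED_CLSIDS[c] for v, row in report.items() for c, ok in row.items() if not ok]

def registry_reader(version, clsid):
    """Live reader (Windows only): tries HKLM then HKCU, in both the 64-bit and the WOW6432Node
    view, because 32-bit Office on 64-bit Windows stores its keys under the 32-bit view."""
    import winreg
    sub = rf"SOFTWARE\Microsoft\Office\{version}\Common\COM Compatibility\{clsid}"
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
            try:
                with winreg.OpenKey(hive, sub, 0, winreg.KEY_READ | view) as key:
                    value, _ = winreg.QueryValueEx(key, "Compatibility Flags")
                    return int(value)
            except OSError:
                continue
    return None

if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows host whose Office installation you want to audit")
    gaps = missing(audit(registry_reader))
    for version, clsid, progid, cve in gaps:
        print(f"Office {version}: {progid} {clsid} ({cve}) is NOT blocked")
    print("all patched CLSIDs blocked" if not gaps else f"{len(gaps)} gap(s) found")
```

Note that an absent key is reported as a gap, so pass `audit(registry_reader, versions=("16.0",))` with only the Office versions actually installed on the host; otherwise every uninstalled version shows up as unpatched.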
Composite Moniker
A Composite Moniker object either wraps one Moniker object as a new Moniker object (NewMoniker) or combines several Moniker objects, for example combining two File Moniker objects into one. Suppose a Composite Moniker object contains two File Moniker objects:
File Moniker 1: "c:\work\art"   File Moniker 2: "..\backup\myfile.doc"
Combining them with the Composite Moniker object yields a single File Moniker object with the full file path "c:\work\backup\myfile.doc".
The sample that triggers the vulnerability contains three Moniker objects:
Composite Moniker: {00000309-0000-0000-C000-000000000046}
File Moniker: {00000303-0000-0000-C000-000000000046}
New Moniker: {ECABAFC6-7F19-11D2-978E-0000F8757E2A}
The Composite Moniker in the sample wraps the File Moniker as a New Moniker object:
Executing the ScriptletFile script
When the Composite Moniker wraps the File Moniker as a New Moniker object, it calls IMoniker::BindToObject to bind the File Moniker. The prototype of IMoniker::BindToObject is:
HRESULT BindToObject([in] IBindCtx *pbc, [in] IMoniker *pmkToLeft, [in] REFIID riidResult, [out] void **ppvResult);
pmkToLeft points to the File Moniker, and the file it designates in the sample is %tmp%\MUZTWOWEZTHOBKW.sct. Because the File Moniker has to initialise the designated file, when it sees the .sct extension it automatically looks up the interface registered for handling .sct files in the registry:
(Figures: determining the .sct extension; the CLSID associated with scriptletfile; locating the handling interface)
Having found the interface that handles .sct files, it calls that interface to start the scriptlet execution environment and run the script. A stack backtrace shows the whole execution path:
0:000> k
ChildEBP RetAddr
0037abe8 62e048ff jscript!ScriptRuntime::Run
... (further jscript!ScriptRuntime / RunScript frames; remainder of the trace not recoverable from the page)